When and how to notify people and organizations

September 2020

A short video explaining when and how to notify people and organizations affected by a breach. This video complements our guidelines on mandatory breach requirements.



[Office of the Privacy Commissioner of Canada logo is centred in white on a black screen.]

[A pink rectangle stretches all the way along the top of the screen. In the far right-hand corner of the rectangle, the word “breach” appears in white.]

BREACH

[A still image appears of the legs of a line of people, all standing side by side, with their backs against a wall. The picture darkens, and fades into the background. A yellow rectangle appears with the words, “When and how to notify people and organizations” written on it. Beside the words is a drawing of a megaphone. Curved lines emanate out from the speaker of the megaphone.]

When and how to notify people and organizations

[Text appears below the yellow rectangle.]

When and how to notify people affected by a breach

Narrator: Now let’s look at when and how to notify people affected by a breach.

[The text fades out, and new text appears. Next to it is a drawing of a large padlock with a target on the front. The padlock breaks in half, just below the latch. The following words appear and are spoken by the narrator:]

Narrator: As soon as feasible after you’ve determined that a breach of personal information involves a real risk of significant harm,

[The text fades out and new text fades in. The padlock shrinks and moves upwards, and the figures of people appear beneath the broken padlock. The following words appear and are spoken by the narrator:]

Narrator: you need to let affected individuals know about it.

[The text fades out, and new text fades in. The following words appear and are spoken by the narrator:]

Narrator: Usually, the notice that a breach of security safeguards has taken place at your business must be delivered directly to the person affected by the breach.

[The text, padlock, and people fade out. A white diamond with a drawing of the upper body of a person inside it appears on the left. Text appears beneath the diamond. The following words appear and are spoken by the narrator:]

Narrator: Either in person,

[A second diamond appears to the right of the first. The second diamond has a drawing of a smartphone inside it. Text appears beneath the diamond. The following words appear and are spoken by the narrator:]

Narrator: by telephone,

[A third diamond appears next to the second. The third diamond has a drawing of an addressed and stamped envelope inside. Text appears beneath the diamond. The following words appear and are spoken by the narrator:]

Narrator: by mail

[A fourth diamond appears to the right of the third. The fourth diamond has a drawing of an open envelope inside. A sheet of paper with a circle on it sticks halfway out of the open envelope. The following words appear and are spoken by the narrator:]

Narrator: email,

[A fifth diamond appears to the right of the fourth. The fifth diamond has a drawing of a speech bubble with an ellipsis inside. The following words appear and are spoken by the narrator:]

Narrator: or some other direct form of communication.

[The diamonds disappear, and text fades in.]

Sometimes, indirect notification is acceptable

Narrator: But sometimes, indirect notification is acceptable. For example,

[The text fades out, and new text fades in just below the yellow rectangle at the top of the screen.]

An indirect notice is called for when a direct notice is likely to cause…

[Text fades in below the header.]

Further harm to the affected person

Narrator: an indirect notice is called for when a direct notice is likely to cause further harm to the affected person,

[The text below the header fades out. The following words appear and are spoken by the narrator:]

Narrator: cause undue hardship for your business,

[The header and text fade out, and a new header fades in, with new text below.]

An indirect notice is called for when…

You don’t have contact information for the affected person

Narrator: Or you don’t have contact information for the affected person.

[All the text disappears, and a square white speech bubble appears, with an exclamation mark inside it.]

Narrator: If getting the message out indirectly is appropriate in your case,

[The speech bubble slides over, and the following words appear and are spoken by the narrator:]

Narrator: you must publicize it through forms of communication that you expect will reach everyone affected by the privacy breach.

[The text fades out, and the following words appear and are spoken by the narrator:]

Narrator: This can include public announcements,

[Beside the speech bubble two rectangles with the word “News” inside appear. The rectangles are filled with rows of text, in columns. Under the first rectangle is the word “Online,” and under the second rectangle is the word, “Off-line.”]

[In the news boxes, white squares appear in gaps in the text rectangles.]

Narrator: such as advertisements in online and offline newspapers, as well as media messaging,

[The speech bubble and the news rectangles slide away, and a drawing of a screen appears. At the top of the screen is a triangle with an exclamation point inside. Rows of text cover the screen. The exclamation point on the screen flashes on and off.]

Narrator: such as a prominent notice on your website, or other online or digital presence.

[The drawing of the screen grows larger, and moves over. Text appears.]

Must include enough information to allow individuals to understand the significance of the breach of security safeguards

Narrator: Your notification must include enough information to allow individuals to understand the significance of the breach of security safeguards, and to take steps, if any are possible, to reduce the risk of harm that could result from the breach, or mitigate the harm.

[The text disappears, and new text fades in.]

Make sure your notice is easy to understand

Narrator: As well, make sure your notice is easy to understand. Your notification must include the following:

[The drawing of the screen disappears, and a large rectangle appears in its place. The rectangle has a triangle in the upper corner with an exclamation point inside. Beside the triangle are rows of text. Above the large rectangle, words appear.]

Your notification must include:

[Text fades in next to the rectangle. A white square sits beside the text, with a green checkmark inside the box. The following words appear and are spoken by the narrator:]

Narrator: The circumstances of the breach,

[The drawing of the screen disappears, and a rectangle filled with little squares like a calendar page appears. Beside the calendar page, text fades in and three boxes midway down the calendar page turn red.]

[Text fades in next to the rectangle. A white square sits beside the text, with a green checkmark inside the box. The narrator speaks the text on screen:]

Narrator: the day or period when the breach happened, or, if neither is known, the approximate period.

[The text and calendar disappear, and new text fades in. A rectangle appears. In the upper corner of the rectangle is a broken padlock, and beside the broken padlock are lines of text.]

[Text fades in beside the rectangle. A white square sits next to the text, with a green checkmark inside the box. The narrator speaks the text on screen:]

Narrator: What personal information has been exposed.

[The text and padlock disappear, and new text fades in. Inside the rectangle, a column of four squares fill up with green checkmarks, starting from the top, so that only the bottom box is empty. Beside each check box are lines of text.]

[Text fades in beside the rectangle. A white square sits next to the text, with a green checkmark inside the box. The narrator speaks the text on screen:]

Narrator: The steps you’ve taken to reduce the risk of harm that could result from the breach.

[The text and images inside the rectangle fade out, as well as the text, and new text fades in. Inside the rectangle, three square boxes form a column on. The top two boxes have a green checkmark inside, and the bottom box is empty. Next to the column of boxes is the figure of a person.]

[Text fades in beside the rectangle. A white square sits next to the text, with a green checkmark inside the box.]

Narrator: The steps that affected people could take to reduce or mitigate the risk of harm, and,

[The text and the images inside the rectangle fade out. New text fades in and inside the rectangle, a white circle with the head and shoulders of a person inside appears. Next to the person, rows of white text appear.]

[Text fades in beside the rectangle. A white square sits next to the text, with a green checkmark inside the box. The narrator speaks the text on screen:]

Narrator: contact information that the affected people can use to obtain further information about the breach.

[All text and images disappear. A figure of a person standing slides in.]

[Facing the person a square speech bubble appears, with an exclamation point inside.]

Narrator: Now that we’ve looked into notifying all the people affected by a breach of security safeguards, we’ll look at notifying other organizations.

[The person and the speech bubble slide away, and a drawing of a building appears. The building has two rows of windows at the top. Below the rows of windows are two narrow windows, and beside the windows is a narrow door. Next to the door is an alcove. Emerging from the store is a square speech bubble with an exclamation point inside.]

[Text fades in. The narrator speaks the text on screen:]

Narrator: You should notify any government institution or organization that you believe can:

[Text fades in. The narrator speaks the text on screen:]

Narrator: Reduce the risk of harm that could result from the breach,

[The text on the bottom fades out, and is replaced by new text. The narrator speaks the text on screen:]

Narrator: or, mitigate the harm.

[The text and drawing of the store disappear, and a large white circle appears in their place. The white circle has a question mark in the middle.]

Narrator: Which organizations you notify depends on the circumstances of a particular breach.

[The circle slides away and a drawing of a police officer slides in.]

Narrator: But some examples include notifying law enforcement in the case of a computer system attack,

[The drawing of a police officer slides off, and a drawing of a credit card with a chip slides in. A padlock appears beside the credit card, and breaks in half just under the latch.]

Narrator: or letting the organization that processes your payments know that a breach of personal information has happened, if it involves payment card information.

[The credit card and padlock slide off and a drawing of a hand with the pointer finger extended appears. The pointer finger has a string bow tied around it.]

Get the word out to institutions and organizations that can help you reduce the risk or mitigate the risk of harm to affected individuals

Narrator: The important thing to remember is to get the word out to institutions and organizations that can help you reduce the risk or mitigate the risk of harm to affected individuals.

[The images and text fade out to black.]

[Office of the Privacy Commissioner of Canada Logo.]

[The website address fades in below the logo, with “priv” underlined in yellow.]

priv.gc.ca/breach

[Music fades out]

[Fades to black]


Questions? Comments? Contact our Office at 1-800-282-1376.
