Keeping records
A short video explaining how to keep records of all breaches. This video complements our guidelines on mandatory breach requirements.
[Office of the Privacy Commissioner of Canada logo is centred in white on a black screen.]
[♪]
[A pink rectangle appears on the screen. In the corner of the rectangle, the word “breach” appears in white.]
BREACH
[A still image appears of a close-up of a woman’s hand pulling a file folder out from a drawer full of file folders. The picture darkens, and fades into the background. An orange rectangle appears with the words, “Keeping records” written on it. Beside the words is a drawing of an open file folder, with a padlock sitting in front of it.]
Keeping records
[Text fades in beneath the orange rectangle.]
Keeping records of all breaches
Narrator: So now let’s look at keeping records of all breaches.
[The text below the orange rectangle disappears, and a locked padlock appears in its place. The padlock breaks in half beneath the latch.]
[Beside the padlock a triangle appears with an exclamation point inside.]
Narrator: Up to now, we’ve focused on breaches of personal information that pose a real risk of significant harm.
[The padlock and the triangle slide down and away. A drawing of a closed file folder, with papers barely visible inside, appears. Beside the file folder, text appears.]
The law requires that you keep and maintain a record of every breach of security safeguards involving personal information
[The text fades out, and new text fades in.]
That is under your organization’s control
Narrator: But the law requires that you keep and maintain a record of every breach of security safeguards involving personal information that is under your organization’s control,
[The text fades out, and new text fades in. The narrator speaks the text on screen:]
Narrator: regardless of whether the personal information involved is sensitive, or the probability of the information being misused.
[The text and file folder fade out, and new text fades in. Beside the text a drawing of a clipboard appears.]
[White text appears in rows on the clipboard. Next to each row of text is a small square, like a bullet point. The narrator speaks the text on screen:]
Narrator: It is important for your business to have good documentation of any privacy breaches that have taken place,
[The text fades out, and new text fades in. The narrator speaks the text on screen:]
Narrator: And to keep all the records for future reference.
[The text and clipboard fade out, and a drawing of a piece of paper appears. There is a pencil in front of the piece of paper. The top of the paper is dog-eared, and lines of white text cover the top of the page.]
Narrator: When you make a record of a security breach, you must include:
[Text fades in beside the rectangle. A white square sits next to the text, with a green checkmark inside the box. The narrator speaks the text on screen:]
Narrator: The date, or estimated date of the breach,
[The text fades out, and new text fades in. A white square sits next to the text, with a green checkmark inside the box. The narrator speaks the text on screen:]
Narrator: a general description of the circumstances,
[The text fades out, and new text fades in. A white square sits beside the text, with a green checkmark inside the box. The narrator speaks the text on screen:]
Narrator: what personal information was exposed,
[The text fades out, and new text fades in. A white square sits beside the text, with a green checkmark inside the box.]
Narrator: whether or not the breach was reported to the Office of the Privacy Commission of Canada, the OPC, and,
[The text fades out, and new text fades in. A white square sits next to the text, with a green checkmark inside the box. The narrator speaks the text on screen:]
Narrator: if all affected individuals were notified.
[The text and paper slide down and away. New text fades in. Beside the text a drawing of a clipboard appears.]
[White text appears in rows on the clipboard. Next to each row of text is a small square, like a bullet point. The narrator speaks the text on screen:]
Narrator: Every record must also include enough information for the OPC to assess whether you have correctly applied the real risk of significant harm standard.
[The text fades out, and new text fades in. The narrator speaks the text on screen:]
Narrator: The records must also indicate that you have followed through by filing a report to the OPC, and notifying affected people if the incident is deemed to meet the standard.
[A locked padlock appears with a target on the front. The padlock breaks in half beneath the latch.]
[Beside the padlock a triangle appears with an exclamation point inside.]
Narrator: If you determine that a breach doesn’t pose a real risk of significant harm,
[The padlock slides over and the triangle disappears. Text fades in. The narrator speaks the text on screen:]
Narrator: be sure to include a brief explanation in your record that explains your reasons for not reporting it to the OPC, or notifying affected individuals.
[The text and padlock slide down and away, and a drawing of a file folder appears on the left. A piece of paper sits on top of the closed file folder. The paper has white text on it. New text fades in. The narrator speaks the text on screen:]
Narrator: Records should describe the type of information involved in the breach of security safeguards,
[The text fades out, and new text appears in its place. Next to the file folder and piece of paper, a circle appears with the drawing of a person’s head and shoulders inside. The circle turns red, and a red line slashes across it. The narrator speaks the text on screen:]
Narrator: but need not include personal details, unless it’s needed to explain the nature and sensitivity of the information.
[The file folder and text slide down and away, and a calendar page replaces it. Under the calendar page, text appears along the bottom.]
You must keep the record for 24 months
Narrator: You must keep the record for 24 months from the day on which you determined that the breach has occurred.
[The calendar page slides away. Three pieces of paper slide in, all slightly overlapping each other. Each piece of paper has a broken padlock in the corner, and is covered with rows of white text. The text at the bottom fades out, and new text appears in its place.]
You must keep a record of every breach of security safeguards
Narrator: And remember, you must keep a record of every breach of security safeguards, not just those that are considered to present a real risk of significant harm to individuals.
[The images and text fade out to black.]
[Office of the Privacy Commissioner of Canada Logo.]
[The website address fades in below the logo, with “priv” underlined in orange.]
priv.gc.ca/breach
[Music fades out]
[Fades to black]
Questions? Comments? Contact our Office at 1-800-282-1376.