Risks of significant harm

[Office of the Privacy Commissioner of Canada logo is centred in white on a black screen.]

[♪]

[A pink rectangle appears on the screen. In the corner of the rectangle, the word “breach” appears in white.]

BREACH

[A still image of a person’s hands appears, holding a smartphone in front of an open laptop. The laptop has graphs and arrows and many rows of text. The smartphone’s screen has a locked padlock in the centre. The picture darkens, and fades into the background. A yellow rectangle appears with the words, “Risks of significant harm” written on it. Beside the words is a white triangle with an exclamation point inside of it.]

Risks of significant harm

[Text fades in below the yellow rectangle.]

What do we mean by a real risk of significant harm and how does it apply?

Narrator: First up is, what do we mean by a real risk of significant harm, and how does it apply?

[The text fades out, and a header fades in at the top, just under the yellow rectangle.]

According to PIPEDA, significant harm includes:

[Text appears beneath the header and is spoken by the narrator:]

Narrator: According to PIPEDA, significant harm includes bodily harm,

[The text beneath the header fades out, new text fades in and is spoken by the narrator:]

Narrator: humiliation,

[The text beneath the header fades out, new text fades in and is spoken by the narrator:]

Narrator: damage to reputation or relationships,

[The text beneath the header fades out, new text fades in and is spoken by the narrator:]

Narrator: loss of employment, business or professional opportunities,

[The text beneath the header fades out, new text fades in and is spoken by the narrator:]

Narrator: financial loss,

[The text beneath the header fades out, new text fades in and is spoken by the narrator:]

Narrator: identity theft,

[The text beneath the header fades out, new text fades in and is spoken by the narrator:]

Narrator: negative effects on the credit record,

[The text beneath the header fades out, new text fades in and is spoken by the narrator:]

Narrator: and damage to, or loss of property.

[The text fades out, and a large white circle appears in its place. The white circle has a question mark in the middle.]

[The white circle slides over, and a white padlock appears beside the white circle. The padlock has a target in the middle. The padlock breaks in half just below the latch.]

Narrator: So how do you assess whether a breach of security safeguards creates a real risk of significant harm to one,

[Drawings of four people appear to the right of the padlock. The edge of another person is just barely visible at the edge of the screen.]

Narrator: or multiple individuals?

[The circle, padlock, and people slide down and away, and the drawing of a store appears. The store has a large picture window with a small “open” sign in the corner. Next to the window is a narrow door.]

[A sheet of paper appears beside the store. The sheet of paper has five squares in a column on it, and next to each square there is text. Beside the store, text fades in.]

Framework for assessing the real risk of significant harm

[A red checkmark appears in the second box from the top in the column on the piece of paper.]

Narrator: Your business should have a framework in place for assessing the real risk of significant harm.

[The text fades out, new text fades in and is spoken by the narrator:]

Narrator: This will ensure that you assess all breaches the same way, every time.

[A large white padlock appears. The padlock has a target in the centre. The padlock breaks in half just under the latch.]

[A magnifying glass appears next to the padlock, and angles over it, so that the glass of the magnifying glass highlights the edge of the break in yellow.]

Narrator: Consider these two questions each time you assess a breach of security safeguards.

[The padlock and magnifying glass slide to over, new text fades in and is spoken by the narrator:]

Narrator: Ask yourself, how sensitive is the personal information involved in the breach?

[The text fades out, new text fades in and is spoken by the narrator:]

Narrator: How likely is it that the personal information has been, or ever could be, misused?

[The text, padlock, and magnifying glass disappear. A large white drawing of a sheet of paper appears. There are rows of text covering it.]

[A triangle appears beside the piece of paper, slightly overlapping. The triangle has an exclamation point inside.]

Narrator: Before we move on, let’s look at some examples of what information is considered sensitive, and how to determine the likelihood of it being misused.

[Text fades in beside the piece of paper and is spoken by the narrator:]

Narrator: Some information is almost always considered sensitive.

[The piece of paper transforms into a clipboard, and a zig-zagging line like that of a heart monitor replaces the text.]

Narrator: Things like medical records, and financial records.

[The text fades out and new text replaces it.]

[The zig-zag line on the clipboard is replaced by a column of circles like bullet points, with text beside them. The following text appears next to the clipboard and is spoken by the narrator:]

Narrator: Personal information that is commonly circulated, names and addresses, for example,

[The white triangle with the exclamation point on it disappears.]

Narrator: is not generally considered sensitive.

[The clipboard transforms into a rectangle with three tiny circles at the top. The list of bullet points remains. At the bottom of the bullet point list is a white padlock.]

Any information can be sensitive, depending on the context

Narrator: However, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.

[The text and image fades out, and a store slides in. The store has a large picture window, with a small “open” sign in the corner. Beside the window is a narrow door. Next to the store is a small broken padlock with a target on the front. The padlock is broken in half just below the latch.]

Narrator: So if a breach of security safeguards happens at your business,

[Six small pieces of paper fly up to rest to the right of the store. The papers all have white text on them.]

Narrator: it’s important to take into account what personal information has been breached,

[Three of the six pieces of paper, one in the top row, and two in the bottom, flash and turn orange.]

Narrator: and the situation, or the impact that this breach has created, or can create.

[Text fades in beside the store, below the padlock.]

Will this create a real risk of significant harm to an individual?

Narrator: This will help you determine whether the information is sensitive enough to create a real risk of significant harm to an individual.

[The text fades out, and new text fades in.]

You also need to assess whether the information might be misused

Narrator: Once you consider the sensitivity of the information, you also need to assess whether the information might be misused.

[The text fades out.]

Narrator: When you are determining if breached information is likely to be misused,

[The padlock grows larger, and moves over. A magnifying glass appears next to the padlock, and angles over it, so that the glass of the magnifying glass highlights the edge of the break in yellow.]

Narrator: it’s best to take another close look at the circumstances of the breach.

[The store, pieces of paper, and padlock and magnifying glass disappear, and text appears in their place that is spoken by the narrator:]

Narrator: Here are a few of the questions to consider when determining the probability of misuse.

[The text slides up, and new text appears below it that is spoken by the narrator:]

Narrator: What happened, and how likely is it that someone would be harmed by the breach?

[The text on the bottom fades out and new text appears below the header that is spoken by the narrator:]

Narrator: Who accessed, or could have accessed the personal information?

[The text on the bottom fades out and new text appears below the header that is spoken by the narrator:]

Narrator: How long has the personal information been exposed?

[The text on the bottom fades out and new text appears below the header that is spoken by the narrator:]

Narrator: Has any misuse taken place?

[The text on the bottom fades out and new text appears below the header that is spoken by the narrator:]

Narrator: Is there evidence of malicious intent, as in the case of theft, or hacking.

[The text on the bottom fades out and new text appears below the header that is spoken by the narrator:]

Narrator: Was the information exposed to entities, individuals, like information thieves, who are likely to attempt to cause harm or present a risk to the reputation of the affected individual, or individuals?

[All the text fades out, and a large padlock appears. The padlock is locked, and has a target on the front.]

[The padlock breaks in half just below the latch.]

Narrator: To recap, if there’s a privacy breach at your business,

[A magnifying glass appears next to the padlock, and angles over it, so that the glass of the magnifying glass highlights the edge of the break in yellow.]

Narrator: the two guiding principles to help you assess whether it is a breach that creates a real risk of significant harm are:

[The padlock and magnifying glass slide over, and text fades in that is spoken by the narrator: ]

Narrator: Consider the sensitivity of the breached information,

[The text fades out, and new text fades in that is spoken by the narrator:]

Narrator: determine the likelihood of misuse.

[The text fades out, and the broken padlock and magnifying glass slide back the centre of the screen.]

Narrator: Okay, so let’s say you’ve assessed that there’s been a breach of your security safeguards,

[A triangle with an exclamation point inside of it appears beside the broken padlock.]

Narrator: there is a real risk of significant harm, and you need to report it.

[The triangle and the padlock disappear, and a large white circle with a question mark in the middle appears.]

Narrator: What do you do?

[The images and text fade out to black.]

[Office of the Privacy Commissioner of Canada Logo.]

[The website address fades in below the logo, with “priv” underlined in yellow.]

priv.gc.ca/breach

[Music fades out]

[Fades to black]