With the first wave of amendments to Quebec's Act respecting the protection of personal information in the private sector (“PPIPS”) having taken effect just over a month ago, we thought we would share some misconceptions that we have come across while discussing security incidents involving personal information – a “privacy incident” – and the mandatory reporting of such incidents.
As a reminder, in Quebec, “personal information” is defined as any information that relates to a natural person and allows that person to be identified directly or indirectly. A “privacy incident” is the access, use or disclosure of personal information not authorized by law as well as the loss of personal information or any other violation of the protection of this information.
1. “Only a few files were affected, so we’re not going to report it.”
How personal information reporting thresholds work in Quebec may seem somewhat counter-intuitive to seasoned risk analysts. Unlike most other forms of operational risk analysis – in which the assessment of the severity and impact of an event, and the actions to be taken to address it, is usually based on the number of systems or people affected and/or the costs to the entity – a privacy incident must be reported if it is believed that the incident could result in a risk of serious injury to the person or persons whose information has been compromised.
The assessment of “risk of serious injury” is based on:
- the sensitivity of personal information,
- the anticipated consequences of its use, and
- the likelihood that this information will be used for harmful purposes.
Such assessments may lead to the conclusion that what initially appeared to be very minor breaches require notification, while larger breaches do not. For example, the compromise of a single file containing a passport number and name will require notification, whereas the loss of a USB key containing only the email addresses of 150 people might not.
2. “The information is old, so we’re not going to report it.”
Regardless of the age of the personal information, any compromise of this information that could result in a risk of serious injury requires notification to Quebec's privacy regulator, the Commission d'accès à l'information (“CAI”), and to the individual whose personal information has been compromised. If there is a risk of serious injury, the only three cases in which the person does not need to be notified directly are:
- if sending such notice is likely to cause increased harm to the individual;
- if sending such notice is likely to cause undue hardship to the entity; or
- if the entity does not have the contact details of the person.
In each of these cases, however, the entity is required to make a public notice of the privacy incident, for example on its website.
3. “Only the paper files were stolen, so it was not a privacy incident.”
One thing we often forget is that privacy incidents are platform-independent. It does not matter whether the personal information was recorded in a paper or digital document: if it has been compromised, a privacy incident has occurred, and a “risk of serious injury” assessment is triggered, along with any reporting obligations that follow from it. The possibility of paper files being compromised and triggering notification obligations is one reason why entities should not blindly rely on their cybersecurity incident response procedures to comply with privacy legislation. Because of their focus on cybersecurity, these procedures often fail to cover compromised personal information contained in paper records.
4. “We anonymize all personal information we collect, so there is no risk.”
Are you sure?
While it is true that anonymized personal information is no longer considered information about an identifiable individual and is therefore, in principle, not protected by applicable privacy laws, true anonymization is not possible. What is generally meant by “anonymization” is a variant of de-identification, which is a slightly different concept in privacy law. Although anonymization reduces the level of sensitivity of personal information and – depending on the techniques used – can actually make that information very difficult to re-identify, re-identification is, at least in theory, often possible. Before dismissing a privacy incident on the grounds that the personal information has been anonymized, it is important to fully understand the techniques used to anonymize that information and to conduct a risk analysis of the likelihood of re-identification and the resulting risk of serious injury.
5. “We are victims of a cyberattack, so we must report it to the CAI.”
Here’s the good news, at least from a privacy perspective. Just because you’ve suffered a cyberattack doesn’t automatically mean you have to report it to the CAI. If the compromised files did not contain personal information or if, following an assessment of the potential risk of serious injury, it is determined that notification is not required, then the entity has no obligation to report the attack to the CAI. If the attack involves personal information (regardless of whether or not this information creates a risk of serious injury), the entity must still document the attack and the reasons why it decided not to inform the CAI and the people concerned.