Uniform Breach Notification Act

1. Uniform Breach Notification Act Toronto Computer Lawyers Group March 1, 2010 John D. Gregory Ministry of the Attorney General

2. ULCC privacy breach notification 2 Overview Privacy protection � safe to assume? Breach notification � the new wave Uniform Law Conference of Canada What is the test for notification? Who decides? What does the notice contain? What is the penalty? What else do we need to know? Sources and statutes

3. ULCC privacy breach notification 3 Privacy protection No introduction needed Question in today�s context: Is there any particular content needed for the duty to preserve privacy of personal information, in order to support breach notification? How precise should the duty be? Any significant difference between public and private sectors?

4. ULCC privacy breach notification 4 Breach notification Again no introduction needed today �Tell the people you blew it� Shame and cost result: incentive to security? Enable people to protect themselves About 45 US jurisdictions Four Canadian jurisdictions (so far) Ontario PHIPA 2004 Newfoundland and Labrador PHIA 2008 (not in force) New Brunswick PHIPAA 2009 (not in force) Alberta PIPA 2009 (not in force)

5. ULCC privacy breach notification 5 Uniform Law Conference Organization funded and largely populated by federal, provincial and territorial governments Founded in 1918 Works in criminal and civil sections Prepares uniform statutes for P/T and sometimes F/P/T enactment Relatively good record of enactment Works on projects with private sector

6. ULCC privacy breach notification 6 Test for notification When should the duty arise: Any compromise of security? Is possible access to data enough? How sure does one have to be? Only if harm is likely? Possible? How to phrase that risk of harm helpfully? Risk of significant harm Real risk of significant harm Adverse impact on well-being Should it depend on the data compromised? Should there be a safe harbour (e.g. encryption)?

7. ULCC privacy breach notification 7 Who should decide? Data holder has incentive not to notify Privacy commissioner may be busy, understaffed Don�t want data holder to offload responsibility to commissioner Most commissioners (ombudsmen etc) do not have order powers Are advice + guidelines enough?

8. ULCC privacy breach notification 8 Content of the notice How much should the notice contain? Circumstances of the breach? Details of the information lost? Measures to remedy insecurity of holder and avoid a repeat? Outline of risks faced by individual? Steps to take to mitigate these risks? Legal recourse? Commissioner?

9. ULCC privacy breach notification 9 Penalties The breach itself need not be an offence for there to be an offence of not notifying. Yield to police investigation? For how long? Should Crown prosecute the Crown? If not, what enforcement in public sector? Should there be civil remedies (and statutory remedies - otherwise common law actions are shaky because it is hard to prove damages) Should there be other help given Mandatory credit reports, credit freezes, etc?

10. ULCC privacy breach notification 10 Other considerations Over to you What are we leaving out? Must any data holder have access to a specialist in data security, privacy protection, risk analysis (or law)? Other issues

11. ULCC privacy breach notification 11 Sources ULCC 2008 report http://www.ulcc.ca/en/poam2/Identity%20Theft%20Working%20Group%20Report.pdf Paragraphs 4 � 65 Cites commissions� reports etc. ULCC 2009 report (and draft Act) http://www.ulcc.ca/en/poam2/9%20Interim%20Report%20Protection%20of%20Privacy.pdf Cites Parliamentary committee�s views

12. ULCC privacy breach notification 12 Ontario Personal Health Information Protection Act, 2004 s. 12 What: if personal health information is stolen, lost, or accessed by unauthorized persons No degree of risk No safe harbour Action: Notice to individuals When: at the first reasonable opportunity Note: IPC recommends adding discretion

13. ULCC privacy breach notification 13 Newfoundland and Labrador Personal Health Information Act 2008 s. 15 What: information is lost, stolen, disposed of or disclosed to or accessed by an unauthorized person Action: notify the individual When: at the first reasonable opportunity AND if reasonable belief in material breach involving unauthorized collection, use or disclosure, inform the commissioner Safe harbour: reasonable belief of no adverse impact on health care or well-being of individual Commissioner may recommend notice anyway

14. ULCC privacy breach notification 14 New Brunswick Personal Health Information Privacy and Access Act 2009 s. 49 What: information is lost, stolen, disposed of or disclosed to or accessed by an unauthorized person Action: notify the individual and Commissioner When: at the first reasonable opportunity Safe harbour: reasonable belief of no adverse impact on health care or well-being of individual Commissioner may recommend notice anyway

15. ULCC privacy breach notification 15 Alberta Personal Information Protection Act (am. 2009) ss. 34.1, 37.1 What: loss of or unauthorized access to or disclosure of PI when a reasonable person would consider � a real risk of significant harm. Action: Notice to Commissioner When: Without unreasonable delay Commissioner can order notice to individuals May add terms and conditions Commissioner must expedite decision where the real risk of significant harm is obvious and immediate.

16. ULCC privacy breach notification 16 Contact Comments to john.d.gregory@ontario.ca Deadline: end of March 2010 Draft Uniform Act needs to be done by end of May 2010 for proposed adoption in August 2010