Canada launches breach risk self-assessment online tool

Privacy Commissioner of Canada Philippe Dufresne has launched a new online tool that will help businesses and federal institutions that experience a privacy breach to assess whether the breach is likely to create a real risk of significant harm to individuals.

The privacy breach risk self-assessment tool is a convenient web-based application that guides users through a series of questions to assess the sensitivity of personal information that is involved in a data breach, and the probability that it will be misused.

The results provided through this online tool will help organizations to conduct a risk assessment following a data breach and determine their required next steps, including notifying affected individuals.

Organizations that are subject to Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and federal government institutions, are required to report breaches that pose a real risk of significant harm to the Office of the Privacy Commissioner of Canada and to notify affected individuals.

Real risk of significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, financial loss, identity theft, negative effects on one’s credit record, and damage or loss of property.

In determining whether there is a real risk of significant harm, organizations must consider the degree of sensitivity of the personal information involved and the probability that the information will be misused.

Privacy breaches may result from identity theft, scams, hacking or other unauthorized access, be it deliberate or accidental. Sensitive information often includes personal health and financial data.