News reports regarding the so-called Heartbleed computer virus
sparked concerns regarding cyber security and digitally stored
personal information. The Canada Revenue Agency announced that the
virus caused a security breach involving the compromise of the
social insurance numbers of hundreds of individuals. Other
high-profile payment system breaches have also been reported.
Although it makes for interesting news, it is not always the
effect of a computer virus or the actions of a computer hacker that
can lead to a breach of personal information. Human error or
systems errors also lead to reported privacy breaches (see our
previous article "
Alberta Privacy Commissioner Issues Report on Privacy

Nevertheless, the security of digitally stored personal
information is a key part of securing all of the personal
information held by your organization. What can your organization

Keep up-to-date on information security practices. Your IT
personnel and your organization's Privacy Officer should be
involved in this crucial ongoing obligation.

Limit your collection of personal information. Consider your
organization's collection practices. Collect only what you need.
For instance, a social insurance number is valuable information for
identity thieves. Your organization may only need this information
for limited groups of individuals (such as your employees).

Take steps to secure personal information. Put in place adequate
safeguards which are appropriate to the types of personal
information you collect. Adopt appropriate policies and procedures,
including those related to responding to a privacy breach.

Be vigilant and provide training. Monitor for privacy breaches, and
train your employees to report potential privacy breaches to your
Privacy

Consider your reporting duties. If your activities fall under
Alberta's Personal Information Protection Act, or certain other
privacy statutes in other jurisdictions, report to the appropriate
parties any breach that leads to a real risk of significant harm
(including the risk of identity theft). Proposed amendments to the
federal private-sector Personal Information Protection and
Electronic Documents Act will also necessitate the reporting of
privacy breaches.

Consider the potential for liability. Depending on the application
of privacy laws and the availability of tort actions in a
particular jurisdiction, a lawsuit, including a class action, could
be filed in relation to privacy breaches. Consult legal counsel
about liability

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.