Ajax Privacy and Cybersecurity Lawyer, Rajen Akalu, of Akalu Law P.C., provides his comments on the Real Risk of Significant Harm (RROSH) test pursuant to Canada’s federal privacy law, PIPEDA.

A security breach is a stressful event.  Under Canada’s federal privacy law, PIPEDA, organizations that suffer a data breach involving personal information must assess whether the breach creates a real risk of significant harm (RROSH) to individuals. This assessment is critical, as it determines whether the organization must notify affected individuals and the Office of the Privacy Commissioner of Canada (OPC).

What is “Real Risk of Significant Harm”?

According to PIPEDA, “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, financial loss, identity theft, negative effects on credit records, and damage to or loss of property.

To determine if there is a real risk, organizations must consider:

  1. The sensitivity of the personal information involved.
  2. The probability the information will be misused.

For example, a breach involving names and email addresses may not trigger notification obligations, but one involving SINs, banking information, or medical records likely would.  It also matters whether the data loss was unauthorized or inadvertent.  And then there are the grey areas where it's not clear whether a real risk is present or not.

In the typical breach scenario, the affected organization will contact its insurer, who will in turn refer it to an approved lawyer.  The lawyer may be contacted directly if there is no insurance in place.  After reviewing the facts, the lawyer will make an assessment as to whether the breach constitutes a real risk of significant harm.  If it does, a report will need to be filed with the Office of the Privacy Commissioner. (See LINK)

A lot is riding on the judgement of the lawyer.  If there's a real risk, mandatory reporting will be required and affected individuals will need to be notified.  Depending on the number of individuals affected, this can potentially be very expensive and, as some privacy scholars have argued, arguably ineffective.  Moreover, the OPC may also require remediation measures to be put in place, and the organization may become subject to a class action lawsuit.

Most recently, the OPC created a privacy breach risk self-assessment tool.  Once the questionnaire is completed, the tool will indicate whether a real risk of significant harm is either likely or unlikely. This can help inform next steps, including whether to report the breach.

Why This Matters

Failing to assess and act on a real risk of significant harm can result in:

  • Legal and reputational consequences
  • Fines of up to $100,000 per violation
  • Loss of public trust

Here are some practical steps you can take…

  1. Have a data breach response plan
  2. Document your RROSH assessment process
  3. Notify promptly if the test is met
  4. Train staff on breach identification and reporting

Final Thoughts

The real risk of significant harm test provides criteria by which organizations determine whether mandatory reporting to the OPC is required.  The OPC does have a tool to facilitate this, but it is prudent to speak with a lawyer here as the legal and financial consequences are potentially significant.

Rajen Akalu
647 299 5079
rajen@akalulaw.com