OPC Publishes Advice on What to Do If an Individual Receives a Breach Notification

On November 11, 2018, changes to section 10.1 of the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (PIPEDA) came into force. In cases where a breach of security safeguards affecting personal information creates a real risk of significant harm to the individual, PIPEDA now requires organizations that hold an individual’s personal information to notify that individual in the event of a breach. Recently, the Office of the Privacy Commissioner of Canada (OPC), published advice to individuals on what to do when they receive a breach notification.

Once an organization conducts risks assessments and determines that a breach poses a real risk of significant harm, the organization must contact and notify the individual as soon as feasible, and give the individual easy-to-understand information. The OPC has established the following guidelines for individuals:

1. Read the notice carefully: The notice will provide the individual with information about the breach and how they can reduce their risks of harm.
2. Keep the breach notification in a safe place: The information found in the notice may be of importance later on.
3. Change your password: This applies not only for any passwords that may be linked to the breach, but also when the same password is used for different accounts.
4. Monitor affected accounts: This is especially important if the breach involves sensitive information like financial information.
5. Ask questions and stay vigilant: If there are questions regarding a breach, contact the organization through the contact information provided in the breach notification. Bad actors may not act right away, so it is important to take precautions to continuously protect one’s personal information.

Summary By: Alessia Monastero