What's the harm if personal information is misused?

In this guidance note, we describe the risks and potential harms to individuals that organisations and privacy officers should consider.


The Personal Information Protection Act (PIPA) speaks about risks and harms in a few different sections. But what do we mean when we talk about "harm" from the use or misuse of personal information?


Organisations should consider the risk of harm to an individual when they are assessing what security safeguards are needed, when they suffer a breach of security, and when they are evaluating whether an offense has been committed.


PIPA section 13, "Security safeguards," contains the following requirements:

(1) An organisation shall protect personal information that it holds with appropriate safeguards against risk, including— (a) loss; (b) unauthorised access, destruction, use, modification or disclosure; or (c) any other misuse. [Emphasis added]