Deal with privacy breaches quickly
Deal with privacy breaches, quickly
A privacy breach is the improper or unauthorized collection, creation, use, sharing, retention or disposal of personal information. A privacy breach may occur within an institution or off-site. It may be the result of inadvertent errors or malicious actions by employees, third parties, including partners in information sharing arrangements or bad actors.
Primary causes of a privacy breach
The most common cause of a privacy breach is human error, for example:
- a misdirected email or postal mail containing personal information, such as an email with login credentials or a postal package that includes a passport
- not protecting equipment that contains personal information. For example, transferring a hard drive without clearing its data
- unauthorized access to personal information, such as snooping in a database
- collecting more information than is needed
- holding onto personal information for longer than you needed or for longer than you indicated in your retention plan
Marie, a program officer, gets a new portfolio of files right before she leaves on vacation for a month.
When Marie returns, she tries to access her former portfolio and keeps getting denied. After three attempts, she’s locked out of her account and must request an official password change with the administrator of the system.
Marie is frustrated but realizes that since she got a new portfolio before her vacation this prevented her from accidentally accessing files that are not hers. This shows that the safeguard implemented to limit unauthorized access was successful.
Material privacy breaches
Material privacy breaches involve a real risk of significant harm to an individual. This includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, identity theft, and financial loss.
These types of breaches must be reported to the Office of the Privacy Commissioner of Canada (OPC) and to the Treasury Board of Canada Secretariat (TBS).
Preventing a privacy breach
Ideally, you want to prevent breaches from happening. Implementing safeguards is an important first step, but you’re also advised to create a plan for dealing with a privacy breach, before it happens.
Your initiative must have a plan to respond to privacy breaches affecting any personal information under its control. This includes personal information shared with or collected by third parties as part of a contract or agreement.
The plan to respond to a privacy breach must:
- include roles and responsibilities
- align with any security requirements
Privacy tip: When responding to a breach, be careful not to take any steps that would make the situation worse or lead to another breach, for example sharing additional personal information.
Managing a privacy breach
There are four steps to respond to a breach in privacy:
Step 1: Identify and contain the breach
If your initiative suspects a privacy breach, employees must try to control it right away. Then, employees should notify privacy and security officials of the potential or confirmed breach.
Step 2: Complete a full assessment of the breach
Your initiative needs to work with the privacy experts to decide whether a full assessment of the breach is needed.
Step 3: Mitigate and Communicate the impacts of the breach
When the breach is contained, work with your privacy experts to put in place measures to reduce the risk of it happening again, including informing the public.
Step 4: Prevent another breach
Your initiative needs to put in place prevention measures to reduce the risk of a future breach occurring. These measures must be put in place within a suitable time frame.
At this point, the privacy experts will need to complete a formal report to inform the OPC and TBS if the breach is considered a material breach.
- Date modified: