Privacy Implementation Notice 2022-01: Cyber security incidents involving personal information
1. Effective Date
This implementation notice takes effect on January 28, 2022.
This implementation notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.
This implementation notice serves to assist institutions in meeting their Privacy Act requirements in the event of a cyber security incident, hereafter referred to as a cyber incident, that involves personal information. A cyber incident constitutes any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource.
This notice advises privacy officials, who are usually within the institution’s Access to Information and Privacy (ATIP) office, of their obligations regarding cyber incidents involving personal information held by or on behalf of the institution and the corresponding obligations of program and security officials. It also provides guidance on managing such incidents.
Large-scale cyber incidents involving personal information held by federal institutions and by third parties on their behalf have highlighted the need to effectively manage resulting privacy breaches. Privacy breaches are defined as the improper or unauthorized creation, collection, use, disclosure, retention or disposition of personal information. Mitigating the risks and harms associated with cyber incidents involving personal information is increasingly important as the Government of Canada moves towards a model of digital government and online service delivery.
It is essential that privacy officials are aware of their responsibilities and their institution’s plans and procedures for addressing privacy breaches, as well as the roles of program and security officials, in order to coordinate the institution’s response to breaches when necessary. This notice is part of ongoing TBS efforts to ensure appropriate management of cyber incidents involving personal information. It complements the forthcoming publication of an update to the Government of Canada Cyber Security Event Management Plan (GC CSEMP).
A cyber incident is a type of security event. A cyber incident can lead to or include a privacy breach if it involves personal information. Examples of potential cyber incidents include
- Suspicious or targeted emails with attachments/links that were not detected by existing security controls;
- Suspicious or unauthorized network activity;
- Data breaches or compromise/corruption of information; and
- Breaches of a GC service that is hosted or managed in the cloud.
In the event a cyber incident involves personal information, and may therefore constitute a privacy breach, it is imperative that privacy officials are aware of their responsibilities and coordinate their response with program and security officials where required.
Responsibilities of privacy officials
The Directive on Privacy Practices requires institutions to establish plans and procedures for addressing privacy breaches in their institution. These plans and procedures must align with the Policy on Government Security and its related directives and standards. They should speak to containing, assessing, and mitigating the breach, notifying those affected, and preventing a recurrence. They should also include steps to ensure institutional security is notified as necessary, as privacy breaches are frequently caused by or involve security incidents. Privacy officials should support program managers and officials in implementing the institution’s plans and procedures when a privacy breach occurs.
All material privacy breaches must be also reported to TBS and the Office of the Privacy Commissioner by privacy officials, as per 6.1.2 the Directive on Privacy Practices, and a record should be kept of all privacy breaches, whether material or not. These steps are critical to enable the tracking of privacy breaches and the identification of trends in threats to privacy across government, particularly in the context of cyber incidents.
In the case of a potential privacy breach that cannot be conclusively confirmed as a privacy breach, it is recommended that privacy officials treat the event as a breach and support programs in implementing the institution’s plans and procedures.
Responsibilities of program managers and officials
It is the responsibility of program managers and officials to implement the institution’s plans and procedures for addressing privacy breaches. When program officials become aware of a cyber incident that may involve personal information, steps must be taken to secure the affected information and prevent any further compromise of personal information.
In the event of a cyber incident, program officials should liaise with both privacy and security officials. Privacy officials are best placed to determine whether personal information has been affected (i.e. whether a privacy breach has occurred) and, if so, the degree of risk to privacy associated with the cyber incident. If a privacy breach has occurred, privacy officials should subsequently aid program officials in managing the privacy breach. Security officials are in turn responsible for identifying any security deficiencies and making recommendations or launching an investigation, where appropriate.
Responsibilities of security officials
The Policy on Service and Digital and Directive on Service and Digital set out a number of requirements for security officials with regard to cyber incidents. Institutions’ designated official for cyber security, in coordination with the institution’s Chief Information Officer and Chief Security Officer (CSO), must take immediate action to assess impacts and implement mitigation measures in response to cyber incidents and events. Plans must also be in place to respond to cyber security incidents and events in accordance with the GC CSEMP. As per the Directive on Security Management, the CSO is responsible for establishing institution-wide processes to monitor and ensure a coordinated response to all security incidents.
The Policy and Directive on Service and Digital also require institutions to establish roles and responsibilities for reporting cyber incidents, including those that result in a privacy breach. The GC CSEMP further specifies that privacy officials be notified of all cyber incident where there is the possibility that personal information is involved. This is to ensure any potential privacy breaches are detected. As per the Standard on Security Event Reporting, security officials will report the incident to law enforcement and/or national security agencies in certain circumstances.
Coordination between privacy and security officials
Institutions’ plans and procedures for addressing privacy breaches and managing cyber incidents should include steps to notify and coordinate with privacy or security counterparts where necessary. The respective responses of privacy and security officials to a cyber incident involving personal information should be coordinated in key parts of the following stages: 1) assessment, 2) mitigation and prevention, and 3) notification.
Privacy officials should, in most cases, conduct a full assessment of a cyber incident involving personal information. However, a full assessment may not be necessary if the preliminary assessment undertaken by program officials provides sufficient information to rule out a material privacy breach and determine appropriate mitigation and prevention measures. For example, a breach caused by a misdirected email that contains non-sensitive personal information and is received by a known entity (e.g. a contractor or an employee without a need-to-know) may not require a full assessment. Privacy officials could determine based on the information provided by the preliminary assessment by the program official that it is not a material privacy breach and that mitigation and prevention measures are easily applied. Security officials, meanwhile, would conduct an investigation of the incident.
Communication between privacy and security counterparts during the course of these processes is important to ensure the causes and implications of the incident are fully understood and documented. For example, in the case of an unauthorized access to personal information, a security analysis may shed light on the cause (such as a technological vulnerability) and extent of an unauthorized access, which can have a bearing on determining the materiality of a privacy breach. Conversely, a privacy analysis can determine the sensitivity of the personal information involved and the risk of harm to the individuals affected. This can aid security officials in determining the impact on the institution, such as reputational, legal or financial risks, and whether subsequent mitigation or escalation is warranted. As a best practice, the relevant outcomes of these processes should be shared with privacy and security counterparts.
2) Mitigation and prevention
Coordination should also occur in the implementation of mitigation and prevention measures in response to a cyber incident involving personal information. Institutions’ plans and procedures for addressing privacy breaches should include appropriate prevention measures, which may include both privacy and security measures, such as additional privacy training, the revocation of security clearance, the reconfiguration of security controls, or even a temporary shutdown of a service.
Depending on the institutional process established, either privacy or security officials should notify the Deputy Head and the institution’s communications group of a cyber incident involving a privacy breach when necessary. If a privacy breach has or could become a matter of public interest, communications officials should be notified so that communications material may be prepared to answer questions from the public, the media, or Parliamentarians. The institution’s legal services unit should also be notified if the assessment concludes that there is a risk of litigation. As explained below, Public Service and Procurement Canada (PSPC) should be notified of cyber incidents and privacy breaches occurring within third parties under contract with the institution.
Third-party cyber incidents
Stewardship of Canadians’ personal information requires government institutions to ensure personal information is protected regardless of where and by whom it is held. The Policy on Privacy Protection requires institutions to establish measures to ensure the requirements of the Privacy Act are met when establishing contracts, agreements or arrangements that involve personal information. Third parties that are not institutions of the federal government are subject to other laws. Their response to a privacy breach will be dictated by those laws as well as the stipulations of the contract, agreement or arrangement. Programs should consult their privacy officials and legal services to determine relevant obligations. In all cases of third-party cyber incidents involving personal information held on behalf of a government institution, it is important that the institution determine whether a privacy breach has occurred and take steps to ensure any privacy breach is managed appropriately.
When entering into a contract or arrangement that involves personal information, programs should ensure appropriate clauses are included to protect and manage the personal information, including the requirement for the third party to notify the institution immediately of any cyber incident or privacy breach that involves the personal information. In the event of such a notification, institutions should alert the Special Investigations and Internal Disclosure Directorate (SIID) of PSPC, who is responsible for investigating privacy breaches resulting from cyber incidents involving third-party contractors. In addition to ensuring contractual obligations are met, SIID will coordinate with the affected institution and other government stakeholders to further the investigation of the incident.
It is strongly recommended that institutional plans and procedure for addressing privacy breaches cover privacy breaches occurring within third parties that affect personal information being held on behalf of the institution. Measures that should be a part of plans and procedures include notifying affected individuals when they may be able to take steps to protect themselves. Steps should also be taken to ensure the risks associated with the privacy breach are assessed and notification is sent to the OPC and TBS if the breach is material. Institutions should keep a record of all privacy breaches, including those that occur within third parties.
For more information on ensuring appropriate privacy safeguards are in place for information sharing, consult the Guidance on Preparing Information Sharing Agreements Involving Personal Information and Guidance Document: Taking Privacy into Account Before Making Contracting Decisions.
This implementation notice applies to the government institutions as defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.
Related Treasury Board policy instruments
- Directive on Privacy Practices
- Directive on Security Management
- Directive on Service and Digital
- Government of Canada Cyber Security Event Management Plan
- Guidance Document: Taking Privacy into Account Before Making Contracting Decisions
- Guidance on Preparing Information Sharing Agreements Involving Personal Information
- Guidelines for Privacy Breaches
- Policy on Government Security
- Policy on Privacy Protection
- Policy on Service and Digital
- Privacy Breach Management Toolkit
- Standard on Security Event Reporting
Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this implementation notice.
Employees of federal institutions may contact their Access to Information and Privacy (ATIP) coordinator for information about this implementation notice.
- Date modified: