Privacy Breach Management

Office of Primary Interest (OPI) Privacy Breach Checklist

The OPI should document the privacy breach by completing the OPI Privacy Breach Checklist. The ATIP and/or CPO official is a valuable resource to assist the OPI in all the steps of the process. They can provide direction on which sections of the OPI Privacy Breach Checklist must be completed. The information to be documented in the checklist is as follows:

• Details on the circumstances that gave rise to the breach: what happened, where it happened, when it happened, and how it was discovered;
• Inventory of the personal information that was compromised;
• Identification of the parties or persons whose personal information has been wrongfully disclosed, accessed, stolen, compromised or lost;
• Identification of the institutional sector or third party responsible for the personal information involved; and
• All other relevant information (e.g., previously similar or related privacy breaches).

Access to Information and Privacy (ATIP) Privacy Breach Risk Impact Instrument

Based on the information provided by the OPI, the ATIP official or the CPO will assess the risk associated with the privacy breach by using the ATIP Privacy Breach Risk Impact Instrument. This contains a "heat sheet" to help the analyst identify the risk impacts for the institution and the affected individual(s). The heat sheet is based on the guiding principles found in TBS's Framework for the Management of Risks, which assesses and identifies the risk impacts to the institution through a privacy lens. When government institutions have access to large amounts of personal information, the ATIP official should consider whether the institution should be held to a higher standard of care with respect to protection of privacy. The challenge for institutions remains how to accurately evaluate the potential impacts that would be incurred by the affected individual, based on the nature of the privacy breach. TBS has provided guidance on how, in general terms, the institution can identify the level of the risk that impacts on the affected individual. During this assessment, the ATIP official should use an objective test, i.e., an evaluation of how a reasonable person would react under similar circumstances if the identical personal information was inappropriately disclosed or breached.

Consider the following factors in assessing the risk:

1. Personal Information Involved
   • What data elements have been breached? (name, contact information, financial, medical, etc.)
   • How sensitive is the information? Generally, the more sensitive the information, the higher the risk of harm to individuals. Some personal information is more sensitive than others (e.g., health information, government-issued pieces of identification such as social insurance numbers (SINs), driver's licence and health care numbers, and financial account numbers such as credit or debit card numbers that could be used to facilitate identity theft). A combination of personal information is typically more sensitive than a single piece of personal information. However, sensitivity alone is not the only criteria in assessing the risk, as foreseeable harm to the individual is also important.
   • What is the context of the personal information involved? A list of clients who requested a copy of Canada's Food Guide, for example, may not be sensitive. However, the same information about clients who have requested information on medical marijuana may be more sensitive.
   • Is the personal information adequately encrypted, anonymized or otherwise not easily accessible?
   • How can the personal information be used? Can the information be used for fraudulent or otherwise harmful purposes? The combination of certain types of sensitive personal information along with name, address and date of birth, suggest a higher risk because of the potential for identity theft.

   An assessment of the type of personal information involved will help to determine how to respond to the breach, who should be informed, and what form of notification to the individuals affected, if any, is appropriate. For example, if a laptop that contains adequately encrypted information is stolen and subsequently recovered, and investigations show that the information was not tampered with, notification of individuals may not be necessary.

2. Cause and Extent of the Breach
   • To the extent possible, determine the cause of the breach.
   • Is there a risk of ongoing breaches or further exposure of the information?
   • What was the extent of the unauthorized access to or collection, use or disclosure of personal information? This includes the number and nature of likely recipients and the risk of further access, use or disclosure, including via mass media or online.
   • Was the information lost or stolen? If it was stolen, can it be determined whether the information was the target of the theft or not?
   • Has the personal information been recovered?
   • What steps have already been taken to mitigate the harm?
   • Is this a systemic problem or an isolated incident?
3. Individuals Affected by the Breach
   • How many individuals' have been affected by the breach?
   • Who is affected by the breach? (employees, contractors, public, clients, service providers, other government institutions, internal or external stakeholders, or others)
4. The Source of the Breach
   • Was the breach the result of an internal processing error or was it due to malicious acts perpetrated by outside parties?
   • Was the breach accidental or intentional?
   • Did it occur on the institution's premises or systems or by a contractor doing business on behalf of the institution?
5. Foreseeable Harm From the Breach
   • In assessing the possibility of foreseeable harm from the breach, what are the reasonable expectations of those affected? For example, a stranger who accidentally receives personal information in error and immediately reports it is less likely to misuse the information than a person suspected of having intentionally intruded into a government building or system.
   • Who is the recipient of the information? Is there any relationship between the unauthorized recipients and the data subject? For example, was the disclosure to an unknown party or to a party suspected of being involved in criminal activity where there is a potential risk of misuse? Or was the recipient a trusted, known entity or a person who would reasonably be expected to return the information without disclosing or using it?
   • What harm to the individuals could result from the breach? Examples include:
     • Financial loss (identity theft);
     • Health implications (physical safety);
     • Loss of reputation (humiliation); or
     • Legal penalties (civil or criminal).
   • What harm to the institution could result from the breach? Examples include:
     • Loss of trust;
     • Financial loss (of assets);
     • Legal proceeding (a lawsuit); or
     • Public interest (public health and safety).

Now that the OPI Privacy Breach Checklist and the ATIP Privacy Breach Risk Impact Instrument are completed, institutions should move on to Step 3: Notification, as the outcomes of the assessment should provide direction as to who should be notified.

ATIP Internal Notification Process

Each situation needs to be considered on a case-by-case basis and in collaboration with the ATIP official and/or the CPO to determine the extent of the notification required by using the Privacy Breach Management Process. ATIP officials and/or the CPO will notify Human Resources, Legal Services and Communications (Public Affairs), as required. The outcomes of the ATIP Privacy Breach Risk Impact Instrument completed in Step 2 can assist in the internal notification process.

Reporting Tool

Who Should Notify the Institution's Internal Official(s)?

The ATIP official and/or the CPO will brief senior management using the Privacy Breach Management Process as reference and by completing the Privacy Breach Management Reporting Tool as soon as possible. This report provides information to senior management by including aggregate (non-identified) information in the background and the type or content of the material breached. When completing the status section of the report, the ATIP official and/or the CPO should pay particular attention by outlining what remedial actions were undertaken and clearly identify whether the breach has been resolved. Providing regular status reports and identifying trends allows senior management the opportunity to identify weaknesses in personal information-handling processes and develop risk mitigation strategies.

Notification Letters

Sample notification letters have been developed to assist institutions with the Notification to Affected Individuals and the Notification to External Stakeholders. Institutions may modify the content of these letters to reflect the context of the breach and the actions taken to date. The Communications Division of the institution should be notified to handle all media inquiries.

Some key elements are important to consider before issuing a notification letter:

1. Notifying Affected Individuals

   The OPI in collaboration with the ATIP official, the CPO and/or the DSO should consider the following factors when deciding whether to notify individuals:

   • What are the legal and contractual obligations?
   • What is the risk of harm to the individual?
   • Is there a reasonable risk of identity theft or fraud (usually due to the type of information lost, such as an individual's name and address, together with government-issued identification numbers or date of birth)?
   • Is there a risk of physical harm (such as stalking, harassment or worse)?
   • Is there a risk of humiliation or damage to the individual's reputation (e.g., when the information lost includes mental health, medical or disciplinary records or other information)?
   • What is the ability of the individual to avoid harm or mitigate possible harm?
   • Use Notification to Affected Individuals: Sample Letter.
2. When to Notify, How to Notify and Who Should Notify

   At this stage, the OPI Privacy Breach Checklist, which contains a set of facts to use in determining whether to notify individuals, should be completed.

   When to notify: Notification of individuals affected by the breach should occur as soon as reasonably possible following assessment and evaluation of the breach.

   How to notify: The preferred method of notification is direct and proactive (i.e., by telephone, letter or in person) to affected individuals. Indirect notification, via information posted on the institutional website, posted notices or the media, should generally be used only when the individuals cannot be located or the number of individuals is so large that direct notification would be untimely or prohibitively costly. The OPI should use email only if the individual had previously consented to the receipt of electronic notices. Institutions should be careful not to unduly alarm individuals, especially where the institution only suspects but cannot confirm that certain individuals have been affected by the breach. However, this should not prevent institutions from informing those whose personal information has been compromised. 

   Who should notify: Typically, whoever in the institution has a direct relationship with the stakeholder, client or employee should notify the affected individuals. Use Notification to External Stakeholders: Sample Letter.

3. What Should Be Included in the Notification?

   The content of notifications will vary depending on the particular breach and the method of notification chosen. Notifications should include, as appropriate, the following:

   • A general description of the incident, including the date and time;
   • The source of the breach (whether it be the institution, a contracted party or a third party with whom the institution has an information-sharing agreement);
   • A list of the personal information inappropriately accessed or disclosed;
   • A description of the measures taken or to be taken to retrieve the personal information, contain the breach and prevent recurrence, and timelines for when mitigate measures, if not already underway, will be put into effect;
   • Advice to the individual on mitigating risks of identity theft or to deal with compromised personal information (e.g., putting a "flag" on an individual's credit report) and instructions on how to undertake these activities;
   • The name and contact information of an official at the institution with whom individuals can discuss the matter further or obtain assistance; and
   • If applicable, a reference to the effect that the OPC and TBS have been notified of the nature of the breach and the individual's right of complaint to the OPC under the Privacy Act.

The OPI may also inform affected individuals of developments as the matter is further investigated and any outstanding issues are resolved. Step 4: Mitigation and Prevention

Mitigation Strategies

Potential corrective measures may be taken by the OPI in conjunction with other sectors within the institution, such as Human Resources. Depending on the seriousness of the breach and mitigating and aggravating factors, the measure or action chosen should be appropriate and intended to correct the situation. The consequences should be determined on a case-by-case basis. Use the Mitigation and Prevention Tool.

Corrective measures may include the following:

• Training and education;
• Coaching/mentoring;
• Disciplinary reprimand (oral or written);
• Revocation of certain privileges and/or user access to system or records;
• Revocation of security clearance;
• Reassignment (transfer or deployment);
• Suspension; and
• Termination.

Institutions may also wish to review internal policies and procedures to prevent recurrence.

Employees should be made aware of the consequences of their personal information-handling practices, and that once an individual's personal information has been lost, it may not always be possible to undo the damage. Less serious infractions should be treated with education and mentoring strategies, whereas more serious or multiple breaches may warrant a more serious response. In cases where the breach is either the culmination of inappropriate information-handling practices or is so serious that the employee-employer relationship is irrevocably damaged, termination of employment may be the most appropriate measure.

Note: The enabling legislation for some institutions incorporates a Code of Privacy, which contains punitive consequences to employees who intentionally disclose personal information.

Prevention Strategies

The level of effort should reflect the significance of the breach and whether the breach was a systemic or isolated event. The breach prevention plan may include the following:

• Revising or developing internal procedures and policies;
• Additional training for employees, such as that found in the employee Training Deck for Employees;
• Tightening restrictions on access to certain personal information based on roles, responsibilities and the need to know;
• Encryption of personal information on portable electronic devices;
• Contractual clauses to deal with breaches of privacy by third-party service providers; and
• The conduct of ongoing audits of physical and technical security.

When formulating recommendations, it will also be important for ATIP officials, the CPO, information management officials and/or DSOs to take into account any uncovered deficiencies in personal information management practices, such as the following:

• Whether a Privacy Impact Assessment (PIA) was conducted, and, if so, should it be reviewed or updated;
• Review or update relevant Personal Information Banks (PIBs) ; and
• Conduct an inventory of records that contain personal information.

The end result should be that all the risks identified during the institution's investigation are addressed to the extent possible.

Training Decks

To assist with mitigation and prevention, Training Deck for Employees and Training Deck for Executives are available.

At this point in the process, we can conclude that a privacy breach was discovered or contained, a full assessment was completed followed by the notification of affected groups, and mitigation and prevention plan has been formulated. If the investigation has identified a material privacy breach, the institution must provide a breach report to the OPC and TBS by completing Step 5, Notification to the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat.

Breach Report to OPC and TBS

The ATIP Office may verbally notify the OPC and TBS informally of a privacy breach at any point during the breach management process. However, institutions must provide formal written notification (breach report to OPC and TBS) when the investigation has identified a material privacy breach. ATIP will submit notification to the OPC and TBS by completing and sending the Breach Report to the Office of the Privacy Commissioner. The report includes the following information:

• The nature and extent of the breach;
• The type of personal information involved;
• The parties involved;
• Anticipated risks of harm;
• Steps taken or to be taken to notify individuals; and
• What remedial action has been taken.

Step 6: Lessons learned