Privacy Breach Management
Breaches may occur because of innocent mistakes or intentional actions by public service employees, by third-party service providers acting on behalf of government institutions, or by outside parties with malicious intent. The most common privacy breach is the unauthorized disclosure of personal information. [Footnote 1]
There are six steps to consider when responding to suspected or actual privacy breaches. This Privacy Breach Management Toolkit is made up of the following steps, along with corresponding tools:
- Step 1: Preliminary Assessment and Containment
- Step 2: Full Assessment
- Step 3: Notification
- Step 4: Mitigation and Prevention
- Step 5: Notification to the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat
- Step 6: Lessons Learned
These tools are for Access to Information and Privacy (ATIP) professionals, managers and individuals who are seeking guidance on privacy breach management within the federal context. This toolkit is intended to help individuals take the appropriate steps in the event of a privacy breach.
The Privacy Breach Management Toolkit offers institutions a common and consistent approach to managing and responding to privacy breaches across federal organizations in compliance with policy requirements of the Treasury Board of Canada Secretariat (TBS) and recommendations from the Office of the Privacy Commissioner of Canada (OPC).
Individuals must take preventive steps to avoid privacy breaches from occurring by following policies issued by TBS and their own institution's internal guidelines and procedural safeguards. Individuals should also complete privacy training.
This toolkit supports the requirements of the Privacy Act, which requires federal government institutions to "protect the privacy of individuals with respect to personal information about themselves held by a government institution and to provide individuals with a right of access to that information." [Footnote 2] A companion document, Privacy Breach Management Roles and Responsibilities, describes who is responsible for each part of managing and responding to privacy breaches.
Step 1: Preliminary Assessment and Containment
The senior official of the office where the breach occurred should notify the ATIP Coordinator and/or the Chief Privacy Officer (CPO) as soon as possible after the discovery of a privacy breach. Because a breach may be discovered just before a long weekend or outside business hours, it is recommended to notify the ATIP Coordinator or the CPO by email as soon as possible rather than waiting for the next working day.
A privacy breach may also involve a breach of security. In these situations, the Office of Primary Interest (OPI) needs to ensure coordination with the Departmental Security Officer (DSO).
It is important to involve the ATIP Coordinator and/or the CPO and the DSO to ensure that the privacy of individuals and the security of assets are taken into account in the resolution process.
Caution: In responding to a privacy breach, institutions should be careful not to take steps that may exacerbate the existing breach or create a new one (e.g., disclosing additional personal information).
Office of Primary Interest Preliminary Assessment
The preliminary assessment focuses on identifying whether a privacy breach has occurred and, if so, how it occurred. The Office of Primary Interest (OPI) Preliminary Assessment and Containment Tool is used to facilitate this process. If the OPI answers yes to the questions contained in the tool, the OPI should take immediate action to contain the breach.
While containing the breach, the institution should proceed with documenting as extensively as possible, within a short period, the circumstances that gave rise to the privacy breach, including an inventory of the personal information that has been compromised.
Office of Primary Interest Containment
Once a suspected or known privacy breach has occurred, the OPI should take immediate action to contain the breach and to secure the affected records, systems, email or websites. Suggested containment strategies are found in the OPI Preliminary Assessment and Containment Tool. For example, immediate action to contain the breach may consist of the following:
- Remove, move or segregate exposed information or files, i.e., take all necessary steps to prevent further unauthorized access and disclosure;
- Retrieve any documents or copies of documents that were wrongfully disclosed or taken by an unauthorized person;
- Return the documents to their original location or to the intended recipient;
- Advise the employee to cease transmission of email or correspondence to the incorrect address; and
- Request the recipient to delete all affected email, correspondence and records.
In some instances, it may be necessary to shut down the application, website or device temporarily to permit a complete assessment of the breach and to resolve vulnerabilities. Additional considerations may include revoking access, changing passwords or correcting weaknesses in physical security. These actions should be undertaken in consultation with the institution's security and information technology officials, and sequenced so that logs, access records and other evidence needed for the assessment are preserved before systems are shut down or credentials are reset.
Following the discovery and containment of a privacy breach, complete the Preliminary Report Tool to determine the level of the breach assessment required. In some instances, the preliminary report has sufficient information so that the institution can manage and close the breach without requiring a full assessment. In other situations, the information collected at the preliminary report stage will ascertain the need to pursue a full assessment.
Completing the preliminary report will require the identification of the following:
- Individual(s) who may have caused the breach;
- Potential witnesses who may have information related to the breach;
- Affected parties whose personal information was disclosed, accessed, stolen or lost; and
- The institutional sector (public or private) or third party that is responsible for the personal information involved (external stakeholders).
Upon submission of the preliminary report to the ATIP Coordinator, the CPO and/or the DSO, an investigator will be assigned to assist in documenting the privacy breach and provide support and guidance to the OPI.
At this stage, should the privacy breach require a full assessment, the ATIP Office may want to notify the OPC and TBS verbally of the privacy breach.
Step 2: Full Assessment
The full assessment is crucial in managing the privacy breach. In this step, it is imperative to document the circumstances that gave rise to the breach.
The institution must make reasonable efforts to identify the individuals, or groups of individuals, likely to have been affected. This should be documented as part of the record using the OPI Privacy Breach Checklist and the ATIP Privacy Breach Risk Impact Instrument.
Note: The ATIP Office may notify the OPC and TBS verbally of a privacy breach at any point during the breach management process. Formal written notification (i.e., a breach report to the OPC and TBS) must follow when the investigation has identified a material privacy breach.
Office of Primary Interest (OPI) Privacy Breach Checklist
The OPI should document the privacy breach by completing the OPI Privacy Breach Checklist. The ATIP and/or CPO official is a valuable resource to assist the OPI in all the steps of the process. They can provide direction on which sections of the OPI Privacy Breach Checklist must be completed. The information to be documented in the checklist is as follows:
- Details on the circumstances that gave rise to the breach: what happened, where it happened, when it happened, and how it was discovered;
- Inventory of the personal information that was compromised;
- Identification of the parties or persons whose personal information has been wrongfully disclosed, accessed, stolen, compromised or lost;
- Identification of the institutional sector or third party responsible for the personal information involved; and
- All other relevant information (e.g., previously similar or related privacy breaches).
Access to Information and Privacy (ATIP) Privacy Breach Risk Impact Instrument
Based on the information provided by the OPI, the ATIP official or the CPO assesses the risk associated with the privacy breach using the ATIP Privacy Breach Risk Impact Instrument. The instrument contains a "heat sheet" to help the analyst identify the risk impacts for the institution and for the affected individual(s). The heat sheet is based on the guiding principles of TBS's Framework for the Management of Risks and identifies the risk impacts to the institution through a privacy lens. Where a government institution holds large amounts of personal information, the ATIP official should consider whether the institution should be held to a higher standard of care with respect to the protection of privacy.
The challenge for institutions remains how to evaluate accurately the potential impacts on the affected individual, based on the nature of the breach. TBS has provided general guidance on identifying the level of risk to the affected individual. During this assessment, the ATIP official should apply an objective test: how would a reasonable person react under similar circumstances if the same personal information were inappropriately disclosed or breached?
Consider the following factors in assessing the risk:
- Personal Information Involved
- What data elements have been breached? (name, contact information, financial, medical, etc.)
- How sensitive is the information? Generally, the more sensitive the information, the higher the risk of harm to individuals. Some personal information is more sensitive than other information: for example, health information; government-issued identifiers such as social insurance numbers (SINs), driver's licence numbers and health card numbers; and financial account numbers such as credit or debit card numbers, all of which can be used to facilitate identity theft. A combination of personal information is typically more sensitive than a single data element. Sensitivity alone, however, is not the only criterion for assessing risk; foreseeable harm to the individual is equally important.
- What is the context of the personal information involved? A list of clients who requested a copy of Canada's Food Guide, for example, may not be sensitive. However, the same information about clients who have requested information on medical marijuana may be more sensitive.
- Is the personal information adequately encrypted, anonymized or otherwise not easily accessible? Encryption reduces the risk only if the key, password or credentials that unlock it were not also lost, and anonymized data should be checked for the possibility of re-identification when combined with other available information.
- How can the personal information be used? Can the information be used for fraudulent or otherwise harmful purposes? The combination of certain types of sensitive personal information along with name, address and date of birth, suggest a higher risk because of the potential for identity theft.
An assessment of the type of personal information involved will help to determine how to respond to the breach, who should be informed, and what form of notification to the individuals affected, if any, is appropriate. For example, if a laptop that contains adequately encrypted information is stolen and subsequently recovered, and investigations show that the information was not tampered with, notification of individuals may not be necessary.
- Cause and Extent of the Breach
- To the extent possible, determine the cause of the breach.
- Is there a risk of ongoing breaches or further exposure of the information?
- What was the extent of the unauthorized access to or collection, use or disclosure of personal information? This includes the number and nature of likely recipients and the risk of further access, use or disclosure, including via mass media or online.
- Was the information lost or stolen? If it was stolen, can it be determined whether the information was the target of the theft or not?
- Has the personal information been recovered?
- What steps have already been taken to mitigate the harm?
- Is this a systemic problem or an isolated incident?
- Individuals Affected by the Breach
- How many individuals have been affected by the breach?
- Who is affected by the breach? (employees, contractors, public, clients, service providers, other government institutions, internal or external stakeholders, or others)
- The Source of the Breach
- Was the breach the result of an internal processing error or was it due to malicious acts perpetrated by outside parties?
- Was the breach accidental or intentional?
- Did it occur on the institution's premises or systems or by a contractor doing business on behalf of the institution?
- Foreseeable Harm From the Breach
- In assessing the possibility of foreseeable harm from the breach, what are the reasonable expectations of those affected? For example, a stranger who accidentally receives personal information in error and immediately reports it is less likely to misuse the information than a person suspected of having intentionally intruded into a government building or system.
- Who is the recipient of the information? Is there any relationship between the unauthorized recipients and the data subject? For example, was the disclosure to an unknown party or to a party suspected of being involved in criminal activity where there is a potential risk of misuse? Or was the recipient a trusted, known entity or a person who would reasonably be expected to return the information without disclosing or using it?
- What harm to the individuals could result from the breach? Examples include:
- Financial loss (identity theft);
- Health implications (physical safety);
- Loss of reputation (humiliation); or
- Legal penalties (civil or criminal).
- What harm to the institution could result from the breach? Examples include:
- Loss of trust;
- Financial loss (of assets);
- Legal proceeding (a lawsuit); or
- Public interest (public health and safety).
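The factors above are the inputs to the heat sheet, and the glossary at the end of this page states the rule the sheet applies (Risk = Probability × Impact) and the definition of a material privacy breach. The following is an added worked example, not the TBS instrument and not code from the toolkit, that turns those factors into a reproducible triage record. Every element name, the 1-to-3 scoring bands, the 500-person threshold for "a large number of affected individuals" (which the toolkit leaves unquantified) and the recipient categories are this example's own assumptions; an institution would substitute the values in its approved instrument.

```python
from dataclasses import dataclass

# Added example, not part of the TBS toolkit or the ATIP Risk Impact Instrument.
# Element names, thresholds and scoring bands are this example's assumptions.

# Data elements the toolkit singles out as sensitive: health information,
# government-issued identifiers and financial account numbers.
SENSITIVE_ELEMENTS = {
    "health", "sin", "drivers_licence", "health_card_number",
    "financial_account", "credit_card", "debit_card",
}
# Name, address and date of birth together enable identity theft.
IDENTITY_THEFT_COMBO = {"name", "address", "date_of_birth"}
# The toolkit does not quantify "a large number of affected individuals";
# 500 is an assumed threshold for this example only.
LARGE_POPULATION = 500
# Likelihood that the recipient misuses the information (toolkit's
# "foreseeable harm" factors: trusted party vs. unknown vs. suspected criminal).
RECIPIENT_LIKELIHOOD = {"trusted": 1, "unknown": 2, "suspected_malicious": 3}


@dataclass
class BreachFacts:
    data_elements: set          # e.g. {"name", "address", "sin"}
    affected_count: int
    recipient: str              # one of the RECIPIENT_LIKELIHOOD keys
    intentional: bool = False   # malicious act rather than processing error
    encrypted: bool = False     # adequately encrypted at rest
    key_compromised: bool = False
    recovered: bool = False
    tampering_ruled_out: bool = False


def information_usable(f: BreachFacts) -> bool:
    """Can the recipient actually read or exploit the data?
    Encryption only helps if the key was not also lost, and recovery only
    helps if the investigation ruled out copying or tampering."""
    if f.encrypted and not f.key_compromised:
        return False
    if f.recovered and f.tampering_ruled_out:
        return False
    return True


def impact_level(f: BreachFacts) -> int:
    """1..3: harm that could follow if the data is usable.
    A sensitive element plus the name/address/DOB combination scores highest."""
    elements = {e.lower() for e in f.data_elements}
    has_sensitive = bool(elements & SENSITIVE_ELEMENTS)
    has_combo = IDENTITY_THEFT_COMBO <= elements
    return 1 + int(has_sensitive) + int(has_combo)


def likelihood_level(f: BreachFacts) -> int:
    """1..3: probability that harm materialises, from recipient and intent."""
    if not information_usable(f):
        return 1                      # residual likelihood only
    level = RECIPIENT_LIKELIHOOD[f.recipient]
    if f.intentional:                 # deliberate acquisition raises the odds
        level = min(3, level + 1)
    return level


def assess(f: BreachFacts) -> dict:
    """Heat-sheet triage: Risk = Probability x Impact, then the two decisions
    the toolkit hinges on (material breach? notify affected individuals?)."""
    elements = {e.lower() for e in f.data_elements}
    sensitive = bool(elements & SENSITIVE_ELEMENTS) or IDENTITY_THEFT_COMBO <= elements
    usable = information_usable(f)
    impact, likelihood = impact_level(f), likelihood_level(f)
    score = impact * likelihood       # one of 1, 2, 3, 4, 6, 9
    rating = "Low" if score <= 2 else ("Medium" if score <= 4 else "High")

    # Glossary definition: material = sensitive information that could
    # reasonably be expected to cause harm, and/or a large affected population.
    harm_expected = sensitive and usable and likelihood >= 2
    large = f.affected_count >= LARGE_POPULATION
    material = harm_expected or large
    # Notify individuals when there is a risk of harm they could act on;
    # unusable data (e.g. encrypted laptop recovered intact) needs no notice.
    notify = usable and score >= 3

    rationale = []
    if not usable:
        rationale.append("information not usable by recipient (encrypted or recovered intact)")
    if sensitive:
        rationale.append("sensitive elements present: " + ", ".join(sorted(elements)))
    if large:
        rationale.append(f"{f.affected_count} individuals affected (>= {LARGE_POPULATION})")
    if f.intentional:
        rationale.append("intentional act; likelihood raised")
    return {"impact": impact, "likelihood": likelihood, "score": score,
            "rating": rating, "usable": usable, "sensitive": sensitive,
            "material": material, "notify_individuals": notify,
            "rationale": rationale}


if __name__ == "__main__":
    # Constructed scenario: misdirected email carrying a SIN to an unknown member of the public.
    print(assess(BreachFacts({"name", "address", "sin"}, 1, "unknown")))
```

The point of the `information_usable` check is the toolkit's own laptop example: the same facts that make a breach material by headcount can still leave notification unnecessary when the investigation shows the data was never readable. Keeping the rationale list with each record gives the ATIP analyst a defensible trail when the assessment is revisited in Step 5.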
Once the OPI Privacy Breach Checklist and the ATIP Privacy Breach Risk Impact Instrument are completed, institutions should move on to Step 3: Notification, as the outcomes of the assessment provide direction as to who should be notified.
Step 3: Notification
Notification is an important mitigation strategy that can benefit both the institution and the individuals affected by a breach. If a privacy breach creates a risk of harm to the individual, those affected should be notified. Prompt notification of individuals in these cases can help them mitigate the damage by taking steps to protect themselves.
Caution: In responding to a privacy breach, institutional authorities should be careful not to take steps that may exacerbate the existing breach or create a new one (e.g., disclosing additional personal information in the notification itself).
Note: The ATIP Office may verbally notify the OPC and TBS of the privacy breach at this stage of the process if not already done. Formal written notification (a breach report to the OPC and TBS) must follow when the investigation has identified a material privacy breach.
ATIP Internal Notification Process
Each situation needs to be considered on a case-by-case basis and in collaboration with the ATIP official and/or the CPO to determine the extent of the notification required by using the Privacy Breach Management Process. ATIP officials and/or the CPO will notify Human Resources, Legal Services and Communications (Public Affairs), as required. The outcomes of the ATIP Privacy Breach Risk Impact Instrument completed in Step 2 can assist in the internal notification process.
Who Should Notify the Institution's Internal Official(s)?
The ATIP official and/or the CPO will brief senior management, using the Privacy Breach Management Process as reference and completing the Privacy Breach Management Reporting Tool as soon as possible. This report provides senior management with aggregate (non-identifying) background information and the type or content of the material breached. When completing the status section of the report, the ATIP official and/or the CPO should outline the remedial actions undertaken and state clearly whether the breach has been resolved. Providing regular status reports and identifying trends gives senior management the opportunity to identify weaknesses in personal information-handling processes and to develop risk mitigation strategies.
Sample notification letters have been developed to assist institutions with the Notification to Affected Individuals and the Notification to External Stakeholders. Institutions may modify the content of these letters to reflect the context of the breach and the actions taken to date. The Communications Division of the institution should be notified to handle all media inquiries.
Some key elements are important to consider before issuing a notification letter:
- Notifying Affected Individuals
The OPI in collaboration with the ATIP official, the CPO and/or the DSO should consider the following factors when deciding whether to notify individuals:
- What are the legal and contractual obligations?
- What is the risk of harm to the individual?
- Is there a reasonable risk of identity theft or fraud (usually due to the type of information lost, such as an individual's name and address, together with government-issued identification numbers or date of birth)?
- Is there a risk of physical harm (such as stalking, harassment or worse)?
- Is there a risk of humiliation or damage to the individual's reputation (e.g., when the information lost includes mental health, medical or disciplinary records or other information)?
- What is the ability of the individual to avoid harm or mitigate possible harm?
- Use Notification to Affected Individuals: Sample Letter.
- When to Notify, How to Notify and Who Should Notify
At this stage, the OPI Privacy Breach Checklist, which contains a set of facts to use in determining whether to notify individuals, should be completed.
When to notify: Notification of individuals affected by the breach should occur as soon as reasonably possible following assessment and evaluation of the breach.
How to notify: The preferred method of notification is direct and proactive (i.e., by telephone, letter or in person) to affected individuals. Indirect notification, via information posted on the institutional website, posted notices or the media, should generally be used only when the individuals cannot be located or the number of individuals is so large that direct notification would be untimely or prohibitively costly. The OPI should use email only if the individual had previously consented to the receipt of electronic notices. Institutions should be careful not to unduly alarm individuals, especially where the institution only suspects but cannot confirm that certain individuals have been affected by the breach. However, this should not prevent institutions from informing those whose personal information has been compromised.
Who should notify: Typically, whoever in the institution has a direct relationship with the stakeholder, client or employee should notify the affected individuals. Use Notification to External Stakeholders: Sample Letter.
- What Should Be Included in the Notification?
The content of notifications will vary depending on the particular breach and the method of notification chosen. Notifications should include, as appropriate, the following:
- A general description of the incident, including the date and time;
- The source of the breach (whether it be the institution, a contracted party or a third party with whom the institution has an information-sharing agreement);
- A list of the personal information inappropriately accessed or disclosed;
- A description of the measures taken or to be taken to retrieve the personal information, contain the breach and prevent recurrence, with timelines for when mitigation measures, if not already under way, will be put into effect;
- Advice to the individual on mitigating risks of identity theft or to deal with compromised personal information (e.g., putting a "flag" on an individual's credit report) and instructions on how to undertake these activities;
- The name and contact information of an official at the institution with whom individuals can discuss the matter further or obtain assistance; and
- If applicable, a reference to the effect that the OPC and TBS have been notified of the nature of the breach and the individual's right of complaint to the OPC under the Privacy Act.
The OPI may also inform affected individuals of developments as the matter is further investigated and any outstanding issues are resolved.
Step 4: Mitigation and Prevention
Once the immediate steps are taken to mitigate the risks associated with the privacy breach, the OPI in collaboration with the ATIP official, the CPO and/or the DSO needs to investigate the cause of the breach thoroughly, consider whether to develop a prevention plan, and consider what that plan might include.
Potential corrective measures may be taken by the OPI in conjunction with other sectors within the institution, such as Human Resources. Depending on the seriousness of the breach and mitigating and aggravating factors, the measure or action chosen should be appropriate and intended to correct the situation. The consequences should be determined on a case-by-case basis. Use the Mitigation and Prevention Tool.
Corrective measures may include the following:
- Training and education;
- Disciplinary reprimand (oral or written);
- Revocation of certain privileges and/or user access to system or records;
- Revocation of security clearance;
- Reassignment (transfer or deployment);
- Suspension; and
- Termination of employment.
Institutions may also wish to review internal policies and procedures to prevent recurrence.
Employees should be made aware of the consequences of their personal information-handling practices, and that once an individual's personal information has been lost, it may not always be possible to undo the damage. Less serious infractions should be treated with education and mentoring strategies, whereas more serious or multiple breaches may warrant a more serious response. In cases where the breach is either the culmination of inappropriate information-handling practices or is so serious that the employee-employer relationship is irrevocably damaged, termination of employment may be the most appropriate measure.
Note: The enabling legislation for some institutions incorporates a Code of Privacy, which contains punitive consequences to employees who intentionally disclose personal information.
The level of effort should reflect the significance of the breach and whether the breach was a systemic or isolated event. The breach prevention plan may include the following:
- Revising or developing internal procedures and policies;
- Additional training for employees, such as the Training Deck for Employees;
- Tightening restrictions on access to certain personal information based on roles, responsibilities and the need to know;
- Encryption of personal information on portable electronic devices;
- Contractual clauses to deal with breaches of privacy by third-party service providers; and
- The conduct of ongoing audits of physical and technical security.
When formulating recommendations, it is also important for ATIP officials, the CPO, information management officials and/or the DSO to take into account any deficiencies uncovered in personal information management practices, for example:
- Whether a Privacy Impact Assessment (PIA) was conducted and, if so, whether it should be reviewed or updated;
- Whether the relevant Personal Information Banks (PIBs) should be reviewed or updated; and
- Whether an inventory of records that contain personal information should be conducted.
The end result should be that all the risks identified during the institution's investigation are addressed to the extent possible.
To assist with mitigation and prevention, Training Deck for Employees and Training Deck for Executives are available.
At this point in the process, the privacy breach has been discovered and contained, a full assessment has been completed, affected groups have been notified, and a mitigation and prevention plan has been formulated. If the investigation has identified a material privacy breach, the institution must provide a breach report to the OPC and TBS by completing Step 5, Notification to the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat.
Step 5: Notification to the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat
The ATIP Office is the single liaison for the institution when notifying the OPC and TBS.
Breach Report to OPC and TBS
The ATIP Office may notify the OPC and TBS informally, by telephone, of a privacy breach at any point during the breach management process. However, institutions must provide formal written notification (a breach report to the OPC and TBS) when the investigation has identified a material privacy breach. The ATIP Office submits this notification by completing and sending the Breach Report to the Office of the Privacy Commissioner. The report includes the following information:
- The nature and extent of the breach;
- The type of personal information involved;
- The parties involved;
- Anticipated risks of harm;
- Steps taken or to be taken to notify individuals; and
- What remedial action has been taken.
Step 6: Lessons Learned
Maintaining ongoing communication with ATIP regarding privacy issues resulting from the breach is an opportunity to strengthen the privacy practices within the OPI's program area specifically and the institution as a whole.
Executives and managers should encourage employees to be conscious of privacy in their day-to-day work. This increased awareness will contribute to a reduction in the program area's overall privacy risks.
Executives should engage their institution's ATIP Office and/or CPO to determine what training opportunities may be provided to suit their particular needs or to identify what services may be offered to support their program area.
Institutions should track privacy breaches within their program areas by identifying trends at each step of the privacy breach management process. Collecting this information helps to identify underlying patterns in personal information-handling practices and to prevent future breaches. The Trend Analysis by Fiscal Year tool can be used to track these activities.
Definitions
- Compromise (compromission)
- Refers to the unauthorized access to or disclosure, destruction, removal, modification, use or interruption of assets or information.
- Disclosure (divulgation)
- Refers to the release of personal information by any method (e.g., transmission, provision of a copy, examination of a record) to any person.
- Every reasonable effort (tous les efforts raisonnables)
- Means a level of effort that a fair and reasonable person would expect or would find acceptable.
- Government institution (institution fédérale)
- Is "any department or ministry of state of the Government of Canada, or any body or office, listed in the schedule; and, any parent Crown corporation, and any wholly-owned subsidiary of such a corporation, within the meaning of section 83 of the Financial Administration Act" (source: section 3 of the Privacy Act). The term "government institution" does not include ministers' offices.
- Handling (traitement)
- Refers to the retention, accuracy, use, disclosure and disposition of personal information. In the context of this directive, the term is used generically and for ease of reference and does not imply a lesser standard in terms of the above-mentioned concepts.
- Identity (identité)
- Is a reference or designation used to distinguish a unique and particular individual, organization or device.
- Material privacy breach (atteinte substantielle à la vie privée)
- A privacy breach that involves sensitive personal information and could reasonably be expected to cause injury or harm to the individual, and/or that involves a large number of affected individuals.
- Personal information (renseignements personnels)
- Refers to information about an identifiable individual that is recorded in any form. This includes name, address, telephone number, medical/clinical information, identification numbers (e.g., SIN), education, blood type, ethnicity, employee files, etc. It also includes information about an individual where there is a serious possibility that the individual could be identified through the use of that information, alone or in combination with other available information.
- Personal information bank (fichier de renseignements personnels)
- Is a description of personal information that is organized and retrievable by a person's name or by an identifying number, symbol or other particular assigned only to that person. The personal information described in the personal information bank has been used, is being used, or is available for an administrative purpose and is under the control of a government institution.
- Privacy (vie privée)
- Is the right of an individual to be left alone, to be free of unwarranted intrusions. It is also the right of an individual to retain control over his or her personal information and to know the uses, disclosures and whereabouts of that information.
- Privacy breach (atteinte à la vie privée)
- Involves improper or unauthorized creation, collection, use, disclosure, retention or disposal of personal information.
- Privacy Commissioner (Commissaire à la protection de la vie privée)
- Is an Officer of Parliament appointed by the Governor in Council.
- Privacy impact assessment (évaluation des facteurs relatifs à la vie privée)
- Is a policy process for identifying, assessing and mitigating privacy risks. Government institutions are to develop and maintain privacy impact assessments for all new or modified programs and activities that involve the use of personal information for an administrative purpose.
- Privacy practices (pratiques relatives à la protection de la vie privée)
- Refers to all practices related to the creation, collection, retention, accuracy, use, disclosure and disposition of personal information.
- Program or activity (programme ou activité)
- Is, for the purposes of the appropriate collection, use or disclosure of personal information by government institutions subject to this policy, a program or activity that is authorized or approved by Parliament. Parliamentary authority is usually contained in an Act of Parliament or subsequent Regulations. Parliamentary authority can also be in the form of approval of expenditures proposed in the Estimates and as authorized by an appropriation Act. Also included in this definition are any activities conducted as part of the administration of the program.
- Risk (risque)
- Denotes the effect of uncertainty on objectives. It is the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization's objectives. The classic formula for quantifying risk combines the magnitude of damage with its probability: Risk = Probability × Impact.
- Risk management (gestion des risques)
- Is a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, making decisions on and communicating risk issues. Risk management is built into existing governance and organizational structures, such as business planning, decision making and operational processes. The institution will ensure that it has the capacity and tools to be innovative while protecting personal information and maintaining the public interest.
- Uncertainty (incertitude)
- Is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequences or its likelihood.