Mitigation and Prevention

Privacy Breach Management Tools

Mitigation

Corrective measures may be taken by the program manager in conjunction with Human Resources and/or Labour Relations. Remedial action taken may include the following:

  • Disciplinary reprimand (oral or written)
  • Training and education
  • Coaching and/or mentoring
  • Revocation of certain privileges and/or user access to system or records
  • Revocation of security clearance
  • Reassignment (transfer or deployment)
  • Changes to business lines
  • Implementation of audit trails
  • Implementation of encryption
  • Suspension
  • Termination

Institutions may also wish to review their internal policies and procedures to prevent recurrence.

Depending on the seriousness of the breach and on any mitigating and aggravating factors, the measure or action chosen should be appropriate and intended to correct the actions of the individual(s) responsible for the breach. The consequences should be determined on a case-by-case basis.

Typically, for a less serious infraction, such as failing to log off a computer that holds personal information, an appropriate response may be counselling or instruction. More serious infractions or multiple breaches may warrant a more serious response. In cases where the breach is either the culmination of inappropriate information-handling practices or is so serious that the employee-employer relationship is irrevocably damaged, termination of employment or release from the organization may be the most appropriate measure.

The degree of administrative or disciplinary measures may range from a verbal warning to immediate termination.

Administrative or disciplinary action may be based on the following:

  • Failure to implement and maintain the security controls for personal information for which an individual is responsible, regardless of whether that failure results in the loss of control or unauthorized disclosure of personal information;
  • Exceeding authorized access to personal information or intentional disclosure of personal information to unauthorized persons;
  • Failure to report any known or suspected loss of control or unauthorized disclosure of personal information;
  • For managers and supervisors, failure to adequately instruct, train or supervise individuals in their responsibilities; and
  • For managers and supervisors, failure to take appropriate action pursuant to personal information-handling requirements upon discovering a breach, failure to implement and maintain required security controls, and failure to prevent a breach from occurring.

Public Service Personnel

When a breach is allegedly committed by public service personnel and no criminal offence is suspected, an administrative investigation shall be conducted to determine, in consultation with Human Resources and/or Labour Relations, the circumstances of the breach and whether disciplinary measures are warranted.

Refer to Step 2 of the Privacy Breach Risk Impact Instrument to determine the severity of the breach.

Contractor

When a breach is allegedly committed by a contractor and no criminal offence is suspected, an administrative investigation shall be conducted to determine, in consultation with the department's business authority, the circumstances surrounding the breach and what measures are to be taken by the department in accordance with the terms of the contract.

Refer to Step 2 of the Privacy Breach Risk Impact Instrument to determine the severity of the breach.

Prevention

  • Review the way in which information is collected.
  • Conduct education and training, and ensure that training materials are up to date.
  • Update policies and guidance to address legal and policy requirements.
  • Conduct Privacy Impact Assessments and Threat and Risk Assessments.
  • Ensure that privacy is considered before contracting decisions are made, information-sharing agreements are entered into, or personal information is handled.
  • Engage the Access to Information and Privacy (ATIP) Office on the collection, use, disclosure, retention and disposal of personal information.
  • Engage with the Office of Primary Interest (OPI) on how to prevent recurrence.
  • ATIP will follow up with the OPI to ensure that a plan is developed to mitigate the risks identified during the investigation and that the plan is implemented.
  • Develop and implement a breach prevention plan, which may include the following:
    • A security audit to be conducted for both physical and information technology security;
    • A review of policies and procedures (e.g., security policies, record retention and collection policies, etc.) to make any changes that reflect lessons learned from the investigation;
    • A review of employee training practices; and
    • A review of information-sharing agreements.
  • Review and update Privacy Impact Assessments and related Personal Information Banks.
  • Conduct an inventory of records that contain personal information.
  • Ensure that records are disposed of in accordance with records disposition authorities and with internal information management policies and procedures.