Office of Primary Interest (OPI) Preliminary Assessment and Containment

Privacy Breach Management Tools

If the answer is yes to any of the following questions, contact the Chief Privacy Officer, the Access to Information and Privacy Officer, or the Department Security Officer. Be sure to:

Establish which parties need to be made aware of the breach (such as unintended recipients of personal information) and inform them of what they are expected to do to assist in the containment exercise.
Establish whether there is anything you can do to contain the breach, recover any losses and limit the damage that the breach can cause.
Complete a Preliminary Report, i.e., document all activities that relate to the breach, including how the incident was contained. Include a date and time log, as appropriate, such as who did what and when.

Preliminary Assessment	Yes/No	Suggested Containment Strategies
1. Was there an abuse of access privileges (e.g., unauthorized access or use of records that contain personal information)?		Immediately restrict, suspend or revoke access privileges until completion of the investigation. Determine whether personal information was further disclosed to others (verbally or via copies). Attempt to retrieve the documents in question, and document the steps taken. Contact the Access to Information and Privacy officials and the Chief Privacy Officer if required. Complete a *Preliminary Report*.
2. Was personal information inappropriately disclosed (e.g., improper application of severances (material removed or blacked out), incomplete de-identification)?		Attempt to retrieve documents. Determine whether personal information was further disclosed to others (verbally or via copies). Document the steps taken. Contact the Access to Information and Privacy officials and the Chief Privacy Officer if required. Complete a *Preliminary Report*.
3. Was personal information lost (e.g., through the mail, during a move or on a misplaced electronic device)?		Attempt to retrace steps and find the lost document(s). Determine whether personal information was further disclosed to others (verbally or via copies). Document the steps taken. Conduct an inventory of the personal information that was or may have been compromised. Contact the Access to Information and Privacy officials and the Chief Privacy Officer if required. Complete a *Preliminary Report*.
4. Was personal information stolen (e.g., theft of computer equipment or devices)?		Attempt to retrieve the stolen equipment or device. Document the steps taken. Contact the Access to Information and Privacy officials and the Chief Privacy Officer if required. Complete a *Preliminary Report*.
5. Was personal information in an unencrypted email sent to the wrong address?		Cease transmission of email or correspondence to the incorrect address. Determine whether the email address is incorrect in the system (i.e., programmed incorrectly into the system). Attempt to recall the message. Determine where the email went. Request that the recipient delete all affected email or correspondence, with confirmation via email that this has been done. Determine whether personal information was further disclosed to others (verbally or via copies). Contact the Access to Information and Privacy officials and the Chief Privacy Officer if required. Document the steps taken. Complete a *Preliminary Report*.
6. Was personal information faxed, mailed or delivered to a wrong address?		Determine where the document went. Determine whether the address is incorrect in the system (i.e., programmed incorrectly into system). Request that the recipient return the document(s) if mailed, or request that the fax be destroyed, with confirmation that this has been done. Determine whether personal information was further disclosed to others (verbally or via copies). Document the steps taken. Contact the Access to Information and Privacy officials and the Chief Privacy Officer if required. Complete a *Preliminary Report*.
7. Did a third party compromise (hack into) a system that contains personal information?		Contact Security and IT to isolate the affected system, disable the affected system, or disable the user account to permit a complete assessment of the breach and resolve vulnerabilities. Document the steps taken. Contact the Access to Information and Privacy officials and the Chief Privacy Officer if required. Complete a *Preliminary Report*.
8. Did the sale or disposal of equipment or devices that contain personal information occur without a complete and irreversible purging of the item before its sale or disposal?		Contact IT. Document the steps taken. Complete a *Preliminary Report*.
9. Was there an inappropriate display of personal information clearly visible to employees or clients? (e.g., posting of medical appointments or types of leave, home telephone numbers, slides of PowerPoint presentations that contain personal information, etc.)?		Remove, move or segregate exposed information or files. Preserve evidence. Determine whether personal information was further disclosed to others (verbally or via copies). Document the steps taken. Complete a *Preliminary Report*.
10. Was there an inappropriate collection of personal information?		Determine whether personal information was further disclosed to others (verbally or via copies). Complete a *Preliminary Report*.
11. Was there an unexpected or unintended use of collected data? Is there a risk for re-identification of an affected individual or another identifiable individual?		Determine whether personal information was further disclosed to others (verbally or via copies) Complete a *Preliminary Report*.
12. Was there an improper or unauthorized creation of personal information?		Complete a *Preliminary Report*.
13. Was there an improper or unauthorized retention of personal information?		Complete a *Preliminary Report*.
14. Remarks/Other:

Language selection

Search

Office of Primary Interest (OPI) Preliminary Assessment and Containment

Privacy Breach Management Tools

Thank you for your help!