Office of Primary Interest (OPI) Preliminary Assessment and Containment
Privacy Breach Management Tools
If the answer is yes to any of the following questions, contact the Chief Privacy Officer, the Access to Information and Privacy Officer, or the Department Security Officer. Be sure to:
- Establish which parties need to be made aware of the breach (such as unintended recipients of personal information) and inform them of what they are expected to do to assist in the containment exercise.
- Establish whether there is anything you can do to contain the breach, recover any losses and limit the damage that the breach can cause.
- Complete a Preliminary Report, i.e., document all activities that relate to the breach, including how the incident was contained. Include a date and time log, as appropriate, such as who did what and when.
Preliminary Assessment | Yes/No | Suggested Containment Strategies |
---|---|---|
1. Was there an abuse of access privileges (e.g., unauthorized access or use of records that contain personal information)? | | |
2. Was personal information inappropriately disclosed (e.g., improper application of severances (material removed or blacked out), incomplete de-identification)? | | |
3. Was personal information lost (e.g., through the mail, during a move or on a misplaced electronic device)? | | |
4. Was personal information stolen (e.g., theft of computer equipment or devices)? | | |
5. Was personal information in an unencrypted email sent to the wrong address? | | |
6. Was personal information faxed, mailed or delivered to a wrong address? | | |
7. Did a third party compromise (hack into) a system that contains personal information? | | |
8. Did the sale or disposal of equipment or devices that contain personal information occur without a complete and irreversible purging of the item before its sale or disposal? | | |
9. Was there an inappropriate display of personal information clearly visible to employees or clients (e.g., posting of medical appointments or types of leave, home telephone numbers, slides of PowerPoint presentations that contain personal information, etc.)? | | |
10. Was there an inappropriate collection of personal information? | | |
11. Was there an unexpected or unintended use of collected data? Is there a risk for re-identification of an affected individual or another identifiable individual? | | |
12. Was there an improper or unauthorized creation of personal information? | | |
13. Was there an improper or unauthorized retention of personal information? | | |
14. Remarks/Other: | | |