Office of Primary Interest (OPI) Privacy Breach Checklist

Privacy Breach Management Tools

Protected B (when completed)

The following checklist will assist in the initial response to a privacy breach and can be used to correspond with the Chief Privacy Officer (CPO), the Access to Information and Privacy (ATIP) Office, and the Department Security Officer (DSO). The ATIP Office will submit the final breach assessment and recommendations found on the last page of this checklist to the Office of the Privacy Commissioner.

Assign an investigator.

Determine who should take the lead on the initial investigation and ensure that he or she has the appropriate resources and is sufficiently independent to avoid the appearance of a conflict of interest. This individual will be the liaison with CPO, ATIP and/or DSO.

Contact person

  • Name:
  • Title:
  • Telephone:
  • Email:

1. Preliminary Assessment and Containment

Identify the scope and type of problem.

  1. Document how the breach was detected and provide a brief description of the breach.
  2. Document all activities, and include a date and time log, as appropriate, e.g., who did what and when.

Issues and Questions for the OPI to Consider

  • Timeline of breach:
    • Date and time that the breach was discovered
    • Date and time that the breach was reported
    • Date and time that the breach occurred (if known)

    Notes:

  • Contact information for the parties involved:
    • List contact information for all parties involved in the breach

    Notes:

  • Who reported the breach?
    • Contact information for the person who reported the breach (full name, organizational unit and department, email address, telephone number, and location (i.e., mailing address and office room number)).

    Notes:

  • How was the breach discovered?

    Notes:

  • Where did the breach take place?

    Notes:

  • Chronology of the breach: What was the cause and extent of the breach?
    • What happened?
    • How did it happen?
    • How broadly has the personal information been disclosed?
    • Who received the information?

    Notes:

Contain the privacy breach.

(Refer to the Office of Primary Interest (OPI) Preliminary Assessment and Containment form.)

  1. Establish who needs to be made aware of the breach (such as unintended recipients of personal information) and inform them of what they are expected to do to assist in the containment exercise.
  2. Establish whether there is anything you can do to recover any losses and limit the damage that the breach can cause.
  3. Document how the breach was contained.
  4. Document all activities, and include a date and time log, as appropriate, e.g., who did what and when.

Issues and Questions for the OPI to Consider

  • Establish a chronology of the actions taken.
  • What immediate remedial steps have been taken to minimize the harm and contain the breach or recover the data? (Examples are shutting down a system, conducting an inventory of the personal information that was or may have been compromised, contacting Security, changing locks, and revoking, suspending or restricting user access privileges.)

    Notes:

  • Is the threat over, or is it continuing? Is there an ongoing risk of further exposure of the information, or has the breach been contained? (Examples are where the data is now, how many people have seen it, and the risk of further access, use or disclosure.)

    Notes:

2. Full Assessment (Risk Analysis)

Determine what personal information was involved.

Issues and Questions for the OPI to Consider

  • Who or what group of individuals is affected? Who is at risk as a result of this breach? (Examples are clients, customers, patients, employees, students, contractors, suppliers, the public, etc.)

    Notes:

  • How many individuals are affected?

    Notes:

  • Describe the personal information involved. (Examples are financial and medical records. List specifics such as name, Social Insurance Number and contact information.)

    Notes:

  • Identify the individual(s) whose privacy may have been compromised. Provide name(s) and contact information (attach as a separate sheet if necessary). Take all precautions to avoid further release of the breached information.

    Notes:

Determine the form or format of the data or records that contain personal information.

Issues and Questions for the OPI to Consider

  • What is the format of the data or records? (Examples are paper records, electronic database, USB key, CD-ROM, etc.)

    Notes:

Determine the organizational, physical or technical measures that were in place at the time of the breach.

Issues and Questions for the OPI to Consider

  • Identify the technical security measures (encryption, password, etc.).

    Notes:

  • Identify the physical security measures (locks, alarm systems, etc.).

    Notes:

  • Identify the organizational measures (security clearances, policies, training programs, contractual provisions).

    Notes:

Identify whether there are any other investigations occurring as a result of this breach.

Issues and Questions for the OPI to Consider

  • Are there security or criminal investigations underway that are related to this breach (as a result of theft, unauthorized access, etc.)?

    Notes:

  • If yes:
    • At what point are the investigations?
    • Who is leading the investigation? Provide contact information.

    Notes:

Assess what harm, if any, is foreseeable from this breach.

Issues and Questions for the OPI to Consider

  • What harm or vulnerability is there to the affected individuals?
    • Identity theft
    • Risk of physical harm (personal injury)
    • Hurt, humiliation or damage to reputation
    • Financial standing
    • Loss of business or employment opportunities
    • Failure to meet professional standards
    • Other

    Notes:

  • Who received the information, and what is the risk of further access, use or disclosure?

    Notes:

  • What harm to the institution could result from the privacy breach (e.g., loss of trust or assets, legal proceedings)?

    Notes:

  • What harm could come to the public as a result of the privacy breach (e.g., risk to public health or safety)?

    Notes:

  • What harm to other parties could result from the privacy breach (e.g., other organizations or third parties responsible for the personal information involved)?

    Notes:

  • Has this happened before? If so, describe the previous breach(es).

    Notes:

3. Notification

Awareness of breach.

Informing individuals and organizations of a privacy breach can be an important element of the breach management process. The institution must determine the following:

  • Whether to notify affected individuals;
  • When to notify (notification to individuals may be delayed until the necessary measures have been taken to determine the scope of the breach and that it has been properly investigated);
  • How to notify (manner of notification);
  • Who should take responsibility for notification (ATIP, CPO, OPI or other);
  • The content of the notification; and
  • Whether to notify or report to the following:
    • Internal officials, Human Resources, Legal and Communications (Public Affairs); or
    • Other external third parties to meet legal and contractual requirements (e.g., professional bodies, credit companies, bureaus or grantors to provide fraud detection and monitoring services, etc.).

Caution: In providing notification, it is important to avoid further escalation of the existing privacy breach (i.e., disclosing personal information to those who have no need to know the identity of those affected).

Issues and Questions for the OPI to Consider

  • Is/are the affected individual(s) aware of the breach?
    • If yes, provide details, including the date of notification and how the notification was provided.
    • If no, contact CPO or the ATIP Office to determine the best way to proceed with the issue of notification.

    Notes:

4. Mitigation and Prevention

What is being done to prevent future similar breaches?

Issues and Questions for the OPI to Consider

  • What internal improvements to infrastructure, processes, systems, the breach response protocol, and any other actions are recommended? What is the timeline for implementation? Are there barriers to implementation?

    Notes:

5. Additional Comments

Final Privacy Breach Assessment and Recommendations

To be completed by the ATIP Office.

The ATIP Office is the single liaison for the department with the Office of the Privacy Commissioner (OPC).

Assessment

  • Chronology of the breach and actions taken
  • Scope of the risk
  • Description of action taken to mitigate and resolve the issue
  • Communications that were taken
  • Brief explanation of the basis for key decisions
  • Evaluation of whether the privacy breach protocol was followed
  • Internal improvements to infrastructure, processes, systems, the breach response protocol and any other actions that are recommended
  • Identification of any other relevant information (e.g., previous similar or related breaches)
  • Notification to OPC and the Treasury Board of Canada Secretariat (TBS)

Note: Use the information contained in this report to populate the Breach Report to the Office of the Privacy Commissioner. The following factors should be considered in deciding whether OPC and TBS should be notified of the privacy breach:

  • The personal information involved is sensitive.
  • There is a risk of identity theft or other harm, including pain and suffering or loss of reputation.
  • A large number of people are affected by the breach.
  • The information has not been fully recovered.
  • The organization or public body requires assistance in responding to the privacy breach.
  • The breach is the result of a systemic problem, or a similar privacy breach has occurred before.

Recommendations
