Privacy Breach Management - Roles and Responsibilities

The privacy breach management process gives the Office of Primary Interest (OPI) guidance on how to carry out each of the six steps of the process. Every situation must be taken seriously: the first action is to undertake a preliminary assessment and contain the breach immediately. The OPI must notify the Access to Information and Privacy (ATIP) Coordinator or the Chief Privacy Officer (CPO) immediately, or within the time frame established by the institution, to obtain guidance on next steps. Decisions on how to respond to a privacy breach are made case by case and in collaboration with ATIP. The roles and responsibilities of each party at each step of the process are set out below.

Handling Privacy Breaches - Roles and Responsibilities

Following is the decision-making process for handling a privacy breach, along with the roles and responsibilities of key players in each step.

Step 1: Preliminary Assessment and Containment

  • The OPI’s responsibilities are as follows:
    • Identify the privacy breach that has occurred;
    • Contain the breach and conduct fact finding using the Preliminary Assessment and Containment tool;
    • Complete the Preliminary Report tool; and
    • Contact CPO, ATIP and/or the Department Security Officer (DSO) in order to notify internal official(s).
  • ATIP’s responsibilities are as follows:
    • Confirm that a privacy breach has occurred;
    • Where no full assessment is required, indicate that the breach has been handled within the institution and closed;
    • Where a full assessment is required, proceed to Step 2; and
    • Advise the OPI at all stages of the privacy breach management process.

Step 2: Full Assessment

  • The OPI’s responsibilities are as follows:
    • In consultation with CPO, ATIP and DSO, complete the OPI Privacy Breach Checklist. The OPI may choose to contact Legal Services for advice regarding obligations and on possible Charter and other implications; and
    • Determine who is to be notified within the institution.
  • ATIP’s roles and responsibilities are as follows:
    • Conduct a full assessment using the ATIP Privacy Breach Risk Impact Instrument; and
    • Determine whether notification to the Office of the Privacy Commissioner (OPC) or the Treasury Board of Canada Secretariat (TBS) is required at this stage of the process. ATIP is the institution's single point of contact with the OPC and TBS.

Step 3: Notification

  • The OPI’s roles and responsibilities are as follows:
    • Finalize the completion of the OPI Privacy Breach Checklist.
  • Mutual responsibilities of the OPI and ATIP are as follows:
    • Notify internal officials, affected individuals and external stakeholders. Tools available are the ATIP Internal Notification Process, the Privacy Breach Management Reporting Tool and notification letters. Notification to internal officials may be in the form of a briefing note, letter or any other means deemed necessary; and
    • With DSO, CPO and/or ATIP, review the OPI Privacy Breach Checklist and make recommendations.
  • ATIP’s roles and responsibilities are as follows:
    • ATIP may choose to inform the OPC and TBS informally of a privacy breach at any point during the breach management process. However, institutions must provide formal written notification (breach report to OPC and TBS) when the investigation has determined that the breach is a material privacy breach.

Step 4: Mitigation and Prevention

  • The OPI’s roles and responsibilities are as follows:
    • Implement assessment recommendations using the Mitigation and Prevention tool.

Step 5: Notification to the Office of the Privacy Commissioner and Treasury Board of Canada Secretariat

  • ATIP’s roles and responsibilities are as follows:
    • ATIP is the institution's single point of contact with the OPC and TBS and will complete the Breach Report to the OPC and TBS within a reasonable time frame.
    • The ATIP Office may verbally and informally notify the OPC and TBS of a privacy breach at any point during the breach management process. However, the institution must provide formal written notification (a breach report to the OPC and TBS) once the investigation has determined that the breach is a material privacy breach. ATIP submits this notification by completing and sending the Breach Report to the Office of the Privacy Commissioner.

Step 6: Lessons Learned

  • Mutual responsibilities of the OPI and ATIP are as follows:
    • Review and monitor trends on an ongoing basis using the Trend Analysis Tool.

Note: Timing is important to consider when responding to privacy breaches. The ATIP Office may notify the OPC and TBS verbally of a privacy breach at any point during the breach management process. Formal written notification (a breach report to the OPC and TBS) must follow when the investigation has determined that a breach is a material one.
