Identify and contain the breach

Identify the breach

A privacy breach is the improper or unauthorized access to, creation, collection, use, disclosure, retention or disposal of personal information.

As soon as a potential or confirmed privacy breach is discovered, employees must immediately contain it and notify their privacy officials.

Privacy tip

While addressing a privacy breach, be careful not to take any steps that would make the situation worse or lead to another breach (for example, through the disclosure of additional personal information).

A privacy breach may involve a security incident, which must be reported to the institution’s security officials.

A privacy breach may also involve a third party. To ensure coordination in the event of a breach involving a third party under contract, agreement or arrangement with the institution, the institution’s plans for addressing privacy breaches should:

  • include internal coordination measures in the event of a third-party breach
  • outline which group should manage communications with the third party – either the office of primary interest (OPI), the privacy unit, or the procurement or contracting unit

For more information about privacy breaches, and for examples of scenarios that might constitute a breach, refer to Identifying a privacy breach: definitions and scenarios.

Contain the breach

Once a potential breach has been identified, the OPI must determine and implement containment measures. At this time, OPIs can also consider potential mitigation and prevention measures to be implemented.

While containing a privacy breach, it is recommended that the OPI document every detail that led to the breach and compile an inventory of the compromised personal information. This step should be done as quickly and as thoroughly as possible. OPIs will likely need to consult and coordinate with the institution’s security and information technology officials to implement containment measures.

If the breach occurs within a third party that is creating, collecting, using, disclosing, retaining or disposing of personal information as part of a contract, agreement or arrangement with the federal institution, the OPI should ensure that the third party undertakes appropriate containment actions to the extent possible.

If there is evidence that the breach may affect multiple institutions or otherwise may require coordinated action, privacy officials must notify TBS immediately.

Notify privacy officials

Once the breach has been contained, OPIs must notify their institution’s privacy officials of the date, time and location of the breach. OPIs will need to provide a brief description of the breach, which includes at minimum:

  • the type of personal information affected
  • the number of individuals potentially affected
  • any containment measures taken

The OPI can use the OPI preliminary Breach Report form to notify their privacy officials.

Once privacy officials have been informed of the potential breach, they will confirm whether a breach has occurred and determine the level of breach assessment required. A privacy official should then be assigned to assist in documenting the privacy breach and to provide support and guidance to the OPI. The OPI must also provide the report to security officials if a security incident has occurred.

Privacy tip

In the event of a privacy breach within a third party, the institution can request that the third party complete the report.
