Conduct a preliminary assessment

On this page:

Instructions

Who

The office of primary interest (OPI) can use the preliminary assessment tool to document the suspected breach and take steps to contain it. Often it will be the employee who first identifies the breach that conducts the assessment.

What

The assessment offers guidance on how to contain a potential or confirmed privacy breach and mitigate its impacts.

How

  • if any of the following questions to assess a breach apply, review and implement the suggested breach containment measures provided
  • this page can be printed and shared with privacy officials to use in their assessment

Next steps

Once the assessment is completed, OPIs should:

  • immediately follow the recommended containment measures
  • complete the OPI preliminary breach report or their institution’s version thereof
  • provide the completed report to their institution’s privacy officials (often located within the ATIP office) and security officials, where appropriate, as soon as possible

The institution’s privacy officials will review the assessment and decide whether further steps are needed. If OPIs need guidance on conducting appropriate containment measures, the OPI can contact their institution’s privacy officials or security officials at any time.

Questions to assess a breach

1) Was there an improper and unauthorized disclosure?

This occurs when personal information is disclosed by the institution (including by third parties acting under arrangement, agreement or contract with the institution), whether intentionally or unintentionally, to a recipient without a “need to know”.

This disclosure can occur externally or internally within an institution.

Examples:

  • accidental display of personal information to employees (for example, in a PowerPoint presentation or as a result of access permissions being set too broadly)
  • Incomplete or insufficient de-identification prior to sharing personal information
  • improper or incomplete application of severances or redactions before disclosing personal information
  • misdirected emails that are not sufficiently encrypted
Suggested containment measures

Suggested containment measures

  • determine the source of the breach (if unknown) and cease any activity resulting in the improper disclosure
  • determine:
    • where or to whom the personal information was disclosed
    • whether it was disclosed further, including verbally
  • request that any recipients not share the information further, then delete the personal information and provide confirmation once done
Possible prevention and mitigation measures

Possible prevention and mitigation measures

  • review access privileges to ensure that only those with a “need to know” have access to personal information
  • ensure that employees receive education and training on information management practices and the handling of personal information
  • review the ways in which information is de-identified or redacted prior to disclosure

2) Was there an improper and unauthorized access?

This occurs when an unauthorized party (that is, a person without a “need to know”), through their own actions, accesses personal information.

Their actions may be intentional or unintentional.

Examples: 

  • employee “snooping” or other abuse of access privileges
  • cyber attacks, for example ransomware, malware
Suggested containment measures

Suggested containment measures

  • immediately restrict access to the personal information
  • determine:
    • the source of the unauthorized access
    • whether any personal information was recorded by the unauthorized party; if so, request that any recorded information be deleted and confirmation be provided
  • determine whether personal information was further disclosed to others (verbally or via copies); if so, attempt to retrieve or ensure the destruction of any documents in question
  • if the breach may constitute a security incident, contact your institutional security or cyber security groups
Possible prevention and mitigation measures

Possible prevention and mitigation measures

  • undertake a security audit for information technology security
  • implement encryption
  • put in place monitoring and audit trails

3) Was there a loss of personal information?

This occurs when the institution loses control over personal information through the actions of its employees or partners, such that the institution no longer retains access to the personal information.

A loss may result in an unauthorized party gaining access or control over the information. This is unintentional on the part of the institution and the recipient.

Examples: 

  • mail delivery to the wrong address
  • disposal or sale of equipment or devices without first purging them of personal information
  • loss of equipment or files during a move or as a result of being misplaced
Suggested containment measures

Suggested containment measures

  • try to retrace steps and find:
    • the lost document(s)
    • the person or people to whom personal information may have been disclosed
  • attempt to retrieve the personal information (e.g. email recall, return of files or equipment, etc.)
  • where retrieval of the information is not possible, request that the recipient:
    • appropriately dispose of the personal information
    • provide confirmation once complete
  • determine whether personal information was further disclosed to others, verbally or via copies
  • conduct an inventory of the personal information that was or may have been lost
Possible prevention and mitigation measures

Possible prevention and mitigation measures

  • ensure that employees receive education and training on information management practices and the handling of personal information
  • ensure that records are disposed of in accordance with records disposition authorities and with internal information management policies and procedures

4) Was there a theft of personal information?

This occurs when an unauthorized party intentionally takes control of personal information such that the institution no longer has access to it.

Examples could include:

  • theft of equipment or device that is insufficiently encrypted
  • removal of paper files from the institution
Suggested containment measures

Suggested containment measures

Immediately contact your institutional security and/or cyber security groups.

Possible prevention and mitigation measures

Possible prevention and mitigation measures

  • conduct Security Assessments and Authorizations
  • undertake a security audit for physical security

5) Has another kind of breach occurred?

Other kinds of breaches are inappropriate collection, creation, use, retention or disposal.

Examples could include:

  • collecting or creating personal information that is not directly related to a program or activity (for example, inadvertent over collection of personal information)
  • using personal information for an unauthorized purpose
  • accidental or premature deleting or disposing of personal information
  • failing to dispose of personal information according to established disposal schedules
Suggested containment measures

Suggested containment measures

Containment measures will depend on the circumstances. However, in general, immediate efforts should be made to:

  • cease any activity that has caused the breach to ensure no further personal information is affected
  • secure the personal information affected by the breach
  • contact your institutional information management group, if applicable
Possible prevention and mitigation measures

Possible prevention and mitigation measures

  • conduct or review Privacy Impact Assessments
  • strengthen engagement with privacy officials on the collection, use, disclosure, retention and disposal of personal information

Page details

Date modified: