Complete a full assessment of the breach
Completing a full assessment
Once a potential breach is identified and contained, the institution’s delegated head for privacy will need to determine whether a full assessment is needed.
The assessment helps to determine:
- appropriate mitigation and prevention measures
- whether the breach is material and must be reported to the Office of the Privacy Commissioner (OPC) and the Treasury Board of Canada Secretariat (TBS)
Privacy tip
Unless the office of primary interest (OPI) provides sufficient information in their preliminary assessment to rule out a material breach and determine appropriate mitigation and prevention measures, a full assessment of the breach will likely be required.
At a minimum, a full assessment of the breach should document:
- the circumstances that gave rise to the breach
- an inventory of personal information that was affected
- the individuals whose personal information was affected
- the institutional sector or third party, if any, that had a direct or indirect role in handling the personal information involved in the breach
- the risk of harm to the individuals affected and to the institution
- whether the breach constitutes a material privacy breach
A full assessment can be completed using the:
- OPI privacy breach checklist
- Privacy officials breach risk assessment tool
OPI Privacy breach checklist
A program official from the OPI should be assigned to assess and document the breach. The program official can use the privacy breach checklist to complete their assessment.
The program official assigned should:
- not be implicated in the breach in any way
- usually be a manager or supervisor
Privacy tip
To ensure the checklist is completed in a timely way, it is recommended that the delegated head for privacy provide a deadline based on the potential severity of the breach. Accordingly, institutions’ plans for addressing privacy breaches should specifically state a timeframe for completing the checklist.
Privacy officials breach risk assessment tool
Based on the information provided by the OPI in the privacy breach checklist, a privacy official will complete a risk assessment of the breach to better understand the impacts to the affected individuals and the institution.
Coordinating with other stakeholders
Depending on the type and nature of the breach, the OPI and privacy officials may need to coordinate with various other stakeholders to complete the full assessment.
Security officials
If there is a suspected security incident, the OPI and the delegated head for privacy must coordinate with the institution’s chief security officer to assess the privacy breach and investigate the security incident.
This helps ensure that the causes and implications of the privacy breach are fully understood and documented. For example, in the case of unauthorized access to personal information, a security analysis may reveal the cause of the breach, such as a technological vulnerability, and the extent of the unauthorized access, both of which may be important in determining the risk posed by the breach.
Third parties
For breaches that affect personal information held by third parties as part of a contract, agreement or arrangement with the institution, the OPI and delegated head for privacy can request that the third party complete the OPI Privacy Breach Checklist.
Third parties should provide sufficient detail for the assessment of a breach. If the delegated head for privacy is not satisfied that the information provided by the third party meets the requirements of the Directive on Privacy Practices, the institution can request that the third party provide sufficient access to the personal information holdings to undertake its own assessment. Contracts with third parties must include a provision that addresses this obligation in the event of a potential or confirmed privacy breach.
Public Services and Procurement Canada
For breaches that affect personal information held by third parties as part of a contract managed by Public Services and Procurement Canada (PSPC), the institution must coordinate with the Special Investigations and Internal Disclosure Directorate of PSPC to ensure that the breach is correctly assessed and documented.
Office of the Privacy Commissioner and Treasury Board of Canada Secretariat
At this stage, the institution’s delegated head for privacy may wish to informally notify the OPC and TBS of a privacy breach that is potentially material. Institutions must formally report any material privacy breach to TBS and the OPC no later than seven days after the institution determines that a breach is material.