Complete the privacy breach checklist
Instructions
Who
This checklist, or the institution’s version thereof, is to be completed by a program official, typically a supervisor or manager, assigned by the executives or senior officials of the office of primary interest (OPI).
What
This checklist can be used to document and assess the circumstances of the breach. It can also be used to determine appropriate mitigation and prevention measures.
Privacy officials can use information from the checklist to complete their risk assessment of the breach. OPIs and privacy officials should coordinate their actions throughout the full assessment of a privacy breach.
The completed checklist ensures that institutional privacy officials:
- consider all relevant information when they are determining the risks associated with the breach
- determine appropriate mitigation and prevention measures
When
This checklist should only be completed if privacy officials have determined that a full assessment of the breach is required. OPIs should make completing this checklist, or their institution’s version thereof, a priority, as urgent action may be required to prevent or mitigate harm.
How
Information provided in the preliminary breach report can be used to complete some fields in this checklist.
Step 1: Download the privacy breach checklist.
Privacy tip
Completing the steps labelled “Required” in the checklist ensures compliance with the Directive on Privacy Practices.
Step 2: Assign a program official to lead the assessment.
Step 3: Document the chronology of the breach.
Step 4: Identify the cause and extent of the breach and the parties involved.
Step 5: Determine what personal information was involved.
Privacy tip
Do not include personal information in this checklist unless it is essential to managing the breach. Including personal information may be essential if a description alone does not provide sufficient detail to assess the sensitivity of the information or determine appropriate mitigation measures. If personal information is included, be sure to label the document “Protected B”.
Step 6: Document the containment measures taken.
Step 7: Determine the administrative, physical or technical safeguards that were in place at the time of the breach.
Step 8: Identify whether there are any other investigations occurring because of the breach.
Step 9: Assess what harm, if any, is foreseeable from this breach.
Step 10: Consider how the risks posed by the breach can be mitigated and how a similar breach can be prevented.
Step 11: Provide any other information that could be relevant for assessing the risks posed by the breach and determining appropriate mitigation and prevention measures.