Complete a risk assessment of the privacy breach
Instructions
Who
Privacy officials can use the risk assessment tool to complete the full assessment of a privacy breach.
What
This tool can be used to assess and document the risks that a privacy breach poses to the individuals whose information has been affected, as well as any risks to the institution, as part of a full assessment of the breach.
The goal of the assessment is to:
- determine whether the breach constitutes a material privacy breach
- assign a risk level to the privacy breach
When
Once the delegated head of privacy has been notified of a potential or confirmed privacy breach by the office of primary interest (OPI), they will determine whether a full assessment is needed by considering the severity of the breach and the potential risk of harm to the affected individual(s).
It may be helpful to start the risk assessment after the OPI has completed the privacy breach checklist, so that privacy officials can use the information in the checklist to inform their risk assessment.
Privacy tip
The risk level of a breach can change as additional information about the breach becomes available and as mitigation measures are implemented. The assessment is meant to produce a snapshot in time that supports mitigation, communication, reporting and the prevention of another breach. There is no need to revise the risk level to account for measures taken after the assessment.
How
Be objective
During this assessment, the privacy official should use an objective test, that is, an evaluation of how a reasonable person would react under similar circumstances if identical personal information was inappropriately disclosed or breached.
Consider the sensitivity
In determining potential harm, it is important to consider the sensitivity of the personal information involved. In general, the more sensitive the information, the greater the potential harm.
Reflect on the context
Context is also important when considering potential harm. For example, individuals' names in isolation may entail only a low level of potential harm. However, if those names appear on a list of applicants to an income support program, more information about the individuals is revealed, and a breach of that list could entail a higher level of potential harm.
Step 1: Download a copy of the Privacy breach risk assessment tool.
When using this tool, privacy officials should:
- refer to the information provided in the completed OPI privacy breach checklist
- seek information and clarifications from the OPI as required
Step 2: Assess the risk to the individual(s).
The level of risk associated with a privacy breach is determined by assessing:
- the potential harm of the breach
- the likelihood of the harm materializing
Step 3: Assess the risk to the institution.
The level of risk that the privacy breach poses to the institution is determined by assessing:
- the potential harm of the breach
- the likelihood of the harm materializing
Step 4: Determine whether the breach is material.
Determining whether a breach constitutes a material privacy breach depends solely on assessing the risks posed to the individual or individuals. When assessing risks to the individual(s), any risk level that is medium or high should be classified and treated as a material privacy breach.
Privacy tip
A material privacy breach is one that could reasonably be expected to create a real risk of significant harm to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Step 5: Assign a risk level to the privacy breach.
The overall level of risk associated with a privacy breach is determined by assessing both the risk to the individual(s) and the risk to the institution. For the breach’s overall risk level, indicate the highest risk level produced using the tool, whether the risk is to the individual(s) or to the institution.