Mitigate the risks and communicate internally

Mitigate the risks

Once the breach has been contained and assessed, the office of primary interest (OPI) must collaborate with privacy officials to implement measures that mitigate the risks associated with the breach.

Measures to minimize harm

Mitigation measures must be implemented in a timely way to minimize risks or harm created by the breach. Examples of what a robust risk mitigation plan should include are:

  • a description of actions taken or to be taken to mitigate identified risks
  • an indication of who is responsible for each action
  • timelines for implementing the actions

To help demonstrate the appropriateness of the implementation time frames, institutions may wish to document their rationale for selecting the prevention measures.

Privacy tip

When responding to a privacy breach, be careful to avoid taking actions that may worsen the existing breach or create a new one (such as disclosing additional personal information).

Communicate internally

Depending on the nature and context of the breach, the OPI may need to communicate about the breach internally, including with:

  • senior management
  • human resources unit
  • legal services unit
  • security or cyber security unit
  • contracting and procurement unit
  • communications and public affairs unit

Some of these groups may have already been notified to help with containing or assessing the breach.

Institutions’ plans for addressing privacy breaches should detail the roles and responsibilities of each of these groups.

Privacy tip

The outcomes of the full assessment of the breach will help to determine who to notify.

Notify affected individuals

In the event of a material privacy breach, senior officials and executives of the OPI must ensure affected individuals are notified unless doing so would be inappropriate for security, confidentiality, legal or other reasons that could lead to unintended or further harm. If individuals are not notified of a material breach, privacy officials must provide a justification to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat.

If a security investigation is underway, the OPI should consult the institution’s security officials in case the notification should be delayed to avoid compromising the investigation.

When to notify

Individuals affected by the breach should be notified as soon as possible following the containment and assessment of the breach to ensure they can take steps to protect themselves, if possible.

The OPI may also inform affected individuals of developments during further investigations and when outstanding issues are resolved.

Who should notify

The group in the institution that has a direct relationship with the affected individuals should send the notification. That group is typically the institution’s OPI. If the institution has collected personal information through a third party, the institution is still the entity that should notify affected individuals.

How to notify

Notification of individuals should be direct and proactive, whether by phone, email, letter or in person. The method chosen depends on the circumstances and should be determined by the institution on a case-by-case basis. Indirect notification, through information posted on the institution’s website, social media or the media, should generally be used only when individuals cannot be located or when there are so many individuals that direct notification would not be timely or would be unrealistic.

Sample notification letter

The sample notification letter to affected individuals provides text that institutions can use when notifying individuals affected by a privacy breach. Institutions should tailor the content of the notification to reflect the context of the breach and the actions taken to date.

Sample Notification of a breach to affected individuals

Dear [name]:

I am writing to you with important information about a recent privacy breach involving your personal information. [Name of institution] became aware of this breach on [date]. The breach occurred on or about [date] and occurred as follows:

[Describe the event, including, as applicable, the following:

  • a brief description of what happened, including the date and time, if known
  • the location of the breach (whether it be the institution, a contracted party or a third party with whom the institution has an information sharing agreement)
  • a list of personal information elements that were inappropriately accessed, collected, used or disclosed (for example, full name, social insurance number, date of birth, home address, account number(s), diagnosis, disability code)
  • risk(s) to the individual caused by the breach
  • steps the individual could or should take to protect themselves from potential harm from the breach (for example, subscribing to services such as credit alerts)
  • a brief description of what the organization is doing to mitigate the breach and any risk of harm to the individuals affected]

[Sample paragraphs regarding credit protection]

  • To help ensure that this information is not used inappropriately, [institution] will cover the cost for you to receive credit monitoring for one year. To receive this credit protection service, please provide your consent by calling our toll-free number at 12345678910.
  • You may periodically request a credit report. Whether or not your data has been involved in a breach, you can receive a report from each of the national credit bureaus listed below. You should remain vigilant about suspicious activity and check your credit reports, as well as your other account statements, periodically over the next 12 to 36 months. You should immediately report any suspicious activity to the credit bureaus.
  • You may place a fraud alert on your credit report. A fraud alert tells creditors to contact you before they open any new credit accounts or change your existing accounts. This can help prevent an identity thief from opening additional accounts in your name. As soon as one of the credit bureaus confirms your fraud alert, the other credit bureau will be automatically notified in order to place alerts on your credit report, and the reports will be sent to you free of charge. To place a fraud alert on your credit file, contact one of the two national credit bureaus at the numbers provided below.
  • Order your credit reports. By establishing a fraud alert, you will receive a follow-up letter that will explain how you can receive a free copy of your credit report. When you receive your credit report, examine it closely and look for signs of fraud, such as credit accounts that are not yours.
  • You can place a “credit freeze” on your credit file so that no credit reports can be released without your approval. Please contact the national credit bureaus below for more information. Both bureaus charge a fee for this service. To contact the credit bureaus, you can call the numbers below, or you can visit their websites for further contact information:
    • Equifax: 1-800-465-7166; www.equifax.ca
    • TransUnion: 1-800-663-9980; www.transunion.ca
  • Continue to monitor your credit reports. Even with a fraud alert on your account, you should continue to monitor your credit reports to ensure that an imposter has not opened an account with your personal information.

A toll-free number has been set up as the primary contact point for information related to this breach. You may call [insert toll-free number] during normal business hours with any questions or concerns about the loss of your personal information.

We have also established a section on our website [insert link] with updated information and links to resources that offer information on what to do if your personal information has been compromised.

We take our role in safeguarding your personal information and using it in an appropriate manner very seriously. Please rest assured that we are doing everything we can to rectify the situation.

Please note that under the Privacy Act you may complain to the Office of the Privacy Commissioner of Canada regarding this breach. Complaints may be filed online using the following link: File a privacy complaint about a federal institution.

Complaints may also be forwarded by mail to the following address:

Office of the Privacy Commissioner of Canada
30 Victoria St
Gatineau QC
K1A 1H3

Additional information is available on the Privacy Commissioner’s website at https://www.priv.gc.ca/en.

[Insert paragraph based on situation]

Should you have any questions regarding this notice or if you would like more information, please do not hesitate to communicate with the undersigned.

Sincerely,

[Insert applicable name and contact information]
