Communicating privacy breaches internally
Depending on the nature and context of the breach, the office of primary interest (OPI) may need to inform senior management and other groups within the organization of the breach.
The information that the OPI is required to provide will depend on the group they’re communicating with.
Senior management
It is recommended that the greater the risk posed by the breach, the higher it be escalated within the institution. For example, a privacy breach with a negligible risk level may only need to be brought to the attention of the program manager or director, whereas a breach with a risk level of “High” will likely require briefing senior officials and possibly the Minister.
Important information that should be provided when escalating the breach includes:
- the work unit(s) affected by the breach
- the date the breach occurred (or if unknown, the date the breach was discovered)
- a brief description of the breach (e.g. the circumstances and the information and individuals affected)
- any containment measures taken
- the risk level of the breach, including an overview of individual harm assessment, and an assessment of whether it is considered material
- next steps, including:
  - in the event of a material privacy breach, the institution’s head of privacy needs to report the breach to the Office of the Privacy Commissioner (OPC) and the Treasury Board Secretariat (TBS)
  - the requirement to notify the individual(s) affected by the breach, or else to advise TBS and the OPC of the justification for not notifying the individuals
  - affected individuals’ right to complain to the OPC and the potential for an OPC investigation
  - actions to prevent breach reoccurrence
Security and cyber security
Communication between institutional privacy officials and institutional security officials is an important part of managing privacy breaches as privacy breaches are frequently caused by or involve security or cyber security incidents. Although privacy officials are responsible for coordinating with security and cyber officials in the event of a privacy breach, close collaboration between the OPI and security officials is also important.
Security incidents are defined in the Policy on Government Security as “any event (or collection of events), act, omission or situation that has resulted in a compromise.”
A compromise is, in turn, defined as “a breach of government security”. This includes, but is not limited to:
- unauthorized access to, disclosure, modification, use, interruption, removal, or destruction of sensitive information or assets, causing a loss of confidentiality, integrity, availability or value
- any action, conduct, threat or gesture of a person toward an employee in the workplace or an individual within federal facilities that caused harm or injury to that employee or individual
- an event causing a loss of integrity or availability of government services or activities
A cyber security incident constitutes any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource. See Privacy Implementation Notice 2022-01: Cyber security incidents involving personal information for more detail.
Legal services
The institution’s legal services unit should be informed during the coordination and assessment phase if the breach poses a risk of litigation or other legal harm. Legal services should also liaise with procurement officials if the breach involves legal risks related to a contract.
Communications
If a privacy breach has or could become a matter of public interest, communications officials should be advised to be prepared to answer questions from the public, the media, or Parliamentarians.
Although many factors may result in a privacy breach becoming a matter of public interest, the risk level of the breach should be considered. It is recommended that communications officials be made aware of any breach that has a medium or high level of risk and be provided with information and materials as requested.
Human resources
An institution may determine that appropriate prevention measures include corrective actions addressing the role of an employee in a privacy breach. If this is the case, the institution’s human resources unit should be consulted.
Contracting and procurement
If the privacy breach affects personal information held by a contracted partner on behalf of the institution, the institutional group responsible for contracting or procurement should be informed. They may be able to help determine whether any contract violations have occurred and what options for managing the breach are available to the institution.
If Public Services and Procurement Canada (PSPC) manages the contract, alert PSPC’s Special Investigations and Internal Disclosure Directorate at TPSGC.Divulgations-Disclosures.PWGSC@tpsgc-pwgsc.gc.ca. This group:
- is responsible for investigating privacy breaches that involve third-party contractors
- ensures that contractual obligations are met
- coordinates with the affected institution and other government stakeholders to further the investigation of a privacy breach