Implement prevention measures

Measures to prevent a breach from recurring can take two forms:

  1. corrective actions to address the role of an individual in a privacy breach
  2. changes to internal processes or safeguards to address a shortcoming brought to light by a privacy breach

Depending on the circumstances of the breach and its severity, one or both types of measure may be appropriate.

Addressing the role of an individual

Corrective actions to address the role of an individual should be determined on a case-by-case basis. For a less serious infraction, such as failing to log off a computer that holds personal information, training or mentoring may be an appropriate response. More serious infractions, or repeated breaches by the same individual, may warrant a stronger response.

Examples of corrective actions
  • disciplinary reprimand (oral or written)
  • training and education
  • coaching and/or mentoring
  • revocation of certain privileges and/or user access to system or records
  • revocation of security clearance
  • reassignment (transfer or deployment)
  • suspension
  • termination

Disciplinary actions

In cases where the breach is a result of misconduct so serious that the employee-employer relationship is irrevocably damaged, disciplinary actions up to and including termination of employment or release from the organization may be the most appropriate measure. Privacy and program officials should consult human resources and/or labour relations when considering disciplinary actions.

Situations that may warrant administrative or disciplinary action include:

  • failure to implement and maintain security controls for personal information for which an individual is responsible, regardless of whether the failure results in a privacy breach
  • exceeding authorized access to personal information or intentional disclosure of personal information to unauthorized persons
  • failure to report any known or suspected loss of control or unauthorized disclosure of personal information
  • for managers and supervisors:
    • failure to adequately instruct, train or supervise individuals in their responsibilities
    • failure to take appropriate action pursuant to personal information-handling requirements upon discovering a breach
    • failure to implement and maintain required security controls
    • failure to prevent a breach from occurring

Key considerations

When considering disciplinary action against an employee, the Office of Primary Interest (OPI) and privacy officials should:

  • involve the institution’s human resources and/or labour relations units
  • consult the Treasury Board of Canada Secretariat’s (TBS) Guidelines for Discipline and any institutional policies or procedures

When a privacy breach affects personal information held by a third party, such as a contractor, on behalf of the institution, the institution should:

  • alert Public Services and Procurement Canada’s (PSPC) Special Investigations and Internal Disclosure Directorate (Contact: TPSGC.Divulgations-Disclosures.PWGSC@tpsgc-pwgsc.gc.ca). If PSPC manages the contract, PSPC is responsible for investigating privacy breaches that involve third-party contractors
  • determine, in consultation with privacy officials and the institution’s business authority, what measures can be taken by the institution in accordance with the terms of the contract

Changes to internal processes and safeguards

Changes to internal processes or safeguards may be required to address shortcomings that put the institution at risk of further privacy breaches.

Such changes are important, particularly when:

  • the breach assessment uncovers weak points in the OPI’s or institution’s plans and practices
  • multiple breaches share a similar cause

Examples of changes to internal processes and safeguards
  • reviewing the way in which information is collected
  • ensuring that employees receive education and training
  • conducting or reviewing Privacy Impact Assessments or Security Assessments and Authorizations
  • reviewing or terminating contracts or agreements if the breach occurred at a third party
  • strengthening engagement with privacy officials on the collection, use, disclosure, retention and disposal of personal information
  • undertaking a security audit for both physical and information technology security
  • implementing encryption
  • putting in place monitoring and audit trails
  • conducting an inventory of records that contain personal information
  • ensuring that records are disposed of in accordance with records disposition authorities and with internal information management policies and procedures
  • privacy officials considering actions such as:
    • updating policies and guidance to address legal and policy requirements
    • reviewing and updating the institution’s plans for addressing privacy breaches
    • reviewing employee training practices

Additional measures

Institutions should also abide by the following practices to prevent privacy breaches:

  • before making contracting decisions, consult the TBS Guidance Document: Taking Privacy into Account Before Making Contracting Decisions
  • before disclosing personal information to another federal institution or public sector entity, consult the TBS Guidance on Preparing Information Sharing Agreements Involving Personal Information
  • ensure that personnel working off-site are aware of their privacy and security responsibilities, including:
    • ensuring that appropriate measures are taken to safeguard the personal information that personnel handle off-site
    • keeping personal information in-house when telework or similar arrangements would involve considerable privacy risks (for example, a large volume of personal information or sensitive personal data)
  • use encryption to protect sensitive personal information stored on a computer or a portable storage device, or transmitted by email, over a government network, over a wireless network or across the Internet (see the Policy on Government Security)
  • avoid sending personal information by facsimile (fax) unless absolutely necessary; if personal information must be faxed, refer to the Office of the Privacy Commissioner of Canada’s Consider the Risk: Faxing Personal Information
