Deal with privacy breaches quickly
A privacy breach is the improper or unauthorized collection, creation, use, sharing, retention or disposal of personal information.
Privacy breaches may occur because of innocent mistakes or intentional actions by:
- public service employees
- third-party service providers acting on behalf of federal institutions
- outside parties who have malicious intent
- other internal or external parties
Causes of a breach
Examples of situations that could lead to a privacy breach include:
- the theft, loss or disappearance of equipment or devices that contain personal information that were not sufficiently encrypted
- lost documents in an office (also known as loss of positive control)
- an email that contains personal information sent to an unintended recipient
- unintended disclosure of the identities of other recipients of a sensitive email sent in carbon copy (cc) instead of blind carbon copy (bcc); for example, an email pertaining to a personnel selection process
- phishing or the use of deceptive tactics to trick an employee into providing their personal information either directly or by going to a fake website
- collecting personal information that isn’t directly related to, or necessary for, a program
- using personal information for a purpose that isn’t consistent with the purpose for which it was originally collected
- unauthorized access to personal information, such as snooping
- a cyber attack affecting a third party under contract, agreement or arrangement with the institution
- access controls that are not set appropriately, allowing information to be displayed inadvertently
Scenario: Why can’t I access these files?
Who
Marie is a program manager who wants to hire a new employee from another team in her division.
Situation
Marie wants to access the employee’s performance review to determine if they would make a good fit for her team. When she tries to view the performance review, she is denied access.
Outcome
Marie is frustrated but realizes that the employee’s performance review is not directly related to her work. As such, access controls are preventing her from inappropriately accessing personal information. This is an example of a safeguard that has worked successfully to prevent a privacy breach.
Material privacy breaches
Material privacy breaches are breaches that could create a real risk of significant harm to an individual. This includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, identity theft, and financial loss.
These types of breaches must be reported to the Office of the Privacy Commissioner of Canada (OPC) and to the Treasury Board of Canada Secretariat (TBS).
Preventing a privacy breach
Ideally, you want to prevent breaches from happening. Implementing safeguards is an important first step, but you’re also advised to create a plan for dealing with a privacy breach before it happens.
Your initiative must have a plan to respond to privacy breaches affecting any personal information under its control. This includes personal information shared with or collected by third parties as part of a contract or agreement.
The plan to respond to a privacy breach must:
- include roles and responsibilities
- align with any security requirements
- meet the privacy policy requirements
Privacy tip: When responding to a breach, be careful not to take any steps that would make the situation worse or lead to another breach, for example sharing additional personal information.
Managing a privacy breach
There are four phases in responding to a privacy breach:
Phase 1: Identify and contain the breach
If your initiative suspects a privacy breach, employees must try to contain it right away. Then, employees should notify privacy and security officials of the potential or confirmed breach.
Phase 2: Complete a full assessment of the breach
Your initiative needs to work with the privacy experts to decide whether a full assessment of the breach is needed.
Phase 3: Mitigate the risks and communicate internally
When the breach is contained, work with your privacy experts to put in place measures to reduce the risk to individuals and the institution, including by informing the affected individuals.
Phase 4: Report and prevent another breach
Your initiative needs to put in place prevention measures to reduce the risk of a future breach occurring. These measures must be put in place within a suitable time frame.
At this point, the privacy experts will need to complete a formal report to inform the OPC and TBS if the breach is considered a material breach.
Read the complete guidance and find tools to help you manage a breach in the Privacy breach management toolkit.