Privacy Implementation Notice 2024-02: Use of the Office of the Privacy Commissioner’s Online Breach Reporting Form

1. Effective date

This implementation notice takes effect on May 24, 2024.

2. Authorities

This implementation notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Purpose

This implementation notice is meant to advise institutions that they may use the Office of the Privacy Commissioner of Canada’s (OPC’s) Online Breach Reporting Form to meet their obligation to report material privacy breaches to the OPC and the Treasury Board of Canada Secretariat (TBS).

4. Context

Federal institutions subject to the Privacy Act are required to notify the OPC and TBS of all material privacy breaches under section 4.2.8 of the Policy on Privacy Protection.

Institutions must report material privacy breaches after making efforts to contain, assess and mitigate the breach, and no later than 7 days after the institution determines the breach is material. The Directive on Privacy Practices, Appendix B: Mandatory Procedures for Privacy Breaches prescribes how institutions must fulfil their obligations, including reporting of material privacy breaches.

The Privacy Breach Action Plan was launched in July 2019 to strengthen privacy breach management across government. As part of that plan, the OPC and TBS collaborated on the development of the Privacy Act Material Privacy Breach form. In March 2024, the Directive on Privacy Practices was updated to prescribe the use of this PDF form. The update also expanded what information is to be included in breach reports. The OPC Online Breach Reporting Form mirrors and is equivalent to the PDF form.

Reporting breaches alerts officials to incidents and emerging issues so that they can be addressed and managed appropriately. The new forms have been designed to provide officials with consistent data to analyze privacy breaches and make any necessary updates to the privacy policy suite.

5. Guidance

Using the online form is considered the equivalent of using TBS’ Privacy Act Material Privacy Breach form prescribed by B.2.4.5.1 of the Directive on Privacy Practices. The online form mirrors the structure and content of the prescribed PDF form, covering all the information that institutions must report under the Directive on Privacy Practices.

Using the online form will help institutions meet their obligation to report any privacy breach that involves sensitive personal information that could reasonably be expected to cause injury or harm to the individual (that is, a material privacy breach) to the OPC and TBS.

Data entered through the online form will be automatically sent to both TBS and the OPC. A copy of the report will also be sent to the reporting institution with the OPC file number.

Institutions can also use the online form and their OPC file number to provide timely updates on a previously reported breach. The new or updated information will be automatically added to the breach record in the OPC and TBS systems.

For more information on how to respond to privacy breaches and mitigate their risks, institutions should refer to the Privacy Breach Management Toolkit, which provides tools and guidance on privacy breach management in four phases.

6. Application

This implementation notice applies to the government institutions as defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.

7. References

Legislation

Related Treasury Board policy instruments

8. Inquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this implementation notice.

Employees of federal institutions may contact their Access to Information and Privacy (ATIP) coordinator for information about this implementation notice.

ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Privacy and Responsible Data Division for information about this implementation notice.
