Identifying a privacy breach: definitions and scenarios
Defining a breach
A privacy breach is the improper or unauthorized access to, creation, collection, use, disclosure, retention or disposal of personal information.
Privacy breaches may occur because of innocent mistakes or intentional actions by:
- public service employees
- third-party service providers acting on behalf of federal institutions
- outside parties who have malicious intent
- other internal or external parties
Privacy tip
Personal information is defined in the Privacy Act as “information about an identifiable individual that is recorded in any form.” Information may be personal depending on the context because a particular piece of information can identify an individual in one context but not in another.
For more information on personal information refer to the Digital Privacy Playbook.
Material breaches
A material privacy breach is a privacy breach that could reasonably create a real risk of significant harm to an individual. Significant harm includes:
- bodily harm
- humiliation
- damage to reputation or relationships
- loss of employment, business or professional opportunities
- financial loss
- identity theft
- negative effects on a credit record
- damage to or loss of property
If a privacy breach is determined to be material, privacy officials need to report the breach to the Treasury Board of Canada Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).
Security incidents and breaches involving third parties
A privacy breach may involve a security incident or a third party.
Security incidents
A privacy breach may involve a security incident, which must be reported to the institution’s security officials. If a security incident is suspected, privacy officials must coordinate with their institution’s security officials to ensure that the privacy of individuals and the security of people and assets are considered in the response. The office of primary interest’s (OPI) management must also report the suspected incident to their institution’s Chief Security Officer (CSO) and coordinate with privacy and security officials as needed.
Breaches involving third parties
Institutions may be notified of a breach that affects information held by a third party as part of a contract, agreement or arrangement with the institution. If Public Services and Procurement Canada (PSPC) manages the contract or agreement that is subject to the breach, the OPI, in coordination with privacy officials, must alert PSPC’s Special Investigations and Internal Disclosure Directorate. This directorate is responsible for investigating privacy breaches that involve third-party contractors. If necessary, PSPC will coordinate with the institution and other government stakeholders to further investigate the breach.
Causes of a breach
Examples of situations that could lead to a privacy breach include:
- the theft, loss or disappearance of equipment or devices that contain personal information and were not sufficiently encrypted
- lost documents in an office (also known as loss of positive control)
- an email that contains personal information sent to an unintended recipient
- unintended disclosure of the identities of other recipients of a sensitive email sent in carbon copy (cc) instead of blind carbon copy (bcc), for example, an email pertaining to a personnel selection process
- phishing or the use of deceptive tactics to trick an employee into providing their personal information either directly or by going to a fake website
- collecting personal information that isn’t directly related to or necessary for a program
- using personal information for a purpose that isn’t consistent with the purpose for which it was originally collected
- unauthorized access to personal information, such as snooping
- a cyber attack affecting a third party under contract, agreement or arrangement with the institution
Examples of privacy breaches
The following cases and scenarios provide examples of situations that could constitute a privacy breach.
Case 1: Lost records
Scenario A
A hard copy of a human resources report that contains an employee’s disciplinary history is lost by a manager on their way to work. They accidentally left their bag containing the report on the bus. Attempts to track down the bag by contacting the transit authority are unsuccessful.
This scenario constitutes a privacy breach, as it must be assumed that someone was able to access the records.
Scenario B
A manager sends a file containing personal information of a prospective employee to the wrong email address. The file is encrypted.
If there is no reason to believe the records can be decrypted, this scenario does not constitute a privacy breach. However, the institution should take steps to ensure that the file is returned or deleted in order to minimize the risk of a breach occurring.
Case 2: Accidental disclosure
Scenario A
A department’s cyber security group provides training for employees that includes examples of employee behaviour that has led to cyber incidents. The training highlights the disciplinary measures faced by the employees involved.
Although not disclosing names or positions, the examples included events that occurred relatively recently at the department and may be familiar to some of the employees receiving the training.
This scenario constitutes a privacy breach because it is possible that:
- employees who recognize the events could identify the individuals involved
- therefore, some of the information communicated in the session would be considered personal information
Although not all information about public servants is considered personal information, in this scenario, information on employee discipline is considered personal information.
Scenario B
A department’s cyber security group provides training for employees that includes examples of scenarios where employee behaviour could cause cyber incidents. Details of the scenarios are informed by real events but are sufficiently altered so that the actions of any one employee are not recognizable.
This would not constitute a privacy breach, as no personal information has been improperly disclosed.
Case 3: Over collection
A department sends out a survey to individuals who are receiving one of the services the department provides to seek anonymous user feedback on the application process.
All of the survey questions are directly related to the process itself and offer multiple-choice answers or drop-down lists. However, the final question is an open text box with the prompt, “Do you have any other information to share with us?”
An individual answers this question by:
- describing the frustration they felt going through the application process
- explaining that they applied for another program provided by another department without experiencing the same difficulties
This scenario illustrates a privacy breach, as the fact that the individual also applied to another program constitutes personal information that is not directly related to the purpose of the survey.
Information gathering and collection methods that allow individuals to provide more information than is required, such as open text boxes, increase the likelihood of privacy breaches.
Case 4: Misdirected email
A department sends an envelope of documents that contain an individual’s benefit information to the wrong address.
The receiver returns the envelope to the post office unopened with an indication of the incorrect address. The department recovers the envelope and sends it to the correct address. Information that appears on the envelope includes:
- the intended recipient’s name
- the incorrect address
- the return address that indicates the department and the branch responsible for the benefit program
This scenario illustrates a privacy breach, as the fact that the intended recipient is receiving documents from the benefits program constitutes personal information.