Report and prevent another breach
Implement prevention measures
An institution’s office of primary interest (OPI) is responsible for determining and implementing appropriate prevention measures after a privacy breach has occurred, to reduce the risk of it happening again. The OPI is required to coordinate with privacy officials to determine what measures are needed.
There are two primary forms of prevention measures:
- corrective actions to address the role of an individual in a privacy breach
- changes to internal processes or safeguards to address a shortcoming brought to light by a privacy breach
These measures:
- may need to be developed with other sectors within the institution, such as the human resources and security units
- can vary based on seriousness of the breach and any mitigating or aggravating factors
- must be implemented in a reasonable time frame, which will depend on the measure; for example, revoking an employee’s access to personal information should occur quickly, while undertaking a security audit will take more time
Privacy tip
The enabling legislation for some institutions, such as Employment and Social Development Canada, incorporates a Code of Privacy which contains punitive consequences for employees who intentionally disclose personal information.
Report a material breach
Institutions must report a material privacy breach to the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board of Canada Secretariat (TBS). The delegated head for privacy may notify the OPC and TBS informally of a material privacy breach at any point during the breach management process, but a formal report is still required.
When to report
The delegated head for privacy must report any material privacy breach to TBS and the OPC after making efforts to contain, assess and mitigate the breach but no later than seven days after the institution determines that a breach is material.
Given this time frame, the institution will likely formally report the breach to the OPC and TBS as soon as appropriate prevention measures have been determined, but before they have been implemented. Institutions that have experienced a material breach must use the Office of the Privacy Commissioner of Canada’s Online Breach Reporting Form or the accessible PDF Privacy Act Material Breach Report form. For full functionality of the accessible PDF Privacy Act Material Breach Report form, the form must be downloaded and opened in Adobe Acrobat, Foxit PDF Editor, or Kofax Power PDF with JavaScript enabled.
Keep a record
Privacy officials must maintain a record of all privacy breaches. Tracking and monitoring privacy breaches within the institution is critical to ensuring that the institution is accountable for privacy breaches that occur and can take steps to decrease the likelihood of further breaches.
The record of the privacy breach must include, at minimum:
- the date of the breach or the period during which it occurred
- a general description of the circumstances of the breach and the nature of the information involved
- the full assessment of the breach, if one was undertaken
- in the case of a material privacy breach, the report provided to the OPC and TBS
Duration
An institution’s delegated head for privacy must keep a record of every privacy breach for five years after the institution discovered the breach.
Record keeping and trend analysis tool
The Privacy officials’ Record-keeping and trend analysis tool can be used to keep a record of privacy breaches within the institution. The tool can also be used to identify trends in the occurrence of privacy breaches and how they are managed. Collecting and reviewing this information can facilitate identifying underlying patterns and inform improvements to privacy practices and policies.