Roles and responsibilities to manage a breach
Protecting personal information under the government’s control by preventing privacy breaches and responding appropriately to breaches when they occur is essential in maintaining public trust. All government employees and officials have a role in preventing and responding to privacy breaches.
Groups responsible for managing a breach
The tools provided in this toolkit are intended to be used by either or both of the following groups:
- the institution’s office of primary interest (OPI), which is the group that discovers or experiences a privacy breach
- the institution’s privacy officials, often located with the access to information and privacy (ATIP) office
Offices of primary interest
The OPI is the group that discovers or experiences a privacy breach. Appendix B of the Directive on Privacy Practices establishes specific responsibilities for employees and senior managers of OPIs.
Employees of OPIs are responsible for:
- containing the breach and securing affected personal information
- notifying privacy officials
Employees of OPIs may also be assigned by their senior officials to coordinate with privacy officials to assess the breach and determine and implement breach prevention and mitigation measures.
Senior officials and executives of OPIs are responsible for:
- notifying third parties
- coordinating with privacy officials to assess the breach and determine and implement breach prevention and mitigation measures
- assigning a program official to coordinate with privacy officials throughout the breach management process
To comply with the Directive on Security Management, senior officials and executives of OPIs must also collaborate with security officials if a security incident is suspected. Different security incidents entail different reporting requirements, and a security incident must be reported to the appropriate security officials for that incident. Information on the different types of security officials and reporting paths can be found in the Directive on Security Management - Appendix I: Standard on Security Event Reporting.
Privacy officials
Privacy officials are responsible for creating plans that address privacy breaches. These plans must establish roles and responsibilities, internal procedures and communications for privacy breaches that align with the requirements of the Directive on Privacy Practices.
In the event of a privacy breach, privacy officials are specifically responsible for:
- assessing breaches in collaboration with OPIs
- coordinating with OPIs and security officials to assess the breach and determine and implement breach prevention and mitigation measures
- maintaining a record of breaches
- reporting material privacy breaches to the Treasury Board of Canada Secretariat (TBS) and the Office of the Privacy Commissioner (OPC)
Collaboration with other stakeholders
The management and prevention of privacy breaches will also involve engagement with other stakeholders.
Third Parties
A privacy breach may involve a third party. To ensure coordination in the event of a breach involving a third party under contract, agreement or arrangement with the institution, the institution’s plans for addressing privacy breaches should:
- include internal coordination measures in the event of a third-party breach
- outline which group should manage communications with the third party – either the OPI, the privacy unit, or the procurement or contracting unit
Institutional security officials
A privacy breach may also involve a security incident. If a security incident is suspected, privacy officials and the OPI must work with their institution’s security officials to investigate and manage security-related events.
The Office of the Privacy Commissioner
The OPC receives and reviews reports of material privacy breaches. After reviewing a report of a breach, the OPC will assess risks or harms that a breach can present to affected individuals. During its assessment, the OPC may contact the institution for more information. The OPC may also contact an institution if it becomes aware of a real or potential privacy breach through other means, such as media reports.
The OPC has the authority to conduct investigations when a complaint is received. It may also initiate a complaint itself. The OPC often engages informally with an institution to provide advice on how to manage the breach, including notification to affected individuals and recommended remedies.
Special Investigations and Internal Disclosure Directorate
The Special Investigations and Internal Disclosure Directorate (SIID) (TPSGC.Divulgations-Disclosures.PWGSC@tpsgc-pwgsc.gc.ca) of Public Services and Procurement Canada (PSPC) is responsible for investigating privacy breaches that involve contracts with parties managed through PSPC. This directorate:
- ensures that contractual obligations are met
- coordinates with the affected institution and other government stakeholders to further the investigation of the incident
- may publish a report of findings and lessons learned, following the investigation
Treasury Board of Canada Secretariat
TBS receives and reviews reports on material privacy breaches. Depending on the nature of the breach, TBS may work with the institution in responding to and mitigating the impacts of the breach.
Where a privacy breach affects more than one institution, TBS is responsible for advising institutions on the management of breaches that require a coordinated response.
TBS also monitors and tracks material privacy breaches across the Government of Canada. Based on its analysis of breaches, TBS may update its policies, directives, guidance or tools to reflect emerging trends.
Overview of roles and responsibilities
The following table summarizes the responsibilities of the different groups in the breach management process. “Responsible” indicates that the group in that column is responsible for the action listed in that row, while “Not Responsible” indicates that the group in that column is not the lead for the action in that row.
Responsibilities | Employees of OPIs | Senior Officials and Executives of OPIs | Privacy Officials |
---|---|---|---|
Contain the breach and secure affected personal information | Responsible | Not Responsible | Not Responsible |
Notify privacy officials | Responsible | Not Responsible | Not Responsible |
Notify third parties (where required) | Responsible | Responsible | Not Responsible |
Coordinate with security officials (where required) | Not Responsible | Responsible | Responsible |
Assess the breach | Responsible | Responsible | Responsible |
Determine and implement mitigation measures | Responsible | Responsible | Responsible |
Notify affected individuals (where required) | Not Responsible | Responsible | Not Responsible |
Report material privacy breaches to TBS and the OPC | Not Responsible | Not Responsible | Responsible |
Maintain a record of privacy breaches | Not Responsible | Not Responsible | Responsible |