Government of Saskatchewan

Privacy Breach Guidelines

Privacy Commissioner of Canada

Last Verified: 2007-09-21

The purpose of the Guidelines is to guide private sector organizations, both small and large, when a privacy breach occurs. Organizations should take preventive steps before a breach occurs by having reasonable policies and procedural safeguards in place and by conducting the necessary training. These guidelines are intended to help organizations take the appropriate steps in the event of a privacy breach and to provide guidance in assessing whether notification of affected individuals is required. Not every step will be necessary in every case, and some steps may be combined.

Eligibility Criteria

The guidelines call on businesses to notify people that their personal information has been compromised in cases where the breach raises a risk of harm. For example, there may be a risk of identity theft or fraud in cases where sensitive personal information has been lost or stolen.

Organizations are also encouraged to inform the appropriate privacy commissioner(s) of a privacy breach. (In British Columbia, Alberta and Quebec, provincially regulated businesses should speak to their provincial privacy commissioners. In Ontario, health information custodians are required to report any loss, theft or unauthorized access involving personal health information to the individual concerned. The Ontario Information and Privacy Commissioner is available to help organizations in these cases.)

Summary

The guidelines outline some of the key steps in responding to a breach, such as containing the breach, evaluating the risks associated with it, notifying the people affected and preventing future breaches.

A privacy breach occurs when there is unauthorized access to or collection, use, or disclosure of personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), or similar provincial privacy legislation. Some of the most common privacy breaches happen when personal information of customers, patients, clients or employees is stolen, lost or mistakenly disclosed (e.g., a computer containing personal information is stolen or personal information is mistakenly emailed to the wrong people). A privacy breach may also be a consequence of faulty business procedure or operational break-down.

There are four key steps to consider when responding to a breach or suspected breach:

  • breach containment and preliminary assessment;
  • evaluation of the risks associated with the breach;
  • notification; and
  • prevention.

Be sure to take each situation seriously and move immediately to investigate the potential breach. You should undertake the first three steps either simultaneously or in quick succession. The last step provides recommendations for longer-term solutions and prevention strategies. The decision on how to respond should be made on a case-by-case basis.

Associated with the guidelines is a checklist that organizations can use to help ensure they have made the appropriate considerations in dealing with a possible privacy breach.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians. For further information, visit the Office of the Privacy Commissioner of Canada's Web site.

Saskatchewan Contact(s):
See National Contact.


National Contact(s):
Privacy Commissioner of Canada
3rd Floor, Tower B
Place de Ville
112 Kent Street
Ottawa, Ontario  K1A 1H3
Telephone: 613-995-8210
Fax: 613-947-6850
Toll-free (information): 1-800-282-1376
TTY (hearing impaired): 613-992-9190
Web site: http://www.privcom.gc.ca/index_e.asp