Annex 4 - SIN At Risk: Action Plan for Organizations

If your organization is subject to PIPEDA or to other provincial legislation, it should refer to and follow any federal or provincial requirements or guidelines for handling privacy breaches and breach notification.

For situations where there are no such guidelines (e.g. breaches of employee information of non-federal works), the following guidelines will be of assistance. The guidelines explain what needs to be done when notifying the appropriate authorities in cases of suspected theft or inappropriate disclosure of personal information, including the SIN:

Step 1: Assess the Damage

Determine the type and extent of personal information that was put at risk. Estimate when it happened. If electronic files were involved, find out whether the data were encrypted. Some other questions to consider include:

  • What information was put at risk?
  • When did it occur?
  • How did it happen?
  • Which files were affected?
  • In what format was the information stored?
  • Were any security measures in place?
  • Is other information at risk?

Step 2: Contact the Police

If any criminal activity occurred, for example, theft or fraud, contact the police. You may also wish to contact the Canadian Anti-fraud Call Centre (1-800-495-8501). This national anti-fraud call centre provides advice and assistance about identity theft. It is jointly managed by the Royal Canadian Mounted Police, the Ontario Provincial Police and Competition Bureau Canada, to help people protect themselves from fraud.

Step 3: Contact Service Canada

Service Canada's Social Insurance Registration Office can help you determine what can be done to address the situation and minimize the damage to victims. The office can be reached at 1-800-206-7218 (select option “3”) or 1-506-548-7961 if calling from outside of Canada.

Step 4: Contact Credit Bureaus

Speak to fraud specialists at Canada's two national credit bureaus, Equifax (1-800-465-7166) and TransUnion (1-800-663-9980, or 1-877-713-3393 for residents of Québec), to discuss the type of warning and assistance that is required to handle the incident appropriately.

Step 5: Contact all affected individuals

Organizations should contact the victims in writing as soon as possible. The letter should include a brief summary of the incident and a description of the measures taken, and provide advice on what the affected individual should do. The letter should also explain what type of information may have been put at risk and provide contact information for further assistance, including:

  • A representative from the organization
  • Service Canada
  • Credit bureaus

A Sample Notification Letter is found in Annex 5.
