Guidelines for Privacy Breaches
1. What is a Privacy Breach?
A privacy breach involves improper or unauthorized collection, use, disclosure, retention and/or disposal of personal information. These guidelines will focus primarily on the improper or unauthorized access to or disclosure of personal information as defined in the Privacy Act.
A breach may be the result of inadvertent errors or malicious actions by employees, third parties, partners in information-sharing agreements or intruders.
2. Potential causes of privacy breaches
The following situations could result in the disclosure of or access to personal information by unauthorized parties.
- The theft, loss or disappearance of equipment or devices See footnote containing personal information.
- The sale or disposal of equipment or devices containing personal information without a total purging of the item prior to its sale or disposal.
- The transfer of equipment or devices without adequate security measures.
- The use of equipment or devices to transport/store personal information outside the office for telework or off-site work arrangements without adequate security measures.
- The inappropriate use of electronic devices to transmit personal information including telecommunication devices.
- Intrusions that result in unauthorized access to personal information held in buildings, file storage containers, computer applications, systems, LANs or other equipment and devices.
- Low level of privacy awareness among institutional staff, contractors or other third parties that handle personal information.
- Inadequate security and access controls for information in hard copy or electronic format, on site or off-site.
- The absence of or inadequate provisions to protect privacy in contracts or in information-sharing agreements involving personal information.
- Insufficient measures to control access and editing rights to personal information. This may result in wrongful access to and the possible tampering of records containing personal information.
- There are also more complex ways to fraudulently obtain personal information. For example:
- The use of deceptive tactics to trick individuals into providing their personal information either directly or by going to a fake website. This is also referred to as "phishing". An example of this would be if an individual pretending to perform system maintenance calls an employee of an institution to obtain his/her security password.
- The use of a fake copy of an official Government of Canada website to redirect users to a malicious website in order to steal information without the users knowledge. This method takes advantage of the weaknesses in the DNS; it is also referred to as "pharming". An example of this would be ifan individual accesses what he/she believes is an official government website and submits personal information as requested by the site. The individual is unaware that he/she was redirected to a fake copy of the official website.
3. How to prevent privacy breaches
To avoid privacy breaches, the following preventive measures are strongly recommended:
4. How to respond to a privacy breach
Offices of Primary Interest (OPIs)
1. Take immediate action to stop the breach and to secure the affected records, systems or web sites.
- Remove, move or segregate exposed information/files. That is, take necessary action to prevent further wrongful access.
- In some cases, it may be necessary to shut down the website, application or device temporarily to permit a complete assessment of the breach and resolve vulnerabilities.
- Attempt to retrieve any documents or copies of documents that were wrongfully disclosed or taken by an unauthorized person.
- Return the documents to their original location or to the intended recipient unless its retention is necessary for evidentiary purposes (To determine the latter, institutions should consult legal counsel).
2. Document the privacy breach
- Document in detail the circumstances that gave rise to the privacy breach.
- Take inventory of the personal information that was or may have been compromised.
- Identify the parties whose personal information has been wrongfully disclosed or accessed, stolen or lost.
- Identify the institutional sector or third party that is responsible for the personal information involved.
- Include other relevant information (ex: previous similar or related incidents).
Note: the institution should make reasonable efforts to identify the individuals affected by the breach. If this is not possible, efforts should be made to identify the groups of individuals likely to have been affected. The institution should also document the process that it carries out to identify affected individuals.
3. Notify both the departmental Access to Information and Privacy (ATIP) Coordinator and the Departmental Security Officer (DSO) as most privacy breaches involve a breach of security. As required by the Policy on Government Security (PGS), departments must establish policies/procedures to deal with breaches of security. DSO's are charged with investigating security breaches within most departments.
- It is important to involve the ATIP Coordinator and the DSO to ensure that the privacy of individuals and the security of assets are taken into account in the resolution process.
Note: A privacy breach may constitute a wrongdoing under the Policy on the Internal Disclosure of Information Concerning Wrongdoing in the Workplace. As a result, an employee that reports such a wrongdoing should be protected against reprisal, in keeping with the requirements of the Policy.
Departmental Security Officers and ATIP Coordinators
4. Depending on the process established at the institution, either the ATIP coordinator or the official responsible for security should notify the Deputy Head and the Communications Branch.
- If the breach has or could become a matter of public interest, communications officials should be notified in order that communications material may be prepared to answer questions from the public, media or in the House of Commons. However, personal information should not be disclosed to Communications staff.
- The Security and Administration Operational Standard of the PGS also recommends immediate notification of the Deputy Head.
5. Conduct an internal investigation and make recommendations to prevent recurrence.
6. Notify the Office of the Privacy Commissioner (OPC)
Note: The institution should document every decision to not notify the OPC in a standard corporate record, including supporting rationale.
7. Notify individuals whose personal information has been wrongfully disclosed, stolen or lost
To the extent possible, it is strongly recommended that the institution notify all affected individuals whose personal information has been or potentially been compromised through theft, loss or unauthorized disclosure, especially if the breach:
- involves sensitive personal data such as financial or medical information, or personal identifiers such as the Social Insurance Number;
- can result in identity theft or some other related fraud; or
- can otherwise cause harm or embarrassment which would have detrimental effects on the individual's career, reputation, financial position, safety, health or well-being.
- Notification should occur as soon as possible following the breach to allow individuals to take actions to protect themselves against or mitigate the damage from identity theft or other possible harm.
- Care should be exercised in the notification process to not unduly alarm individuals, especially where the institution only suspects but cannot confirm that certain individuals have been affected by the breach;
- It is always preferable to notify affected individuals directly by letter (first class recommended), telephone or in person, unless the individuals cannot be located or the number of individuals is so large that the task would become too onerous. In such cases, the institution could post a conspicuous notice on its website or login screens used to access departmental data and/or use major local or nationwide media (television, radio, newspapers and magazines). The institution should only use electronic mail if the individual had previously consented to the receipt of electronic notices.
Notification of affected individuals should include:
- a general description of the incident including date and time
- the source of the breach (whether the institution, a contracted party or a party to a sharing agreement)
- a list of the personal information elements relating to the individual that is thought to have been or potentially been compromised
- a description of the measures taken or to be taken to retrieve the personal information, to contain the breach and to prevent recurrence
- advice See footnote to the individual to mitigate risks of identity theft or to deal with compromised personal information (example: SIN)
- the name and contact information of an official at the institution with whom individuals can discuss the matter further or obtain assistance; and
- if applicable, a reference to the effect that the Office of the Privacy Commissioner has been notified of the nature of the breach and that the individual has a right of complaint to that office
- The institution should also inform affected individuals of developments as the matter is further investigated and outstanding issues get resolved.
- Ensure that a plan is developed to mitigate the risks identified during the institution's investigation and that the plan is implemented.
- Where necessary, inform the OPC and affected parties of any risk mitigation plan to be implemented by the institution.
Any questions regarding the content of these guidelines should be directed to the institution's privacy and security experts who may in turn consult the Treasury Board Secretariat (TBS) at contact by email: email@example.com for further clarifications if need be.
About These Guidelines
The President of the Treasury Board, as "designated Minister" under the Privacy Act, is responsible for issuing directives and guidelines on the operations of that Act. These guidelines deal with general requirements under section 4 to 8 of the Privacy Act with respect to the collection, retention, use, disclosure and disposition of personal
5. Links to relevant policies and guidelines
Royal Canadian Mounted Police
Communications Security Establishment
Office of the Privacy Commissioner
May involve or include any equipment or devices that have the ability to hold, transmit or store personal information. The following is a list of some examples of such equipment and devices: personal computers, laptops, external memory drives, USB memory sticks, diskettes or CD-ROMs, non-secure blackberries, cell phones, photocopiers both with and without memory capabilities, file cabinets, briefcases and fax machines.
The Privacy Commissioner's website includes a series of fact sheets containing advice for individuals about how to protect their personal information, to reduce risks of identity theft, to deal with compromised information, etc.
Note: the entire Treasury Board policy suite is currently under revision