Government of Canada

Guidelines for Privacy Breaches

1. What is a Privacy Breach?

A privacy breach involves improper or unauthorized collection, use, disclosure, retention and/or disposal of personal information. These guidelines will focus primarily on the improper or unauthorized access to or disclosure of personal information as defined in the Privacy Act.

A breach may be the result of inadvertent errors or malicious actions by employees, third parties, partners in information-sharing agreements or intruders.

2. Potential causes of privacy breaches

The following situations could result in the disclosure of or access to personal information by unauthorized parties.

  • The theft, loss or disappearance of equipment or devices[1] containing personal information.
  • The sale or disposal of equipment or devices containing personal information without a total purging of the item prior to its sale or disposal.
  • The transfer of equipment or devices without adequate security measures.
  • The use of equipment or devices to transport/store personal information outside the office for telework or off-site work arrangements without adequate security measures.
  • The inappropriate use of electronic devices to transmit personal information including telecommunication devices.
  • Intrusions that result in unauthorized access to personal information held in buildings, file storage containers, computer applications, systems, LANs or other equipment and devices.
  • Low level of privacy awareness among institutional staff, contractors or other third parties that handle personal information.
  • Inadequate security and access controls for information in hard copy or electronic format, on site or off-site.
  • The absence of or inadequate provisions to protect privacy in contracts or in information-sharing agreements involving personal information.
  • Insufficient measures to control access and editing rights to personal information. This may result in wrongful access to and the possible tampering of records containing personal information.
  • There are also more complex ways to fraudulently obtain personal information. For example:

    • The use of deceptive tactics to trick individuals into providing their personal information either directly or by going to a fake website. This is also referred to as "phishing". An example of this would be if an individual pretending to perform system maintenance calls an employee of an institution to obtain his/her security password.
    • The use of a fake copy of an official Government of Canada website to redirect users to a malicious website in order to steal information without the user's knowledge. This method takes advantage of weaknesses in the DNS; it is also referred to as "pharming". An example of this would be if an individual accesses what he/she believes is an official government website and submits personal information as requested by the site. The individual is unaware that he/she was redirected to a fake copy of the official website.

3. How to prevent privacy breaches

To avoid privacy breaches, the following preventive measures are strongly recommended:

  • Follow the requirements of the Policy on Government Security (PGS) and other security direction issued by the Treasury Board Secretariat. The RCMP and the Communications Security Establishment (CSE) also issue direction on Physical and Information Technology Security, respectively. Government institutions may wish to establish customized security policies, procedures and guidelines that are consistent with these standards.
  • Conduct Privacy Impact Assessments (PIAs) and Threat and Risk Assessments (TRAs) where necessary.
  • Take privacy into account before making contracting decisions or entering into information-sharing agreements. Government institutions should include adequate privacy protection provisions such as a requirement to immediately notify the government institution of a privacy breach (see TBS Guidance Document on Taking Privacy into account before making Contract Decisions).
  • Obtain advice from institutional privacy and legal experts, and the Information, Privacy and Security Policy Division of the Treasury Board Secretariat when needed.
  • Provide training to employees, managers and executives to ensure they are aware of the requirements of the Code of Fair Information Practices (sections 4-8, Privacy Act) and related TBS policies.
  • Ensure that personnel working off-site are aware of their privacy and security responsibilities. This means ensuring that appropriate measures are taken to safeguard the personal information they handle off-site. Government institutions should consider keeping personal information in-house where telework or similar arrangements would involve considerable privacy risks (e.g. a large volume of personal information or particularly sensitive personal data). Institutions should complete a Privacy Impact Assessment prior to implementing wide-scale telework or other arrangements involving privacy risks.
  • Establish clear administrative controls to limit access and editing rights to records containing personal information to only those individuals who have a legitimate need to know.
  • Use encryption when transmitting sensitive personal information (Protected B or above) through email, across the Internet or through wireless devices, and establish clear procedures for the use of wireless devices (e.g. use of peer-to-peer (PIN-to-PIN) communications). Encryption of "data at rest" (i.e. data in computer storage as opposed to "data in motion") should be considered a standard practice. The security of back-up tapes, particularly when not encrypted, should also be carefully considered.
  • As a general rule, do not send personal information by facsimile unless absolutely necessary. If you must fax personal information, consider the safeguards recommended by the Office of the Privacy Commissioner of Canada for faxing personal information.
  • Purge all equipment and other electronic devices containing personal information before selling, disposing of or transferring such equipment or devices in accordance with RCMP and CSE guidelines.
  • Note that certain fax machine cartridges such as "Thermofax rolls" contain a thin sheet of paper and a clear film-like substance. The used film has the negative image of every fax that came through the machine. Hence, cartridges that have been used to fax classified information should not be thrown out. The only secure way of disposing of such cartridges is to open the cartridge, remove the material, cut it into pieces and then run it through a shredder. (Burning the film is not an option as the fumes are toxic.)
  • Before selling or transferring security containers such as file cabinets, safes or mobile shelving units, to other responsibility centres or outside the government, the institution should empty them and ensure that no classified or protected material is left inside.
  • To take precautions against "phishing" and "pharming":

    1. Ensure that requests for personal information are valid and that individuals asking for personal information are in fact who they claim to be.
    2. Never provide personal information in response to an unsolicited telephone call, fax, letter, email attachment, or Internet advertisement.
    3. Be on the lookout for clues that would indicate a website may be fraudulent (e.g. spelling errors, unusual advertisements, portions of the site that do not work properly).
    4. Sites requesting personal information generally do so over a secure connection. Look for the lock icon at the bottom of your browser.
    5. If you are suspicious, look up the phone number and call the organization to determine the validity.
  • Individuals should notify the Departmental Security Officer immediately of situations where personal data is at risk of being compromised and a potential breach may occur.

4. How to respond to a privacy breach

Offices of Primary Interest (OPIs)

  1. Take immediate action to stop the breach and to secure the affected records, systems or websites.

    • Remove, move or segregate exposed information/files. That is, take necessary action to prevent further wrongful access.
    • In some cases, it may be necessary to shut down the website, application or device temporarily to permit a complete assessment of the breach and resolve vulnerabilities.
    • Attempt to retrieve any documents or copies of documents that were wrongfully disclosed or taken by an unauthorized person.
    • Return the documents to their original location or to the intended recipient unless their retention is necessary for evidentiary purposes (to determine the latter, institutions should consult legal counsel).
  2. Document the privacy breach

    • Document in detail the circumstances that gave rise to the privacy breach.
    • Take inventory of the personal information that was or may have been compromised.
    • Identify the parties whose personal information has been wrongfully disclosed or accessed, stolen or lost.
    • Identify the institutional sector or third party that is responsible for the personal information involved.
    • Include other relevant information (e.g. previous similar or related incidents).

    Note: the institution should make reasonable efforts to identify the individuals affected by the breach. If this is not possible, efforts should be made to identify the groups of individuals likely to have been affected. The institution should also document the process that it carries out to identify affected individuals.

  3. Notify both the departmental Access to Information and Privacy (ATIP) Coordinator and the Departmental Security Officer (DSO), as most privacy breaches involve a breach of security. As required by the Policy on Government Security (PGS), departments must establish policies/procedures to deal with breaches of security. DSOs are charged with investigating security breaches within most departments.

    • It is important to involve the ATIP Coordinator and the DSO to ensure that the privacy of individuals and the security of assets are taken into account in the resolution process.

    Note: A privacy breach may constitute a wrongdoing under the Policy on the Internal Disclosure of Information Concerning Wrongdoing in the Workplace. As a result, an employee that reports such a wrongdoing should be protected against reprisal, in keeping with the requirements of the Policy.

Departmental Security Officers and ATIP Coordinators

  4. Depending on the process established at the institution, either the ATIP Coordinator or the official responsible for security should notify the Deputy Head and the Communications Branch.

    • If the breach has or could become a matter of public interest, communications officials should be notified in order that communications material may be prepared to answer questions from the public, media or in the House of Commons. However, personal information should not be disclosed to Communications staff.
    • The Security and Administration Operational Standard of the PGS also recommends immediate notification of the Deputy Head.
  5. Conduct an internal investigation and make recommendations to prevent recurrence.

    • Where a security breach has resulted in a privacy breach, the DSO will undertake an investigation to identify deficiencies in security procedures or processes and to make recommendations. If the PGS requires, it may be necessary to report the matter to law enforcement agencies. The incident should also be reported to CSIS if the breach has an impact on national security.
    • The departmental ATIP office should also conduct an assessment to uncover any deficiency in personal information management practices. This assessment and the related recommendations should focus on issues that are not strictly linked to security problems.
    • Both the Privacy and the Security offices may wish to work together to formulate recommendations, which may include some of the following proposals:

      • The revision of internal procedures and policies
      • Additional training for employees
      • Restrictions on access to certain personal information based on roles and responsibilities and a need-to-know basis
      • Encryption of particularly sensitive personal information, etc.
      • Prescribing stricter measures in contracts to deal with breaches of privacy

ATIP Coordinators

  6. Notify the Office of the Privacy Commissioner (OPC)

    • It is strongly recommended that institutions notify the OPC of the breach and of the mitigation measures being implemented, if the breach:

      • involves sensitive personal data such as financial or medical information, or personal identifiers such as the Social Insurance Number;
      • can result in identity theft or some other related fraud; or
      • can otherwise cause harm or embarrassment which would have detrimental effects on the individual's career, reputation, financial position, safety, health or well-being.
    • Notification should occur as soon as possible after the institution becomes aware of the breach (within days).
    • When notifying the OPC, provide information as to the nature and extent of the breach, the type of personal information involved, the parties involved, anticipated risks, steps taken or to be taken to notify individuals and any remedial action taken. Unless the OPC is conducting an investigation of the breach, institutions should not include personal information when informing the OPC of a privacy breach.
    • Consider and respond to any advice and recommendations given by the OPC to mitigate the risk of recurrence.
    • There may be some very minor incidents that institutions may choose to manage internally with the individuals concerned. In such circumstances and depending on the nature and scope of the privacy breach, institutions should determine whether notifying the OPC is appropriate.

    Note: The institution should document every decision to not notify the OPC in a standard corporate record, including supporting rationale.

  7. Notify individuals whose personal information has been wrongfully disclosed, stolen or lost

    • To the extent possible, it is strongly recommended that the institution notify all affected individuals whose personal information has been or may have been compromised through theft, loss or unauthorized disclosure, especially if the breach:

      • involves sensitive personal data such as financial or medical information, or personal identifiers such as the Social Insurance Number;
      • can result in identity theft or some other related fraud; or
      • can otherwise cause harm or embarrassment which would have detrimental effects on the individual's career, reputation, financial position, safety, health or well-being.
    • Notification should occur as soon as possible following the breach to allow individuals to take actions to protect themselves against or mitigate the damage from identity theft or other possible harm.
    • Care should be exercised in the notification process to not unduly alarm individuals, especially where the institution only suspects but cannot confirm that certain individuals have been affected by the breach.
    • It is always preferable to notify affected individuals directly by letter (first class recommended), telephone or in person, unless the individuals cannot be located or the number of individuals is so large that the task would become too onerous. In such cases, the institution could post a conspicuous notice on its website or login screens used to access departmental data and/or use major local or nationwide media (television, radio, newspapers and magazines). The institution should only use electronic mail if the individual had previously consented to the receipt of electronic notices.
    • Notification of affected individuals should include:

      • a general description of the incident including date and time
      • the source of the breach (whether the institution, a contracted party or a party to a sharing agreement)
      • a list of the personal information elements relating to the individual that are thought to have been or may have been compromised
      • a description of the measures taken or to be taken to retrieve the personal information, to contain the breach and to prevent recurrence
      • advice[2] to the individual to mitigate risks of identity theft or to deal with compromised personal information (example: SIN)
      • the name and contact information of an official at the institution with whom individuals can discuss the matter further or obtain assistance; and
      • if applicable, a reference to the effect that the Office of the Privacy Commissioner has been notified of the nature of the breach and that the individual has a right of complaint to that office
    • The institution should also inform affected individuals of developments as the matter is further investigated and outstanding issues get resolved.
  8. Follow-up

    • Ensure that a plan is developed to mitigate the risks identified during the institution's investigation and that the plan is implemented.
    • Where necessary, inform the OPC and affected parties of any risk mitigation plan to be implemented by the institution.

Any questions regarding the content of these guidelines should be directed to the institution's privacy and security experts who may in turn consult the Treasury Board Secretariat (TBS) at contact by email: for further clarifications if need be.

About These Guidelines

The President of the Treasury Board, as "designated Minister" under the Privacy Act, is responsible for issuing directives and guidelines on the operations of that Act. These guidelines deal with general requirements under section 4 to 8 of the Privacy Act with respect to the collection, retention, use, disclosure and disposition of personal information.

5. Links to relevant policies and guidelines

Treasury Board[3]

Royal Canadian Mounted Police

Communications Security Establishment

Office of the Privacy Commissioner

[1] May involve or include any equipment or devices that have the ability to hold, transmit or store personal information. The following is a list of some examples of such equipment and devices: personal computers, laptops, external memory drives, USB memory sticks, diskettes or CD-ROMs, non-secure BlackBerrys, cell phones, photocopiers both with and without memory capabilities, file cabinets, briefcases and fax machines.
[2] The Privacy Commissioner's website includes a series of fact sheets containing advice for individuals about how to protect their personal information, to reduce risks of identity theft, to deal with compromised information, etc.
[3] Note: the entire Treasury Board policy suite is currently under revision.