The Guidelines are intended to help private sector organizations, both small and large, respond when a privacy breach occurs. Organizations should also take preventative steps before a breach occurs by having reasonable policies and procedural safeguards in place and by conducting the necessary training.
For matters relating to personal information in the private sector, the Commissioner may investigate all complaints under Section 11 of the Personal Information Protection and Electronic Documents Act (PIPEDA) except in the provinces that have adopted substantially similar privacy legislation, namely Quebec, British Columbia, and Alberta. Ontario now falls into this category with respect to personal health information held by health information custodians under its health sector privacy law. However, even in those provinces with substantially similar legislation, and elsewhere in Canada, PIPEDA continues to apply to personal information collected, used or disclosed by all federal works, undertakings and businesses, including personal information about their employees. PIPEDA also applies to all personal data that flows across provincial or national borders, in the course of commercial transactions involving organizations subject to the Act or to substantially similar legislation.
The guidelines outline some of the key steps in responding to a breach, such as containing the breach, evaluating the risks associated with it, notifying the people affected and preventing future breaches.
A privacy breach occurs when there is unauthorized access to, or collection, use, or disclosure of, personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) or similar provincial privacy legislation. Some of the most common privacy breaches happen when personal information of customers, patients, clients or employees is stolen, lost or mistakenly disclosed (e.g., a computer containing personal information is stolen, or personal information is mistakenly emailed to the wrong people). A privacy breach may also be a consequence of a faulty business procedure or an operational breakdown.
There are four key steps to consider when responding to a breach or suspected breach: containing the breach, evaluating the risks associated with it, notifying the people affected, and preventing future breaches.
Be sure to take each situation seriously and move immediately to investigate the potential breach. You should undertake the first three steps either simultaneously or in quick succession. The last step provides recommendations for longer-term solutions and prevention strategies. The decision on how to respond should be made on a case-by-case basis.
Associated with the guidelines is a checklist that organizations can use to help ensure they have made the appropriate considerations in dealing with a possible privacy breach.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians. For further information, visit the Web site of the Office of the Privacy Commissioner of Canada.
Manitoba Contact(s):
See National Contact.