Responding to privacy breaches

A privacy breach occurs when personal information is stolen or lost or is collected, used or disclosed without authority.

In the event of a privacy breach, you should immediately notify the relevant staff in your organization and then identify the scope of the breach and take the steps necessary to contain it. We recommend that you have a privacy breach protocol in place detailing the steps to take in response to a breach, in what order, and by whom.

You should take the following steps to contain a privacy breach:

  • retrieve and secure any personal information that has been collected, used or disclosed without authority
  • ensure that no copies, including digital copies, have been made or retained by the individual who was not authorized to receive or use the information
  • determine whether the breach would allow unauthorized access to any other personal information – for example on an electronic information system – and take necessary steps to prevent a further breach, such as changing passwords or temporarily shutting down your system

You must notify individuals at the first reasonable opportunity of any breach in which their personal information in your custody or control was lost, stolen or used or disclosed without authority.[84] This notice must:

  • provide a general description of the breach in easy-to-understand language
  • inform the individual of any steps you have taken to:
    • mitigate adverse effects on the individual and
    • prevent a similar breach from happening
  • provide contact information for one of your employees who can provide additional information and
  • advise the individual of their right to complain to the IPC

You must also notify the IPC and the Minister of Children, Community and Social Services of any privacy breach that meets certain criteria.[85] This includes any breach you determine to be significant based on the sensitivity and volume of the information breached, the number of service providers involved and the number of people affected.

These types of privacy breaches must also be reported to the IPC:

  • those involving stolen personal information
  • breaches in which personal information was used or disclosed by someone who knew or should have known they were doing so without authority
  • breaches where it is likely that personal information has been or will be further used or disclosed without authority
  • a privacy breach that is part of a pattern of similar breaches
  • a breach that results in an employee being terminated, suspended or disciplined, or resigning

Breach reports can be submitted to the IPC by mail or online. The IPC will review the information you provide, including a description of the breach and your response to it, and may, in some cases, decide to conduct an investigation.

To minimize the risk of further breaches, you should review your existing policies, procedures, training programs and safeguards and consider whether you need to make changes. You should also keep a record of all breaches. Statistics about breaches involving a theft, loss, or unauthorized use or disclosure of personal information must be submitted to the IPC as part of your annual statistical report.

A youth worker informs their supervisor that they mistakenly sent correspondence containing a client’s personal information to the wrong person.

The supervisor notifies the organization’s privacy officer, and together with the worker they take the following steps:

  • contain the breach by ensuring the person who received the letter in error has returned it or disposed of it securely
  • notify the individual whose privacy was breached (including the required information in the notice)
  • make a record of the breach
  • take action to prevent similar breaches – in this case, by sending all staff a reminder of privacy policies and tips for avoiding a similar mistake

If the breach was accidental, isolated, and limited in scope, they are not required to report it to the Minister of Children, Community and Social Services or IPC.

84. CYFSA, s. 308(2); O. Reg. 191/18, s. 8
85. While this guide provides a simplified summary, you should review the full list of criteria set out in section 9 of O. Reg. 191/18, to determine whether a specific privacy breach should be reported to the IPC and Minister.