IPC change in practice for privacy breach investigations
The Office of the Information and Privacy Commissioner (IPC) is recommending the following four best practice steps when responding to a breach of privacy:
- Containment (as soon as possible)
- Notification (as soon as possible)
- Prevent future breaches
We know many public bodies currently follow these steps. The IPC is changing its procedure and is introducing the Privacy Breach Questionnaire for Public Bodies (Questionnaire).
If a public body proactively notifies our office of a privacy breach, in our notification email, we will ask that you complete and send the Questionnaire to the IPC. Similarly, if a citizen initiates a complaint, in our notification to a public body, we will ask that the Questionnaire be completed.
The great thing about the Questionnaire is that it takes you through each of the best practice steps and helps you understand what we are looking for in our investigation. It will also help us complete our investigation sooner. At the end of this process, public bodies should complete an internal investigation report to fully document their efforts.
As you work through the Questionnaire, there may be some questions that do not apply to the particular breach you are investigating. In those cases, simply mark the question as not applicable.
When responding to a breach of privacy, contain the breach as soon as possible after discovery and remember that it is important not to wait on providing breach notification to affected individuals. If you have questions on these steps, contact the Analyst assigned to your file.
Over the next few months, we will be updating our privacy resources and The Rules of Procedure to include references to the Questionnaire. In the meantime, if you have any questions, you can discuss them with the Analyst assigned to the file.