
Notifying affected individuals: What should I put in the letter?

June 23, 2020 - Sherri Fowler, Analyst

Notifying affected individuals that their privacy has been breached is a very important step in responding to a privacy breach, and it should happen very quickly once you have identified who has been affected.

In cases where the privacy breach is potentially very large, or you may not be able to identify the affected individuals, indirect notification may be more appropriate. Types of indirect notifications include notices on websites, posts on your organization’s social media accounts (Facebook, Twitter, Instagram), notices posted in public areas of your office, media advisories and advertisements. An indirect notification must not contain personal information or personal health information of an identifiable individual.

Just as important as getting notifications out quickly is what information is included in notifications. As outlined in The Rules of Procedure, if the Office of the Information and Privacy Commissioner (IPC) is investigating a breach, it will look to see if the following has been included in the notification:

  • a description of what happened, including the date, time, location and who was involved;
  • how the breach was contained;
  • a detailed description of the elements of personal information that was involved;
  • if known, a description of possible types of harm that may come to affected individuals as a result of the privacy breach;
  • steps that can be taken to mitigate harm;
  • steps the organization is taking to prevent the occurrence of similar privacy breaches in the future;
  • the contact information of an individual within the organization who can answer questions and provide further information regarding the breach;
  • a reference to the fact that individuals have a right to complain to the IPC;
  • the contact information of the IPC; and
  • where appropriate, recognition of the impact of the privacy breach on affected individuals and an apology.

Depending on the breach, it is also important to consider what additional protections you are prepared to offer affected individuals in your notification to them. For example, the Commissioner has recommended five years of cyber security protection for affected individuals (Investigation Reports 398-2019, 399-3019, 417-2019, 005-2020, 019-2019, 021-2020) and five years of credit monitoring for affected individuals (Investigation Report 103-2017).

If you have any questions about information to include in a specific notification, contact the Analyst who has been assigned to your file.

 
