Notifying affected individuals: What should I put in the letter?
Notifying affected individuals that their privacy has been breached is a critical step in responding to a privacy breach, and it should happen as soon as you have identified who has been affected.
In cases where the privacy breach is potentially very large, or you are not able to identify the affected individuals, indirect notification may be more appropriate. Types of indirect notification include notices on websites, posts on your organization’s social media accounts (Facebook, Twitter, Instagram), notices posted in public areas of your office, media advisories and advertisements. Because an indirect notification is public, it must not contain personal information or personal health information of an identifiable individual.
Just as important as getting notifications out quickly is what information is included in notifications. As outlined in The Rules of Procedure, if the Office of the Information and Privacy Commissioner (IPC) is investigating a breach, it will look to see if the following has been included in the notification:
- a description of what happened, including the date, time, location and who was involved;
- how the breach was contained;
- a detailed description of the elements of personal information that were involved;
- if known, a description of the possible types of harm that may come to affected individuals as a result of the privacy breach;
- steps that can be taken to mitigate harm;
- steps the organization is taking to prevent the occurrence of similar privacy breaches in the future;
- the contact information of an individual within the organization who can answer questions and provide further information regarding the breach;
- a reference to the fact that individuals have a right to complain to the IPC;
- the contact information of the IPC; and
- where appropriate, recognition of the impact of the privacy breach on affected individuals and an apology.
Depending on the breach, it is also important to consider any additional protections you are prepared to offer affected individuals, and to describe them in your notification. For example, the Commissioner has recommended five years of cyber security protection for affected individuals (Investigation Report 398-2019, 399-2019, 417-2019, 005-2020, 019-2019, 021-2020) and five years of credit monitoring for affected individuals (Investigation Report 103-2017).
If you have any questions about information to include in a specific notification, contact the Analyst that has been assigned to your file.