Proactively Reporting Breaches to the IPC
As our office is always trying to improve our processes, we have recently formalized the way we treat privacy breaches that are proactively reported to our office.
Proactively reporting a breach means that when a public body or trustee learns of a privacy breach in its organization, it reports it to our office. While not mandatory, we generally encourage public bodies to consider proactively reporting privacy breaches to us.
Some of the benefits of proactively reporting include:
- Receiving timely, expert advice from our office. We can help guide the public body on what to consider, what questions to ask and what parts of legislation may be applicable.
- Should the media get wind of the privacy breach, a public body can assure the public that it is working with our office to address the matter.
- If we are satisfied with your organization’s internal investigation report, we may close the file informally rather than issuing a public report.
- Should affected individuals contact our office, we can assure them that we are working with your organization to address the breach, which may prevent a formal complaint to our office.
When a public body proactively reports a privacy breach to us, a file will be opened. The public body will be asked to provide its investigation report and other material within 14 days.
Once our office receives the relevant material, it will review the file and make a decision. The possible outcomes are as follows:
- If the Commissioner is satisfied with the public body’s overall response to the breach, the file will be closed informally and without a public report. This process may include some informal recommendations from our office.
- If the Commissioner is satisfied with the public body’s overall response to the breach, but the breach is egregious or it involves a large number of affected individuals, we may determine that a report will be issued.
- If the Commissioner is satisfied with the public body’s overall response to the breach, but an affected individual makes a formal complaint, we may determine that a report will be issued.
- If the Commissioner is not satisfied with the public body’s response, we will issue a report.
Once we have made a decision, the public body will be advised whether or not a report will be issued. The public body will also be notified if an affected individual makes a formal complaint, which could also result in a formal report.
If you have any questions about proactively reporting privacy breaches, please do not hesitate to contact our office.