Privacy Breach Guidelines for Government Institutions and Local Authorities
This document has two purposes. The first is to assist government institutions and local authorities (public bodies) to understand what a privacy breach is and how to deal with one. The second is to outline what to expect from a privacy breach investigation from the office of the Information and Privacy Commissioner (IPC). For more information please see Part 4 and Part 6 of The Rules of Procedure.
There are two statutes that outline the privacy rules for public bodies; The Freedom of Information and Protection of Privacy Act (FOIP) outlines rules for government institutions and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) outlines rules for local authorities. Trustees under The Health Information Protection Act (HIPA) should consult Privacy Breach Guidelines for Trustees.
What is a Privacy Breach?
What is Privacy?
“Privacy” can have many different meanings. However, in the context of FOIP and LA FOIP, the focus is on information privacy; the right of an individual to determine for themselves when, how, and to what extent their personal information or personal health information will be shared.
Personal information is defined in section 24 of FOIP and section 23 of LA FOIP. Personal health information is different from personal information. Personal health information is defined in subsection 2(m) of HIPA.
When Does a Privacy Breach Occur?
A privacy breach is often thought of as inappropriate sharing of personal information. However, a privacy breach can occur in a number of different ways:
Collection: A privacy breach could occur if a public body asks for or collects more personal information needed for the purpose for which it is being collected (e.g. a health services number is required for a non-health related service, social insurance number is required to make a job application, or personal information is not collected directly from the individual). The rules for collection are found in sections 25 and 26 of FOIP and sections 24 and 25 of LA FOIP.
Use: A privacy breach could occur when personal information already in the possession or control of the public body is used for reasons that are not consistent with the purpose for which they were collected (e.g. personal information is collected to provide one service and then used to promote a different service). The rules for use are found in section 28 of FOIP and section 27 of LA FOIP.
Disclosure: A privacy breach could occur when an unauthorized disclosure of personal information transpires (e.g. when personal information is missing or when a public body shares personal information with another organization without authority). Please note, if personal information in the possession or control of a public body is missing, even if there is no evidence that someone has viewed the personal information, it qualifies as a disclosure. The rules for disclosure are found in section 29 of FOIP and section 28 of LA FOIP.
Accuracy: Public bodies have a duty to ensure personal information is as accurate and complete as possible. A privacy breach may occur when personal information is inaccurate (see section 27 of FOIP and section 26 of LA FOIP).
Other sub-issues: Other issues that might arise during a privacy breach investigation could include need-to-know, data minimization, and consent. However, they would likely be tied to one of the other major issues.
Duty To Protect
FOIP, LA FOIP, and their Regulations provide reasons a public body should collect, use, and disclose personal information. Any collections, uses, or disclosures unauthorized by FOIP or LA FOIP would be a privacy breach. Additionally, FOIP and LA FOIP each include an explicit duty on public bodies to protect personal information (see sections 24.1 of FOIP and 23.1 of LA FOIP).
Sections 24.1 of FOIP and 23.1 of LA FOIP require that a public body have administrative, technical and physical safeguards to protect personal information.
Administrative safeguards are controls that focus on internal organization policies, procedures, and maintenance of security measures that protect personal information. Examples include written policies and procedures, annual training for employees, confidentiality agreements, agreements with information management service providers (IMSPs), auditing programs, records retention and destruction schedules, and access restrictions.
Technical safeguards are the technology and the policy and procedures for its use that protect personal information and control access to it. Examples include separate user identifications, passwords, firewalls, identification and authentication controls, virus scanners, and audit capabilities in digital systems.
Physical safeguards are physical measures, policies, and procedures to protect personal information and related buildings and equipment from unauthorized intrusion and natural and environmental hazards. Examples include locked filing cabinets, offices and storage rooms, alarm systems, and clean desk approaches.
Sections 24.1(a) of FOIP and 23.1(a) of LA FOIP indicate that a public body must protect the integrity, accuracy and confidentiality of the personal information in its possession or under its control.
Integrity refers to the condition of information being whole or complete, not modified, deleted, or corrupted.
Confidentiality implies a trust relationship between the person supplying information and the individual or organization collecting or using it.
Sections 24.1(b) of FOIP and 23.1(b) of LA FOIP indicate that public bodies must protect against any reasonably anticipated:
- threat or hazard to the security or integrity of the personal information in its possession or under its control;
- loss of the personal information in its possession or under its control; or
- unauthorized access to or use, disclosure or modification of the personal information in its possession or under its control;
Threat means a sign or cause of possible harm.
Hazard means a risk, peril, or danger.
Security means a condition of safety or freedom from fear or danger.
A need-to-know is the principle that public bodies and their staff should only collect, use, or disclose personal information needed for the purposes of the mandated service. Personal information should only be available to those employees in an organization that have a legitimate need-to-know that information for the purpose of delivering their mandated services.
Unauthorized access occurs when individuals have access to personal information that they do not need-to-know, either by accident or on purpose. This would also qualify as either an unauthorized use or unauthorized disclosure.
An unauthorized collection occurs when personal information is collected, acquired, received, or obtained by any means for purposes that are not allowed under sections 25, 26, 27, 28, or subsection 29(2) of FOIP (sections 24, 25, 26, 27, or subsection 28(2) of LA FOIP).
Unauthorized use refers to the use of personal information for a purpose that is not authorized under sections 27, 28, or subsection 29(2) of FOIP (sections 26, 27, or subsection 28(2) of LA FOIP).
Unauthorized disclosure refers to the act of revealing, showing, providing copies, selling, giving, or relaying the content of personal information in ways that are not permitted under sections, 29 or 30 of FOIP (sections 28 or 29 of LA FOIP).
Sections 24.1(c) of FOIP and 23.1(c) of LA FOIP indicate that public bodies should have education programs in place for their employees which address the public body’s duties under FOIP/LA FOIP, safeguards the public body has established, the need-to-know, and consequences for violating FOIP/LA FOIP. The Office of the Information and Privacy Commissioner (IPC) has indicated that annual training is best practice.
There’s Been a Privacy Breach – Now What?
If you have discovered a privacy breach, contact your organization’s Privacy Officer immediately. Write down all of the information related to the discovery of the breach.
If you have been tasked with dealing with the breach, consider the following guidelines.
Contain the Breach
It is important to contain the breach immediately. In other words, ensure that personal information is no longer at risk. This may involve:
- stopping the unauthorized practice;
- recovering the records;
- shutting down the system that was breached;
- revoking access to personal information; and/or
- correcting weaknesses in physical security.
The following is a list of individuals or organizations that may need to be notified as soon as possible after learning of the incident:
- your organization’s privacy officer;
- the IPC (for more information see the section on proactively reporting to the IPC later in this document);
- the police, if criminal activity is suspected (e.g. burglary); and/or
- the affected individuals (unless there are compelling reasons why this should not occur).
It is important to note that both FOIP and LA FOIP require that, if there is an unauthorized use or disclosure of personal health information, the public body must notify the affected individual if the “incident creates a real risk of significant harm” to the affected individual (see sections 29.1 of FOIP or 28.1 of LA FOIP).
What is a real risk of significant harm? For one, there must be some risk of damage, detriment, or injury to the individual that is significant in nature. In terms of PIPEDA amendments not yet in force, “significant harm” is described as follows:
10.1(7) For the purpose of this section, “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
The second consideration is whether or not there is a “real risk” that the significant harm will occur. Probability of harm and sensitivity of the personal information must be considered in making this determination. The Alberta IPC, in its Personal Information Protection Act Mandatory Breach Reporting Tool, offers the following factors to consider in analyzing the circumstances surrounding the breach when making this call:
- Who obtained or could have obtained access to the information?
- Is there a security measure in place to prevent unauthorized access, such as encryption?
- Is the information highly sensitive?
- How long was the information exposed?
- Is there evidence of malicious intent or purpose associated with the breach, such as theft, hacking, or malware?
- Could the information be used for criminal purposes, such as for identity theft or fraud?
- Was the information recovered?
- How many individuals are affected by the breach?
- Are there vulnerable individuals involved, such as youth or seniors?
Does this mean that public bodies only need to provide breach notification in the above cases? Not at all. A public body needs to make that call in the course of investigating any privacy breach. And, in terms of whether or not to report to the IPC, this is always encouraged. Generally, if proactively reported, the IPC will monitor the response to the incident by the public body and if issues are sufficiently addressed may resolve the matter informally.
It is best practice to inform affected individuals and the IPC of breaches in most cases.
How to Notify Affected Individuals
Notification of individuals affected by the breach should occur as soon as possible after key facts about the breach have been established.
It is best to contact affected individuals directly, such as by telephone, letter, or in person. However, there may be circumstances where it is not possible and an indirect method is necessary or more practical. Such situations would include where contact information is unknown or where there are a large number of affected individuals. An indirect method of notification could include a notice on a website, posted notices, media advisories, and advertisements. Ensure the breach is not compounded when using indirect notification.
Notifications should include the following:
- a description of the breach (a general description of what happened);
- a detailed description of the personal information involved (e.g. name, credit card numbers, medical records, financial information, etc.);
- steps taken and planned to mitigate the harm and to prevent future breaches;
- if necessary, advice on actions the individual can take to further mitigate the risk of harm and protect themselves (e.g. how to contact credit reporting agencies, how to change a health services number or driver’s license number etc.);
- contact information of an individual within your organization who can answer questions and provide further information;
- a notice that individuals have a right to complain to the IPC (provide contact information); and
- recognition of the impacts of the breach on affected individuals and, an apology.
Investigate the Breach
Once a breach has been contained the next step is to investigate the breach. Here are some key questions to ask during a privacy breach investigation:
- When and how did your organization learn of the privacy breach?
- Has the privacy breach been contained?
- What efforts has your organization made to contain the breach?
- What occurred?
- What type of breach occurred (e.g. collection, use, disclosure, accuracy, etc.)?
- What personal information was involved in the privacy breach?
- When did the privacy breach occur? What are the timelines?
- Where did the privacy breach occur?
- How did the privacy breach occur?
- Who was involved?
- What employees, if any, were involved with the privacy breach? What privacy training have they received?
- Who witnessed the privacy breach?
- What factors or circumstances contributed to the privacy breach?
- What is the root cause of the breach?
- What is the applicable legislation and what specific sections are engaged?
- What safeguards, policies, and procedures were in place at the time of the privacy breach?
- Was the duty to protect met?
- Were the safeguards, policies, and procedures followed?
- If no safeguards, policies, or procedures were in place, why not?
- Were the individuals involved aware of the safeguards, policies, and procedures?
- Who are the affected individuals?
- How many are there?
- What are the risks associated to a privacy breach involving this information (e.g. is the affected individual at risk for identity theft, credit card fraud, etc.)?
- Have affected individuals been notified of the privacy breach?
Prevent Future Breaches
The most important part of responding to a privacy breach is to implement measures to prevent future breaches from occurring.
- What steps can be taken to prevent a similar privacy breach?
- Can your organization create or make changes to policies and procedures relevant to this privacy breach?
- Are additional safeguards needed?
- Is additional training needed?
- Should a practice be stopped?
Privacy Breach Report
Once the necessary information has been collected, it is a good idea to prepare an internal privacy breach investigation report. The report should include the following:
- summary of the incident and immediate steps taken to contain the breach;
- background of the incident, timelines, and a chronology of events;
- description of the personal information involved and affected individuals;
- description of the investigative process;
- the root and contributing causes of the incident;
- a review of applicable legislation, safeguards, policies, and procedures; and
- summary of possible solutions and recommendations for preventing future breaches. This should include specific timelines and responsibility for implementation of each action.
The IPC will also request that public bodies complete the IPC’s Privacy Breach Investigation Questionnaire (Questionnaire). The Questionnaire is described later in this resource.
When Employee Snooping is Suspected
Sometimes the privacy breach involves an employee or contractor who purposely accessed personal information of individuals without a need to know. The following are steps or items to consider when investigating this type of breach:
- record details of how the breach came to light;
- suspend employee’s access to the personal information;
- retrieve log information if available;
- interview the employee in question (establish if the employee may have shared their user account and identification and routinely logged out of account);
- identify and interview any witnesses;
- review the privacy training the employee in question has received (have warnings of routine audits been given?);
- review any relevant contracts;
- consider who needs to be notified (e.g. supervisor, union, police, etc.);
- decide if the identity of the employee in question will be disclosed to the affected individual when providing notification; and/or
- proactively report to the IPC for further advice.
The IPC recommends that a public body share any discipline measures taken against an employee who has snooped to the rest of the employees in the organization and the affected individuals. Please also include any details of employee discipline in your Investigation Report to the IPC.
What Can I Expect if the IPC is Involved?
How IPC Investigations are Initiated
The IPC can learn of a privacy breach and begin an investigation in several different ways. Some of them include:
- a citizen comes to the IPC with a complaint about a public body’s actions or practices;
- a third party in possession of personal information could notifies the IPC;
- employees of a public body inform the IPC of inappropriate practices within the organization;
- the IPC acts on media reports; and/or
- the public body proactively reports a breach to the IPC.
What Happens When a Public Body Proactively Reports a breach to the IPC?
Public bodies should consider proactively reporting privacy breaches to the IPC. This means that when a public body learns of a breach, it reports it to the IPC. While not mandatory, the IPC does encourage public bodies to proactively report. To assist public bodies, the IPC has developed a reporting form to proactively report a privacy breach to the IPC: Proactively Reported Breach of Privacy Reporting Form for Public Bodies.
Advantages of Proactively Reporting
Some of the benefits of proactively reporting include:
- may reduce the need for the IPC to issue a report on the matter;
- receive timely, expert advice from the IPC: the IPC can help guide the public body on what to consider, what questions to ask and what parts of the legislation may be applicable;
- should the media get wind of the privacy breach, the public body can assure the public that it is working with the IPC to address the matter; and
- should affected individuals contact the IPC, we can assure the individuals that we are working with your organization to address the breach which may prevent a formal complaint to the IPC.
What are the possible outcomes when I proactively report?
When a public body proactively reports a privacy breach to the IPC, a file will be opened. The public body will be asked to complete and provide the IPC’s Questionnaire and other relevant material within 30 days.
The Questionnaire takes public bodies through the four best practice steps of responding to a breach (containment, notification, investigate, and prevent future breaches). The completed Questionnaire should provide the IPC with what is required to conduct our investigation. If further information is required, the IPC will advise.
Once the IPC receives the relevant material, it will review the file and make a decision. The possible outcomes are as follows:
- if the Commissioner is satisfied with the public body’s overall response to the breach, the file will be closed informally without a public report. This process may include some informal recommendations from the IPC;
- if the breach is egregious or it involves a large number of affected individuals, the Commissioner may determine that a report will be issued;
- if an affected individual makes a formal complaint, the Commissioner may determine that a report will be issued; or
- if the Commissioner is not satisfied with the public body’s response, the IPC will issue a report.
Once the IPC has made a decision, the public body will be advised if a report will be issued or not. The public body will also be notified if an affected individual makes a formal complaint which would also result in a public report.
Summary of Investigation Process
- A privacy complaint is received at the IPC or a public body proactively reports a breach to the IPC. It will be assigned to an Intake Officer.
- The Intake Officer will ensure all necessary information has been received from the complainant, public body, or other parties. When there is a complainant, the Intake Officer will attempt informal resolution between the parties.
- If informal resolution is not possible, the Intake Officer will send out a notification e-mail to all parties. It will request that the public body complete the Questionnaire and provide any relevant materials in 30 calendar days. Relevant materials can include copies of relevant policies and/or procedures and/or agreements (or plans to develop relevant polices and/or procedures and/or agreements) or any other relevant documentation.
- The file will be transferred to an Analyst. The Analyst will ensure materials arrive in 30 calendar days. If materials are not received in 30 calendar days, or an agreed upon deadline, the escalation guidelines are as follows:
- the Analyst will follow up and attempt to receive materials;
- the Analyst will escalate to the Manager of Compliance (MoC). MoC will attempt to get materials within seven calendar days before moving it on;
- MoC will escalate to the Director of Compliance (DoC);
- the Commissioner may contact the ‘head’.
- The Analyst will review materials received and do some initial analysis to determine the direction of the investigation.
- The Analyst will meet with the MoC and DoC and if necessary with the Commissioner to discuss the direction of the investigation. The MoC and DoC or the Commissioner may direct the Analyst to try and reach an informal resolution if a complainant is not involved. If successful, the file will be closed informally, without a report. Otherwise, the Analyst will prepare the draft report.
If it is a proactively reported breach, the analyst will review materials received and meet with the Commissioner and MoC to discuss the direction of the investigation. The possible outcomes are as follows:
- if the Commissioner is satisfied with the public body’s overall response to the breach, the file will be closed informally and without a public report. This process may include some informal recommendations from the IPC;
- if the Commissioner is satisfied with the public body’s overall response to the breach, but the breach is egregious, there is a systematic issue involved, there is significant educational value, or it involves a large number of affected individuals, the IPC may determine that a report will be issued; or
- if the Commissioner is satisfied with the public body’s overall response to the breach, but an affected individual makes a formal complaint, the IPC may determine that a report will be issued.
If the IPC decides to close the file informally, the Analyst will notify the public body. Otherwise, the Analyst will notify the public body if the IPC has decided to issue a report.
- The Analyst will prepare a draft report. The Analyst will send a PDF copy of the draft report to the Privacy Officer of the public body and request a response within seven calendar days. The public body will be asked if there are any factual inaccuracies. This has the potential to change a finding or a recommendation.
- The Analyst will put the draft report into a final format and send it to the Commissioner for final approval.
- The Analyst will e-mail the final report to any complainant(s) and public body.
- one copy of the final report will go to the complainant(s); and
- another copy of the final report will be e-mailed to the public body:
- e-mail will be sent to the Head;
- e-mail will be copied to the Privacy Officer;
- additionally, copies of the final report will be sent to the Deputy Minister of Justice, other relevant Deputy Ministers and any others as directed by the Commissioner.
The Report is now issued.
- All reports will be posted to the website on or after three to five days of issuance, unless the Commissioner directs otherwise.
- Sections 49 and 55 of FOIP (sections 38 or 44 of LA FOIP) require a public body to respond to the Commissioner’s final report within 30 days. It must also provide a copy of its response to any complainant(s). Pursuant to section 56 of FOIP (section 45 of LA FOIP), the response must be sent within 30 days of the issuance of the report. If no response is received from the public body within 23 days of issuing the final report, the Analyst will provide the public body with one reminder of its duty to respond. Public body responses are tracked by the IPC.
- Public bodies should also be aware that, because of the amendments described above, a complainant can appeal the public body’s decision to the Court of Queen’s Bench.
Where possible, the IPC will aim to achieve informal resolution for investigation files. Informal resolution is beneficial to all parties involved as it can expedite resolution for the complainant and reduce the amount of work for both the public body and the IPC.
When a privacy complaint is first received by the IPC, it will receive a file number and be assigned to an Intake Officer. The Intake Officer will first verify that the IPC has received all the necessary information and documents from the complainant. The Intake Officer will then contact both the complainant and the public body in order to facilitate a possible informal resolution.
Some of the ways an Intake Officer might facilitate an informal resolution are as follows:
- dispel any misunderstandings;
- clarify the complainant’s objectives with the public body;
- facilitate negotiations between the complainant and the public body;
- clarify the role of the IPC; and/or
- identify possible outcomes of an investigation.
If an Intake Officer is not able to reach an informal resolution, notification letters will be sent, and the file will be assigned to an Analyst. However, the IPC will be open to reaching informal resolution at any stage of the investigation process.
If the IPC is satisfied with a public body’s internal investigation report, we may close the file rather than conduct a formal investigation.
When informal resolution is achieved, the Commissioner will not issue a Report.
What Will be the IPC’s Focus?
The IPC will look at all of the elements of the breach. However, focus will be on the following areas:
- the duty to protect (did the public body meet the duty to protect?);
- compliance with the applicable legislation;
- safeguards, policies, and procedures in place at the time of the breach (were they followed and were they effective?);
- training of the employees involved; and
- potential employee snooping (if applicable).
The key questions for a privacy breach investigation can be found in the Questionnaire. It captures most issues the IPC routinely considers during our investigation. However, every investigation is unique. It is not unusual for an Analyst to ask further questions of a public body during the process.
It is important to also provide the IPC with relevant documentation such as policies and procedures, training materials, copies of the personal information in question, etc.
Once finished, the analyst will present a draft report to the public body which includes analysis of the file, findings, and recommendations.
The public body can respond to the draft report indicating if there are any factual inaccuracies.
If a public body cannot respond within seven calendar days, please contact the Analyst to discuss. If there is no response, the Analyst will move the investigation forward to a final report.
Please note that the Commissioner may paraphrase or quote from a public body or complainant’s submission, letter, or e-mails in the draft or final report.
Once an Analyst has received the response to the draft report from the public body, they will make final changes to the report and pass it to the Commissioner for final approval.
The Commissioner will issue a report for every investigation file that is not resolved informally. A copy of the investigation report will also be sent to the Ministry of Justice and any other relevant ministries or associations such as the Saskatchewan School Boards Association, Saskatchewan Association of Rural Municipalities or Saskatchewan Municipalities Association. See Part 6-10(1) of The Rules of Procedure for organizations that may receive a copy of the report.
All reports will be posted on the IPC website within three to five days from issuance.
FOIP and LA FOIP require that the public body provide a response to the report and recommendations within 30 days to the relevant parties.
The IPC is Paperless
The IPC has gone paperless. As such we prefer to receive correspondence, the completed Questionnaire, and other documentation electronically. Any documentation could be sent by e-mail, mail, or USB key.
The IPC can now offer use of our Liquid Files (file transfer system) as a means to securely deposit large and/or sensitive documents. If you would like to provide the Questionnaire and attachments using Liquid Files, please contact the Analyst and they will provide you with a file deposit link.
Please password protect any sensitive PDF or Word documents, especially if they contain personal information. Please do not hesitate to contact us if you require support.
Finally, please do not transmit the password in the same e-mail as the documents. Please send it in a separate e-mail or call the IPC.