Updated: There’s Been a Privacy Breach… Now What?
Your public body has been notified of a privacy breach. What are some of the questions that cross your mind?
Maybe they include: What steps should I take now? What information should I be recording during my investigation? Should I proactively report the privacy breach to the IPC? What information does the IPC need from me?
Some guidelines to answer these questions include the following:
What steps should I take now?
- Record any information provided at the time your organization learns of the privacy breach.
- Take steps to contain the privacy breach. It is important to contain the breach immediately. In other words, ensure the personal information or personal health information is no longer at risk.
- A public body must determine who needs to be notified of the breach and provide notification as soon as possible after learning of the incident. This could include: your organization’s privacy officer, the IPC, the police (if criminal activity is suspected) and the affected individuals (unless there are compelling reasons why this should not occur).
- It is important to note that The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) each contain a provision that requires the public body to consider whether, as a result of the incident, there is a real risk of significant harm to the affected individual. If so, then breach notification is mandatory. For more information on this provision, please refer to our blog: Real Risk of Significant Harm.
- Decide if the privacy breach should be proactively reported to the IPC. Please use our reporting form: Proactively Reported Breach of Privacy Reporting Form: for Public Bodies.
- Conduct an internal privacy breach investigation. For more guidance on conducting an internal privacy breach investigation, refer to our resource: Guide to Creating an Internal Privacy Breach Investigation Report.
What information should I be recording during my investigation?
As outlined in my office’s resource, Privacy Breach Guidelines for Government Institutions and Local Authorities, some of the key questions to ask during a privacy breach investigation are:
- When and how did your organization learn of the privacy breach?
- Has the privacy breach been contained?
- What efforts has your organization made to contain the breach?
- What occurred?
- What type of breach occurred (e.g. collection, use, disclosure, accuracy, etc.)?
- What personal information was involved in the privacy breach?
- When did the privacy breach occur? What are the timelines?
- Where did the privacy breach occur?
- How did the privacy breach occur?
- Who was involved?
- Which employees, if any, were involved in the privacy breach? What privacy training have they received?
- Who witnessed the privacy breach?
- What factors or circumstances contributed to the privacy breach?
- What is the root cause of the breach?
- What is the applicable legislation and what specific sections are engaged?
- What safeguards, policies, and procedures were in place at the time of the privacy breach?
- Was the duty to protect met?
- Were the safeguards, policies, and procedures followed?
- If no safeguards, policies, or procedures were in place, why not?
- Were the individuals involved aware of the safeguards, policies, and procedures?
- Who are the affected individuals?
- How many are there?
- What are the risks associated with a privacy breach involving this information (e.g. is the affected individual at risk of identity theft, credit card fraud, etc.)?
- Have affected individuals been notified of the breach?
Should I proactively report the privacy breach to the IPC?
While not mandatory, our office does encourage organizations to proactively report a privacy breach; please see our blog Proactively Reporting Breaches to the IPC for more information. Some of the benefits of proactively reporting include:
- Receiving timely, expert advice from our office. We can guide the public body on what to consider, what questions to ask and which parts of the legislation may be applicable.
- Should the media get wind of the privacy breach, a public body can assure the public that it is working with our office to address the matter.
- If we are satisfied with your organization’s internal investigation report, we may close the file informally rather than issuing a public report.
- Should affected individuals contact our office, we can assure them that our office is working with your organization to address the breach, which may prevent a formal complaint to our office.
What information does the IPC need from me?
Our office may need all or some of the following information. Please contact our office if you have any questions about what documentation to provide.
- A completed Privacy Breach Investigation Questionnaire
- Copies of any relevant materials (such as contracts, letters, relevant policies and procedures, etc.)
- Copies of letters to affected individuals (if applicable)
Resources that public bodies may find helpful to reference during their investigations can be found on our website, www.oipc.sk.ca, under the Resources tab. Our office is working to update our resources and to develop additional resources to assist Privacy Officers. To be notified when new information is published, visit our website and provide your email address to receive email alerts when new reports, articles, events and resources are available. You can also follow us on Twitter: @SaskIPC.