There’s Been a Privacy Breach… Now What?
You have been notified of a privacy breach in your organization – what are some of the questions that cross your mind?
Maybe they include: What steps should I take now? What information should I be recording during my investigation? Should I proactively report the privacy breach to the IPC? What information does the IPC need from me?
Some guidelines to answer these questions include the following:
What steps should I take now?
- Record any information provided at the time your organization learns of the privacy breach.
- Take steps to contain the privacy breach.
- Decide if the privacy breach should be proactively reported to the IPC.
- Determine if affected individuals should be notified.
- Conduct an internal privacy breach investigation.
What information should I be recording during my investigation?
- When and how did your organization learn of the privacy breach?
- When did the privacy breach occur?
- What occurred?
- What factors or circumstances contributed to the privacy breach?
- Where did the privacy breach occur?
- How did the privacy breach occur?
- What safeguards were in place at the time of the privacy breach?
- Were proper protocols followed?
- Who was involved?
- What employees were involved with the privacy breach?
- Who witnessed the privacy breach?
- Who are the affected individuals?
- What information was involved in the privacy breach?
- What are the risks associated with a privacy breach involving this information?
- Have affected individuals been notified of the privacy breach?
- Has the privacy breach been contained?
- What efforts has your organization made to contain the breach?
- What steps has your organization taken to prevent a similar privacy breach?
- Has your organization created or made changes to safeguards relevant to this privacy breach?
Should I proactively report the privacy breach to the IPC?
- While not mandatory, our office does encourage organizations to proactively report. Some of the benefits include:
  - The IPC will monitor the situation and, if satisfied with your organization’s internal investigation report, may close the file rather than conducting a formal investigation.
  - Should affected individuals contact our office, the IPC can assure them that your organization is working with our office to address the issues, which may prevent a formal investigation by the IPC.
  - Should the media get wind of the privacy breach, your organization can assure the public that it is working with the IPC to address the matter.
What information does the IPC need from me?
- Our office may need all or some of the following information. Please contact our office if you have any questions about what documentation to provide.
  - A copy of your internal investigation report
  - Copies of any documents referenced in your investigation report (such as contracts, letters, etc.)
  - Copies of any relevant policies and procedures
  - Copies of letters to affected individuals (if applicable)
Resources that organizations may find helpful to reference during their investigations can be found on our website www.oipc.sk.ca under the Resources tab. Our office is working to update our resources and develop additional resources to assist Privacy Officers. To be notified when new information is published to our website, visit our website and subscribe to our RSS feeds. Below are titles of some of our resources available on our website that may provide guidance and support during an investigation:
- Guide to Creating an Internal Privacy Breach Investigation Report
- Privacy Breach Guidelines for Government Institutions and Local Authorities
- Privacy Breach Guidelines for Trustees
- Faxing Personal Information and Personal Health Information: Safeguards and responding to a breach
- Checklists for Trustees: Misdirected Faxes