
What Does it Mean if a Proactively Reported Privacy Breach is Informally Resolved?

April 14, 2025 - Danielle Malach, Analyst

Public bodies or trustees can proactively report a privacy breach to the IPC when they have a reasonable basis to suspect or confirm that a privacy breach has occurred. While not required by law, the IPC encourages public bodies and trustees to proactively report suspected or confirmed privacy breaches to our office. Public bodies and trustees wanting to proactively report a privacy breach can complete the Proactively Reported Breach of Privacy Form and submit it to the IPC, ideally within seven days of discovery of the breach. For more information on what happens when a public body or trustee proactively reports a privacy breach, please refer to the Rules of Procedure, as well as the IPC resources: Privacy Breach Guidelines for Government Institutions and Local Authorities or Privacy Breach Guidelines for Trustees.

Some of the benefits of proactively reporting include:

  • May reduce the need for the IPC to issue a public investigation report on the matter, if the public body or trustee has appropriately responded to the breach, including taking the necessary steps to prevent future breaches.
  • Receive timely, expert advice from the IPC – the IPC can help guide the public body or trustee on what to consider, what questions to ask and what parts of the relevant legislation may be applicable. Depending on the legislation that the public body or trustee is subject to and the specific circumstances of the proactively reported privacy breach, the applicable parts of the legislation may vary. However, some examples may include:
    • provisions related to the definitions of personal information and personal health information.
    • provisions related to the collection, use and disclosure of personal information or personal health information.
    • provisions related to the duty to protect personal information or personal health information.
    • provisions related to the requirement to notify affected individuals where there is a real risk of significant harm.
  • When engaging with the media, the public body or trustee can advise the public that it is working with the IPC to address the matter.
  • Should affected individuals contact the IPC, we can advise them that we are working with the public body or trustee to address the breach, which may prevent a formal complaint to the IPC. The IPC also redirects affected individuals back to the public body or trustee to address any questions they may have about the information involved and the steps the public body or trustee has taken to respond to the privacy breach.

After a public body or trustee proactively reports a privacy breach to the IPC, our office will notify the public body or trustee of our intention to undertake an investigation and request the public body or trustee complete the Privacy Breach Investigation Questionnaire and submit any other relevant supporting documentation by the deadlines outlined in our notice.

The IPC will review the Privacy Breach Investigation Questionnaire and any other supporting documentation and consider if the public body or trustee appropriately managed the breach and took the following steps in responding to the privacy breach:

  • Contained the breach (as soon as possible)
  • Notified affected individuals (as soon as possible)
  • Investigated the breach
  • Took steps to prevent future breaches

The Rules of Procedure provides that after investigating the reported privacy breach and the actions taken by the trustee, the IPC will make a decision about how to resolve the file. The possible outcomes include:

  • If the IPC is satisfied with most or all of the steps taken, the file may be closed without the issuance of a public investigation report, and if applicable, with recommendations for the public body or trustee to consider implementing.
  • If the IPC is not satisfied with the steps taken, an affected individual has filed a complaint with the IPC, the privacy breach is egregious, there is a systemic issue involved, there is significant educational value or where it involves a large number of affected individuals, the commissioner may direct that a public investigation report be issued.

The IPC takes all privacy breaches seriously, as every breach comes with an associated risk to the affected individuals (such as identity theft, credit card fraud, humiliation, damage to reputation, etc.). Staff at the IPC make efforts to reach early resolution for all files before a formal review or investigation is undertaken, and staff are encouraged to explore any opportunities to informally resolve all files. As noted earlier, one of the benefits of proactively reporting is that the IPC may not need to issue a public investigation report, provided the Commissioner is satisfied that the public body or trustee has appropriately responded to the breach and taken steps to prevent future breaches. When a proactively reported breach of privacy is informally resolved, this reflects the efforts of the public body or trustee to appropriately respond to the breach and take steps to prevent future breaches.
