What to do if you Receive a Privacy Breach Notification

December 29, 2022 - Lisa Long, Intake Officer

Receiving notice that you are an affected individual in a privacy breach can be stressful, and you may be wondering what your options are. Here are some answers to common questions that our office receives when people find out that they may be impacted by a privacy breach.

Why am I receiving this notice?

Generally speaking, a privacy breach occurs when personal information or personal health information is collected, used, or disclosed inappropriately. This can be a result of many different situations, from intentional breaches like cyber-attacks or employee snooping, to more mundane things like poor policies, procedures, or training leading to mistakes in handling sensitive information. A person whose information was compromised by the breach is called an “affected individual.”

Whether or not The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and/or The Health Information Protection Act (HIPA) require that notice be provided to an affected individual in the event of a breach, our office encourages notification as a best practice.

Every breach is different, so if you’ve received a notification that you are an affected individual in a privacy breach, it’s important to read it carefully. The public body or trustee might be telling you that your information has been compromised, or it might be telling you that your information may have been compromised. To learn more about what should be included in a breach notification, check out our previous blog, Notifying Affected Individuals: What should I put in the letter?

What questions should I be asking the public body or trustee?

When I receive calls from affected individuals, a lot of people are at a loss to know what to do or even what questions they should be asking the public body or trustee. Again, every breach is different, but here are some basic things you may want to clarify:

  • What information about me has or may have been breached? Who has it? Did the public body or trustee get it back?
  • What was the nature of the breach? Was it malicious (e.g. the breach involved theft or employee snooping), or was it accidental (e.g. information was left unattended or a staff member made a mistake)?
  • Could this breach harm me? If so, what steps is the public body/trustee taking to mitigate the potential risk? What steps can I take to protect myself?

Who should I call if I have questions or concerns about this notice?

If you have questions about the breach itself or how the public body or trustee is dealing with it, you should call the individual from the organization listed in the notification; that person will have the most direct knowledge of the situation and what is being done to contain and address the breach. They often have the title of Privacy Officer.

When should I engage the IPC?

The first step is always to contact the public body or trustee to determine whether your concerns are already being addressed.

If you are not satisfied with how the public body or trustee is handling the breach, you can make a complaint to our office. If the breach has not been proactively reported to us, we will determine whether we have jurisdiction and grounds to investigate.

If the breach was proactively reported, we will likely already have an open investigation. You can request that our office add you formally as an affected individual/complainant. If you don’t want to submit a complaint, but you do want to know the results of the investigation, you can ask to receive a copy of the report, if one is created. To be included as a complainant or to receive a copy of the report of the investigation into the breach, we will ask you to submit a copy of the notification letter you received from the public body or trustee.

What does filing a complaint with the IPC do?

When you file a complaint with our office, it’s important to think about what you hope will come of an investigation – is it learning more about how your privacy was breached, assurances about what steps will be taken to prevent a future breach, or even getting an apology? Our staff will ask you about this early in the complaint process as a way of clarifying what your concerns and expectations are in the situation. It’s important to note that our office does not have order-making powers; the results of an investigation are usually a set of recommendations to the public body or trustee to prevent a similar breach from occurring again, not to take punitive actions or award damages.

If a breach has been proactively reported to our office, we open a file and will assess the organization’s response. Filing a complaint with our office likely won’t change the outcome of our investigation; however, we are more likely to release a public report if complainants decide to come forward.

If you decide to file a complaint, it is important to note that you will be named to the public body or trustee as the complainant; however, if a report is issued by our office, you will NOT be named publicly.

I hope this helps to give you a starting point and clarify what you can do or how our office may become involved if you receive a breach notification from a public body or trustee. If you have questions or concerns about a breach notification, you can contact us at intake@oipc.sk.ca or at 306-787-8350.
