Directive on Privacy Practices
This directive replaces:
- Data Matching [2021-04-01]
- Privacy Practices, Directive on [2014-05-06]
- Privacy Practices, Interim Directive on [2021-04-01]
- Privacy Practices, Directive on [2022-10-26]
Appendix B: Mandatory Procedures for Privacy Breaches
B.1 Effective date
- B.1.1 These mandatory procedures take effect on March 1, 2024.
- B.1.2 These mandatory procedures replace the Mandatory Procedures for Privacy Breaches dated October 26, 2022.
B.2 Procedures
- B.2.1 These mandatory procedures for privacy breaches provide details on the requirements set out in section 4 of the Directive on Privacy Practices.
- B.2.2 Employees of government institutions must:
  - B.2.2.1 Take immediate measures to contain any potential or confirmed privacy breach and secure the affected personal information; and
  - B.2.2.2 Once any containment measures have been taken, immediately notify the head of the institution or their delegate of the potential or confirmed privacy breach. The notification is to include:
    - B.2.2.2.1 The date, time and location of the potential or confirmed privacy breach; and
    - B.2.2.2.2 A brief description of the potential or confirmed privacy breach, including the type of personal information affected and the number of individuals potentially affected, and any containment measures taken.
- B.2.3 Executives and senior officials who manage programs or activities that involve the creation, collection or handling of personal information must:
  - B.2.3.1 If personal information affected by a privacy breach is the subject of a contract, information-sharing agreement or information-sharing arrangement, promptly notify the parties to that contract, information-sharing agreement or information-sharing arrangement;
  - B.2.3.2 If a full assessment of the breach is determined to be required by the head of the government institution or their delegate, ensure that an appropriate program official is assigned to coordinate with the head of the government institution or their delegate;
  - B.2.3.3 In coordination with the head of the government institution or their delegate, determine appropriate mitigation measures to reduce the risks of harm to affected individuals and to the institution from the breach, which, in the event of a material privacy breach, must include notification of the affected individuals unless such notification would be inappropriate for security, confidentiality, legal or other reasons;
  - B.2.3.4 In coordination with the head of the government institution or their delegate, determine appropriate prevention measures to reduce the risk of future breaches; and
  - B.2.3.5 Enact the mitigation and prevention measures that are determined to be appropriate within a reasonable time frame.
- B.2.4 Heads of government institutions or their delegates must:
  - B.2.4.1 On receiving notification of a potential privacy breach, verify whether it does, in fact, constitute a privacy breach;
  - B.2.4.2 In the event of a privacy breach, determine the need for a full assessment. A full assessment identifies and documents, at a minimum:
    - B.2.4.2.1 The circumstances that gave rise to the breach;
    - B.2.4.2.2 The inventory of personal information that was affected;
    - B.2.4.2.3 The individuals whose personal information was affected;
    - B.2.4.2.4 The institutional sectors and third parties, if any, who have a direct or indirect role in handling the personal information involved in the breach;
    - B.2.4.2.5 The risk of harm to individuals affected and to the institution; and
    - B.2.4.2.6 Whether the breach constitutes a material privacy breach;
  - B.2.4.3 Collaborate as needed with institutional security officials, including those responsible for cyber security where appropriate, in any assessment of the privacy breach or investigation of a related security event;
  - B.2.4.4 Include, at a minimum and where known, the following information when reporting a material privacy breach to the Office of the Privacy Commissioner (OPC) and to the Treasury Board of Canada Secretariat (TBS):
    - B.2.4.4.1 The date of the breach or the period during which it occurred and the date on which the institution discovered the breach;
    - B.2.4.4.2 A description of the breach, including its type and cause;
    - B.2.4.4.3 The number or approximate number of individuals affected by the breach;
    - B.2.4.4.4 The categories and elements of personal information involved;
    - B.2.4.4.5 The parties involved, including the class of individuals affected by the breach and the relationships between the parties involved;
    - B.2.4.4.6 A description of the relevant safeguards that were in place;
    - B.2.4.4.7 The real risks of significant harm that are anticipated;
    - B.2.4.4.8 All remedial actions, including containment, mitigation and prevention measures, that were or will be taken;
    - B.2.4.4.9 The method used to notify individuals whose personal information was affected, if applicable;
    - B.2.4.4.10 Justification should individuals whose personal information was affected not be notified;
    - B.2.4.4.11 The physical or geographic location where the breach occurred;
    - B.2.4.4.12 A description of how the breach was discovered;
    - B.2.4.4.13 The PIBs for the information subject to the breach, if applicable; and
    - B.2.4.4.14 A list of any organizations that were notified of the breach.
  - B.2.4.5 When reporting a material privacy breach to the OPC and TBS, use the following means:
    - B.2.4.5.1 The Privacy Act Material Privacy Breach form
  - B.2.4.6 Maintain a record of all privacy breaches for a period of five years after the date the institution became aware of the breach. The record must include, at a minimum:
    - B.2.4.6.1 The date of the breach or the period during which it occurred;
    - B.2.4.6.2 A general description of the circumstances of the breach and the nature of the information involved;
    - B.2.4.6.3 The full assessment of the breach if one was undertaken; and
    - B.2.4.6.4 In the case of a material privacy breach, the information provided to the OPC and TBS as prescribed by subsection B.2.4.4.