Take immediate action as soon as a privacy breach is suspected or discovered.
Step 1: Contain the breach
As soon as a breach is discovered or suspected:
- Immediately report the breach internally to your supervisor and Privacy Officer.
- Conduct an initial assessment of what happened.
- Take immediate steps to stop the breach and prevent any further disclosure of the personal information.
- Secure and recover any personal information already disclosed.
- Identify who within your organization needs to be notified. Some examples include senior management, legal counsel, IT security, and communications.
- Establish a response team, if necessary, and define each person’s role and responsibilities.
Step 2: Evaluate the risk
- Identify the type of personal information involved in the breach and assess its risk level. The context of the breach also plays a significant role in determining sensitivity.
- Determine the cause and extent of the breach. Consider how the breach happened, which systems were affected, the risk of ongoing exposure, the amount of data accessed, and potential recipients.
- Understand who is affected by the breach (for example, employees, students, etc.) and how many people are affected.
- Identify foreseeable harm to affected individuals. Consider factors such as:
  - Whether the information can be used for malicious purposes like fraud or identity theft.
  - The recipient of the personal information. For example, an employee who received the information in error and notifies the sender of the mistake is less likely to misuse the information.
  - The relationship between the affected person and the recipient.
Step 3: Provide notification
Notifying people about breaches may not always be needed but, in some cases, it can help people reduce the potential harm arising from a breach. RTIPPA requires public bodies to inform affected individuals as soon as possible if a privacy breach poses a risk of significant harm. In such cases, RTIPPA also requires the Ombud to be notified.
Significant harm is defined in RTIPPA as bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property.
Consider the following factors to determine if a privacy breach creates a risk of significant harm:
- The sensitivity of the personal information that has been breached.
- The probability that the personal information has been, is being, or will be misused.
- Who has access to the personal information that was breached.
- How quickly the breach was contained.
Step 4: Prevent future breaches
- Investigate the breach to determine how the breach occurred, identify areas of weakness, and make recommendations to prevent a similar breach from occurring again.
- Develop a plan to implement the recommendations and corrective measures. This may include changing policies or procedures, improving security safeguards, or providing training to staff.