Privacy Breach Protocol
The Public Prosecution Service of Canada (PPSC) takes privacy seriously, and takes steps to protect the personal information of individuals.
This protocol outlines the steps that must be followed by a PPSC employee, agent, or contractor who discovers a possible breach of privacy. The guidance provided in this protocol ensures that when a breach does occur, it is quickly contained and similar breaches are prevented from occurring.
Roles & Responsibilities
All employees and agents of the PPSC are responsible for protecting personal information to which they have access. They are responsible for ensuring, to the greatest extent possible, that privacy breaches do not occur, and for reporting them when they do occur.
- ATIP Coordinator
  - The Director General, Communications and Parliamentary Affairs, has been designated as the PPSC’s ATIP Coordinator and plays an oversight role in relation to the application of the Privacy Act (Act), its regulations, and related policies, directives, and guidelines.
- Corporate Counsel
  - The Corporate Counsel, Ministerial and External Relations Secretariat, provides privacy-related legal advice to the ATIP Coordinator, the ATIP Manager, and PPSC managers.
- Director of Public Prosecutions (the DPP)
  - The DPP has overall responsibility for PPSC’s compliance with the Privacy Act. Pursuant to section 73 of the Act, the DPP has delegated all related powers to the Senior Director General, Corporate Services, the Director General, Communications and Parliamentary Affairs, and the Manager, Access to Information and Privacy.
- Manager, Access to Information and Privacy (ATIP Manager)
  - The ATIP Manager has direct, daily responsibility for the management of the ATIP Office by coordinating all activities relating to the operation of the Act and to the regulations, directives, guidelines and policies issued pursuant to that Act. The Manager is also responsible for ensuring that legislative policies and procedures prescribed by the Act and its regulations are met on behalf of the PPSC.
- Point(s) of Contact
  - The Chief Federal Prosecutor(s) or Headquarters Director(s) within the PPSC who serve as the liaison with the ATIP Office and who are responsible for fulfilling ATIP-support functions on behalf of their region or office.
In April 2010, the Treasury Board issued the Directive on Privacy Practices, which obliges government executives and senior officials who manage programs or activities involving the creation, collection or handling of personal information to implement their institution's plan for addressing privacy breaches when circumstances warrant.
Personal Information - Personal information is defined by section 3 of the Privacy Act as information that is about an identifiable individual that is recorded in any form.
Privacy Breach - A privacy breach is an incident involving the unauthorized collection, use or disclosure of personal information. Such activity is “unauthorized” if it occurs in contravention of the Privacy Act. A breach may be the result of inadvertent errors or of malicious actions by employees, agents, contractors, third parties, partners in information-sharing agreements, or intruders.
Potential Causes of Privacy Breaches
Circumstances that could lead to privacy breaches include:
- the theft, loss or disappearance of equipment or devices containing personal information (e.g. personal computers, laptops, external memory drives, USB memory sticks, CD-ROMs, blackberries, cell phones, photocopiers, file cabinets, briefcases and fax machines);
- the use of equipment or devices to transport/store personal information outside the office without adequate security measures;
- intrusions that result in unauthorized access to personal information held in buildings, file storage containers, computer applications, systems, LANs or other equipment and devices;
- faulty departmental procedures or operational breakdowns; and
- insufficient controls in place to protect personal information in paper and electronic files.
Key Steps In Responding To a Privacy Breach
Upon learning of a real or potential privacy breach, the following steps must be taken immediately:
Step 1: Breach Containment and Preliminary Assessment
- The employee or agent must take immediate action to contain the breach and to secure the related records, systems or web sites in order to prevent any further privacy breach from occurring, including:
  - Removing, moving or segregating exposed information/files.
  - If necessary, shutting down the website, application or device temporarily to permit a complete assessment of the breach and resolve vulnerabilities.
- Attempt to retrieve any documents or copies of documents that were wrongfully disclosed or taken by an unauthorized person.
- Return the documents to their original location or to the intended recipient unless their retention is necessary for evidentiary purposes.
- The employee or agent must immediately notify his or her supervisor or manager. If the breach concerns information relating to a confidential informant, the employee or agent must also immediately inform the responsible Chief Federal Prosecutor and the relevant police agency of the breach. The Chief Federal Prosecutor must then notify the appropriate Deputy Director of Public Prosecutions.
- The supervisor/manager will, in turn, notify the Point(s) of Contact (i.e., the responsible Chief Federal Prosecutor or Headquarters Director).
- The Point of Contact will:
  - Notify the ATIP Manager.
  - Notify the Departmental Security Officer (DSO). If theft or other criminal activity appears to be involved, Security Services will, in turn, notify the police.
- In cases where the breach involves electronic information, the Point of Contact will also notify the Chief Information Officer.
- The ATIP Manager will immediately inform the ATIP Coordinator of the breach.
- The PPSC employee or agent who discovers the privacy breach must complete the Privacy Breach Reporting Form and forward it to the ATIP Office, attention ATIP Manager, by email at email@example.com. A copy of this form will also be forwarded to the responsible Point of Contact.
- The ATIP Manager and the Point(s) of Contact will immediately commence the following steps to document the privacy breach:
  - Document in detail the circumstances that gave rise to the privacy breach.
  - Take inventory of the personal information that was or may have been compromised.
  - Identify the individuals whose personal information has been wrongfully disclosed or accessed, stolen or lost.
  - Identify the Office of Primary Interest (OPI) that is responsible for the personal information involved.
  - Compile other relevant information (e.g. previous, similar or related incidents).
- The ATIP Manager will confer with the Corporate Counsel to assess the possibility of obtaining and/or preserving evidence relating to the privacy breach.
- The ATIP Coordinator will determine if communications are required, either internal or external. If necessary, the ATIP Coordinator will:
  - determine if media or other public communication material may need to be developed and assist with the preparation of those materials;
  - work with Communications to prepare internal communications material; and
  - notify the relevant Deputy Director of Public Prosecutions and the Director of Public Prosecutions.
Throughout the preliminary assessment, all those involved must be careful not to destroy evidence that may be valuable in determining the cause of the breach, or in allowing appropriate corrective action to be taken.
Step 2: Evaluation and Analysis of the Breach and Associated Risks
The ATIP Manager, in collaboration with the ATIP Coordinator, the Departmental Security Officer and the Point(s) of Contact, will determine what other steps are immediately necessary to assess the risks associated with the breach. This may include the participation of the Manager, Security Services, in cases involving a breach of security, and the Chief Information Officer, in cases where the breach involves electronic information.
This assessment will help determine how to respond to the breach, who should be informed, and what form of notification is appropriate. For example, if a laptop containing adequately encrypted information is stolen, subsequently recovered, and investigations show that the information was not tampered with, notification to individuals may not be necessary.
Factors to Consider In Assessing the Breach & Associated Risks
The Personal Information Involved
- What data elements have been compromised? (e.g. name, address, SIN, financial, etc.)
- How sensitive is the information? Generally, the more sensitive the information, the higher the risk of harm to individuals. However, sensitivity alone is not the only criterion in assessing the risk, as foreseeable harm to the individual is also important.
- What is the context of the personal information involved?
- Is the personal information adequately encrypted, anonymized or otherwise not easily accessible?
- How can the personal information be used? Can the information be used for fraudulent or otherwise harmful purposes? The combination of certain types of sensitive personal information along with name, address and date of birth suggests a higher risk due to the potential for identity theft.
The Cause and Extent of the Breach
- What is the cause of the breach?
- Is there a risk of ongoing breaches or further exposure of the information?
- What was the extent of the breach? How many likely recipients of the information are there, and who are they?
- What is the likelihood of further access, use or disclosure, including via mass media or online?
- Was the information lost or was it stolen? If it was stolen, can it be determined whether the information was the target of the theft or not?
- Has the personal information been recovered?
- What steps have already been taken to mitigate the harm?
- Is this a systemic problem or an isolated incident?
The Individuals Affected by the Breach
- How many individuals’ personal information is affected by the breach?
- Who is affected by the breach: employees, agents, contractors, public, clients, service providers, other organizations?
The Foreseeable Harm from the Breach
- Who is/are the unauthorized recipient(s) of the information?
- Is there any relationship between the unauthorized recipient(s) and the individual whose privacy was breached?
- What harm to the organization could result from the breach? (e.g. loss of trust, legal proceedings).
- What harm to the affected individuals could result from the breach? (e.g., physical safety risk, identity theft, financial loss, loss of business or employment opportunities, humiliation, or damage to reputation).
- What harm could come to the public as a result of notification of the breach? (e.g., risk to public safety).
Step 3: Notification
If the privacy breach creates a risk of harm to an individual, those affected should be notified. Prompt notification can help individuals mitigate the damage by taking steps to protect themselves. The challenge is to determine when notice is required. Each incident is to be considered on a case-by-case basis to determine whether notification is required. A key consideration in deciding whether to notify affected individuals is whether notification is necessary to mitigate the harm to any individuals whose personal information has been inappropriately collected, used or disclosed as a result of the breach.
Notify Affected Individuals
While the PPSC will evaluate each incident to determine on a case-by-case basis whether notification is required, to the extent possible, the responsible Chief Federal Prosecutor or Headquarters Director, as the Point of Contact, should strongly consider notifying all affected individuals whose personal information has been or potentially has been compromised through theft, loss or unauthorized disclosure, if the breach:
- involves sensitive personal data such as financial or medical information, or personal identifiers such as the SIN;
- can result in identity theft or some other related fraud; or
- can otherwise cause harm or embarrassment which could have detrimental effects on the individual's career, reputation, financial position, safety, health or well-being.
Notification is to be provided as soon as possible following the breach to allow affected individuals to take action to protect themselves against, or mitigate the damage from, identity theft or other possible harm.
Care should be exercised in the notification process to not unduly alarm individuals, especially where the PPSC only suspects but cannot confirm that certain individuals have been affected by the breach.
It is always preferable to notify affected individuals directly. This can be done by letter (priority post or by courier is recommended), telephone or in person, unless the individuals cannot be located or the number of individuals is so large that the task is too onerous to the organization. In such cases, the PPSC will consider posting a conspicuous notice on its internet website and/or using major local or nationwide media. The PPSC will only use electronic mail if the individual previously consented to the receipt of electronic notices.
Notification should include:
- a general description of the incident, including date and time;
- the source of the breach (whether it is a PPSC employee, an agent, a contracted party or a party to a sharing agreement);
- a list of the personal information elements relating to the individual that are thought to have been or potentially have been compromised;
- a description of the measures taken or to be taken to retrieve the personal information, to contain the breach and to prevent a reoccurrence;
- advice to the individual to mitigate risks of identity theft or to deal with compromised personal information;
- the name and contact information of a PPSC official with whom affected individuals can discuss the matter further or obtain assistance;
- if applicable, a reference to the effect that the Office of the Privacy Commissioner has been notified of the nature of the breach and that the individual has a right of complaint to that office;
- if applicable, inform affected individuals of developments as the matter is further investigated and outstanding issues are resolved; and
- where appropriate, consider informing affected parties of any risk mitigation plan that will be implemented by the PPSC.
Notify the Office of the Privacy Commissioner of Canada (OPC)
The ATIP Manager, in collaboration with the ATIP Coordinator, should strongly consider notifying the OPC of the privacy breach if the breach:
- involves sensitive personal data such as financial or medical information, or personal identifiers such as the SIN;
- can result in identity theft or some other related fraud;
- may result in physical harm; or
- can otherwise cause harm or embarrassment which would have detrimental effects on the individual's career, reputation, financial position, safety, health or well-being.
Notification to the OPC should occur as soon as reasonably possible and is to include information as to the nature and extent of the breach, the type of personal information involved, the parties involved, anticipated risks, steps taken or to be taken to notify individuals, and any remedial action taken.
The PPSC, including the ATIP Manager, ATIP Coordinator, and in some cases the Director of Public Prosecutions, will consider and respond to any advice given by the OPC to mitigate risks of reoccurrence.
The PPSC may choose to manage minor incidents internally, if the circumstances outlined above for notifying the OPC are not present. In such instances, and depending on the nature and scope of the privacy breach, the PPSC will determine whether notifying the OPC is appropriate. If a decision is taken by the PPSC not to notify the OPC, the ATIP Manager will document the rationale.
Step 4: Prevention of Future Privacy Breaches
The ATIP Manager, ATIP Coordinator, Manager for Security Services, Departmental Security Officer, Chief Information Officer, and the Point(s) of Contact (the responsible Chief Federal Prosecutor or Headquarters Director), will undertake a post-privacy breach analysis to determine the cause of the breach and identify appropriate measures to avoid a reoccurrence.
The level of effort will reflect the significance of the breach and whether it was a systemic breach or an isolated incident.
A post-privacy breach analysis may determine that the PPSC needs time to thoroughly investigate the cause of the breach and to consider whether to develop a breach prevention plan. If necessary, the plan may include the following:
- a security audit to be conducted for both physical and information technology (IT) security;
- a review of policies and procedures (e.g., security policies, record retention and collection policies, etc.) to make any changes that reflect lessons learned from the investigation;
- a review of employee training practices; and
- a review of information sharing agreements.
Depending on the circumstances, the breach prevention plan should be forwarded to the Chief Audit Executive to determine if an internal audit is required. If an audit is required, it would be carried out at a later date to ensure that the breach prevention plan has been fully implemented.
The breach prevention plan will be shared with management as necessary to ensure all are informed and action can be taken on the recommendations.
Appendix A - Privacy Breach Checklist
The following checklist should be used in conjunction with the Protocol when responding to a possible privacy breach.
- Date of the incident
- Date that the incident was discovered
- How was the incident discovered?
- Location of the incident
- Description of the breach and its cause
Steps To Be Taken By the Individual Who Discovers the Privacy Breach
- Take immediate action to contain the breach and secure the related records, systems or web sites (e.g., recover information, shut down computer system).
- Immediately notify his/her supervisor/manager.
- If the breach concerns information relating to a confidential informant, the responsible Chief Federal Prosecutor and the relevant police agency must be informed immediately. The Chief Federal Prosecutor must then notify the appropriate Deputy Director of Public Prosecutions.
- Complete the Privacy Breach Reporting Form and forward it to the ATIP Office, attention ATIP Manager, by email at firstname.lastname@example.org. A copy of this form is also to be forwarded to the responsible Chief Federal Prosecutor or Headquarters Director.
- Preserve all evidence that may be valuable in determining the cause of the breach, or to allow appropriate corrective action to be taken.