Privacy Breach Procedures and Checklist for (Name of
Agent/Agency)
Compliance Officer:
Date:
Definition of Privacy Breach
A privacy breach occurs when there is an unauthorized access to, or collection, use or
disclosure of personal information (PI) that contravenes privacy legislation. Typically
breaches occur because PI is lost, stolen, disclosed in error or as a consequence of an
operational breakdown. Some of the most common privacy breaches happen when PI of
customers, patients, clients or employees is stolen or personal information is mistakenly
disclosed (e.g. a computer containing personal information is stolen or personal information
is mistakenly emailed to the wrong person).
Step 1: Contain the breach.
If you discover a privacy breach has occurred or is occurring, notify the Compliance
Officer immediately and take steps to contain the breach – don’t let any more PI
escape if you can prevent it. Depending on what has happened:
□
□
□
□
□
Stop the unauthorized practice
Recover any records that can be recovered
Shut down the system that was breached
Revoke or change computer access codes or
Correct weaknesses in physical or electronic security, i.e. order the locks
changed
□
Do not destroy evidence that may be necessary to investigate and to take
corrective action.
□
Notify the police if the breach appears to involve theft or other criminal
activity.
□
Other action to be taken
______________________________________________________
Step 2: Gather information about the incident:
o
o
o
o
o
o
Date of
occurrence_______________________________________________________
Date
discovered________________________________________________________
How
discovered________________________________________________________
Location of the
incident__________________________________________________________
Cause of the
incident__________________________________________________________
Any other information you can quickly assemble__________________________
o
o
o
o
o
o
o
Is there risk of ongoing breaches or further exposure of PI? _________________
Was the PI lost or stolen? ___________________________________________
If stolen, can you determine whether the information was the target of theft?
_______________
Has the PI been recovered? _________________________________________
Is this a systemic problem or isolated incident? ___________________________
What form was the PI in?
□ Paper
□ Electronic
□ Other ________________________________________________________
What physical or technical security measures were in place at the time of the incident?
□
□
□
o
Reception area
□ Encryption
Locks
□ Alarm systems
Other ____________________________
□ Passwords
□ Anonymous info.
Did any security measures fail to perform as desired or contribute to the breach?
□
□
□
□
Reception area
□
Encryption
Locks
□
Passwords
Alarm systems
Other___________________________________________
Step 3: Evaluate the Breach and Associated Risks*:
o
o
What PI was involved?
□ Name
□ Address
□ Medical/health info.
□ Disciplinary records
□ Mental health info.
□ Financial
□ Bank account numbers
□ Credit card numbers
□ Insurance policy numbers
□ Other _________________
□ Identification information
□ SIN
□ Driver’s License
□ Health care numbers
□ Other______________________
How sensitive was the
information*?______________________________________________________
_________________________________________________________________
□ A combination of sensitive information, along with name and/or address
and/or DOB and/or government-issued ID numbers was involved. (This
represents a higher risk).
o
o
o
What kinds of harm can come to individuals from the breach?
_________________________________________________________________
o
Can this information be used for or cause:
□ Fraud
□ Identity theft
□ Financial loss
□ Loss of business or employment
□ Humiliation
□ Damage to reputation or relationships
□ Physical harm, stalking, harassment
□ Have you identified who has received the information? ___________________
□ Have you determined the risk of further access, use or disclosure? _________
o
What is the ability of the individual to avoid or mitigate possible harm?
________________________________________________________________
o
What harm can result to us? (Loss of trust, assets, financial exposure, legal
proceedings).
________________________________________________________________
o
The extent of the breach
How many individuals have been affected? __________________________
Who are they?
□ Employees
□ Contractors
□ Agents
□ Customers
□ Service providers
□ Other _______________________________________________________
What steps are needed to correct the problem?
_____________________________________________________________________
Is this a one-off issue or is it systemic?
_____________________________________________________________________
Step 4: Notification of Privacy Breach
Who should be notified?
The Privacy Commissioner states “Typically, the organization that has a direct relationship
with the customer, client or employee should notify the affected individuals, including when
the breach occurs at a third party service provider that has been contracted to maintain or
process the personal information.” The decision as to whether to notify the affected
individuals may have to be delayed in order for a full risk assessment to be conducted.
o
o
o
o
o
o
o
What are our legal and/or obligations to provide notification to individuals concerned?
What are the reasonable expectations of the individuals concerned?
___________________________________________________________________
What are our obligations to notify regulators? (At this date, Ontario, Newfoundland
and Labrador, New Brunswick and Alberta require notification of affected parties
when there are privacy breaches. Alberta specifically requires that the provincial
Privacy Commissioner also be notified. The federal Office of the Privacy
Commissioner of Canada is also seeking changes to PIPEDA, which would require
notifications).
Do we have contractual obligations to notify any insurers? _____________________
Do any insurers expect to provide the notification, rather than us? _______________
If customer information was involved, do we notify the MGA involved? ___________
Are there others who should be notified of the breach? ________________________
If it is decided that individuals and/or insurers and/or MGAs do not need to
be notified, please note the reasoning:
_____________________________________________________________________________
If affected individuals are to be notified:
o
Who will notify them? __________________________________________________
o
How will they be notified?
□ Phone
□ Letter
□ Email
□ In person
□ Website
□ Media
□ Other _____________________________________________________________
o
Do any third parties need to be involved? __________________________________
o
What needs to be included in the notification?
Depending on the circumstances, notifications could include some of the following,
but be careful to limit the amount of personal information disclosed in the notification
to only what is necessary:





Information about the incident and its timing in general terms;
A description of the personal information involved in the breach;
A general account of what we have done to control or reduce harm;
What we will do to assist individuals and steps individuals can take to
reduce the risk of harm or further protect themselves;
Sources of information designed to assist individuals in protecting against
identity theft;




Contact information of who can answer questions or provide further
information;
Whether we have notified a privacy commissioner’s office;
Additional contact information to address any privacy concerns to us; and
Contact information for the appropriate privacy commissioner (s).
Step 5: Prevent Future Breaches
What short and long term steps do we need to take to correct the situation?
□ Staff training
□ Review and revise our policy and procedures
□ Regular privacy audits
□ Investment in electronic and or/physical security safeguards
□ Other
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________