Overview
The Right to Information and Protection of Privacy Act (RTIPPA) requires public bodies to undertake certain measures when handling a privacy breach. A privacy breach is when personal information is accessed, used, shared, or disposed of without authorization. Examples include sending personal information to the wrong person or not securely destroying documents with personal information. When a breach is suspected, public bodies need to act quickly.
Guidance
The information provided on this page is intended to provide guidance to public bodies. The purpose is to help New Brunswick public bodies understand how they can manage privacy breaches and their requirements under the Right to Information and Protection of Privacy Act (RTIPPA). Information provided on this page is for information purposes only and does not constitute legal advice. Public bodies should consult with their own legal counsel for legal advice related to RTIPPA.
What is a privacy breach
RTIPPA defines a privacy breach as any incident of unauthorized access, use, disclosure, or disposal of personal information in the custody of or under the control of a public body.
Privacy breaches may be accidental or deliberate. Some examples include:
- sending an email that contains personal information to the wrong person
- snooping through files or systems that contain personal information with no legitimate business reason for doing so
- non-secure disposal of personal information. For example, placing documents containing personal information in a recycle bin rather than securely shredding them
- a network security breach where personal information is accessed
Responding to a privacy breach
Take immediate action as soon as a privacy breach is suspected or discovered.
Step 1: Contain the breach
As soon as a breach is discovered or suspected:
- immediately report the breach internally to your supervisor and Privacy Officer
- conduct an initial assessment of what happened
- take immediate steps to stop the breach and prevent any further disclosure of the personal information
- secure and recover any personal information already disclosed
- identify who within your organization needs to be notified, possibly including senior management, legal counsel, IT security, and communications
- establish a response team, if necessary, and define each person’s role and responsibilities
Step 2: Evaluate the risk
- Identify the type of personal information involved in the breach and assess its risk level.
- Determine the context of the breach; the context plays a significant role in determining the sensitivity of the information involved.
- Determine the cause and extent of the breach, how the breach happened, which systems were affected, the risk of ongoing exposure, the amount of data accessed, and potential recipients.
- Understand who is affected by the breach and how many people are affected.
- Identify foreseeable harm to affected individuals, considering factors such as:
  - whether the information can be used for malicious purposes like fraud or identity theft
  - the recipient of the personal information (an employee who received the information in error and notifies the sender of the mistake is less likely to misuse the information)
  - the relationship between the affected person and the recipient
Step 3: Provide notification
Notifying people about breaches may not always be needed but, in some cases, it can help people reduce the potential harm arising from a breach. RTIPPA requires public bodies to inform affected individuals as soon as possible if a privacy breach poses a risk of significant harm. In such cases, RTIPPA also requires the Ombud to be notified.
Significant harm is defined in RTIPPA as bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property.
Consider the following factors to determine if a privacy breach creates a risk of significant harm:
- the sensitivity of the personal information that has been breached
- the probability that the personal information has been, is being, or will be misused
- who has access to the personal information that was breached
- how quickly the breach was contained
Step 4: Prevent future breaches
- investigate the breach to determine how the breach occurred, identify areas of weakness, and make recommendations to prevent a similar breach from occurring again
- develop a plan to implement the recommendations and corrective measures. This may include changing policies or procedures, improving security safeguards, or providing training to staff
Logging privacy breaches
Subsection 4.2(4)(b) of the General Regulation under RTIPPA requires that public bodies maintain a registry of every actual privacy breach and the corrective measures taken. At a minimum, the log should include a brief description of the event, the date it occurred, the outcome, the recommended mitigations, and the corrective measures taken to reduce the likelihood of a similar occurrence. Tracking breaches helps the organization report on breaches to management and identify trends that need to be addressed to prevent future breaches.
Privacy breach management guide and templates
A guide for managing privacy breaches, a sample privacy breach reporting form, and a privacy breach registry template will be made available to public bodies soon. Continue to check here for updates.