The Privacy Breach Management Toolkit

Although the FOI Assist Knowledge Base tends to focus on Ontario’s provincial and municipal institutions, today I want to highlight a resource provided by the Government of Canada that can be of great help to privacy professionals across the country.

The Government of Canada’s Privacy Breach Management Toolkit is intended to support the management and prevention of privacy breaches. Although its guidance is directed primarily at institutions that fall under Canada’s federal privacy legislation, it can be adapted to meet the needs of other types of institutions, and it is well-suited for adoption by provincial and municipal institutions in Ontario and other provinces as well.

In describing how to respond to a privacy breach, the toolkit breaks the response down into four phases:

  • Identify and contain the breach
  • Complete a full assessment of the breach
  • Mitigate the risks and communicate internally
  • Report and prevent another breach

Each of these phases has its own section in the toolkit, with step-by-step guides and links to other useful tools for that phase.

One of the toolkit’s highlights is the section on identifying a privacy breach, which provides a variety of scenarios covering various types of privacy breaches. For most privacy professionals, the type of breach most likely to come to mind is when personal information is revealed or exposed to an unauthorized third party, whether entirely by mistake, or intentionally, through a malicious act. However, the toolkit’s scenarios address other types of privacy breaches as well, serving to remind us that misuse, improper disposal, or even overcollection of personal information are also all considered privacy breaches. (This is true both under Canada’s federal legislation, and under Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) and Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) as well.)

The Privacy Breach Management Toolkit offers fantastic resources for assessing a privacy breach, including a Preliminary Breach Report template, guidelines for conducting a full assessment of a privacy breach, a Privacy Breach Checklist and a Privacy Breach Risk Assessment Tool. Privacy breach risk assessments can be thought of as “after the fact” Privacy Impact Assessments for privacy breaches, and they are invaluable for determining the proper response to a privacy breach, including what steps will be necessary to fully contain the breach, who should be notified, and whether the breach is significant enough to warrant reporting to the Information and Privacy Commissioner of Ontario (IPCO) (or the relevant privacy authority for your institution).

Provincial and municipal institutions in Ontario should also be aware of IPCO’s own guidance on privacy breaches, especially IPCO’s Privacy Breaches Guidelines for Public Sector Organizations, which provides Ontario-specific advice on how to identify a privacy breach and how to respond. IPCO also publishes helpful recommendations on preparing a Privacy Breach Protocol, as well as dedicated guidance on privacy breaches for health information custodians covered by the Personal Health Information Protection Act (PHIPA).

Understanding and managing privacy breaches effectively is increasingly crucial for privacy professionals, not only in Ontario but across Canada. With the dynamic landscape of data privacy laws and the impending changes, such as Ontario’s Bill 194, which will require provincial institutions under FIPPA to report significant privacy breaches to the IPCO, the stakes for proper breach management are higher than ever. The Government of Canada’s Privacy Breach Management Toolkit is an invaluable resource adaptable across various jurisdictions. By familiarizing themselves with the tools and strategies outlined in the toolkit—particularly those aimed at identifying, assessing, and responding to privacy breaches—privacy professionals can ensure they are well-prepared to protect the personal information entrusted to them and comply with evolving legal requirements. This proactive approach not only helps to mitigate the risks associated with privacy breaches but also builds trust within the institutions they serve.

The FOI Assist software

Responding to Freedom of Information (FOI) requests manually is labour-intensive and prone to error. Decisions made by your institution, as well as missed steps and mistakes, can lead to appeals, media attention, and privacy complaints.

Help your institution comply with Ontario’s privacy legislation with the FOI Assist software. The FOI Assist software was designed by an Ontario lawyer for full compliance with FIPPA and MFIPPA. When you use FOI Assist to track and respond to FOI requests, you can be confident you are relying on the latest legislation and guidance, because it’s always kept up-to-date.

To learn how the FOI Assist software can manage your institution’s FOI function, contact FOI Assist or book a demonstration today.

Make Freedom of Information Easy™

