Guidance on Mandatory Privacy Breach Notifications

Section 36.3 of the Freedom of Information and Protection of Privacy Act (FOIPPA) requires the head of a public body to notify an affected individual if a privacy breach could reasonably be expected to result in significant harm to the individual, including identity theft or other significant harms as described in section 36.3. Section 36.3 also requires the head of a public body to notify the Information and Privacy Commissioner (the Commissioner) when the significant harm threshold is met.

Section 11.1 (1) (b) of the Freedom of Information and Protection of Privacy Regulation (the FOIPP Regulation) further describes the elements that must be included in a notification to an affected individual.

Note that FOIPPA and the FOIPP Regulation are in the process of being updated to reflect the new requirements.

Use this guidance to understand the requirements for privacy breach notifications. This guidance is for non-ministry public bodies in B.C.

For ministries, there are existing resources on privacy breaches that should be followed. Ministries are also required to follow the Information Incident Management Policy and the Core Policy and Procedures Manual, Chapter 12 for information incidents, including privacy breaches.

Assessing Significant Harm

The determination of whether a privacy breach could result in significant harm depends on context. Several of the considerations below can help assess the likelihood of harm. They also depend on and inform each other.

The sensitivity, context, and amount of personal information involved

The sensitivity of personal information often but not always depends on context, the relationship between the individuals, and/or the individuals affected. Determining the sensitivity and being mindful of the context can help inform the potential for harm. Breaches with personal information that is highly sensitive are more likely to result in significant harm.

The number of data elements involved in the breach may increase sensitivity if each element contributes to a complete picture of an individual. The more data elements involved in the breach, the greater the overall risk of misuse of any or all of the data elements.

For example, first and last name may not be considered sensitive on their own but when paired with birth date, home address, and financial information, the sensitivity of a name may increase because more is known about the individual. This could result in a risk of significant harm, including identity theft.

The individuals affected

Different groups of people may be affected by breaches in different ways. Understanding the type of individuals affected may inform how to notify. For example, if a child’s information has been breached, the public body may need to consider who to notify in line with relevant legislation.

The relationships of those involved

Consider the relationship between the recipient of the breached information and the individual whose information was breached. An adverse relationship may result in the potential for harm to the individual or misuse of their information. For example, a letter containing sensitive personal information sent to a hostile ex-spouse who is threatening to publish it on social media would increase the potential for significant harm.

The key consideration is what is known about the person that caused the breach or received the breached personal information. For example, if there is evidence that the person receiving the breached information intends to use the information in a malicious way, this would increase the potential for harm.

If there are a large number of people that received the breached personal information or if the recipients are unknown, there may also be an increased potential for harm.

Ability to contain the breach

If a breach cannot be quickly contained by the public body, this may increase the likelihood of significant harm. On the other hand, if the person receiving the breached information agrees to destroy or return the personal information involved in the breach, then the likelihood of significant harm is lower.

For example, a public body employee who receives a misdirected email from a colleague within the same public body, who is subject to the same employment confidentiality requirements, could be quickly contained by deleting the email from the recipients’ inbox and from their deleted folder.

However, how quickly a breach can be contained is not the only factor for determining the risk of significant harm. Other factors such as sensitivity, context, and relationships between those involved should also be considered.

To continue the example above, if the misdirected email includes a sensitive human resource issue and has been sent not just to one individual by mistake but to a large distribution list, the ability to quickly contain the information has decreased and the risk of significant harm has increased.

How the information was breached will have an impact on the public body’s ability to contain the breach. If the information was breached through theft, this will generally increase the risk of misuse and of significant harm.

Public bodies may wish to connect with their organization’s privacy contact (or consider seeking legal advice) to determine if a privacy breach meets the significant harm threshold. Note that designating a privacy contact and having a documented privacy breach response process are requirements for a privacy management program. Refer to the Privacy Management Program Directions, C. 1. and C.3 and the Privacy Management Program Guidance for B.C. Public Bodies.

Conducting notifications without unreasonable delay

A public body’s ability to mitigate harm is impacted by how quickly or early notification to an individual occurs. How quickly an individual is notified may depend on how urgent the risk of harm is, the type of harm that may result, whether containment is possible and if so, the time required for containment of the breach, and the time required to investigate the extent of the breach. Standard practice for the B.C. government is to provide notification to the individual within a week of uncovering a breach unless immediate harm is possible.

Privacy breaches that may result in physical harm of an individual warrant immediate notification, even if all requirements for notification are not yet known (such as the date of the breach or all information elements involved). Public bodies can follow up with more details as they become known. Instances where it is difficult to contain the breached information and where there is likelihood of significant harm may also warrant immediate notifications.

Notifying the Affected Individuals

As noted in the FOIPP Regulation, the breach notification must be in writing and must be provided directly to each affected individual. Note that there are specific circumstances that exist that allow indirect notification in accordance with section 11.1 (2) of the FOIPP Regulation.

Public bodies need to consider which method of notification is appropriate. While physical letters are the obvious example of notification provided “in writing,” email notification may be preferable for individuals with no permanent housing. Public bodies should be cautious using text messages for notification as they may be mistaken for false or fraudulent communications, rather than an official communication from a public body.

Verbal notification

There may be circumstances where public bodies contact the affected individual by phone, then follow up in writing. For example, if there is an imminent threat of physical harm, a written notification may cause unreasonable delay.

Affected individuals may need verbal notification for accessibility reasons or personal circumstances (e.g., limited access to a personal computer for emails or only having a shared email address). In these cases, verbal notifications should still be followed by a written notification.

Indirect notifications

As per section 11.1 (2) of the FOIPP Regulation, indirect notification may be used if:

• The public body does not have accurate contact information for the affected individual.
  • For example, when a breach occurs, the public body may learn that they do not have the correct or up-to-date contact information to reach the individual. The public body’s email may be returned as undelivered, their call might go to a disconnected phone line, or their mail might be returned to sender. The public body may also have other reasons to lack confidence that the contact information is correct.
• The head of the public body reasonably believes that providing the notice directly to the affected individual would unreasonably interfere with the operations of the public body.
• The head of the public body reasonably believes that the information in the notification will come to the attention of the affected individual more quickly if it is given in an indirect manner.
  • For example, when many people are affected, the notification may reach affected individuals sooner if it is communicated to the public rather than by contacting each affected individual directly.

An indirect notification must contain the same information that is required for direct notification of an affected individual.

When choosing the method for indirect notification, consider the circumstances of the breach, potential harms and risks to the affected individual, and the likelihood of the notification reaching the affected individual without unreasonable delay. For example, consider posting a notification on a website or social media or via some form of public announcement.

Notification Elements

The FOIPP Regulation determines what must be included in a notification to an affected individual. The following descriptions provide details on some of the required elements.

Name of the public body

Include the name of the public body that has custody or control of the personal information that was breached.

The breached personal information may be in the custody or under the control of more than one public body (e.g., two public bodies share a database that is hacked). In these circumstances, a good practice is to include the name of all public bodies involved in the breach.

Description of the nature of the personal information involved in the privacy breach

Include the nature of the personal information involved in the description of the privacy breach. For example, categories such as names, addresses, phone numbers, dates of birth, personal health information, bank account information, etc. can be used.

When providing a description, take care to provide sufficient information without revealing the actual personal information itself. This will help minimize the potential for another breach if the notification is read by someone else because it was intercepted or sent to an address that is no longer correct.

Steps the public body has taken or will take to mitigate the risk of harm

Public bodies must advise the individual about steps, if any, that they have taken or will take to reduce the risk of harm. Examples could include:

• Containment efforts, including correcting errors in a database where account errors have occurred (e.g., one person’s personal information was accidentally added to another person’s account); recovering physical documents when they are disposed of incorrectly; or confirming deletion of an email when information is sent to the wrong person.
• Prevention measures to help ensure this type of incident does not reoccur. Prevention can include training or technical/system changes (for situations where the breach originated at the system level).

Steps the affected individual can take to mitigate the risk of harm

A key reason for notifying individuals of a privacy breach is to advise them of the risk of harm and inform them of steps they may take to mitigate that risk. Examples include providing contact information for a credit reporting bureau so the individual can monitor for suspicious activity.

A best practice is for the public body to make all reasonable efforts to outline the risks they are aware of at the time of notification. The public body may also consider following up with affected individuals if they receive further information about potential risks that could be mitigated.

Exceptions to the Notification Requirements

Under FOIPPA, regardless of whether significant harm may occur, notification is not required when it could be reasonably expected to:

• result in immediate and grave harm to the individual’s safety or physical or mental health; or
• threaten another individual’s safety or physical or mental health.

Notifying the Commissioner

Public bodies must notify the Commissioner of privacy breaches that pose a reasonable expectation of significant harm. In circumstances involving significant harm where the individual is not notified (e.g., in circumstances where notification could be reasonably expected to result in immediate and grave harm to the individual’s safety or physical or mental health), public bodies must still notify the Commissioner.

Notifications to the Commissioner must be in writing and must contain the same information as the notification to affected individuals. They must also include an estimate of the number of affected individuals. Contact information for the Office of the Information and Privacy Commissioner can be found here. Note that the Commissioner provides additional resources for all public bodies for responding to breaches and securing personal information.

Note that under section 36.3 (4) of FOIPPA, the Commissioner may choose to notify affected individuals if they determine that it is appropriate.