STEP 1: IMPLEMENT PRIVACY BREACH PROTOCOL
- Notify all relevant staff of the breach, including the Chief Privacy Officer.
- Develop and execute a plan designed to contain the breach and notify those affected.
STEP 2: NOTIFY THE POLICE IF REQUIRED
- Determine if the nature of the breach requires engagement by law enforcement.
- If law enforcement is required, determine the jurisdiction responsible and report the breach at the first reasonable opportunity, either online or by mail.
STEP 3: STOP AND CONTAIN THE BREACH
Identify the scope of the breach and take the necessary steps to contain it, including:
- Retrieve and secure any personal information that has been disclosed.
- Ensure that no copies of the personal information have been made or retained by the individual who was not authorized to receive the information. The contact information of impacted users should be obtained, in the event that follow-up is required.
- Determine whether the privacy breach would allow unauthorized access to any other personal information (e.g. an electronic information system) and take necessary steps, such as changing passwords, identification numbers and/or temporarily shutting the system down.
STEP 4: NOTIFY THOSE AFFECTED BY THE BREACH
Take the necessary steps to notify those individuals whose privacy was breached, including:
- Identify all affected individuals and notify them of the breach at the first reasonable opportunity.
- When notifying individuals affected by a breach:
  - Provide details of the breach to affected individuals, including the extent of the breach and what personal information was involved.
  - Advise all affected individuals of the steps that you are taking to address the breach, and that they are entitled to make a complaint to the Police. If you have reported the breach to the Police, advise them of this fact.
  - Provide contact information for someone within your organization who can provide additional information, assistance, and answer questions.
STEP 5: INVESTIGATION AND REMEDIATION
Conduct an internal investigation, including:
- Ensure that the immediate requirements of containment and notification have been met.
- Review the circumstances surrounding the breach.
- Review the adequacy of your existing policies and procedures in protecting personal information.
Ensure all staff are appropriately educated and trained with respect to compliance with privacy protection.