Report a Privacy Breach

Public bodies and trustees are required to report a privacy breach to Manitoba Ombudsman if it has been determined there is a real risk of significant harm to an individual resulting from the breach. In such cases, public bodies and trustees are required to notify our office as well as the individual(s) affected by the privacy breach.


What is a privacy breach

A privacy breach occurs when there is theft or loss, or unauthorized use, disclosure, destruction or alteration of personal or personal health information. Such activity is “unauthorized” if it is not permitted by the Freedom of Information and Protection of Privacy Act (FIPPA) or the Personal Health Information Act (PHIA).

Privacy breaches can occur in various ways, including when personal or personal health information about clients, patients, students, or employees is stolen, lost or mistakenly disclosed. Examples include the loss or theft of mobile devices (e.g., laptops, USB sticks) or misdirected communication (e.g., fax, email, mail). Privacy breaches can also be intentional. Examples of intentional breaches may include snooping, hacking, phishing, and ransomware.

A privacy breach does not discriminate: it can happen to an organization of any size. It can affect one person or many, and it can have significant consequences for the individuals affected, including identity theft, physical or mental harm, humiliation, damage to reputation, employment or financial loss, negative impacts on credit ratings, or damage to or loss of the individual’s property.


Responding to a privacy breach

  1. Contain the Breach: Take immediate common-sense steps to limit the breach.
  2. Evaluate the Risks Associated with the Breach: Determine if there is a real risk of significant harm to the affected individual(s), what other steps are necessary to mitigate the risk and the urgency of action.
  3. Notify and Report: Notify both the individual(s) affected by the breach, as well as Manitoba Ombudsman, if it has been determined that the privacy breach poses a real risk of significant harm.
  4. Prevent Further Breaches: Develop or improve safeguards to prevent future breaches after evaluating the cause and severity of the breach.

Tools public bodies can use to assess risk and respond:


Reporting a privacy breach to Manitoba Ombudsman

Public bodies and trustees that have determined that a privacy breach has created a real risk of significant harm to individuals, and that are therefore required under the legislation to report the breach to Manitoba Ombudsman, fulfill the requirement to report to the ombudsman by completing our Privacy Breach Reporting Form. The form may also be completed if a public body or trustee wishes to report a privacy breach to the office voluntarily, or if consultation is being sought.

Privacy Breach Reporting Form


The ombudsman’s role

After receiving a privacy breach report, our team conducts a review. We determine if the public body or trustee took all reasonable steps to respond to the breach. We assess the public body or trustee’s compliance with legislation and regulation for determining real risk of significant harm and review how affected individuals were notified. We may identify gaps in the response and ask the public body or trustee to address them. We may also give guidance and make recommendations, if needed, for appropriate action.