Privacy Breach Resources
What is a privacy breach?
A privacy breach occurs when there is unauthorized collection, use, disclosure or disposal of personal or personal health information. Such activity is “unauthorized” if it is not permitted by the Freedom of Information and Protection of Privacy Act (FIPPA) or the Personal Health Information Act (PHIA).
Privacy breaches can occur in various ways, including when personal or personal health information about clients, patients, students or employees is stolen, lost or mistakenly disclosed. Examples include the loss or theft of mobile devices (e.g., laptops, USB sticks) or misdirected communication (e.g., fax, email, mail).
A privacy breach does not discriminate: it can happen to an organization of any size, it can affect one person or many, and it can have significant consequences for the individuals affected, including identity theft, physical or mental harm, a damaged reputation, embarrassment, and loss of employment.
Responding to a Privacy Breach
Our practice note Key Steps in Responding to Privacy Breaches under FIPPA and PHIA is intended to assist public bodies and trustees in managing a privacy breach. It provides guidance on the four key steps in responding to a breach:
- Step 1: Contain the Breach: Take immediate common-sense steps to limit the breach.
- Step 2: Evaluate the Risks Associated with the Breach: Assess the risks associated with the breach to determine what other steps are necessary and the urgency of action.
- Step 3: Notify Affected Individuals and Others: Consider whether to notify the individuals affected by the breach and others and whether to report the breach to Manitoba Ombudsman.
- Step 4: Prevent Further Breaches: After evaluating the cause of the breach, develop or improve safeguards to prevent future breaches.
Our practice note Privacy Breach Notification Letter Checklist provides guidance on notifying affected individuals.
Reporting a Privacy Breach to Manitoba Ombudsman
FIPPA and PHIA do not require public bodies and trustees to report privacy breaches to our office. We encourage the voluntary reporting of breaches where there may be risk of harm to affected individuals (for example, physical harm, identity theft or harm to reputation).
For public bodies and trustees who wish to report a breach to our office, please use the Privacy Breach Reporting Form:
- the form can be submitted online, or
- it can be filled out and submitted by fax or email (download the fillable PDF form). Note: If you are unable to open the fillable PDF form in your browser, please right-click on the link, save the file to your computer and open it with Adobe Reader or Acrobat.