Dec 4, 2018

Manitoba Ombudsman has developed new privacy breach resources for Manitoba public bodies and trustees, including an online reporting form and new guidance documents.

The Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Act (PHIA) set out requirements for managing personal and personal health information that Manitoba public bodies and trustees must follow. A privacy breach can occur when personal information or personal health information is lost, stolen, improperly accessed or mistakenly disclosed.

When a privacy breach occurs, it is important for public bodies and trustees to take immediate action to respond to the breach. Our practice note, Key Steps in Responding to Privacy Breaches under FIPPA and PHIA, is intended help facilitate a rapid response by outlining the actions to take within the following four key steps:

1. Take immediate common sense steps to contain the breach.
2. Evaluate the risks associated with the breach to determine what action is necessary and the urgency of action.
3. Consider notifying the individuals affected by the breach and others, and whether to report the breach to Manitoba Ombudsman.
4. Develop or improve safeguards to prevent future breaches.

Privacy breaches can have significant consequences for affected individuals, including identity theft, physical or mental harm, a damaged reputation, embarrassment, and loss of employment. Our Privacy Breach Notification Letter Checklist offers guidance on what to include in a notification letter to affected individuals to provide them with information about the breach and on what steps they could take, including their right to make a privacy complaint to our office. 

“Even though reporting a privacy breach to my office is not mandatory under FIPPA and PHIA, we encourage reporting when there may be a risk of harm to affected individuals,” said Acting Ombudsman Marc Cormier. “Our new resources make it easier for public bodies and trustees to report a privacy breach to us. When we know a breach has occurred, we can offer guidance on how to respond to it and we’re also better prepared to handle any complaints that we might receive as a result of it.”

New resources available on the ombudsman’s website include:

• A privacy breach reporting form that allows public bodies and trustees to complete an analysis of the privacy breach and submit the details to Manitoba Ombudsman. The form is available online and as a fillable PDF file.
• A revised practice note, Key Steps in Responding to Privacy Breaches under FIPPA and PHIA, which outlines four key steps to consider when responding to a privacy breach.
• A new practice note, Privacy Breach Notification Letter Checklist, which provides guidance on notifying affected individuals.

Visit www.ombudsman.mb.ca/info/privacy-breaches.html to access the form and practice notes.

About Manitoba Ombudsman

Under FIPPA and PHIA, Manitoba Ombudsman investigates complaints from people who have concerns about any decision, act or failure to act that relates to their requests for information from public bodies or trustees, or a privacy concern about the way their personal or personal health information has been handled. In addition to the investigation of complaints, FIPPA and PHIA enable the ombudsman to undertake other activities including consultation, advice and comments to public bodies and trustees about access and privacy implications of their programs or practices.