Privacy Breach Report Formfor Use by Public Bodies, Custodians and Organizations

This form is not meant for individuals to use when submitting a privacy complaint.

Report Date:
Incident Description
  1. Describe the circumstances of the breach and its cause*

  1. Date of incident or time period during which the incident occurred*:

  1. Date incident discovered:

  1. How was the incident discovered and who discovered it?

  1. Location of incident:

Personal Information Involved
  1. Describe the personal information involved in the breach*(e.g., name, address, social insurance number (SIN), financial, and/or medical information) and the form it was in (e.g. paper records, electronic database, etc.).Do notsend the OIPC identifiable personal information.

Safeguards
  1. Describe the physical security at the time of the incident (e.g., locks, alarm systems, etc.):

  1. Describe technical security (e.g., encryption, passwords, etc.):

Harm
  1. Provide an assessment of the type of harm(s) that may result from the breach* (e.g., bodily harm, humiliation, damage to reputation or relationship, loss of employment,business or professional opportunities, financial loss, fraud, identity theft, negativeeffects on a credit record, and damage to or loss of property).

  1. In your assessment, indicate the level of sensitivity of the information and why you chose this level (e.g., driver’s licence information, SIN, credit card information, and some types of diagnostic, treatment and care information are considered more sensitive).

  1. Provide an assessment of whether you think the harm is significant and why*

Risk
  1. Provide an assessment of the likelihood that harm could result*
Some factors you may wish to consider include the following:
  • Who obtained or could have obtained access to the information?
  • Were there security measures in place to prevent unauthorized access, such as encryption?
  • Is the information highly sensitive?
  • How long was the information exposed?
  • Is there evidence of malicious intent or purpose, such as theft, hacking, or malware?
  • Could the information be used for criminal purposes, such as for identity theft or fraud?
  • Was the information recovered?
  • How many individuals are affected by the breach?
  • Are there vulnerable individuals involved, such as youth or seniors?

  1. Estimated number of individuals to whom there is a real risk of significant harm as a result of the incident*. This is the number of people that you determine will suffer a real risk of significant harm.

  1. Type of individual(s) affected (use checkbox):
Client/Customer/Patient
Employee
Other (please indicate):
  1. Describe any steps that have been taken to reduce the risk of harm to individuals*(e.g., recovery of information, locks changed, computer systems shut down).

Notification
  1. Has your privacy officer and/or the person responsible for security in your organization been notified?
YesWho was notified and when?
NoWho and when to be notified?
  1. Have police or other authorities been notified (e.g., professional bodies or individual(s) required under contract)?
YesWho was notified and when?
NoWho and when to be notified?
  1. Have affected individuals been notified?*
YesWhat the form of notification (e.g., in writing, verbal, etc.)?
NoWho and when to be notified?
  1. Describe any steps taken to notify individuals*(e.g., who was notified and what the form and content of notification was). Please provide a copy of notification to the OIPC.

Contact Information
  1. Name of organization:

  1. Contact information for a person who can answer the OIPC’s questions about the breach*.
Name:
Title:
Phone:
Email:
Fax:
Mailing Address:

You may wish to provide the OIPC with any additional information you have collected regarding the breach, includinginternal investigation reports or findings, or long-term strategies you intend to implement to correct the situation (e.g., staff training, policy development). You may also choose to complete the attached Optional Addition to the Privacy Breach Form.

As noted above, however, if you intend to seek advice from the OIPC regarding how to respond to the breach and what actions should be taken, you should report the incident as soon as possible even where the above information is not yet available. PIPA organizations are required to notify the Commissioner of reportable breaches without unreasonable delay.

Submit the Breach Report Form (and the attached optional addition) to the OIPC at the address below. It is preferable to submit the form by fax where timing is an issue.

410, 9925 - 109 Street
Edmonton, AB T5K 2J8
Phone: (780) 422-6860 Fax: (780) 422-5682
Toll-free: 1-888-878-4044
Email:

Optional Addition to thePrivacy Breach Report Form

There is no requirement to provide this information to the Office of the Information and Privacy Commissioner. However, it will be useful in determining whether notification is required.

Describe the type of business you are engaged in:
Provide any additional information not already included that you used to assess whether there is a real risk of significant harm to an individual:
Identify any authorities (e.g., police, etc.) or other organizations (e.g., other privacy commissioner’s offices, credit card companies, etc.) that were notified about the breach and when:

Updated October 20151