Breach Reporting

One of the requirements in the Access to Information and Protection of Privacy Act (ATIPPA, 2015) is that public bodies must report any and all privacy breaches to the Commissioner. In the Report of the 2014 Statutory Review of the ATIPPA, Chair Clyde Wells wrote:

"Since relatively few data breaches from public bodies are documented, the optimal requirement would be to report all breaches to the Commissioner, who could recommend any necessary follow up, notification of the affected parties if that has not already been done, preventative measures for the future, and so on."

Mr. Wells noted the following benefits to reporting privacy breaches:

"Data breach reporting better informs and protects individuals who may be the victims. It also sensitizes the public body and its personnel to the importance of data security at all times."

A privacy breach occurs when personal information is inappropriately collected, used or disclosed; is lost, stolen or mistakenly disclosed; or is accessed without a legitimate work purpose.

Section 64(4) of the ATIPPA, 2015 makes it mandatory for all public bodies to report all privacy breaches to the OIPC.