Privacy Breach Resources
What is a privacy breach?
A privacy breach occurs when there is theft or loss, or unauthorized access, use, disclosure, destruction or alteration of personal or personal health information. Such activity is “unauthorized” if it is not permitted by the Freedom of Information and Protection of Privacy Act (FIPPA) or the Personal Health Information Act (PHIA).
Privacy breaches can occur in various ways including when personal or personal health information about clients, patients, students or employees is stolen, lost or mistakenly disclosed. Examples include the loss or theft of mobile devices (ex: laptops, USB sticks) or misdirected communication (ex: fax, email, mail). Privacy breaches can also be intentional. Examples of intentional breaches may include snooping, hacking, phishing, and ransomware.
A privacy breach does not discriminate; it can happen to an organization of any size, it can affect one person or many and it can have significant consequences for the individuals affected, including identity theft, physical or mental harm, humiliation, damage to reputation, employment or financial loss, negatively impact credit ratings or cause damage or loss of the individual’s property.
On January 1, 2022, amendments to FIPPA and PHIA came into force. These amendments now include mandatory breach reporting provisions. In accordance with the legislation, public bodies and trustees are required to report a privacy breach if it has been determined that there is a real risk of significant harm to an individual resulting from the breach. In such cases, public bodies and trustees are required to notify Manitoba Ombudsman as well as the individuals(s) affected by the privacy breach.
Responding to a Privacy Breach
Our revised practice note Key Steps in Responding to Privacy Breaches under FIPPA and PHIA is intended to assist public bodies and trustees in managing a privacy breach. It provides guidance on the four key steps in responding to a breach:
- Contain the Breach: Take immediate common-sense steps to limit the breach.
- Evaluate the Risks Associated with the Breach: Determine if there is a real risk of significant harm to the affected individual(s), what other steps are necessary to mitigate the risk and the urgency of action.
- Notify and Report: Notify both the individual(s) affected by the breach, as well as Manitoba Ombudsman, if it has been determined that the privacy breach poses a real risk of significant harm.
- Prevent Further Breaches: Develop or improve safeguards to prevent future breaches after evaluating the cause and severity of the breach.
Our Privacy Breach Risk Rating Tools -- one for FIPPA and one for PHIA -- include the factors that must be considered in determining the real risk of significant harm, provide examples, and suggest possible risk ratings for each risk factor.
Our revised practice note Privacy Breach Notification Letter Checklist provides guidance on notifying affected individuals.
Reporting a Privacy Breach to Manitoba Ombudsman
For public bodies and trustees who have determined that a privacy breach has created a real risk of significant harm to individuals and are required under the legislation to report the breach to Manitoba Ombudsman, completion of our Privacy Breach Reporting Form fulfills the requirement to report to the ombudsman. The form may also be completed, should a public body or trustee voluntarily wish to report the privacy breach to office, or if consultation is being sought.
The reporting form can filled out and submitted by email at firstname.lastname@example.org or fax at 204-942-7803.