Privacy Breaches

Image of a keyboard with a key with a padlock on it with Privacy Breach


Privacy Breach

Canadians value their privacy and the protection of their personal information and they expect government institutions to respect the spirit and requirements of the Privacy Act.  The Government of Canada and DND/CAF are committed to protecting the privacy of individuals with respect to the personal information that is under institutional control.  DND/CAF recognizes that this protection is an essential element in maintaining trust both internal and external to the Department.


What is a Privacy Breach?

A Privacy Breach is an incident involving the improper or unauthorized access, collection, use, disclosure, or retention and/or disposal of personal information.  Such activity is deemed to be “improper” or “unauthorized” if it occurs in contravention of the Privacy Act.

A privacy breach may be the result of inadvertent errors or intentional actions by DND employees or CAF members, contractors, third parties, partners in information-sharing agreements, or intruders.

What are some examples of Privacy Breaches?

Privacy Breaches may involve, but are not limited to, the following: 

Unauthorized collection

Collecting personal information for a new program or initiative without the legitimate parliamentary authority for the program (i.e without a Privacy Impact Assessment).

Collecting personal information that is not required to administer the program (i.e., “just in case” collection).

Improper use

Using personal information for a reason other than a consistent use as described in the corresponding Personal Information Bank (PIB).

Accessing personal information belonging to another individual for personal reasons.

Unauthorized disclosure Giving personal information without the individual’s consent and not in accordance with the permissible disclosure provisions outlined in subsection 8(2) of the Privacy Act.
Improper retention Keeping personal information beyond its retention period.
Improper disposal

Placing documents or electronic media containing sensitive personal information in the recycle bin instead of using proper disposal methods.

Disposing of personal information used for an administrative action before the end of its retention period.

 

What is the Privacy Breach Management Process?

The DND/CAF Directive on Privacy Breach Management (in progress) provides guidance and direction to DND/CAF on the management of privacy breaches.

The privacy breach management process follows multiple stages.  These stages may overlap or take place concurrently.  In some incidents, certain stages or actions may not be required. 

How do I report a Privacy Breach?

All privacy breaches must be reported to the Directorate of Access to Information and Privacy (DAIP).  DAIP has the authority for all matters pertaining to compliance with the Privacy Act. 

To report a privacy breach, forward a completed copy of the Preliminary Privacy Breach Report (download a copy) to DAIP via one of the following ways:

 

Contact us 
Email

   Privacy Breach - Atteinte à la vie Privée

Regular Mail

Director Access to Information and Privacy

National Defence Headquarters

Major-general George R. Pearkes Bldg.

101 Colonel By Drive

Ottawa, Ontario

K1A 0K2

Fax 613-995-5777

 Back to DAIP home page