Guidelines

Privacy Breach Checklist

For more details, please see Key Steps for Organizations in Responding to Privacy Breaches.

Incident Description

Step 1: Breach Containment and Preliminary Assessment

Step 2: Evaluate the Risks Associated with the Breach

(i) What personal information was involved?

(ii) What was the cause and extent of the breach?

(iii) How many individuals have been affected by the breach and who are they (e.g., employees, contractors, public, clients, service providers, other organizations)?

(iv) Is there any foreseeable harm from the breach?

Step 3: Notification

(i) Should affected individuals be notified?

If you decide that affected individuals do not need to be notified, note your reasons.

(ii) If affected individuals are to be notified, when and how will they be notified, and who will notify them?

(iii) What should be included in the notification?

Depending on the circumstances, notifications could include some of the following, but be careful to limit the amount of personal information disclosed in the notification to what is necessary:

(iv) Are there others who should be informed about the breach?

Step 4: Prevention of Future Breaches

This checklist is based on the Four Key Steps for Organizations Responding to Privacy Breaches.