Reporting breaches under the Privacy Act

Federal institutions subject to the Privacy Act are required to notify the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board of Canada Secretariat of all material privacy breaches and of the mitigation measures being implemented, if the breach involves sensitive personal information and could reasonably be expected to cause serious injury to the individual.

This reporting form outlines the information that should be provided to the OPC. Report the breach promptly rather than waiting to compile all the information requested in the form. Please note that the completed report is intended to provide detailed information about the breach itself but must not include personal information or protected/classified information.

The breach report will help determine the type of intervention required by the OPC, such as an informal discussion or an investigation.

Federal institutions should also refer to the Treasury Board’s Guidelines for Privacy Breaches. They may also wish to refer to our office’s private sector guide, Key Steps for Organizations in Responding to Privacy Breaches, and to the Privacy Breach Checklist.