Guide to FOIP-Chapter 6

Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 276

• What is the applicable legislation and what specific sections are engaged.
• What safeguards, policies, and procedures were in place at the time of the privacy breach.
• Was the duty to protect met.
  o Were the safeguards, policies, and procedures followed.
  o If no safeguards, policies, or procedures were in place, why not.
  o Were the individuals involved aware of the safeguards, policies, and procedures.
• Who are the affected individuals.
  o How many are there.
  o What are the risks associated to a privacy breach involving this information (e.g., is the affected individual at risk for identity theft, credit card fraud, etc.).
  o Have affected individuals been notified of the privacy breach.

Once the necessary information has been collected, it is a good idea to prepare an internal privacy breach investigation report. The report should include the following:

• Summary of the incident and immediate steps taken to contain the breach.
• Background of the incident, timelines, and a chronology of events.
• Description of the personal information involved and affected individuals.
• Description of the investigative process.
• The root and contributing causes of the incident.
• A review of applicable legislation, safeguards, policies, and procedures.
• Summary of possible solutions and recommendations for preventing future breaches. This should include specific timelines and responsibility for implementation of each action.

During an investigation by the IPC (or when proactively reporting a privacy breach to the IPC – see below for more), the IPC will also request that government institutions complete the IPC’s Privacy Breach Investigation Questionnaire.
