What is the privacy breach risk self-assessment tool?
The privacy breach risk self-assessment tool helps businesses and federal government institutions to determine whether a privacy breach creates a real risk of significant harm to an individual.
If a breach creates this risk, it must be reported to the Office of the Privacy Commissioner of Canada (OPC). Federal institutions must also report the breach to the Treasury Board of Canada Secretariat (TBS).
Organizations must also notify all individuals who have been affected by a breach that creates a real risk of significant harm.
How does this tool work?
The privacy breach risk self-assessment tool guides users through a series of questions that will analyze key details of a breach and assess whether the circumstances create a real risk of significant harm.
The questions are dynamic and will depend on previous answers.
In order to complete the self-assessment, you must have knowledge of certain details about the breach. Entering more detailed information will lead to a more precise result.
At a minimum, you must be able to indicate:
- the types of personal information involved, and
- the number of people affected.
Other details that will support the assessment include:
- how the breach occurred,
- who received the personal information, and
- what the relationship is between the affected individuals and the unauthorized party who breached or received the personal information.
Using the answers provided, the tool assesses the sensitivity of the personal information involved in the breach and the probability that it will be misused.
How do I interpret the results?
Once you have completed the questionnaire, the tool will indicate whether a real risk of significant harm is either Likely or Unlikely. This result will help you to determine whether you need to report the breach to the OPC (and to the TBS in the case of a federal government institution) and notify affected individuals.
Important: The results provide guidance for your organization and are not an official position of the OPC. They are one element to consider in assessing whether a breach creates a real risk of significant harm.
How can harm occur?
When a breach is assessed as Likely to create a real risk of significant harm, the tool will provide a list of possible ways in which compromised personal information could be misused to cause harm to an individual.
Note that the list is not exhaustive, and organizations should consider other potential harms and ways that they could occur. The list is provided to help organizations mitigate risks.
- Bank account fraud
- Blackmail, financial
- Blackmail, other
- Financial exploitation
- Identity fraud
- Payment fraud
- Personal information inaccessible
- Public shaming
- Phishing
- Tracking