Report a privacy breach
This form is only for public bodies or organizations reporting a privacy breach. Individuals concerned about a potential breach can go here for more information on making a complaint with our office.
Please note: Public bodies are now required under the Freedom of Information and Protection of Privacy Act to report privacy breaches that could reasonably be expected to result in significant harm. For more on this requirement, please see our updated guidance, Privacy Breaches: Tools and Resources for the public sector.
The preferred method for public bodies to report privacy breaches is by using our online form. Public bodies can also submit reports by emailing a privacy breach checklist to info@oipc.bc.ca
Privacy breaches can take many forms – from someone mistakenly sending an email containing sensitive personal information to the wrong person to a hacker stealing and exploiting someone’s information for profit. All breaches involve either the theft or loss of people’s personal information or a collection, use or disclosure of that information that contravenes BC’s privacy laws, the Personal Information Protection Act (PIPA) or part 3 of the Freedom of Information and Protection of Privacy Act (FIPPA).
A breach can cause significant harm, including identity theft, risk of physical harm, humiliation and damage to personal or professional reputations, and loss of business or employment opportunities.
The OIPC offers guidance to organizations and public bodies to assist them in making key decisions after a privacy breach occurs.
Public bodies that experience privacy breaches that could reasonably be expected to result in significant harm to affected individuals are required to notify both the individuals affected and the Commissioner.
Note for individuals: If you believe your personal information has been lost or improperly collected, used, disclosed or accessed by a public body or organization, your first step is to file a written complaint directly to the public body or organization. If you are not satisfied with the response you receive you may file a complaint.
The Commissioner continues to call on government to amend the Personal Information Protection Act to require organizations to report breaches to the OIPC and to individuals facing the risk of significant harm from a breach. In the meantime, we strongly recommend that breaches be reported to our office as a best practice. Managing privacy breaches properly is an important step towards alleviating harms – and preventing future breaches of personal information.
Where can I learn more about managing privacy breaches?
Privacy breaches: tools and resources for public bodies explains the mandatory breach notification requirements for public bodies and outlines steps to take once a breach has occurred. The guidance also includes a privacy breach checklist, notification tool, and policy template. Privacy Breaches: Tools and Resources for private sector organizations offers best practices for organizations responding to privacy breaches.
The OIPC PrivacyRight series helps small businesses and organizations in BC understand their obligations under the PIPA through webinars, videos, and podcasts. Webinar 8 deals specifically with Managing Privacy Breaches.
Securing Personal Information: A Self-Assessment Tool for Public Bodies and Organizations is like a privacy check-up for public bodies and organizations. The comprehensive checklist provides an assessment of the safeguards they may or may not have in place for protecting the personal information they collect, use, and disclose.