Indeed there is. The obligations of employees, Chair, in regard to the handling of personal information are set out in the code of ethics. There's a standard code of ethics for the public service overall, which is in the domain of the Treasury Board, and then each department takes that foundational code and applies it to its own mission, its own circumstances, and makes it precise.
In our case, as I've indicated, protection of personal information is so critical to our mission that it is in our code. Employees are required to abide by the code in all aspects of information and so on. Breaches of the code of ethics are considered on a case-by-case basis, and disciplinary action for breaches can include termination. Should there ever be an incident that involves criminal elements, then obviously penalties outside the department's responsibility for public service discipline would come into play through due process of law, etc.