Mr. Speaker, with regard to (a), in the context of the hybrid work model for the federal public service, the Information and Privacy Policy Division of the Treasury Board Secretariat, or TBS, engaged the Office of the Privacy Commissioner of Canada, or OPC, on Access to Information and Privacy Implementation Notice 2020-01: Guidance on delays resulting from measures to mitigate the impact of novel Coronavirus, or COVID-19, on federal workplaces, in March 2020; and the implementation of departmental verification processes that support the irection on prescribed presence in the workplace, in February 2023.
TBS did not consult the OPC specifically on the concern for and risk of privacy and data breaches of sensitive and confidential information of Canadian citizens that may be caused with malicious intent such as a cyberattack, accident, or negligence.
With regard to (b), Appendix A to the TBS Policy on Privacy Protection provides for the following definitions:
Privacy breach means the improper or unauthorized access to, creation, collection, use, disclosure, retention, or disposal of personal information.
Material privacy breach means a privacy breach that could reasonably be expected to create a real risk of significant harm to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
As per section 4.2.8 of the Policy, heads of government institutions or their delegates are responsible for reporting material privacy breaches to TBS and to the OPC after making efforts to contain, assess and mitigate the breach. Consequently, as per sections 5.2.6 and 5.3.4 of the policy, respectively, TBS and the Privacy Commissioner of Canada are responsible for receiving and reviewing material privacy breach reports.
While TBS centrally tracks certain details related to material privacy breach reports submitted by federal institutions subject to the Privacy Act, it does not track the employee’s work location at the time of the breach. TBS does not centrally track or otherwise receive any details related to non-material privacy reaches.