Policies
Map.ca policy

Privacy Breach Policy

How Map.ca detects, contains, reports, and learns from privacy breaches — aligned with PIPEDA's breach reporting framework.

Under PIPEDA, organizations must report breaches of security safeguards involving personal information to the Office of the Privacy Commissioner of Canada and notify affected individuals where there is a real risk of significant harm. The Privacy Breach Policy operationalizes that within Map.ca: detection, containment, evaluation of real-risk-of-significant-harm, notification timelines, and the post-breach review that feeds back into the Security Policy and the Incident Response Policy. Three-month review cycle, deliberately short.

It applies to Map.ca security, privacy, legal, and communications teams.

Requirements

  • Evaluate real-risk-of-significant-harm on every detected breach.
  • Notify the Office of the Privacy Commissioner of Canada and affected individuals within required timelines.

Prohibitions

  • Do not delay notification to manage public perception.
  • Do not close a breach without a post-incident review.

Related policies

Incident Response PolicyHow Map.ca classifies, responds to, and communicates about security and operational incidents.Security PolicyHow Map.ca protects accounts, infrastructure, secrets, and operational data day to day.Privacy PolicyWhat Map.ca collects, why, how long it is kept, who it is shared with, and what rights people have.