Privacy Breach Protocol
Information Security Breaches are defined in Policy 46. They may involve any kind of record, paper or electronic, and include the loss or theft of portable electronic media such as laptops or USB flash drives.
This procedure is to be used by Information Custodians, as defined in Policy 46.
The purpose of this procedure is to ensure that all Information Security Breaches at UW are handled in a consistent manner with the following objectives:
- To ensure UW complies with applicable legislation and regulatory guidelines.
- To identify the cause of the breach and implement measures to prevent further incidents of a similar nature.
As outlined in the Privacy Breach Response Protocol (PDF) , Information Custodians must report Information Security Breaches to the Privacy Officer for all Information Security Classifications, as defined in Policy 46, except public, as soon as they become aware of them.
For breaches involving personal health information, please refer to #2.
Information Custodians must:
- Contact the Privacy Officer (firstname.lastname@example.org or ext. 36101) and provide the following information:
- the nature of the breach;
- the information that was exposed;
- to whom it was exposed; and
- for how long it was exposed.
Using the Privacy Breach Response Protocol (PDF) as a guide, the Information Custodian will work with the Privacy Officer who will advise whether notice to affected individuals and the Office of the Information and Privacy Commissioner of Ontario (IPC) is required. If notice is required, the Privacy Officer will provide guidance to the Information Custodian about the contents of the notice to the individuals and will liaise with the IPC. You will be required to provide more information regarding the breach, how it happened, and what is being done to address it at this time.
- Where an Information Security Breach involves personal health information, immediately advise the Privacy Officer (email@example.com or ext. 36101) and engage Responding to a Health Privacy Breach: Guidelines for the Health Sector.
- Where an Information Security Breach involves electronic information or portable electronic media, advise the information Security Officer (firstname.lastname@example.org or ext. 41125) and follow the Security Incident Response Procedure; and
- Where an Information Security Breach involves electronic commerce, advise the Manager, Accounts Receivable, Finance (email@example.com or ext. 36618); and
- Where an Information Security Breach involves Public Works and Government Services Canada contracts or other contracts governed by regulations of the Canadian and International Security Directorate, or controlled goods and technology or technical data as defined by the relevant regulations to the Defence Production Act, advise Mike Szarka, Director Research Partnerships, Office of Research (firstname.lastname@example.org or 33948) or Alan Binns, Director UW Police (email@example.com or ext. 32828); and
- Report all breaches involving the unintended exposure of information to the Information Steward, as defined in Policy 46.