A Privacy Breach occurs when there is loss, unauthorized access to, or disclosure of, personal information, including personal health information—whether unintentional or intentional. As outlined in Policy 46, this might involve any kind of record containing personal information, paper or electronic, and includes the loss or theft of portable electronic media such as laptops or USB flash drives.
This procedure is to be used by Information Custodians (or delegate), as defined in Policy 46.
The purpose of this procedure is to ensure that all breaches involving personal information at the University are handled in a consistent manner with the following objectives:
- To ensure that the University complies with applicable legislation and regulatory guidelines.
- To identify the cause of the personal information breach and implement measures to prevent further incidents of a similar nature.
- Personal Information. Information Custodians (or delegate) must report personal information breaches to the University Privacy Officer for all Information Security Classifications, as defined in Policy 46, without undue delay and, where feasible, not later than 72 hours after having become aware of it.
Specifically, Information Custodians (or delegate) must contact the University Privacy Officer (firstname.lastname@example.org) and provide the following information:
- the details and extent of the breach;
- the specifics of the personal information that was compromised and approximate number of individuals and records concerned;
- to whom it was exposed;
- for how long it was exposed;
- likely consequences of the breach;
- the steps taken and planned to contain and address the breach, both immediate and long-term; and
- the reason for delay for any report not made within 72 hours.
Using the Privacy Breaches: Guidelines for Public Sector Organizations as a guide, the Information Custodian (or delegate) will work with the University Privacy Officer and Information Security Services (as applicable) to respond to and contain the breach. The Privacy Officer will advise the Information Custodian (or delegate) whether notice to affected individuals is required. If notice is required, (e.g., where the breach poses a real risk of significant harm to the individual, taking into consideration the sensitivity of the information and whether it is likely to be misused), the Privacy Officer will provide guidance to the Information Custodian (or delegate) about the contents of the notice to the individuals and, as required, will inform and liaise with the Information and Privacy Commissioner of Ontario (IPC).
- Personal Health Information. Where a Privacy Breach involves personal health information, the Health Information Custodian (HIC) will immediately advise the University Privacy Officer (email@example.com) or ext. 36101) and engage Responding to a Health Privacy Breach: Guidelines for the Health Sector.
- Cybersecurity Breaches. Where the breach involves electronic information, and the breach is a result of a theft of University equipment, the failure or misconfiguration of cybersecurity controls, or a network-based attack, the Information Custodian (or delegate) will immediately advise the IST SOC (firstname.lastname@example.org), or ext. 41125.