Privacy Breach Response Procedure

A Privacy Breach occurs when there is loss, unauthorized access to, or disclosure of, personal information, including personal health information—whether unintentional or intentional. As outlined in Policy 46, this might involve any kind of record containing personal information, paper or electronic, and includes the loss or theft of portable electronic media such as laptops or USB flash drives.

Audience

This procedure is to be used by Information Custodians, as defined in Policy 46.

Purpose

The purpose of this procedure is to ensure that all breaches involving personal information at the University are handled in a consistent manner with the following objectives:

  • To ensure that the University complies with applicable legislation and regulatory guidelines.
  • To identify the cause of the personal information breach and implement measures to prevent further incidents of a similar nature.

Procedure

  1. Personal Information. Information Custodians must report personal information breaches to the University Privacy Officer for all Information Security Classifications, as defined in Policy 46, without undue delay and, where feasible, not later than 72 hours after having become aware of it.

Specifically, Information Custodians must contact the University Privacy Officer (fippa@uwaterloo.ca) and provide the following information:

  • the nature of the breach;
  • the information that was exposed and approximate number of individuals and records concerned;
  • to whom it was exposed;
  • for how long it was exposed;
  • likely consequences of the breach;
  • measures taken or proposed to contain the breach; and
  • the reason for delay for any report not made within 72 hours.

Using the Privacy Breaches: Guidelines for Public Sector Organizations as a guide, the Information Custodian will work with the University Privacy Officer to respond to and contain the breach. As part of this, the Privacy Officer will advise whether notice to affected individuals and the Office of the Information and Privacy Commissioner of Ontario (IPC) is required. If notice is required (i.e., where a breach is likely to result in high risk to the rights and freedoms of an individual), the Privacy Officer will provide guidance to the Information Custodian about the contents of the notice to the individuals and will liaise with the IPC. At that time, you will be required to provide more information regarding the breach, how it happened, and what is being done to address it.

  2. Personal Health Information. Where a Privacy Breach involves personal health information, immediately advise the University Privacy Officer (fippa@uwaterloo.ca) and engage Responding to a Health Privacy Breach: Guidelines for the Health Sector.
  3. Cybersecurity Breaches. Where the breach involves electronic information, and the breach is a result of a theft of University equipment, the failure or misconfiguration of cybersecurity controls, or a network-based attack, immediately advise the IST SOC (soc@uwaterloo.ca), or ext. 41125. See also: Reporting a cybersecurity issue or information security incident.