Privacy Breach Response Protocol

Adoption
Date : 2018-04-10
Instance of approval : University Secretary-General
Originating/Responsible Department : Office of the Secretary-General

PURPOSE

  1. The purpose of this Procedure is to create a Privacy Breach Response Protocol (the “Protocol”) that:
    1. identifies responsibilities in responding to a Privacy Breach, as defined in University Policy 90 – Access to Information and Protection of Privacy;
    2. establishes a Privacy Breach Response Team; and
    3. establishes a procedure to be followed when responding to a Privacy Beach.

INTERPRETATION

  1. This Procedure shall be read in a manner that is consistent with the University’s obligations under FIPPA and other Applicable Access and Privacy Legislation as well as Policy 90 – Access to Information and Protection of Privacy.
  2. Capitalized words or expressions used in this Procedure are defined in Policy 90 or in this Procedure.

RESPONSIBILITIES

  1. The following persons have the following responsibilities in response to a Privacy Breach (whether confirmed or suspected):
    1. Employees, contractors, consultants or other agents working for or on behalf of the University shall:
      1. contain the Privacy Breach by suspending the process or activity that has caused it and take any other interim steps necessary to protect other Personal Information in their custody or control on behalf of the University;
      2. immediately report the Privacy Breach to their immediate supervisor as well as to the senior manager for their academic or administrative unit (e.g. department chair, vice-dean or dean in the case of an academic unit; a director or equivalent in the case of an administrative unit/service), as well as to the AIPO;
      3. cooperate fully and expeditiously with the AIPO in its investigation and remediation of the Privacy Breach.
    2. Managers or person in authority over the Personal Information that is subject of the Privacy Breach shall:
      1. document the details of the Privacy Breach using the Privacy Breach Report Form;
      2. immediately provide a copy of the Personal Information that is the subject of the Privacy Breach or, in cases where such a copy cannot be produced, as detailed a description as possible of such information, to AIPO;
      3. cooperate fully and expeditiously with AIPO in its investigation and remediation of the Privacy Breach;
      4. at the direction of and in accordance with guidance provided by the AIPO, notify individuals whose privacy has been breached and respond to their questions or concerns; and
      5. implement corrective actions and consequences to address the conduct of the employee, contractor, consultant or other agent, under their supervision, who is responsible for the Privacy Breach, as appropriate and in accordance with any applicable collective agreements, terms and conditions of employment or other contractual relationship, or policies. This can include the termination of the employment or relationship that the University has with the individual.
    3. The Director shall:
      1. notify the Secretary-General of the University of the Privacy Breach as reported to the AIPO;
      2. coordinate and lead the Privacy Breach response;
      3. contact appropriate authorities and services within the University, including without limitation Information Technology, Legal Services, Office of Risk Management, Communications Directorate, Strategic Enrollment Management, Human Resources and Advancement Services, depending on the nature and seriousness of the Privacy Breach;
      4. as required and depending on the nature or seriousness of the Privacy Breach, convene and lead meetings and activities of the Privacy Breach Response Team;
      5. provide direction and guidance to managers regarding the notification, where appropriate, of individuals whose privacy has been breached, as well as any responses to questions or concerns expressed by such individuals;
      6. determine whether and when the Information and Privacy Commissioner of Ontario should be notified of the Privacy Breach, and if so, carry out such notification;
      7. determine what other remedial actions may be necessary in response to the Privacy Breach and inform relevant persons accordingly;
      8. make a report of findings and outcomes of the Privacy Breach and response thereto to the Secretary-General of the University; and
        1. make recommendations regarding prevention of future similar Privacy Breaches, including without limitation employee training, tightening of restrictions on access to Personal Information, strengthening methods of protection of Personal Information on mobile devices, and review of policies, procedures and practices.
    4. The Secretary-General of the University shall:
      1. inform the President and the Administration Committee of the Privacy Breach and the response thereto, as necessary and appropriate;
      2. provide oversight of, and as necessary guidance and support to, the Director.

PRIVACY BREACH RESPONSE TEAM

  1. The Director decides whether to convene the Privacy Breach Response Team (the “Response Team”). Normally, the Director convenes the Response Team in the event of a large-scale or complex Privacy Breach, as determined by the Director. The Response Team shall have two purposes: (1) to prepare for implementation of the Privacy Breach Protocol; and (2) to assist and support the Director in the implementation of the Privacy Breach Protocol.
  2. The Response Team shall include pre-identified representatives from but not limited to the following offices: Information Technology (IT), Legal Services, Office of Risk Management, Communications Directorate, Strategic Enrollment Management, Human Resources and Advancement Services.
  3. Once convened by the Director, the Director shall lead the Response Team, as necessary and lead the Response Team to ensure timely coordination of the efforts of the various services and sectors of the University in its overall response to the Privacy Breach.
  4. Once the Privacy Breach has been addressed, the Director may reconvene the Response Team for an incident debriefing for the purpose of considering potential revisions to this Privacy Breach Protocol or formulating other recommendations to the Director or other appropriate authority within the University relating to prevention of and preparedness for any potential future Privacy Breaches.
  5. The Director may convene a meeting of the Response Team as frequently as the Director may determine for the following purposes or for other relevant purposes as the Director may determine:
    • to ensure that members of the Response Team understand their roles and responsibilities;
    • to review the Privacy Breach Protocol in order to consider whether it is in need of revision, and formulate recommendations for any such revisions;
    • to verify whether external consultants, experts or contractors who may have provided services in support of past privacy breach response efforts have adequately fulfilled the University’s needs, and if necessary identify other potential consultants, experts or contractors who may be retained in the event of future privacy breach response efforts;
    • to simulate the implementation of the Privacy Breach Protocol in response to different types of Privacy Breach incidents; and
    • to undertake such other preparatory activities as the Response Team may consider advisable from time to time.

PRIVACY BREACH RESPONSE PROCEDURE

  1. There are six steps that should be followed when responding to a Privacy Breach (whether confirmed or suspected) as shown in Appendix A of this Procedure. Steps 1, 2 and 3 should occur simultaneously or in quick succession.

AMENDMENTS

  1. The Secretary-General of the University may approve exceptions or make amendments to this Procedure.

APPENDIX A: Privacy Breach Management Procedure

Step 1 - Contain the breach
  • Immediately take steps to contain the breach.
    • E.g. change of password, shutdown of the compromised application or website, removal of access, or implementation of a physical safeguard.
Step 2 - Report the breach internally
  • Immediately report Privacy Breach (confirmed or suspected) to:
    • AIPO ([email protected] or (613)562-5800, ext. 1851); and
    • immediate supervisor as well as to the senior manager for their academic or administrative unit (e.g. department chair, vice-dean or dean in the case of an academic unit; a director or equivalent in the case of an administrative unit/service).
Step 3 - Conduct a preliminary assessment
  • The manager shall submit the Privacy Breach Report Form to AIPO within the first 24 hours of discovery of the breach accompanied by a copy of the Personal Information that is the subject of the Privacy Breach or, in cases where such a copy cannot be produced, as detailed a description as possible of such Personal Information.
  • Keep an ongoing record and timeline of events as they unfold.
Step 4 - Evaluate the risks
  • The director shall:
    • evaluate the nature of the Personal Information at issue and;
    • undertake a full assessment of the risks associated with such disclosure of Personal Information.
Step 5 - Consider breach notification
  • The following considerations shall be taken in account by the Director in determining whether notification of the affected individual(s) is required: legal obligations; contractual obligations; and the risks evaluated by the Director under Step 4 above.
  • Where it is determined that notification is required, such notification should occur as soon as reasonably possible.
  • The manager of the academic or administrative unit or office where the Privacy Breach occurred shall notify the affected individual(s).
Step 6 - Mitigate and prevent
  • The Director shall take such further measures or actions within his or her authority to mitigate or correct the Privacy Breach as may be appropriate, having regard to the seriousness of the Privacy Breach and his or her evaluation of the risks under Step 4 above.
  • The Director shall also consider what further measures may be required to prevent reoccurrence of the circumstances leading to the Privacy Breach, and inform appropriate authorities within the University of any findings and recommended remedial steps.