Procedure 20-8

Privacy Breach Response Protocol

Date and Instance of Approval:

2018-04-10
Secretary-General of the University

Amendments:

2024-10-23
Responsible Service: Access to Information and Privacy Office 

PURPOSE

  1. The purpose of this Procedure is to create a Privacy Breach Response Protocol (the “Protocol”) that:
    1. identifies responsibilities in responding to a Privacy Breach, as defined in University Policy 90 – Access to Information and Protection of Privacy;
    2. establishes a Privacy Breach Response Team; and
    3. establishes a procedure to be followed when responding to a Privacy Beach.

INTERPRETATION

  1. This Procedure shall be read in a manner that is consistent with the University’s obligations under the Freedom of Information and Protection of Privacy Act (FIPPA),  Policy 90 – Access to Information and Protection of Privacy, Policy 125 – Emergency Management and Business Continuity Program as well as any other Applicable Access and Privacy Legislation or internal policies.   
  2. Capitalized words or expressions used in this Procedure are defined in Policy 90 or in this Procedure.

RESPONSIBILITIES

  1. The following persons have the following responsibilities in response to a Privacy Breach (whether confirmed or suspected):
    1. Employees, contractors, consultants or other agents working for or on behalf of the University shall:
      1. Contain the Privacy Breach by suspending the process or activity that has caused it and take any other interim steps necessary to protect other Personal Information in their custody or control on behalf of the University;
      2. Immediately report the Privacy Breach to their immediate supervisor as well as to the senior manager for their academic or administrative unit (e.g. department chair, vice-dean or dean in the case of an academic unit; a director or equivalent in the case of an administrative unit/service), as well as to the Access to Information and Privacy Office (AIPO);
      3. Cooperate fully and expeditiously with the AIPO in its investigation and remediation of the Privacy Breach. 
    2. Managers or persons in authority over the Personal Information that is subject of the Privacy Breach shall:
      1. Document the details of the Privacy Breach using the Privacy Breach Report Form;
      2. Immediately provide a copy of the Personal Information that is the subject of the Privacy Breach or, in cases where such a copy cannot be produced, as detailed a description as possible of such information, to AIPO;
      3. Cooperate fully and expeditiously with AIPO in its investigation and remediation of the Privacy Breach;
      4. Notify individuals whose privacy has been breached and respond to their questions or concerns at the direction of and in accordance with guidance provided by the AIPO; and
      5. Implement corrective actions and consequences to address the conduct of the employee, contractor, consultant or other agent, under their supervision, who is responsible for the Privacy Breach, as appropriate and in accordance with any applicable collective agreements, terms and conditions of employment or other contractual relationship, or policies. This can include the termination of the employment or relationship that the University has with the individual. 
    3. The Chief Privacy Officer (CPO) shall:
      1. Notify the Secretary-General of the University of the Privacy Breach as reported to the AIPO;
      2. Coordinate and lead all Privacy Breach responses;
      3. Contact appropriate authorities and services within the University, including without limitation Information Technology (“IT”), , Office of the Chief Risk Officer, Protection Services, Communications and Government Relations, Student Affairs, Human Resources and Advancement Services, depending on the nature and seriousness of the Privacy Breach;
      4. as required and depending on the nature or seriousness of the Privacy Breach, convene and lead meetings and activities of the Privacy Breach Response Team;
      5. provide direction and guidance to managers regarding the notification, where appropriate, of individuals whose privacy has been breached, as well as any responses to questions or concerns expressed by such individuals;
      6. determine whether and when the Information and Privacy Commissioner of Ontario should be notified of the Privacy Breach, and if so, carry out such notification;
      7. determine what other remedial actions may be necessary in response to the Privacy Breach and inform relevant persons accordingly;
      8. make a report of findings and outcomes of the Privacy Breach and response thereto to the Secretary-General of the University; and
        1. make recommendations regarding prevention of future similar Privacy Breaches, including without limitation employee training, tightening of restrictions on access to Personal Information, strengthening methods of protection of Personal Information on mobile devices, and review of policies, procedures and practices. 
    4. The Secretary-General of the University shall:

      1. inform the President and the Administration Committee of the Privacy Breach and the response thereto, as necessary and appropriate;

      2. provide oversight of, and as necessary guidance and support to, the CPO.

PRIVACY BREACH RESPONSE TEAM

  1. The CPO decides whether to convene the Privacy Breach Response Team (the “Response Team”). Normally, the CPO convenes the Response Team in the event of a large-scale or complex Privacy Breach, as determined by the CPO. The Response Team shall have two purposes: (1) to prepare and practice the Privacy Breach Response Plan (the “Response Plan”); and (2) to assist and support the CPO in the implementation and execution of the Response Plan. 

  2. The Response Team shall include pre-identified representatives from but not limited to the following offices: Information Technology (IT), Office of Risk Management, Protection Services, Communications and Government Relations, Enrollment Management, Human Resources and Advancement Services.

  3. Once convened by the CPO, the CPO shall lead the Response Team to ensure timely coordination of the efforts of the various services and sectors of the University in its overall response to the Privacy Breach.

  4. Once the Privacy Breach has been addressed, the CPO may reconvene the Response Team for an incident debriefing for the purpose of considering potential revisions to the Response Plan or this Procedure and formulating other recommendations to the CPO or other appropriate authority within the University relating to prevention of and preparedness for any potential future Privacy Breaches.

  5. The CPO may convene a meeting of the Response Team as frequently as the CPO may determine for the following purposes or for other relevant purposes determined by the CPO:

    1. to ensure that members of the Response Team understand their roles and responsibilities;
    2. to review the Response Plan in order to consider whether it is in need of revision, and formulate recommendations for any such revisions;
    3. to verify whether external consultants, experts or contractors who may have provided services in support of past privacy breach response efforts have adequately fulfilled the University’s needs, and if necessary identify other potential consultants, experts or contractors who may be retained in the event of future privacy breach response efforts;
    4. to simulate the implementation of the Response Plan in response to different types of Privacy Breach incidents; and
    5. to undertake such other preparatory activities as the Response Team may consider advisable from time to time.

PRIVACY BREACH RESPONSE PROCEDURE

  1. There are six steps that should be followed when responding to a Privacy Breach (whether confirmed or suspected) as shown in Appendix A of this Procedure. Steps 1, 2 and 3 should occur simultaneously or in quick succession. 

AMENDMENTS

  1. In the event of a confirmed or suspected Privacy Breach resulting from a cybersecurity incident, the Response Plan will be executed in conjunction with the University's Cybersecurity Incident Response Plan. 

APPENDIX A: Privacy Breach Management Procedure

Step 1 - Contain the breach

  • Immediately take steps to contain the Privacy Breach. 
    • Examples include changing passwords, shutting down the compromised application or website, removing access controls or implementation a physical safeguard such as a lock and key. 

Step 2 - Report the breach internally

  • Immediately report Privacy Breach (confirmed or suspected) to: 
    • AIPO ([email protected] or (613)562-5800, ext. 1851); and
    • Immediate supervisor as well as to the senior manager for their academic or administrative unit (e.g. department chair, vice-dean or dean in the case of an academic unit; a director or equivalent in the case of an administrative unit/service).

Step 3 - Conduct a preliminary assessment

  • The manager shall submit the Privacy Breach Report Form to AIPO within the first 24 hours of discovery of the breach accompanied by a copy of the Personal Information that is the subject of the Privacy Breach or, in cases where such a copy cannot be produced, as detailed a description as possible of such Personal Information.
  • The manager shall also keep an ongoing record and timeline of events as they unfold.

Step 4 - Evaluate the risks

  • The CPO shall: 
    • Evaluate the nature of the Personal Information at issue and;
    • Undertake a full assessment of the risks associated with such disclosure of Personal Information.

Step 5 - Consider breach notification

  • The following considerations shall be taken in account by the CPO  in determining whether notification of the affected individual(s) is required: legal obligations, contractual obligations, and the risks evaluated by the CPO  under Step 4 above.
  • Where it is determined that notification is required, such notification should occur as soon as reasonably possible.
  • The manager of the academic or administrative unit or office where the Privacy Breach occurred shall notify the affected individual(s).

Step 6 - Mitigate and prevent

  • The CPO shall take such further measures or actions within his or her authority to mitigate or correct the Privacy Breach as may be appropriate, having regard to the seriousness of the Privacy Breach and his or her evaluation of the risks under Step 4 above.
  • The CPO shall also consider what further measures may be required to prevent reoccurrence of the circumstances leading to the Privacy Breach, and inform appropriate authorities within the University of any findings and recommended remedial steps.