If a Privacy Breach Occurs

1
If a Privacy Breach Occurs

• Notify the University Secretariat of a privacy
  breach involving personal information
• An investigation will most likely result

2
Managing Breach Protocol

• Inform your manager
• Manager will notify University Secretariat and/or
  University Legal counsel
• Identify the scope
• What personal information was involved?
• Who had unauthorized access to personal
  information?
• Contain the breach
• Suspend the process/activity that caused breach
• Retrieve records
• Notify
• Individuals whose privacy was breached
• University Secretariat will notify IPC if required

3
Preventing Future Breaches

• Educate staff about the privacy rules and privacy
  regulations
• Provide staff with best practices through
  training, posters, tips-sheet and e-mail
  reminders
• Ensure staff is aware of the consequences of a
  privacy breach
• Each person is accountable for personal
  information in their custody
• Staff should err on the side of protecting
  privacy
• Staff should contact the program manager and/or
  University Secretariat for advice

4
Example

• University Secretariat was notified
• Identified the scope of the breaches
• Contained the breach
• Individuals notified
• Investigation
• Improved practices
• Secretariat advised IPC of findings corrective
  action
• Took proactive steps to prevent future breaches

5
Risk-based Prioritization

• Privacy planning is more effective if approached
  from a risk management perspective than a legal
  compliance perspective
• Risk management permits the efficient allocation
  of resources
• In contrast, legal compliance requires the
  allocation of resources to all compliance issues
  regardless of risk
• Contact the Secretariat about available
  assessment options

6
Risk Map
1
3
Action not yet started No progress
reported Moderate progress reported Evidential
progress reported Action successfully completed
2
4
DefaultRisk Tolerance Line
7
Likelihood