Privacy Breaches
What to do in the event of a privacy breach
First, determine whether personal information has been lost or stolen, or has been collected, used, or disclosed without authorization. If in doubt, always err on the side of caution and notify the Privacy and Access Officer and Director of Information Security.
Personal information is recorded information about an identifiable individual. An individual will be identifiable where they can be identified by the information, either directly (e.g. name, image, job title) or in combination with other information. For example, a health report about an unnamed individual would contain personal information if the individual could be identified through a street address, personal health number, phone number, or other information that could link the information to the affected individual.
Personal information does not include contact information, which is information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual.
Where you believe a breach has occurred, immediately notify the Privacy and Access Officer at [email protected] and the Director of Information Security at [email protected]. They will follow the breach protocol, and may follow up with questions or instructions.
TRU breach protocol
The breach protocol provides guidance on the steps that TRU will follow when there is evidence that confidential information (which includes personal information) has been accessed without authorization. Examples of when the breach protocol should be used include: loss or theft of any device containing confidential information, loss or theft of any paper files containing confidential information, or when there is evidence of unauthorized access to any system or file where confidential information is stored or accessed.
When confidential information, and especially personally identifiable information about individuals, in TRU’s possession or control is disclosed to unauthorized individuals, TRU must:
- Conduct a prompt incident assessment to determine the risks posed by the disclosure to TRU or to the people whose personal information has been disclosed (“Affected Persons”). This assessment is to be completed by the most senior information security staff member.
- Ensure both the Director of Information Security and the Privacy and Access Officer receive and review the incident assessment and determine whether the breach could reasonably be expected to result in significant harm to the individual, including identity theft or significant:
  - Bodily harm
  - Humiliation
  - Damage to reputation or relationships
  - Loss of employment, business or professional opportunities
  - Financial loss
  - Negative impact on a credit record
  - Damage to, or loss of, property
Where the Privacy and Access Officer and Director of Information Security determine that the breach could reasonably be expected to result in significant harm to an individual, they must immediately advise the General Counsel (who is the “head of the public body” under FIPPA), who will be responsible for notifying, without unreasonable delay, both the affected individual(s) and the Privacy Commissioner. The Privacy and Access Officer will carry out the notifications on behalf of the General Counsel.
Notice requirements
Where notice to the individual is not required
TRU is not required to notify an affected individual if notification could reasonably be expected to:
- Result in immediate and grave harm to the individual's safety or physical or mental health.
- Threaten another individual's safety or physical or mental health.
Requirements for notice to the individual
The notice to the individual must be in writing, and must include the following information:
- The name of the public body.
- The date on which the privacy breach came to the attention of the public body.
- A description of the privacy breach, including, if known:
  - The date on which or the period during which the privacy breach occurred.
  - A description of the nature of the personal information involved in the privacy breach.
- Confirmation that the commissioner has been or will be notified of the privacy breach.
- Contact information for a person who can answer, on behalf of the public body, questions about the privacy breach.
- A description of steps, if any, that the public body has taken or will take to reduce the risk of harm to the affected individual.
- A description of steps, if any, that the affected individual could take to reduce the risk of harm that could result from the privacy breach.
The notice should be given directly to the affected individual(s), unless any of the following apply:
- The public body does not have accurate contact information for the affected individual.
- The head of the public body reasonably believes that providing the notice directly to the affected individual would unreasonably interfere with the operations of the public body.
- The head of the public body reasonably believes that the information in the notification will come to the attention of the affected individual more quickly if it is given in an indirect manner.
Where the head determines the notice should be given indirectly, the notice must be given by public communication that can reasonably be expected to reach the affected individual, and contain the information above.
Requirements for notice to the Privacy Commissioner
The notice to the commissioner must also be in writing, and must contain the following information:
- The name of the public body.
- The date on which the privacy breach came to the attention of the public body.
- A description of the privacy breach, including, if known:
  - The date on which or the period during which the privacy breach occurred.
  - A description of the nature of the personal information involved in the privacy breach.
- An estimate of the number of affected individuals.
- Contact information for a person who can answer, on behalf of the public body, questions about the privacy breach.
- A description of steps, if any, that the public body has taken or will take to reduce the risk of harm to the affected individuals.