Date and Instance of Approval:
2018-04-10
Administration Committee
Amendments:
2024-10-23
Responsible Service: Access to Information and Privacy Office
PURPOSE
- The purpose of this Procedure is to create a Privacy Breach Response Protocol (the “Protocol”) that:
- identifies responsibilities in responding to a Privacy Breach, as defined in University Policy 90 – Access to Information and Protection of Privacy;
- establishes a Privacy Breach Response Team; and
- establishes a procedure to be followed when responding to a Privacy Beach.
INTERPRETATION
- This Procedure shall be read in a manner that is consistent with the University’s obligations under the Freedom of Information and Protection of Privacy Act (FIPPA), Policy 90 – Access to Information and Protection of Privacy, Policy 125 – Emergency Management and Business Continuity Program as well as any other Applicable Access and Privacy Legislation or internal policies.
- Capitalized words or expressions used in this Procedure are defined in Policy 90 or in this Procedure.
RESPONSIBILITIES
- The following persons have the following responsibilities in response to a Privacy Breach (whether confirmed or suspected):
- Employees, contractors, consultants or other agents working for or on behalf of the University shall:
- Contain the Privacy Breach by suspending the process or activity that has caused it and take any other interim steps necessary to protect other Personal Information in their custody or control on behalf of the University;
- Immediately report the Privacy Breach to their immediate supervisor as well as to the senior manager for their academic or administrative unit (e.g. department chair, vice-dean or dean in the case of an academic unit; a director or equivalent in the case of an administrative unit/service), as well as to the Access to Information and Privacy Office (AIPO);
- Cooperate fully and expeditiously with the AIPO in its investigation and remediation of the Privacy Breach.
- Managers or persons in authority over the Personal Information that is subject of the Privacy Breach shall:
- Document the details of the Privacy Breach using the Privacy Breach Report Form;
- Immediately provide a copy of the Personal Information that is the subject of the Privacy Breach or, in cases where such a copy cannot be produced, as detailed a description as possible of such information, to AIPO;
- Cooperate fully and expeditiously with AIPO in its investigation and remediation of the Privacy Breach;
- Notify individuals whose privacy has been breached and respond to their questions or concerns at the direction of and in accordance with guidance provided by the AIPO; and
- Implement corrective actions and consequences to address the conduct of the employee, contractor, consultant or other agent, under their supervision, who is responsible for the Privacy Breach, as appropriate and in accordance with any applicable collective agreements, terms and conditions of employment or other contractual relationship, or policies. This can include the termination of the employment or relationship that the University has with the individual.
- The Chief Privacy Officer (CPO) shall:
- Notify the Secretary-General of the University of the Privacy Breach as reported to the AIPO;
- Coordinate and lead all Privacy Breach responses;
- Contact appropriate authorities and services within the University, including without limitation Information Technology (“IT”), , Office of the Chief Risk Officer, Protection Services, Communications and Government Relations, Student Affairs, Human Resources and Advancement Services, depending on the nature and seriousness of the Privacy Breach;
- as required and depending on the nature or seriousness of the Privacy Breach, convene and lead meetings and activities of the Privacy Breach Response Team;
- provide direction and guidance to managers regarding the notification, where appropriate, of individuals whose privacy has been breached, as well as any responses to questions or concerns expressed by such individuals;
- determine whether and when the Information and Privacy Commissioner of Ontario should be notified of the Privacy Breach, and if so, carry out such notification;
- determine what other remedial actions may be necessary in response to the Privacy Breach and inform relevant persons accordingly;
- make a report of findings and outcomes of the Privacy Breach and response thereto to the Secretary-General of the University; and
- make recommendations regarding prevention of future similar Privacy Breaches, including without limitation employee training, tightening of restrictions on access to Personal Information, strengthening methods of protection of Personal Information on mobile devices, and review of policies, procedures and practices.
- The Secretary-General of the University shall:
inform the President and the Administration Committee of the Privacy Breach and the response thereto, as necessary and appropriate;
provide oversight of, and as necessary guidance and support to, the CPO.
- Employees, contractors, consultants or other agents working for or on behalf of the University shall:
PRIVACY BREACH RESPONSE TEAM
- The CPO decides whether to convene the Privacy Breach Response Team (the “Response Team”). Normally, the CPO convenes the Response Team in the event of a large-scale or complex Privacy Breach, as determined by the CPO. The Response Team shall have two purposes: (1) to prepare and practice the Privacy Breach Response Plan (the “Response Plan”); and (2) to assist and support the CPO in the implementation and execution of the Response Plan.
The Response Team shall include pre-identified representatives from but not limited to the following offices: Information Technology (IT), Office of Risk Management, Protection Services, Communications and Government Relations, Enrollment Management, Human Resources and Advancement Services.
Once convened by the CPO, the CPO shall lead the Response Team to ensure timely coordination of the efforts of the various services and sectors of the University in its overall response to the Privacy Breach.
Once the Privacy Breach has been addressed, the CPO may reconvene the Response Team for an incident debriefing for the purpose of considering potential revisions to the Response Plan or this Procedure and formulating other recommendations to the CPO or other appropriate authority within the University relating to prevention of and preparedness for any potential future Privacy Breaches.
The CPO may convene a meeting of the Response Team as frequently as the CPO may determine for the following purposes or for other relevant purposes determined by the CPO:
- to ensure that members of the Response Team understand their roles and responsibilities;
- to review the Response Plan in order to consider whether it is in need of revision, and formulate recommendations for any such revisions;
- to verify whether external consultants, experts or contractors who may have provided services in support of past privacy breach response efforts have adequately fulfilled the University’s needs, and if necessary identify other potential consultants, experts or contractors who may be retained in the event of future privacy breach response efforts;
- to simulate the implementation of the Response Plan in response to different types of Privacy Breach incidents; and
- to undertake such other preparatory activities as the Response Team may consider advisable from time to time.
PRIVACY BREACH RESPONSE PROCEDURE
- There are six steps that should be followed when responding to a Privacy Breach (whether confirmed or suspected) as shown in Appendix A of this Procedure. Steps 1, 2 and 3 should occur simultaneously or in quick succession.
AMENDMENTS
- In the event of a confirmed or suspected Privacy Breach resulting from a cybersecurity incident, the Response Plan will be executed in conjunction with the University's Cybersecurity Incident Response Plan.
APPENDIX A: Privacy Breach Management Procedure
Step 1 - Contain the breach |
|
---|---|
Step 2 - Report the breach internally |
|
Step 3 - Conduct a preliminary assessment |
|
Step 4 - Evaluate the risks |
|
Step 5 - Consider breach notification |
|
Step 6 - Mitigate and prevent |
|