Date effective: 2018-04-10
Authorized by: Administrative Committee
PRIVACY BREACH RESPONSE PROTOCOL
1. The purpose of this Procedure is to create a Privacy Breach Response Protocol (the “Protocol”) that:
- a) identifies responsibilities in responding to a Privacy Breach, as defined in University Policy 90 – Access to Information and Protection of Privacy;
- b) establishes a Privacy Breach Response Team; and
- c) establishes a procedure to be followed when responding to a Privacy Beach.
2. This Procedure shall be read in a manner that is consistent with the University’s obligations under FIPPA and other Applicable Access and Privacy Legislation as well as Policy 90 – Access to Information and Protection of Privacy.
3. Capitalized words or expressions used in this Procedure are defined in Policy 90 or in this Procedure.
4. The following persons have the following responsibilities in response to a Privacy Breach (whether confirmed or suspected):
4.1 Employees, contractors, consultants or other agents working for or on behalf of the University shall:
- a) contain the Privacy Breach by suspending the process or activity that has caused it and take any other interim steps necessary to protect other Personal Information in their custody or control on behalf of the University;
- b) immediately report the Privacy Breach to their immediate supervisor as well as to the senior manager for their academic or administrative unit (e.g. department chair, vice-dean or dean in the case of an academic unit; a director or equivalent in the case of an administrative unit/service), as well as to the AIPO;
- c) cooperate fully and expeditiously with the AIPO in its investigation and remediation of the Privacy Breach.
4.2 Managers or person in authority over the Personal Information that is subject of the Privacy Breach shall:
- a) document the details of the Privacy Breach using the Privacy Breach Report Form;
- b) immediately provide a copy of the Personal Information that is the subject of the Privacy Breach or, in cases where such a copy cannot be produced, as detailed a description as possible of such information, to AIPO;
- c) cooperate fully and expeditiously with AIPO in its investigation and remediation of the Privacy Breach;
- d) at the direction of and in accordance with guidance provided by the AIPO, notify individuals whose privacy has been breached and respond to their questions or concerns; and
- e) implement corrective actions and consequences to address the conduct of the employee, contractor, consultant or other agent, under their supervision, who is responsible for the Privacy Breach, as appropriate and in accordance with any applicable collective agreements, terms and conditions of employment or other contractual relationship, or policies. This can include the termination of the employment or relationship that the University has with the individual.
4.3 The Director shall:
- a) notify the Secretary-General of the University of the Privacy Breach as reported to the AIPO;
- b) coordinate and lead the Privacy Breach response;
- c) contact appropriate authorities and services within the University, including without limitation Information Technology, Legal Services, Office of Risk Management, Communications Directorate, Strategic Enrollment Management, Human Resources and Advancement Services, depending on the nature and seriousness of the Privacy Breach;
- d) as required and depending on the nature or seriousness of the Privacy Breach, convene and lead meetings and activities of the Privacy Breach Response Team;
- e) provide direction and guidance to managers regarding the notification, where appropriate, of individuals whose privacy has been breached, as well as any responses to questions or concerns expressed by such individuals;
- f) determine whether and when the Information and Privacy Commissioner of Ontario should be notified of the Privacy Breach, and if so, carry out such notification;
- g) determine what other remedial actions may be necessary in response to the Privacy Breach and inform relevant persons accordingly;
- h) make a report of findings and outcomes of the Privacy Breach and response thereto to the Secretary-General of the University; and
- (i) make recommendations regarding prevention of future similar Privacy Breaches, including without limitation employee training, tightening of restrictions on access to Personal Information, strengthening methods of protection of Personal Information on mobile devices, and review of policies, procedures and practices.
4.4 The Secretary-General of the University shall:
- a) inform the President and the Administration Committee of the Privacy Breach and the response thereto, as necessary and appropriate;
- b) provide oversight of, and as necessary guidance and support to, the Director.
PRIVACY BREACH RESPONSE TEAM
5. The Director decides whether to convene the Privacy Breach Response Team (the “Response Team”). Normally, the Director convenes the Response Team in the event of a large-scale or complex Privacy Breach, as determined by the Director. The Response Team shall have two purposes: (1) to prepare for implementation of the Privacy Breach Protocol; and (2) to assist and support the Director in the implementation of the Privacy Breach Protocol.
6. The Response Team shall include pre-identified representatives from but not limited to the following offices: Information Technology (IT), Legal Services, Office of Risk Management, Communications Directorate, Strategic Enrollment Management, Human Resources and Advancement Services.
7. Once convened by the Director, the Director shall lead the Response Team, as necessary and lead the Response Team to ensure timely coordination of the efforts of the various services and sectors of the University in its overall response to the Privacy Breach.
8. Once the Privacy Breach has been addressed, the Director may reconvene the Response Team for an incident debriefing for the purpose of considering potential revisions to this Privacy Breach Protocol or formulating other recommendations to the Director or other appropriate authority within the University relating to prevention of and preparedness for any potential future Privacy Breaches.
9. The Director may convene a meeting of the Response Team as frequently as the Director may determine for the following purposes or for other relevant purposes as the Director may determine:
- to ensure that members of the Response Team understand their roles and responsibilities;
- to review the Privacy Breach Protocol in order to consider whether it is in need of revision, and formulate recommendations for any such revisions;
- to verify whether external consultants, experts or contractors who may have provided services in support of past privacy breach response efforts have adequately fulfilled the University’s needs, and if necessary identify other potential consultants, experts or contractors who may be retained in the event of future privacy breach response efforts;
- to simulate the implementation of the Privacy Breach Protocol in response to different types of Privacy Breach incidents; and
- to undertake such other preparatory activities as the Response Team may consider advisable from time to time.
PRIVACY BREACH RESPONSE PROCEDURE
10. There are six steps that should be followed when responding to a Privacy Breach (whether confirmed or suspected) as shown in Appendix A of this Procedure. Steps 1, 2 and 3 should occur simultaneously or in quick succession.
11. The Secretary-General of the University may approve exceptions or make amendments to this Procedure.
(Office of the Secretary-General)
APPENDIX A: Privacy Breach Management Procedure
Step 1 - Contain the breach
Step 2 - Report the breach internally
Step 3 - Conduct a preliminary assessment
Step 4 - Evaluate the risks
Step 5 - Consider breach notification
Step 6 - Mitigate and prevent