This document, created by the Access to Information and Privacy Office (AIPO) and Information Technology (IT), provides you with best practices to prevent the most common privacy breaches. These best practices must be read in conjunction with Policy 90 — Access to Information and Protection of Privacy and Procedure 20-5 — Handling Access to Information Requests and Privacy Breach Complaints, as well as Information Technology policies and procedures.
What is a privacy breach?
A privacy breach is the loss of, unauthorized access to, or unauthorized disclosure of personal information under the University’s custody or control. Situations that can result in a privacy breach include the theft or loss of a mobile device containing personal information, accessing personal information that one does not need to know for one’s job, or sharing a password.
To prevent a privacy breach, follow these best practices:
- Ensure strong physical security measures for storing personal information. Lock your office door when you leave your desk, store records containing personal information (both paper and electronic) under lock and key and limit access to employees who require it in order to perform their duties.
- Ensure mobile devices containing personal information are protected by strong encryption and strong passwords.
- Use strong passwords to access University accounts and never share your password with anyone.
- Don’t send personal information by email unless absolutely necessary. Never send the following personal information by email: medical information, SIN, credit card numbers, driver’s licence numbers, personal health card numbers, passwords and any other information that can be used to commit financial fraud.
- Install anti-virus and anti-malware software and make sure it is always up-to-date.
- Regularly update your software. If you have Windows, click the Start menu, type “Windows Update” in the Search box and press Enter. In the Windows Update screen, click Check for updates. If updates are available, click Install updates.
If you have a Mac, open the App Store app and click Updates in the toolbar. If updates are available, click the Update buttons.
Make sure that other third party software such as Adobe, Java, Firefox or Chrome is also updated on a regular basis.
- Avoid saving personal information directly on your computer or mobile device. Save personal information on a secured network drive such as your unit’s shared drive or the Home drive that the University assigns to you.
- Don’t use cloud storage services such as Dropbox, Box, One Drive or Google Drive to store University information, unless this has already been reviewed and approved by the IT and Procurement services.
- Only connect University mobile devices to trusted Wi-Fi networks.
- Don’t install unknown or suspicious programs on your computer or mobile device.
- Set the secure print only option as the default setting when printing on a shared printer.
- Confirm the identity of a person seeking access to his or her own personal information before giving the person access to it.
- Don’t use personal information that can identify you when testing or training.
- Thoroughly shred documents containing sensitive or personally identifiable information before disposal.
- You must keep personal information for at least one year after last use. Beyond that, only keep it as long as needed for business purposes.
- Use common sense and stop or contain a breach. For example, secure an unattended mobile device and report it to Protection Services. Privacy and data security is a shared responsibility.
- Contact the Access to Information and Privacy Office if you have concerns about the collection, use or disclosure of personal information.
To report a privacy breach
When responding to privacy breaches, you must follow the University’s privacy breach response guidelines in section 14 of Procedure 20-5 — Handling Access to Information Requests and Privacy Breach Complaints.
As well, you must report the loss, theft or inadvertent disclosure of personal information to your immediate manager or supervisor, the Access to Information and Privacy Office and the Security Architect.
Access to Information and Privacy Office
Tabaret Hall, Room M407
550 Cumberland Street
Tel.: 613-562-5800 ext. 1667
Access to Information and Privacy Office website
 See the Acceptable Encryption Procedure for the minimum security baseline required for the encryption of information.
 See the Password Protection Procedure for guidance on how to create strong passwords, how to protect them and how often to change them.
 See Virus Protection Procedure for guidance on minimizing the risk of virus infections and attacks on University IT assets.
 See section 14 of Policy 90 for more on the retention and disposal of personal information.