Key Steps to Responding to Privacy Breaches [1]
Nova Scotia Freedom of Information and Protection of Privacy Review Office

What is a privacy breach?

A privacy breach occurs whenever there is unauthorized access to, or collection, use, disclosure or disposal of personal information. Such activity is unauthorized if it occurs in contravention of the Freedom of Information and Protection of Privacy Act (FOIPOP), the Municipal Government Act Part XX (MGA) or the Personal Health Information Act (PHIA).

What are the four key steps?

Step 1: Contain the Breach
Step 2: Evaluate the Risks
Step 3: Notification
Step 4: Prevention

The first three steps should be undertaken immediately upon discovery of the breach or in very quick succession. The fourth step is undertaken once the causes of the breach are known, in an effort to find longer term solutions to the identified problem.

Purpose of the Key Steps Document

Privacy breaches take many different forms, from misdirected faxes containing tax data, to the loss of hard drives containing personal information, to medical files blowing out the back of a garbage truck. Public bodies, municipalities and health custodians in Nova Scotia should be prepared to manage their responses to privacy breaches. The four key steps to responding to privacy breaches are steps that have been adopted across most Canadian jurisdictions in both the public and private sector. They represent best privacy practices for mitigating the harm arising from a privacy breach.

Use this document in combination with the Privacy Breach checklist (p. 13 of this document) also available on our website at:

[1] This brochure is adapted from material prepared by the Office of the Information Commissioner of British Columbia entitled: Privacy Breaches: Tools and Resources available at guidance/guidance-documents.
Other Resources for Health Custodians

Note that the Personal Health Information Act (PHIA) has particular breach notification requirements in sections 69 and 70. Included in those provisions is the expectation that notification will occur in prescribed circumstances, for events including when information is stolen, lost or subject to unauthorized access, use, disclosure, copying or modification. The Government of Nova Scotia has produced a Privacy Breach Notification Decision Making Tool, to assist custodians in determining what type of notification is required under PHIA. Breach notification is one of the four key steps discussed in this document. This document may be of assistance to health custodians in evaluating their overall response to a breach.

Notice to Users

This document is intended to provide general information only. It is not intended, nor can it be relied upon, as legal advice. As an independent agency mandated to oversee compliance with FOIPOP, MGA and PHIA, the Freedom of Information and Protection of Privacy Review Office (Review Office) cannot approve in advance any proposal from a public body, municipality or health custodian. We must maintain our ability to investigate complaints and to provide recommendations in response to these complaints. The contents of this document do not fetter or bind this office with respect to any matter, including any complaint investigation or other matter, respecting which the Review Officer will keep an open mind. It remains the responsibility of each public body, municipality and health custodian to ensure that they comply with their responsibilities under the relevant legislation. Contact information for the Review Officer is set out on page 22 of this document; further information about our role and mandate can be found at:
Step 1: Contain the Breach

Before continuing, you should ensure that you record all steps taken to investigate and manage the breach. The privacy breach checklist tool can be used to complete all of the steps set out below and to record all relevant information. That tool is available at p. 13 of this document and at:

You should take immediate and common sense steps to limit the breach including:

- Contain: Immediately contain the breach by, for example, stopping the unauthorized practice, shutting down the system that was breached, revoking or changing computer access codes, sending a remote kill signal to a lost or stolen portable storage device, correcting weaknesses in physical security or searching the neighborhood or used item websites (such as Kijiji) for items stolen from a car or house.

- Initial Investigation: Designate an appropriate individual to lead the initial investigation. Begin this process the day the breach is discovered. This individual should have the authority within the public body or organization to conduct the initial investigation and make initial recommendations. If necessary, a more detailed investigation may subsequently be required.

- Privacy Officer & Other Internal Notifications: Immediately contact your Privacy Officer and the person responsible for security in your organization. Determine others who need to be made aware of the incident internally at this stage. It is helpful to prepare in advance a list of all of the individuals who should be contacted along with current contact information.

- Breach Response Team: Determine whether a breach response team must be assembled, which could include representatives from appropriate business areas (labour relations, legal, communications, senior management). Representatives from privacy and security should always be included, and generally the privacy team is responsible for coordinating the response to the incident.

- Police: Notify the police if the breach involves theft or other criminal activity.

- Preserve evidence: Do not compromise the ability to investigate the breach. Be careful not to destroy evidence that may be valuable in determining the cause, or that will allow you to take appropriate corrective action.
Step 2: Evaluate the Risks

To determine what other steps are immediately necessary, you must assess the risks. Consider the following factors:

Personal Information Involved:

As soon as possible get a complete list of all of the personal information at risk. Generally this means developing a list of the data elements lost, stolen or inappropriately accessed. For example, the data could include name, address, date of birth, medical diagnosis and health card number (MSI). At this stage it is important that the investigator confirm the data at risk as quickly as possible. Be aware that if the breach is caused by an error or oversight by an employee, they may be reluctant to fully disclose the scope of the lost data.

Next, evaluate the sensitivity of the personal information. Some personal information is more sensitive than others. Generally, information including health information, government-issued pieces of information such as social insurance numbers, health care numbers and financial account numbers such as credit card numbers is considered sensitive.

Also consider the context of the information when evaluating sensitivity. For example, a list of customers on a newspaper carrier's route may not be sensitive. However, a list of customers who have requested service interruption while on vacation would be more sensitive.

Finally, in your evaluation of sensitivity consider the possible use of the information. Sometimes it is the combination of the data elements that makes the information sensitive or capable of being used for fraudulent or otherwise harmful purposes.

The more sensitive the information, the higher the risk.

Cause and Extent of the Breach:

The cause and extent of the breach must also be considered in your analysis of the risks associated with the breach. Answer all of the following questions:

- What is the cause of the breach?
- Is there a risk of ongoing or further exposure of the information?
- What was the extent of the unauthorized collection, use or disclosure, including the number of likely recipients and the risk of further access, use or disclosure, including in mass media or online?
- Was the information lost or stolen? If it was stolen, can it be determined whether the information was the target of the theft or not?
- Is the information encrypted or otherwise not readily accessible?
- Has the personal information been recovered?
- What steps have you already taken to minimize the harm?
- Is this a systemic problem or an isolated incident?

Individuals Affected by the Breach

Knowing who was affected by the breach will shape your strategies in managing the breach and may also determine who will help manage the breach (e.g. union employees affected likely means labour relations should be on the breach management team). It will also determine who you decide to notify: if business partners are affected, then you will likely want to notify them.

- How many individuals are affected by the breach?
- Who was affected by the breach: employees, public, contractors, clients, service providers, other organizations?

Foreseeable Harm from the Breach

- Who is in receipt of the information? For example, a stranger who accidentally receives personal information and voluntarily reports the mistake is less likely to misuse the information than an individual suspected of criminal activity.
- Is there any relationship between the unauthorized recipients and the data subject? A close relationship between a victim and the recipient may increase the likelihood of harm: an estranged spouse is more likely to misuse information than a neighbour.
- What harm to the individuals will result from the breach? Harm that may occur includes:
  - Security risk (e.g. physical safety)
  - Identity theft or fraud
  - Loss of business or employment opportunities
  - Hurt, humiliation, damage to reputation or relationships
  - Basis for potential discriminatory action that may be taken against the individual
  - Social/relational harm (damage to the individual's relationships)
- What harm could result to the public body or organization as a result of the breach? For example:
  - Loss of trust in the public body or organization
  - Loss of assets
  - Financial exposure including class action lawsuits
  - Loss of contracts/business
- What harm could result to the public as a result of the breach? For example:
  - Risk to public health
  - Risk to public safety

Once you have assessed all of the risks described above you will be able to determine whether or not notification is an appropriate mitigation strategy. Further, the risk assessment will help you to identify appropriate prevention strategies.

The table below summarizes the risk factors and suggests a possible risk rating. Each public body, health custodian or municipality must make their own assessment of the risks given the unique circumstances of the situation. The table is intended to provide a rough guide to ratings.

Risk Rating Overview

| Factor | Low | Medium | High |
|---|---|---|---|
| Nature of personal information | Publicly available personal information not associated with any other information | Personal information unique to the organization that is not medical or financial information | Medical, psychological, counselling, or financial information or unique government identification number |
| Relationships | Accidental disclosure to another professional who reported the breach and confirmed destruction or return of the information | Accidental disclosure to a stranger who reported the breach and confirmed destruction or return of the information | Disclosure to an individual with some relationship to or knowledge of the affected individual(s), particularly disclosures to motivated ex-partners, family members, neighbors or co-workers. Theft by stranger |
| Cause of breach | Technical error that has been resolved | Accidental loss or disclosure. Cause unknown | Intentional breach. Technical error if not resolved |
| Scope | Very few individuals affected | Identified and limited group of individuals affected | Large group or entire scope of group not identified |
Risk Rating Overview (continued)

| Factor | Low | Medium | High |
|---|---|---|---|
| Containment efforts | Data was adequately encrypted. Portable storage device was remotely wiped within hours of loss and there is evidence that the device was not accessed prior to wiping. Hard copy files or device were recovered almost immediately and all files appear intact and/or unread | Portable storage device was remotely wiped within hours of loss but there is no evidence to confirm that the device was not accessed prior to wiping. Hard copy files or device were recovered but sufficient time passed between the loss and recovery that the data could have been accessed | Data was not encrypted. Data, files or device have not been recovered. Data at risk of further disclosure, particularly through mass media or online |
| Foreseeable harm from the breach | No foreseeable harm from the breach | Loss of business or employment opportunities. Hurt, humiliation, damage to reputation or relationships. Social/relational harm. Loss of trust in the public body. Loss of public body assets. Loss of public body contracts or business. Financial exposure to public body including class action lawsuits | Security risk (e.g. physical safety). Identity theft or fraud risk. Hurt, humiliation, damage to reputation may also be a high risk depending on the circumstances. Risk to public health or safety |
Step 3: Notification

Notification can be an important mitigation strategy that has the potential to benefit the public body, municipality, health custodian and the individuals affected by a breach. Prompt notification can help individuals mitigate the damage by taking steps to protect themselves. The challenge is to determine when notice should be required. Each incident needs to be considered on a case-by-case basis to determine whether the privacy breach notification is required. In addition, public bodies, municipalities and health custodians are encouraged to contact the Nova Scotia Freedom of Information and Protection of Privacy Review Office for assistance in managing a breach. [2]

Review your risk assessment to determine whether notification is appropriate. If sensitive information is at risk, if the information is likely to be misused, if there is foreseeable harm, then you will likely want to notify. The list below provides further information to assist in decision making.

Note to health custodians: There are additional considerations set out specifically in PHIA. In particular, PHIA requires notification be given to either the affected individual or the Review Officer in accordance with sections 69 and 70 of PHIA.

Neither FOIPOP nor Part XX of the MGA requires notification. However, as noted above, notification in appropriate circumstances is best privacy practice and will help mitigate the losses suffered by individuals as a result of the breach. The steps taken in response to a breach have the potential to significantly reduce the harm caused by the breach, which will be relevant in any law suit for breach of privacy.

Notifying affected individuals

As noted above, notification of affected individuals should occur if it is necessary to avoid or mitigate harm to them. Some considerations in determining whether to notify individuals affected by the breach include:

- Legislation requires notification: s. 69 and s. 70 of PHIA, for example;
- Contractual obligations require notification;
- There is a risk of identity theft or fraud, usually because of the type of information lost, stolen, accessed or disclosed, such as a SIN, banking information, identification numbers;

[2] The Review Office has the responsibility for monitoring how privacy provisions are administered and the ability to provide advice and comments on the privacy provisions when requested by public bodies and custodians. Our contact information is included at page 22 of this document.
- There is a risk of physical harm if the loss puts an individual at risk of stalking or harassment;
- There is a risk of hurt, humiliation or damage to reputation, for example when the information lost includes medical or disciplinary records;
- There is a risk of loss of business or employment opportunities if the loss of information could result in damage to the reputation of an individual, affecting business or employment opportunities; and
- There is a risk of loss of confidence in the public body or organization and/or good citizen relations dictates that notification is appropriate.

When and How to Notify

Notification should occur as soon as possible following the breach, within days whenever possible. However, if you have contacted law enforcement authorities, you should determine from those authorities whether notification should be delayed in order not to impede a criminal investigation.

On very rare occasions medical evidence may indicate that notification could reasonably be expected to result in immediate and grave harm to the individual's mental or physical health. In those circumstances, consider alternative approaches, such as having the physician give the notice in person or waiting until the immediate danger has passed.

Direct notification is preferred: by phone, by letter or in person. Indirect notification via websites, posted notices or media reports should generally only occur in rare circumstances, such as where direct notification could cause further harm or contact information is lacking. Using multiple methods of notification may, in certain cases, be the most effective approach.

What should be included in the notification?

Notifications should include the following information:

- Date of the breach;
- Description of the breach;
- Description of the information inappropriately accessed, collected, used or disclosed;
- Risk(s) to the individual caused by the breach;
- The steps taken so far to control or reduce the harm;
- Where there is a risk of identity theft as a result of the breach, typically the notice should offer free credit watch protection as part of the mitigation strategy;
- Further steps planned to prevent future privacy breaches;
- Steps the individual can take to further mitigate the risk of harm (e.g. how to contact credit reporting agencies to set up a credit watch, information explaining how to change a personal health number or driver's licence number);
- Contact information of an individual within the public body, municipality or health organization who can answer questions or provide further information;
- Review Officer contact information and the fact that individuals have a right to complain to the Review Officer under the Privacy Review Officer Act and PHIA. If the public body, municipality or health custodian has already contacted the Review Officer, include this detail in the notification letter.

Other sources of information

As noted above, the breach notification letter should include a contact number within the public body, municipality or health custodian, in case affected individuals have further questions. In anticipation of further calls, you should prepare a list of frequently asked questions and answers to assist staff responsible for responding to further inquiries.

Others to contact

Regardless of what you determine your obligations to be with respect to notifying individuals, you should consider whether the following authorities or organizations should also be informed of the breach:

- Police - if theft or other crime is suspected;
- Insurers or others - if required by contractual obligations;
- Professional or other regulatory bodies - if professional or regulatory standards require notification of these bodies;
- Other internal or external parties not already notified - your investigation and risk analysis may have identified other parties impacted by the breach, such as third party contractors, internal business units or unions;
- Review Office - The mandate of the Review Office includes a responsibility to monitor how the privacy provisions are administered and to provide advice and comments on the privacy provisions when requested by public bodies and health custodians. The following factors are relevant in deciding whether or not to report a breach to the Review Office:
  - For health custodians, s. 70 of PHIA sets out when the Review Office must be contacted. Health custodians may wish to contact the Review Office even when notification is not required, based on some of the factors listed below;
13 ~ 11 ~ The sensitivity f the infrmatin generally the mre sensitive the infrmatin at risk, the mre likely the Review Office will be ntified; Whether the disclsed infrmatin culd be used t cmmit identity theft; Whether there is a reasnable chance f harm frm the disclsure including nnpecuniary lsses; The number f peple affected by the breach; Whether the infrmatin was fully recvered withut further disclsure; Yur public bdy, municipality r health custdian wishes t seek advice r cmment frm the Review Officer t aid in managing the privacy breach; Yur public bdy, municipality r health custdian requires assistance in develping a prcedure fr respnding t the privacy breach, including ntificatin; Yur public bdy, municipality r health custdian is cncerned that ntificatin may cause further harm; and/r T ensure steps taken cmply with the public bdy s bligatins under privacy legislatin.
Step 4: Prevention

Once the immediate steps are taken to mitigate the risks associated with the breach, you need to take the time to thoroughly investigate the cause of the breach. This could require a security audit of both physical and technical security. As a result of this evaluation, you should develop or improve as necessary adequate long term safeguards against further breaches.

Typically prevention strategies will address privacy controls in all of the following areas:
- Physical
- Technical
- Administrative
- Personnel

So, for example, if any physical security weaknesses contributed to the breach, changes made to prevent a recurrence should be undertaken. Systems controls should also be reviewed to ensure that all necessary technical safeguards are in place. This could mean encrypting all portable storage devices or improving firewall protections on a database. Administrative controls would include ensuring that policies are reviewed and updated to reflect the lessons learned from the investigation, and regularly after that. Your resulting plan should also include a requirement for an audit at the end of the process, to ensure that the prevention plan has been fully implemented. If you do not already have a privacy breach protocol in place, ensure that one is developed as part of your plan.

Staff of public bodies, municipalities and health custodians should be trained to know the organization's privacy obligations under FOIPOP, MGA Part XX and/or PHIA.

In the longer term, public bodies, health custodians and municipalities should review and refresh their privacy management framework to ensure that they continue to comply with their privacy obligations. For more information on privacy management frameworks visit the Review Office website at:
Privacy Breach Checklist
Nova Scotia Freedom of Information and Protection of Privacy Review Office
Privacy Breach Checklist

Use this checklist to evaluate your response to a privacy breach and to decide whether or not to report the breach to the Nova Scotia Freedom of Information and Protection of Privacy Review Office.[3] For a further explanation of how to manage a privacy breach see Key Steps to Responding to Privacy Breaches available at:

Date of report:
Date breach initially discovered:

Contact information:
Public Body/Health Custodian/Municipality:
Contact Person (Report Author):
Title:
Phone:
Fax:
Mailing Address:

Incident Description
Describe the nature of the breach and its cause. How was the breach discovered and when? Where did it occur?

[3] The Review Office's mandate includes an obligation to monitor how privacy provisions are administered and to provide advice and comments on privacy provisions on the request of health custodians and public bodies.
Steps 1 & 2: Containment & Risk Evaluation

Answer each of the following questions and then, based on those answers, complete the risk evaluation summary on page 17.

(1) Containment
Check all of the factors that apply:
- The personal information has been recovered and all copies are now in our custody and control
- We have confirmation that no copies have been made
- We have confirmation that the personal information has been destroyed
- We believe (but do not have confirmation) that the personal information has been destroyed
- The personal information is encrypted
- The personal information was not encrypted
- Evidence gathered so far suggests that the incident was likely a result of a systemic problem
- Evidence gathered so far suggests that the incident was likely an isolated incident
- The personal information has not been recovered but the following containment steps have been taken (check all that apply):
  - The immediate neighbourhood around the theft has been thoroughly searched
  - Used item websites are being monitored but the item has not appeared so far
  - Pawn shops are being monitored
  - A remote wipe signal has been sent to the device but no confirmation that the signal was successful has been received
  - A remote wipe signal has been sent to the device and we have confirmation that the signal was successful
  - Our audit confirms that no one has accessed the content of the portable storage device
  - We do not have an audit that confirms that no one has accessed the content of the portable storage device
  - All passwords and system user names have been changed

Describe any other containment strategies used:
(2) Nature of Personal Information Involved
List all of the data elements involved (e.g. name, date of birth, SIN, address, medical diagnoses, connection with identified service provider such as welfare or counselling etc.)
- Name
- Address
- Date of birth
- Government ID number (specify)
- SIN
- Financial information
- Medical information
- Personal characteristics such as race, religion, sexual orientation
- Other (describe)

(3) Relationship
What is the relationship between the recipient of the information and the individuals affected by the breach?
- Stranger
- Friend
- Neighbour
- Ex-partner
- Co-worker
- Unknown
- Other (describe)
(4) Cause of the breach
Based on your initial investigation of the breach, what is your best initial evaluation of the cause of the breach?
- Accident or oversight
- Technical error
- Intentional theft or wrongdoing
- Unauthorized browsing
- Unknown
- Other (describe)

(5) Scope of the breach
How many people were affected by the breach?
- Very few (less than 10)
- Identified and limited group (>10 and <50)
- Large number of individuals affected (>50)
- Numbers are not known

(6) Foreseeable harm
Identify the types of harm that may result from the breach. Some relate strictly to the affected individual; but harm may also be caused to the public body and other individuals if notifications do not occur:
- Identity theft (most likely when the breach includes loss of SIN, credit card numbers, driver's licence numbers, debit card information etc.)
- Physical harm (when the information places any individual at risk of physical harm from stalking or harassment)
- Hurt, humiliation, damage to reputation (associated with the loss of information such as mental health records, medical records, disciplinary records)
- Loss of business or employment opportunities (usually as a result of damage to reputation to an individual)
- Breach of contractual obligations (contractual provisions may require notification of third parties in the case of a data loss or privacy breach)
- Future breaches due to technical failures (notification to the manufacturer may be necessary if a recall is warranted and/or to prevent a future breach by other users)
- Failure to meet professional standards or certification standards (notification may be required to a professional regulatory body or certification authority)
- Other (specify)
(7) Other factors
The nature of the public body's relationship with the affected individuals may be such that the public body wishes to notify no matter what the other factors are because of the importance of preserving trust in the relationship. Consider the type of individuals that were affected by the breach.
- Client/customer/patient
- Employee
- Student or volunteer
- Other (describe)

Risk Evaluation Summary:
For each of the factors reviewed above, determine the risk rating.

Risk Factor                              | Risk Rating (Low / Medium / High)
1) Containment                           |
2) Nature of the personal information    |
3) Relationship                          |
4) Cause of the breach                   |
5) Scope of the breach                   |
6) Foreseeable harm from the breach      |
7) Other factors                         |
Overall Risk Rating                      |

Use the risk rating to help decide whether notification is necessary and to design your prevention strategies. Foreseeable harm from the breach is usually the key factor used in deciding whether or not to notify affected individuals. Step 3 below analyzes this in more detail. In general though, a medium or high risk rating will always result in notification to the affected individuals. A low risk rating may also result in notification depending on the unique circumstances of each case.
Step 3: Notification

1. Should affected individuals be notified?
Once you have completed your overall risk rating, determine whether or not notification of affected individuals is required. If any of the following factors apply, notification should occur. If the PHIA test is satisfied, notification must occur.

Consideration | Description | Factor applies
- Legislation | Health custodians in Nova Scotia must comply with sections 69 & 70 of PHIA which require notification |
- Risk of identity theft | Most likely when the breach includes loss of SIN, credit card number, driver's licence number, debit card information, etc. |
- Risk of physical harm | When the information places any individual at risk of physical harm from stalking or harassment |
- Risk of hurt, humiliation, damage to reputation | Often associated with the loss of information such as mental health records, medical records or disciplinary records |
- Loss of business or employment opportunities | Where the breach could affect the business reputation of an individual |
- Explanation required | The public body may wish to notify if the affected individuals include vulnerable individuals, or where individuals require information to fully understand the events, even when the risks have been assessed as low |
- Reputation of public body | Where the public body is concerned that the breach will undermine trust of citizens, the public body may decide to notify in order to ease concerns and to provide clear information regarding the risks and mitigation strategies undertaken, even when risks assessed are low |
2. When and How to Notify

When: Notification should occur as soon as possible following a breach. However, if you have contacted law enforcement authorities, you should determine from those authorities whether notification should be delayed in order not to impede a criminal investigation.

How: The preferred method is direct: by phone, letter, or in person. Indirect notification via website information, posted notices or media should generally only occur where direct notification could cause further harm, is prohibitive in cost, or contact information is lacking. Using multiple methods of notification in certain cases may be the most effective approach.

Considerations Favouring Direct Notification | Check If Applicable
- The identities of individuals are known
- Current contact information for the affected individuals is available
- Individuals affected by the breach require detailed information in order to properly protect themselves from the harm arising from the breach
- Individuals affected by the breach may have difficulty understanding an indirect notification (due to mental capacity, age, language, etc.)

Considerations Favouring Indirect Notification | Check If Applicable
- A very large number of individuals are affected by the breach, such that direct notification could be impractical
- Direct notification could compound the harm to the individuals resulting from the breach

3. What to Include in Breach Notification Letters

The information included in the notice should help the individual to reduce or prevent the harm that could be caused by the breach. Include all of the information set out below:

Essential elements in breach notification letters | Included
- Date of breach
- Description of breach
- Description of personal information affected
- Steps taken so far to control or reduce harm (containment)
- Future steps planned to prevent further privacy breaches
- Steps individuals can take - consider offering credit monitoring where appropriate
- Review Officer contact information
- Individuals have a right to complain to the Review Officer
- Public body, municipality or health custodian contact information for further assistance
4. Others to contact

Authority or Organization | Reason for Contact | Applicable
- Law Enforcement | If theft or crime is suspected |
- Review Officer | For assistance with developing a procedure for responding to the breach, including notification; to ensure steps taken comply with obligations under privacy legislation; the personal information is sensitive; there is a risk of identity theft or other significant harm; a large number of people are affected; the information has not been fully recovered; the breach is a result of a systemic problem or a similar breach has occurred before |
- Professional or regulatory bodies | If professional or regulatory standards require notification of the regulatory or professional body |
- Insurers | Where required in accordance with an insurance policy |
- Technology suppliers | If the breach was due to a technical failure and a recall or technical fix is required |

Confirm notifications completed:

Key contact | Notified
- Privacy officer within your public body, municipality or health custodian
- Police (as required)
- Affected individuals
- Review Officer
- Professional or regulatory body (identify):
- Technology suppliers
- Others (list)