Table of Contents

Introduction 3
What is a Privacy Breach? 3
Authority to Review Privacy Breaches 5
Survey Highlights 6
Survey Results 8
  Response Rate 8
  Personal and Personal Health Information 9
  Privacy Breaches 10
  Privacy Breach Policies, Procedures and Guidelines 13
  Privacy Breach Training 14
  Internal Reporting of Privacy Breaches 15
  Privacy Breach Documentation 15
  Service Agencies and Contractual Obligations 16
  Notification 17
  Resources to Manage Privacy Breaches 18
Conclusion 19
Appendix: Privacy Breach Practices Survey 21

Introduction

Public-sector organizations collect, use and disclose information about Manitobans in order to deliver various programs, services and benefits. Manitoba's Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Health Information Act (PHIA) regulate how personal information and personal health information is handled by public bodies and trustees (organizations), and these laws also require that reasonable safeguards be in place to protect that information. Manitoba Ombudsman upholds privacy and access to information rights under FIPPA and PHIA by investigating complaints from the public and by conducting reviews and audits to monitor and ensure that organizations comply with these laws.

Although organizations may strive to handle personal and personal health information in accordance with these laws and implement safeguards, privacy breaches can occur due to human error, use of technology or malicious actions. The increased use of technology and electronic records facilitates storing and sharing more information than was possible in a paper-based work environment. A privacy breach can have significant consequences for the individuals affected, including identity theft, a damaged reputation, embarrassment, and loss of employment.

FIPPA and PHIA do not require that affected individuals be notified of a breach of their information or that breaches be reported to the ombudsman. Given the impact that privacy breaches can have on Manitobans, and given that privacy breach notification and reporting is voluntary in Manitoba, we wanted to gain a better understanding of how organizations in the province prepare for and manage privacy breaches. Specifically, we set out to determine how prepared organizations are to respond effectively to privacy breaches, whether notification to affected individuals and the ombudsman was considered when breaches occurred, whether there are potential gaps in the system, and ultimately, how we can better assist with any identified issues. To do this, we distributed a survey of privacy breach practices to 238 public-sector organizations. This report provides a summary of our findings and our analysis of some of the issues raised by the responses.

What is a Privacy Breach?

For the purpose of this review, we have described a privacy breach as the improper or unauthorized collection, use, disclosure, retention or disposal of personal and/or personal health information. Such activity is considered unauthorized if it is not permitted by FIPPA and PHIA.

Personal and personal health information are defined in FIPPA and PHIA as follows:

Personal information is recorded information about an identifiable individual. Some examples include a person's name, age, ancestry, education, employment history, financial information, home address, and a number that can identify them (for example, a case file number or social insurance number).

Personal health information is recorded information about an identifiable individual that relates to:
(a) the individual's health, or health-care history, including genetic information about the individual,
(b) the provision of health care to the individual, or
(c) payment for health care provided to the individual,
and includes
(d) the PHIN and any other identifying number, symbol or particular assigned to an individual, and
(e) any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.

Before the adoption of electronic records, a privacy breach involving paper records could occur by simply misdirecting mail or disposing of records in the trash. So, what does a privacy breach look like today and how does it happen? Privacy breaches can happen in a variety of ways. For example:
- Lost or stolen electronic devices, such as laptops, flash drives and smartphones, containing personal and/or personal health information.
- Misdirecting mail, email or faxes to the wrong party.
- Employees inappropriately accessing and/or disclosing personal and/or personal health information for purposes unrelated to their work.
- Improperly disposing of personal and/or personal health information records in a manner that is not secure.
- Individuals posing as someone else to gain access to information.
- Databases containing personal and/or personal health information being hacked.

A privacy breach does not discriminate: it can happen to an organization of any size, it can affect one person or many, and it can involve information that varies in sensitivity. As a result, privacy breaches will have widely different outcomes. The impact of a privacy breach can depend on the function of the organization, the type of information being managed and the nature of the breach. Some organizations hold such sensitive information that a privacy breach will have a much greater impact on those affected. For example, an inadvertent disclosure of a social insurance number may result in severe consequences. Due to the multitude of circumstances surrounding a privacy breach, each breach needs to be considered on a case-by-case basis.

Authority to Review Privacy Breach Practices

In addition to the investigation of complaints from the public under FIPPA and PHIA, the ombudsman may conduct investigations and audits to monitor and ensure that organizations comply with these laws. Both FIPPA and PHIA impose obligations on Manitoba organizations to protect personal and personal health information by implementing reasonable safeguards.

FIPPA has the following requirement:

    Protection of personal information
    41 The head of a public body shall, in accordance with any requirements set out in the regulations, protect personal information by making reasonable security arrangements against such risks as unauthorized access, use, disclosure or destruction.

PHIA sets out this obligation:

    Duty to adopt security safeguards
    18 In accordance with any requirements of the regulations, a trustee shall protect personal health information by adopting reasonable administrative, technical and physical safeguards that ensure the confidentiality, security, accuracy and integrity of the information.

PHIA contains several additional requirements for the security of personal health information. This includes a requirement in the regulation under PHIA to have a written policy and procedures with provisions to record security breaches and corrective procedures to address breaches, as follows:

    Written security policy and procedures
    2 A trustee shall establish and comply with a written policy and procedures containing the following:
    (a) provisions for the security of personal health information during its collection, use, disclosure, storage, and destruction, including measures
        (i) to ensure the security of the personal health information when a record of the information is removed from a secure designated area, and
        (ii) to ensure the security of personal health information in electronic form when the computer hardware or removable electronic storage media on which it has been recorded is being disposed of or used for another purpose;
    (b) provisions for the recording of security breaches;
    (c) corrective procedures to address security breaches.

Survey Highlights

In June 2016 our office distributed a link to an electronic survey to 238 organizations, which included municipalities, school divisions, hospitals, regional health authorities (RHAs), health-care bodies (that do not fall under an RHA), boards, commissions, provincial departments, universities and colleges. The intent of this survey was to gather information which would help provide an overall picture of privacy breach practices across the province and not to highlight the practices of any specific organization. As such, the survey results are presented in aggregate form.

The survey consisted of a maximum of 19 questions (dependent on whether a participant was asked to elaborate; see appendix). The survey questions focused on privacy breach management practices occurring over the past three years. The questions addressed several areas: breach management policy; training on dealing with breaches; breach reporting by third-party service providers; types of privacy breaches experienced; documentation about breaches; notifying affected individuals and contacting the ombudsman; and resources to assist in managing breaches.

Of the 238 organizations surveyed, 187 participants responded to the survey. Of those, 62 surveys were incomplete. To maintain the integrity of the results, these incomplete responses were excluded from our analysis. While 125 respondents fully completed the survey, some provincial departments responded more than once on behalf of different divisions, resulting in a total of 118 organizations being represented. This indicates that 50% of organizations responded to the survey, which provided a reasonable sample size to give us insight into privacy breach practices within Manitoba. For the purposes of our analysis, we have used the number of respondents (125) in the calculation of our statistics.

The survey revealed many positive findings and also identified some areas where further work can be done:
- 51% of respondents indicated that they manage a combination of both personal and personal health information. The remaining 49% reported that they manage only personal information.
- 38% of respondents reported that their organization has a written policy or guideline in place to manage a privacy breach.
- In spite of having only 38% reporting that they had written policies in place, 46% of respondents reported that they do track privacy breaches. Some organizations have taken it upon themselves to track privacy breaches even though they may not have policies in place.
- 78% of respondents reported that their organization does not provide training specific to privacy breach management.
- Despite the fact that many organizations do not have privacy breach training, 72% of respondents reported that a specific person had been designated to manage privacy breaches.
- 59% of respondents reported that the most common privacy breach was losing hardcopy (paper) records.
- Where a privacy breach involved loss or theft, 38% of respondents reported that the loss or theft occurred in the office and 26% experienced loss or theft from a vehicle.
- The majority of respondents (61%) reported they have experienced a disclosure privacy breach, meaning that the information was shared outside of the organization.
- 46% of those who contracted a third party for service included general privacy breach provisions within their contracts. However, when asked whether the contract included a requirement to notify the organization in the event of a privacy breach, 37% reported that they did not include a notification provision.
- 55% of respondents reported that they had contacted (either by email, mail, fax or phone) Manitoba Ombudsman in response to a privacy breach.
- 74% of respondents reported that they have notified an affected third party as a result of a privacy breach. Of those who have notified an affected third party, 69% reported that they notified a third party based on the potential risk of hurt, embarrassment or damage to one's reputation.
- 63% of respondents identified that training to deal with privacy breaches and sample policies for managing privacy breaches were the most needed resources.

Survey Results

1. Response Rate

The survey was sent to a cross section of public-sector organizations including public bodies under FIPPA and trustees under PHIA. Of the 238 organizations surveyed, 125 participants representing 118 organizations fully completed the survey, representing a 50% organizational response rate. An additional 62 respondents partly completed the survey, and these were not included in our analysis to maintain the integrity of the results.

[Chart: Number of Respondents by Organization, by category: Municipalities, School Divisions (15), Boards and Commissions (11), Provincial Departments*, Hospitals and Health Care Bodies**, Universities and Colleges, Regional Health Authorities***. The remaining counts shown in the chart (8, 6, 4) cannot be attributed to a category from the extracted text.]

* 18 total responses that reflected 11 provincial departments.
** Hospitals and health-care bodies that do not fall under the authority of a regional health authority.
*** The regional health authorities responded on behalf of all trustees that fall under their specific jurisdiction.

2. Personal and Personal Health Information

51% of respondents indicated that they manage a combination of both personal and personal health information. The remaining 49% responded that they manage only personal information. We believe that these results underrepresent the existence of personal health information in records held by organizations. It is likely that some organizations do not realize that, in addition to personal information, they also have personal health information.

Personal health information can take many forms, including any information relating to the health of an individual, provision of health care or health-care history of the individual. This could include information about a client's, student's or employee's injury, illness, medication or health-care treatment. Most organizations have some personal health information, even if it is limited to that of their employees. For example, this can include information about employee absences due to illness or medical appointments, a doctor's note, or information about accommodating an employee's disability.

Preparing for the possibility of a privacy breach includes having a thorough understanding of what personal or personal health information is in the organization's custody and/or control. When managing a privacy breach, it is important to know what information was compromised. Additionally, the privacy rules in PHIA for personal health information differ from those in FIPPA for personal information. If an organization is not aware that it actually has personal health information, there is a risk that the organization is not complying with PHIA when it collects, uses or discloses that information. We suggest that organizations review what type of information they manage (ex. personal and/or personal health information) to ensure that the organization is adhering to the appropriate legislation (FIPPA and/or PHIA). While FIPPA and PHIA share many similarities, PHIA has specific requirements for the handling of personal health information.

[Chart: Number of Respondents that Manage Personal and/or Personal Health Information, by organization type (Municipalities, Provincial Departments, Boards and Commissions, School Divisions, Regional Health Authorities, Hospital and Health Care Bodies, Universities/Colleges), split between Personal Information only and a Combination of Personal and Personal Health Information.]

3. Privacy Breaches

29% of organizations reported that they have experienced a privacy breach within the past three years. We asked respondents to identify the type of privacy breach that was experienced, specifically whether the privacy breach occurred as a result of a loss or a theft of personal and/or personal health information. Of those who had experienced a privacy breach, 59% had experienced a privacy breach that resulted from losing paper records. Where a privacy breach was reported to be the result of theft, 24% reported it was due to a computer/laptop/tablet being stolen. 38% of respondents reported that the loss or theft of personal and/or personal health information occurred in the workplace.

Privacy Breach Experienced
  Lost File/Paper Record    59%
  Stolen Computer           24%
  Stolen File/Paper Record  21%
  Lost Cellphone            17%
  Lost Computer             10%
  Lost Flash Drive          10%
  Stolen Cellphone           7%
  Stolen Flash Drive         3%

Records containing personal or personal health information, such as those concerning clients, patients, students or employees, can be vulnerable to a privacy breach when removed from the office or workplace. This may occur when employees make home visits to clients, travel to other work locations, attend meetings off-site, take work home or work from home on a regular basis.

We asked respondents to identify the location of loss or theft with choices including: office, public location, vehicle, other and don't know. Organizations reported that 29% of the identified losses or thefts occurred in a public location such as a restaurant, park, or street and 26% occurred in a vehicle. Participants were provided the option of selecting the other category if the respondent felt that the location did not fit into the listed options. 24% of respondents selected the other category. Some participants provided additional information describing the location of the loss or theft of personal and/or personal health information. For example, respondents added that the loss or theft occurred on an airplane, at the home of a staff member and through Canada Post.

Organizations should create a policy that sets out procedures for ensuring the security of personal and personal health information when it is removed from the workplace. The following information may assist organizations when developing a policy for taking personal and/or personal health information outside the workplace:
- Identify categories of records that should never be removed from the workplace.
- Establish a procedure for tracking records when removed from the workplace.
- Take personal and/or personal health information off-site only when necessary, and only the information that is required.
- If possible, take copies of the originals and de-identify personal and/or personal health information.
- All personal and/or personal health information contained on an electronic device should be encrypted and password protected.
- Personal and/or personal health information should not be left in a vehicle unless there is no other option. In most situations, it is possible, although perhaps not always convenient, to require employees to take the information with them.

For further information, please refer to our practice note Protecting Personal and Personal Health Information When Working Outside the Office, which can be found on our website.

Location of Loss or Theft
  Office           38%
  Public Location  29%
  Vehicle          26%
  Other            24%
  Don't Know        6%

Respondents were asked to categorize the nature of the privacy breach they encountered. For the purpose of this survey we provided the following examples of privacy breaches involving collection, use, disclosure, and disposal of personal and/or personal health information:
- Inappropriate collection or over-collection of personal and/or personal health information, ex. collecting information when not required for the task at hand or collecting information without authority under legislation.
- Inappropriate use of personal and/or personal health information, ex. employee snooping, or use of information for a different unauthorized purpose.
- Inappropriate disclosure of personal and/or personal health information, ex. sharing information with others outside your organization without authority under legislation, i.e. posting information to social media, theft of records.
- Inappropriate disposal of personal and/or personal health information, ex. electronic data not erased from computers, fax or photocopying machines prior to sale/disposal, dumping paper records in trash or recycling bins.

The majority of respondents (61%) reported they have experienced a disclosure privacy breach, meaning that the information was shared outside of the organization. It was reported that the unauthorized disclosures included mailing or faxing to the wrong recipient, theft, emails directed to the wrong party, and employees discussing personal information with people outside of the organization.

Nature of Privacy Breach
  Disclosure  61%
  Use         47%
  Disposal    26%
  Collection  21%

4. Privacy Breach Policies, Procedures and Guidelines

A privacy breach policy or procedure provides guidance to staff when they believe that a breach may have occurred. Having this type of policy enables organizations to recognize and respond to a breach immediately, which may assist in reducing the impact of a breach. In the absence of a policy, staff may not know who they should report it to, who is responsible for responding to the breach or what steps should be taken. There are many benefits to having a privacy breach policy, such as:
- providing guidance for what to do if a privacy breach occurs
- assisting staff to adopt a thorough and consistent response
- ensuring all steps are identified and considered
- providing a framework that outlines a breach reporting structure
- providing a way of communicating expectations to new employees and serving as a training tool

Overall, 38% of the 125 respondents reported that they did have privacy breach policies, guidelines or procedures. Regional health authorities, hospitals and other health-care bodies that completed the survey reported that they have privacy breach policies. PHIA requires that organizations adopt reasonable administrative, technical and physical safeguards to ensure the confidentiality, security, accuracy and integrity of personal health information. In addition, PHIA requires organizations to have written policies and procedures that specifically address the recording of security breaches and corrective procedures to address privacy breaches. It is positive that 100% of the responding health-sector organizations have privacy breach policies in place. While FIPPA does not require written policies, having them is considered to be a best practice.

Overall, 62% of respondents reported they did not have privacy breach policies, guidelines or procedures. More specifically, 81% of municipalities, 67% of boards and commissions, 53% of school divisions and 55% of provincial departments reported that they do not have a written privacy breach policy. For those respondents that reported having privacy breach policies, over half reported that the policies are reviewed during orientation for new employees. In addition to having a privacy breach policy, an organization should review the policy on an ongoing basis to ensure it remains current.

5. Privacy Breach Training

Training on how to manage privacy breaches ensures staff know what to do in the event of a privacy breach and enables organizations to respond effectively to breaches. Training can include a review of the internal processes for reporting a breach, the steps to follow in the internal investigation of breaches and what to do afterward. Training prepares and empowers staff to respond when confronted with a breach. Organizations that have a privacy breach policy or procedures can use these as a training tool. The majority (78%) of respondents reported that their organization does not provide training specific to privacy breach management.

6. Internal Reporting of Privacy Breaches

Following the discovery of a privacy breach, an organization should start a full assessment of the circumstances. Having a designated person as the privacy breach lead provides support and guidance throughout the privacy breach process. A framework for reporting and responding to breaches must be clear so all employees of the organization understand what their responsibilities are in the event of a privacy breach. Each employee benefits by knowing who to turn to for direction.

Despite the fact that 78% of respondents reported that they did not have privacy breach training, we found that 72% of respondents reported that a specific person had been designated to manage privacy breaches in their organization. 45% of respondents who reported having a designated person indicated that it was an access and privacy officer/coordinator. The remaining respondents reported that chief administrative officers, school division superintendents, human resources or IT management managed privacy breaches.

7. Privacy Breach Documentation

Tracking and documenting privacy breaches that have occurred is important for proper privacy breach management. Documenting the breach incident and its outcomes is beneficial for several reasons:
- It provides a record of what occurred and supports decisions made for a particular course of action.
- It can help prevent future privacy breaches by identifying and addressing the causes of a breach. Documentation may also assist by highlighting any patterns in breaches occurring over a period of time.
- It demonstrates accountability and provides evidence of the organization's commitment to protecting citizens' personal and personal health information, which are important for maintaining the public's trust.
- Having a record of how the organization managed the breach is helpful in dealing with inquiries from individuals who may have been affected by the breach, inquiries from others if the breach becomes a matter of public interest, and inquiries from the ombudsman in the event of an investigation.

The majority of respondents (54%) indicated that their organization does not track privacy breaches. Of the remaining organizations (46%) that track their privacy breaches, most used Excel and Word documents for tracking purposes. Other identified tracking methods included maintaining specific case files with handwritten notes, records and other documents.

A privacy breach record should include information such as a description of the circumstances and cause; the time, date and location of the privacy breach; the type of personal and personal health information involved; the parties involved (including affected individuals); an assessment of anticipated risks; steps taken or to be taken to notify individuals; and any corrective measures taken. We encourage using a system to document a breach that makes sense for an organization's needs. Organizations may refer to the ombudsman's reporting form as guidance for documenting a privacy breach. For further information please refer to the practice note Reporting a Privacy Breach to Manitoba Ombudsman, which can be found on our website.

8. Service Agencies and Contractual Obligations

A service agency is described as an entity that provides a particular service to, or acts on behalf of, an organization under a contract (ex. a funded third party providing service on behalf of the organization). 26% of respondents reported that they have contracts with third-party service agencies. Of those, 46% indicated that their contracts/agreements outline the service agency's responsibilities in the event of a privacy breach. Where those provisions do exist, 49% reported that there is an obligation in their contract to notify the organization when a privacy breach has occurred.

Contracts or agreements with a third party should include provisions that require the third party to maintain the integrity, security and privacy of personal and personal health information. Organizations have a responsibility to protect the personal and personal health information in their custody and/or control. The personal and personal health information managed by a third party is still considered to be in the organization's control. As such, including a requirement to immediately notify the organization when a privacy breach occurs is considered a best practice.

Contracts Containing Privacy Breach Provisions
  Yes        46%
  No         37%
  No Answer  17%

9. Notification

Organizations are not required under FIPPA and PHIA to notify individuals affected by a privacy breach or Manitoba Ombudsman; however, they may do so voluntarily. Notifying an individual of a privacy breach enables the individual to assess the impact and take steps to mitigate potential harm. Notification is a proactive step that mitigates risk of harm and supports transparency and accountability.

Contacting Manitoba Ombudsman for assistance with a privacy breach, or formally reporting significant breaches to us, can also be helpful to organizations. Manitoba Ombudsman can provide guidance that assists organizations in responding to the privacy breach and in taking steps to prevent breaches from occurring in the future. Making our office aware of breaches can also assist us in responding to inquiries and complaints from affected individuals.

In our survey, 55% of respondents reported that they contacted Manitoba Ombudsman when a privacy breach occurred. 74% of respondents reported that they have notified an affected individual as a result of a privacy breach. When an organization decided to notify an affected individual, the majority reported that they did so due to the potential risk of identity theft and the possibility that the affected party may be hurt or embarrassed. Respondents were provided with other notification consideration options including risk to business, identity theft or fraud, physical harm or an intentional privacy breach. There was also an option to select the other category if they wanted to provide additional information about what circumstances were considered when determining if notification was appropriate. 21% of respondents selected the other category and identified considerations such as:
- professional and moral obligation
- standard practice in an effort to promote transparency
- the breach posed a security risk, and
- out of courtesy for the affected individual

There has been a growing trend across Canada toward mandatory breach notification to affected individuals and reporting to oversight offices. Many jurisdictions have passed laws to require notification and/or reporting in certain circumstances, including Alberta, Ontario, Yukon, Northwest Territories, New Brunswick, Nova Scotia, Prince Edward Island and Newfoundland and Labrador. Some jurisdictions require this when the breach could result in harm to individuals, for example, physical, emotional or financial harm.

Resources to Manage Privacy Breaches

In the survey, we asked what resources would assist organizations in managing a privacy breach. 63% of respondents indicated that privacy breach training and a sample privacy breach policy would be the most valuable resources. Respondents reported that, in addition to training and policies, the following resources would be beneficial:
- resources to develop and deliver additional specialized training as well as to assist in additional auditing activity
- more online resources to help deal with breaches
- a scale to assess potential harm to an affected individual
- a sample notification letter to affected individuals
- information and training specifically targeting small organizations
- more training about privacy protection

Resources to Manage Privacy Breaches
  Training Specific to Privacy Breaches  63%
  Written Sample Policy/Procedures       63%
  Notification Letter                    58%
  Sample Privacy Breach Policy           58%
  An Established Reporting Structure     46%
  Other                                   6%

Organizations that do not have a policy for managing privacy breaches are encouraged to adapt our practice note Key Steps to Responding to a Privacy Breach. This document can be customized, as necessary, to meet an organization's specific needs and circumstances. To assist organizations with managing privacy breaches more effectively, our office is also developing the following resources:
- A practice note that can serve as a guidance tool when writing a notification letter.
- A risk assessment tool that will provide assistance to organizations in determining in what circumstances notification should be considered.

We have also developed a new page called Privacy Breaches on our website. This page will bring together guidance documents, practice notes and other resources pertaining to privacy breach management.

Conclusion

We thank all the Manitoba public-sector organizations that responded to our privacy breach practices survey. This is the first time that information about privacy breach practices has been collected in this way. We hope the results can serve as a benchmark for similar surveys in the future. Survey responses revealed that many public-sector organizations in Manitoba do proactively manage privacy breaches, which for some organizations includes having privacy breach policies and practices.

Responses also identified areas where more work can be done, such as knowing what information is held by organizations, documenting privacy breaches and including breach notification provisions in third-party service contracts.

In summary, being prepared in the event of a privacy breach reduces the overall impact of the breach. Organizations can reduce the occurrence and impact of a privacy breach by:

- developing a privacy breach policy
- providing privacy training
- assessing the impact of the privacy breach and considering notification to the affected parties
- tracking and documenting privacy breaches, and
- ensuring privacy responsibilities are outlined in service contracts

Although privacy breach reporting is voluntary in Manitoba, organizations may also find it helpful to report privacy breaches to Manitoba Ombudsman, particularly in situations where a breach can pose a significant risk to individuals' privacy and/or where affected individuals will be notified.

It is the role of our office to ensure the privacy rights of Manitoba citizens are upheld. Citizens entrust organizations to protect and secure their personal and personal health information. To protect the privacy rights of individuals and to maintain the public trust, it is important that organizations ensure that personal and personal health information is carefully managed.

Conducting this survey has provided our office with valuable insight about current privacy breach management practices in Manitoba. Organizations can use these findings to more fully develop their plans for managing privacy breaches, should they occur. For Manitoba Ombudsman, the survey responses also highlighted areas where organizations needed further assistance. As a result, we are creating guidance documents that we believe will assist in addressing the identified gaps.

Appendix: Privacy Breach Practices Survey

In June 2016 our office distributed a link to this electronic survey to 238 organizations.

1. Please indicate what type of personal and/or personal health information your public body or trustee (organization) collects, uses, discloses or retains.

Personal information: is any recorded information about an identifiable individual. Examples include a person's name, address, telephone number, a number that can identify them (i.e. case file number, credit card number or social insurance number), and financial information.

Personal health information: means recorded information about an identifiable individual that relates to
(a) the individual's health, or health care history, including genetic information about the individual,
(b) the provision of health care to the individual, or
(c) payment for health care provided to the individual,
and includes
(d) the PHIN and any other identifying number, symbol or particular assigned to an individual, and
(e) any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.

Please check one box.
- Personal Information
- Personal Health Information
- A combination of both

2. Does your organization have a written procedure, policy or guideline in place to manage a privacy breach?

A privacy breach involves improper or unauthorized collection, use, disclosure, retention or disposal of personal and/or personal health information. Such activity is unauthorized if it is not permitted by the Freedom of Information and Protection of Privacy Act (FIPPA) and/or the Personal Health Information Act (PHIA). A privacy breach may occur within an organization or off-site and may be the result of inadvertent errors or malicious actions by employees, third parties, partners in information-sharing agreements or intruders.

- Yes
- No (If you answered no, please proceed to question )

How are the policies/procedures/guidelines communicated to staff? Please check all that apply.
- Memo
- Staff Meeting
- Training During Orientation
- Other, please specify:

3. Does your organization provide training specific to privacy breach management?
- Yes
- No

4. Do you have a specific person designated to be responsible for managing privacy breaches within your organization?
- Yes
- No (If you answered no, please proceed to question )

If so, what is their position?
- Access and Privacy Coordinator
- Access and/or Privacy Officer
- Other, please specify:

5. Does your organization track privacy breaches that occur within your organization?
- Yes
- No (If you answered no, please proceed to question )

Does your organization track privacy breaches centrally for the entire organization? This would include service agencies, programs, etc. that fall under your organization's responsibilities.
- Yes
- No

5.2 What method does your organization use to track privacy breaches?
- Excel document
- Specialized software/database, please specify:
- Other, please specify:

6. Does your organization have service agencies? A service agency is described as an entity established to provide a particular service for an organization under a contract (e.g. a funded agency providing service on behalf of the organization).
- Yes
- No (If you answered no, please proceed to question )

If so, does the service purchase agreement or contract specifically indicate what the agencies' responsibilities are in the event of a privacy breach?
- Yes
- No

6.2 Are the service agencies required to notify your organization of a breach?
- Yes
- No

7. To the best of your knowledge, over the past 3 years, has your organization experienced a privacy breach?
- Yes
- No

What type of privacy breach has your organization encountered? Please check all that apply.

Lost personal and/or personal health information
- File/paper record
- Computer (tablet, laptop, desktop)
- Cell/smart phone
- Flash Drive

Theft
- File/paper record
- Computer (tablet, laptop, desktop)
- Cell/smart phone
- Flash drive

Where did the loss or theft occur?
- Vehicle
- Office
- Public location
- I don't know
- Other, please specify:

7.2 Describe the nature of the privacy breaches that you encountered (e.g. collection, use, disclosure, disposal of personal and/or personal health information).
- Inappropriate collection or over-collection of personal and/or personal health information (e.g. collecting information when not required for the task at hand or collecting information without authority under legislation)
- Inappropriate use of personal and/or personal health information (e.g. employee snooping, or use of information for a different unauthorized purpose)
- Inappropriate disclosure of personal and/or personal health information (e.g. sharing information with others outside your organization without authority under legislation, i.e. posting information to social media)
- Inappropriate disposal of personal and/or personal health information (e.g. electronic data not erased from computers, fax or photocopying machines prior to sale/disposal, dumping paper records in trash or recycling bins)
- Other, please specify:

8. Has your organization ever contacted (called, e-mailed, faxed, etc.) the Manitoba Ombudsman's office regarding a privacy breach? Contacting the ombudsman's office is voluntary and is not required by FIPPA or PHIA.
- Yes
- No

9. Has your organization ever notified the affected individual or the public of a privacy breach?
- Yes
- No (If you answered no, please proceed to question )

If so, what factors were considered when it was decided to notify? Check all that apply.
- Contractual obligations require notification
- Risk of identity theft or fraud
- Risk of physical harm
- Risk of hurt, embarrassment or damage to reputation
- Risk of loss of business or employment opportunities
- The privacy breach was intentional in nature
- Other, please specify:

10. What resources would assist your organization in managing a privacy breach?
- Training specific to managing privacy breaches
- An established reporting structure
- Written policies/procedures/guidelines
- Sample notification letter
- Sample privacy breach management policy
- Other, please specify:


More information

Reducing Cyber Risk in Your Organization

Reducing Cyber Risk in Your Organization Reducing Cyber Risk in Your Organization White Paper 2016 The First Step to Reducing Cyber Risk Understanding Your Cyber Assets With nearly 80,000 cyber security incidents worldwide in 2014 and more than

More information

PRIVACY BREACH! WHAT NEXT?

PRIVACY BREACH! WHAT NEXT? PRIVACY BREACH! WHAT NEXT? A four step plan to help you in the event of a privacy breach or possible breach situation A privacy breach is an incident involving the unauthorized disclosure of personal information

More information

Why you MUST protect your customer data

Why you MUST protect your customer data Why you MUST protect your customer data If you think you re exempt from compliance with customer data security and privacy laws because you re a small business, think again. Businesses of all sizes are

More information

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity Career Connection, Inc. Data Privacy Objectives This course is intended for CCI employees. The course gives guidance on data privacy concepts and describes how data privacy is relevant when delivering

More information

Protection for Persons in Care Act

Protection for Persons in Care Act DEPARTMENT OF COMMUNITY SERVICES Protection for Persons in Care Act Policy Manual 8/16/2013 Table of Contents Terms Used in this Manual Section 1: Introduction and Authority 2 4 Policy 1.1: Authorization

More information

Cloudy With a Chance Of Risk Management

Cloudy With a Chance Of Risk Management Proudly presents Cloudy With a Chance Of Risk Management Toby Merrill, ACE USA John Mullen, Nelson Levine de Luca & Hamilton Shawn Melito, Immersion Ltd. Michael Trendler, ACE INA Canada What is Cloud

More information

Considerations for Outsourcing Records Storage to the Cloud

Considerations for Outsourcing Records Storage to the Cloud Considerations for Outsourcing Records Storage to the Cloud 2 Table of Contents PART I: Identifying the Challenges 1.0 Are we even allowed to move the records? 2.0 Maintaining Legal Control 3.0 From Storage

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

A Year in Review: CIHI s 2013 2014 Annual Privacy Report

A Year in Review: CIHI s 2013 2014 Annual Privacy Report A Year in Review: CIHI s 2013 2014 Annual Privacy Report Our Vision Better data. Better decisions. Healthier Canadians. Our Mandate To lead the development and maintenance of comprehensive and integrated

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

Reproductive Medicine Associates of New Jersey, LLC

Reproductive Medicine Associates of New Jersey, LLC NOTICE OF PRIVACY PRACTICES Effective Date: September 20, 2013 Last Modified: May 12, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

DISASTER RECOVERY INSTITUTE CANADA WEBSITE PRIVACY POLICY (DRIC) UPDATED APRIL 2004

DISASTER RECOVERY INSTITUTE CANADA WEBSITE PRIVACY POLICY (DRIC) UPDATED APRIL 2004 DISASTER RECOVERY INSTITUTE CANADA (DRIC) UPDATED APRIL 2004 This website privacy policy is intended to provide DRIC website visitors with information about how DRIC treats private and personal information

More information

Statement of Guidance: Outsourcing All Regulated Entities

Statement of Guidance: Outsourcing All Regulated Entities Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees HIPAA TRAINING A training course for Shiawassee County Community Mental Health Authority Employees WHAT IS HIPAA? HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act.

More information

DEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER

DEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER Thomas P. DiNapoli COMPTROLLER OFFICE OF THE NEW YORK STATE COMPTROLLER DIVISION OF STATE GOVERNMENT ACCOUNTABILITY Audit Objectives... 2 Audit Results - Summary... 2 Background... 2 Audit Findings...

More information

M&T BANK CANADIAN PRIVACY POLICY

M&T BANK CANADIAN PRIVACY POLICY M&T BANK CANADIAN PRIVACY POLICY At M&T Bank, we are committed to safeguarding your personal information and maintaining your privacy. This has always been a priority for us and this is why M&T Bank (

More information

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK REVISED August 2004 PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK Introduction

More information

Reporting and Investigating Privacy Breaches and Complaints Approval: Original signed by A. Wilgosh. Date: May 2015

Reporting and Investigating Privacy Breaches and Complaints Approval: Original signed by A. Wilgosh. Date: May 2015 REGIONAL Applicable to all WRHA governed sites and facilities (including hospitals and personal care homes), and all funded hospitals and personal care homes. All other funded entities are excluded unless

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Record Keeping. Guide to the Standard for Professional Practice. 2013 College of Physiotherapists of Ontario

Record Keeping. Guide to the Standard for Professional Practice. 2013 College of Physiotherapists of Ontario Record Keeping Guide to the Standard for Professional Practice 2013 College of Physiotherapists of Ontario March 7, 2013 Record Keeping Records tell a patient s story. The record should document for the

More information

Guidance on the Use of Portable Storage Devices 1

Guidance on the Use of Portable Storage Devices 1 Guidance on the Use of Portable Storage Devices Introduction Portable storage devices ( PSDs ) such as USB flash memories or drives, notebook computers or backup tapes provide a convenient means to store

More information

Cultural Human Resources Council (CHRC) Personal Information Protection and Electronic Documents Act (PIPEDA) Privacy Policy

Cultural Human Resources Council (CHRC) Personal Information Protection and Electronic Documents Act (PIPEDA) Privacy Policy Cultural Human Resources Council (CHRC) Personal Information Protection and Electronic Documents Act (PIPEDA) Privacy Policy September 2004 1.0 INTRODUCTION... 3 2.0 CHRC POLICY STATEMENT... 3 3.0 PRIVACY

More information

Violation Become a Privacy Breach? Agenda

Violation Become a Privacy Breach? Agenda How Does a HIPAA Violation Become a Privacy Breach? Karen Voiles, MBA, CHC, CHPC, CHRC Senior Managing Consultant, Compliance Agenda Differentiating between HIPAA violation and reportable breach Best practices

More information