Privacy Breach and Complaint Protocol

Transcription

1 Privacy Breach and Cmplaint Prtcl Effective: December 31, 2012 Apprved by: Le McKenna, CFO 1.0 General Privacy breaches and privacy cmplaints will be handled in accrdance with this prtcl. This prtcl is divided int tw parts. It will assist staff and management in their respnse t: Their discvery f a cnfirmed privacy breach; and A cmplaint abut the handling f the infrmatin we cllect (including an alleged privacy breach). 2.0 Definitins Persnal infrmatin, as defined in FOIPOP, is recrded infrmatin abut an identifiable individual. This includes: the individual's name, address r telephne number, the individual's race, natinal r ethnic rigin, clur, r religius r plitical beliefs r assciatins, the individual's age, sex, sexual rientatin, marital status r family status, an identifying number, symbl r ther particular assigned t the individual, the individual's fingerprints, bld type r inheritable characteristics, infrmatin abut the individual's health-care histry, including a physical r mental disability, infrmatin abut the individual's educatinal, financial, criminal r emplyment histry, anyne else's pinins abut the individual, and the individual's persnal views r pinins, except if they are abut smene else. A privacy breach, fr the purpses f this prtcl, ccurs when persnal infrmatin is accessed r disclsed by the WCB r a WCB service prvider t a persn r entity (either accidentally r intentinally) that is nt authrized t receive the infrmatin. A privacy breach may be discvered by a WCB staff member r an external party. A privacy cmplaint means a cncern expressed by a WCB emplyee r an external (nn- WCB staff r management member) individual r rganizatin/agency/cmpany abut the WCB s handling f the infrmatin we have cllected t administer the Wrkers Cmpensatin Act. A privacy cmplaint, as part f the investigatin, may result in the discvery f a privacy breach. Fr the purpses f this plicy, the term refers t an emplyee s immediate superir and includes the psitin titles, Directr and Vice President. 1

2 3.0 Is it a Privacy Breach? The WCB is permitted by law t disclse the persnal infrmatin f injured wrkers (withut their cnsent) t a persn r entity ther than the wrker under specific circumstances, as we administer the Wrkers Cmpensatin Act. In sme instances, anther law, such as the Incme Tax Act, may require that we release persnal infrmatin. Refer t Authrized Release f Injured Wrker Persnal Infrmatin fr an verview f the circumstances under which the WCB can disclse injured wrker persnal infrmatin. Privacy breaches mst cmmnly ccur when persnal infrmatin abut a wrker is lst, r disclsed (mistakenly r purpsely) utside the requirements f the law. Privacy breaches may be accidental r intentinal; they may be a ne-time ccurrence r due t n-ging prblems such as a faulty prcedure r technical glitches. Refer t Tips fr Identifying a Privacy Breach fr examples f breaches and tips fr identifying a privacy breach. 4.0 Accuntability WCB emplyees are required t fllw this prtcl. WCB emplyees wh are invlved in the engagement f external agents r cntractrs by the WCB are accuntable fr advising these parties that any breach r ptential breach f persnal infrmatin must be immediately reprted t the WCB. s are respnsible fr ensuring emplyee cmpliance with this prtcl. 5.0 Privacy Breach Prtcl Steps The Privacy Breach Prtcl is made up f 4 steps: Step 1. Breach Identificatin and Retrieval Step 2. Investigatin and Cntainment Step 3. Ntificatin Affected Parties Step 4. Fllw-up and Lng-Term Actin Ideally, the Privacy Breach Prtcl steps will be fllwed in sequence (refer t diagram in Appendix A). Hwever, it is recgnized that circumstances/factrs may dictate that sme be carried ut simultaneusly r ut f sequence. Management is encuraged t cnsult with the WCB Legal Cunsel (FOIPOP Administratr) r their designate fr advice/cunsel as required when carrying ut their respnsibilities as described in this dcument. Step 1. Identificatin and Retrieval The staff member wh discvers the ptential breach must immediately cmplete the Initial Breach Reprt sectin f the Privacy Breach Reprt Frm, prviding as much infrmatin as pssible abut the nature and extent f the breach. When pssible, s/he will initiate retrieval f the infrmatin (see peratinal prcedure Retrieval f Disclsed Dcuments). The staff member will frward the partially cmpleted Privacy Breach Reprt Frm t the apprpriate manager fr investigatin. Generally, the manager f the unit where a breach ccurred and/r where a relatinship exists with the individual whse privacy was breached, will be respnsible fr investigatin. If the incident invlves claim infrmatin, the manager f the unit where the claim currently resides will typically be respnsible fr investigatin. An exceptin will 2

3 be when the claim invlved has been prfiled t anther unit in the time between the breach ccurring and discvery (e.g., breach incident ccurred in the ISC and the claim has since been assigned t a case wrker; breach incident ccurred in an IST/WST and the claim has since mved t HEB). If the incident invlves assessment-related infrmatin that includes injured wrker persnal infrmatin (e.g., Experience Rating Statement, Mnthly Advice Ntice), the manager f Accunt Management will typically be respnsible fr investigatin. If the incident invlves a WCB emplyee s claim infrmatin, the manager f the unit where the claim is being managed will typically be respnsible fr investigatin. If the incident invlves a WCB emplyee s persnal infrmatin (nn-claim related), the manager f the emplyee s unit/department will typically be respnsible fr investigatin, with assistance frm the Human Resurces Department as required. If the staff member wh discvers the ptential breach des nt initially have enugh infrmatin t determine that a breach ccurred AND which department shuld take respnsibility fr investigatin, the staff member will frward the Privacy Breach Reprt Frm t his/her wn manager. Step 2. Investigatin and Cntainment The manager is respnsible fr investigating the breach and dcumenting it n the Privacy Breach Reprt Frm. In general, the bjective f an investigatin is t ensure the immediate requirements f cntainment and retrieval have been cmpleted and t facilitate any immediate and/r lnger term remedial r preventative actins. See the Privacy Breach Investigatin Guide fr guidelines n hw t carry ut an investigatin and the level/depth f investigatin that may be apprpriate. s shuld direct questins regarding the type f investigatin that shuld be carried ut t the WCB Legal Cunsel (FOIPOP Administratr) r their designate. s are respnsible t make every effrt t cmplete the investigatin and frward the Privacy Breach Reprt Frm (Initial Breach Reprt and s sectins cmpleted) t Legal Services within 5 business days f becming aware that the incident ccurred. In sme cases, it may be apprpriate t infrm and/r invlve ther internal WCB parties in the investigatin (e.g., ther managers, senir management, Cmmunicatins, Legal Cunsel). If the investigating manager believes that thers in the rganizatin may be impacted by the incident, s/he will cntact Legal Cunsel (FOIPOP Administratr) r their designate as sn as pssible fr advice n wh shuld be invlved/aware f the breach incident and/r cntribute t WCB s respnse. Step 3. Ntificatin - Affected Parties The general rule is that specific individuals impacted by a privacy breach will be ntified by the manager f the privacy breach investigatin as sn as pssible, regardless f the type f persnal infrmatin disclsed. Impacted individuals will be ntified by phne, fllwed by a letter (see Guidelines fr Advising Individuals f a Privacy Breach). If the affected individual is an injured wrker, a Cntact Sheet can be cmpleted n E-file t recrd ntificatin call(s) althugh the 3

4 infrmatin recrded shuld be minimal and must nt make any reference t any ther individuals (e.g., recipient(s)). Ideally, the privacy breach investigatin has been cmpleted prir t ntificatin, s the impacted individual can be advised f all actins taken in respnse t the breach. Hwever, ntificatin may ccur sner if it is determined the ptential harm f the breach t the individual may be avided r mitigated by the individual knwing f the breach as sn as pssible. In rare instances, it may be apprpriate t cnsider alternative appraches t ntificatin f impacted individuals (see Guidelines fr Advising Individuals f a Privacy Breach). If the investigating manager believes that direct ntificatin may nt be apprpriate given the circumstances f a specific incident, s/he will cnsult with Legal Cunsel (FOIPOP Administratr) r their designate as sn as pssible fr advice n hw t prceed with ntificatin effrts. Step 4. Fllw-up and Lng-Term Actin Fllw-up The manager will implement remedial actins (r seek apprval t implement if required) identified as a result f the investigatin in an effrt t prevent further privacy breaches. WCB Legal Cunsel (FOIPOP Administratr) r their designate will verify that all steps in the prtcl have been carried ut. review the Privacy Breach Reprt Frm t determine if the Privacy Breach Prtcl has been fllwed. If deficiencies are identified, WCB Legal Cunsel (FOIPOP Administratr) r their designate will cntact the manager t discuss the deficiencies with a view t imprved future reprting and management f privacy breaches. The WCB Legal Cunsel (FOIPOP Administratr) r their designate will, using the Privacy Breach Incident Risk Assessment Tl, assign a risk level t the privacy breach incident fr tracking and reprting purpses. Lng-Term Actin WCB Legal Cunsel (FOIPOP Administratr) r their designate will, n a Quarterly basis, cmpile the infrmatin cntained in Privacy Breach Reprt Frms and prvide a Privacy Breach Trend Reprt t the Privacy Advisry Cmmittee (PAC). The reprt will include charts and trend analysis f breach vlumes by varius dimensins (e.g., department, risk level, rt cause). The reprt may als include: Observatins and details f specific incidents in rder t prvide cntext t the statistics; Infrmatin and/r trend analysis arund privacy cmplaints (see Sectin 6.0 belw). The Privacy Advisry Cmmittee will review the reprt with the intent f identifying trends and rt causes that will ultimately help prevent future breaches and imprve rganizatinal privacy practices. The Cmmittee will develp advice r suggestins fr further, lnger-term rganizatinal actins based n findings and bservatins supprted by the Privacy Breach Trend Reprt and submit t senir management fr cnsideratin and/r priritizatin. 4

5 6.0 Privacy Cmplaint Prcess WCB emplyees may receive a call r letter frm a citizen r anther WCB emplyee: cmplaining f an alleged breach f that persn s persnal infrmatin; cmplaining that they have received smene else s persnal infrmatin in errr; expressing a general cncern abut the WCB s handling f the infrmatin we cllect. This is a privacy cmplaint. It may be determined, upn initial r mre in-depth review, a privacy breach has ccurred. In these instances, the WCB Privacy Breach Prtcl (abve) will be used. Step 1. Receive and Dcument the Cmplaint When a cmplaint is received by telephne r in persn, discuss the details f the cmplaint with the cmplainant and dcument what the cmplainant believes has happened. When a cmplaint is received by r letter, r nce the details prvided t yu in persn r by phne have been dcumented, frward the cmplaint t yur manager. If the cmplaint is an injured wrker cmplaining they have received the persnal infrmatin f anther injured wrker, use the Privacy Breach Prtcl (abve) and discntinue use f the Privacy Cmplaint Prcess. NOTE: Dcumentatin f privacy cmplaints must NOT be added t a claim file (i.e., n E-file). This will help t prevent any misperceptin that claim adjudicatin may be affected by initiating a cmplaint. Step 2. WCB Respnse Crdinatin The manager will reprt the cmplaint t the WCB Legal Cunsel (FOIPOP Administratr) r their designate. Cmplaints received by the Client Relatins Officer may be sent directly t the WCB Legal Cunsel (FOIPOP Administratr) r their designate, instead f first ging t a manager. WCB Legal Cunsel (FOIPOP Administratr) r their designate will be respnsible fr the WCB s respnse and decide wh within the WCB shuld be ntified. Step 3. Investigatin and Cmmunicatin with the Cmplainant The WCB Legal Cunsel (FOIPOP Administratr) r their designate will: Send written acknwledgement t the cmplainant, restating the details presented by the cmplainant. Cntact the cmplainant as sn as pssible, but n later than 30 days f receiving the cmplaint, and advise them: They may need t cntact the cmplainant fr mre infrmatin as the investigatin prgresses discuss the cmplaint with ther in the WCB t fully understand the cmplaint. They may als need t get in tuch with ther peple t fully understand the cmplaint and this culd require the mentin f the cmplainants name and sme f the details f their persnal infrmatin as part f the investigatin. 5

6 If the privacy cmplaint is abut the cnduct f ne r mre WCB emplyees, the matter will be discussed with the staff members(s) during the investigatin. If necessary, send a written update f prgress f the investigatin (stage f investigatin, fllw-up activities, expected r updated time-frames etc.). This will be dne after n mre than tw mnths has elapsed since the initial acknwledgement f the cmplaint. Prduce an investigatin reprt. The reprt will, at a minimum, include: A summary f the initial cmplaint. The utcme f the cmplaint (substantiated/nt substantiated). Dcumentatin f the investigative prcess and findings. Mitigating activities. Other fllw-up activities. Cmmunicate a summary f the final results f the investigatin t the cmplainant. Advise the cmplainant that they may cntact the WCB s Client Relatins Officer if they are nt satisfied with the WCB s investigatin. The Client Relatins Officer is required t fllw Plicy R Quality f Service Delivery and will review the WCB s investigatin f the privacy cmplaint t determine if the WCB fllwed apprpriate prcesses in handling the cmplaint. The Client Relatins Officer will cntact the cmplainant with the results f their review. Advise the cmplainant that if they are nt satisfied with the Client Relatins Officer s review f their cmplaint, they may make a cmplaint t the Nva Sctia Privacy Review Officer. 6

7 APPENDIX A - WCB Privacy Breach Management Prcess e.g., Phne call, self-identified, misdirected fax Initiate Retrieval (templated t PPS per Retrieval f Disclsed Dc prcedure) YES Ptential Breach is Identified Cmplete Initial Sectin f Privacy Breach Reprt Frm Knwn Breach? Enugh inf initially available t determine that a breach ccurred AND which WCB dept shuld investigate & manage breach UNCONFIRMED Frward Privacy Breach Reprt Frm t YOUR Frward Privacy Breach Reprt Frm t apprpriate may frward Frm and initial findings t anther if mre apprpriate Initiate Retrieval (templated t PPS per Retrieval f Disclsed Dc prcedure) YES Initiates Investigatin Did a Breach Occur? NO Fllw-up/share learnings (Emplyee wh identified ptential breach, ther emplyees) Cmpletes Investigatin (per Investigatin Guide) Ntifies Injured Wrker (per Guidelines fr Advising Injured Wrkers f a Privacy Breach) Cmpletes Privacy Breach Reprt Frm prepares additinal dcumentatin when warranted (e.g., unusual circumstances, additinal factrs influencing breach/ utcme) If investigatin is delayed (e.g., awaiting dcument retrieval) may submit partial reprt OR prvide ntificatin f circumstances t Privacy Crdinatr submits dcumentatin t Privacy Crdinatr cmpletes fllwup activities where applicable May include preventative initiatives, fllw-up with staff, sharing f circumstances/learnings/utcmes with team