Process for Responding to Privacy Breaches

Transcription

1 Prcess fr Respnding t Privacy Breaches 1. Purpse 1.1 This dcument sets ut the steps that ministries must fllw when respnding t a privacy breach. It must be read in cnjunctin with the Infrmatin Incident Management Prcess, which says: 1. The Gvernment Chief Infrmatin Officer is respnsible fr the crdinatin, investigatin, and reslutin f infrmatin incidents. 2. All actual r suspected infrmatin incidents must be reprted immediately t yur supervisr and t the Gvernment Chief Infrmatin Officer, using the Infrmatin Incident Management Prcess. 3. The Gvernment Chief Infrmatin Officer is slely respnsible fr liaising with the Office f the Infrmatin and Privacy Cmmissiner regarding an actual r suspected privacy breach. If there is incnsistency between the Infrmatin Incident Management Prcess and this dcument, the Infrmatin Incident Management Prcess prevails. 2. What is a Privacy Breach and What is an Infrmatin Incident? 2.1 A privacy breach is a cllectin, use, disclsure, access, dispsal, r strage f persnal infrmatin, whether accidental r deliberate, that is nt authrized by the Freedm f Infrmatin and Prtectin f Privacy Act. A privacy breach is a type f infrmatin incident. Infrmatin incidents ccur when unwanted r unexpected events that threaten privacy r infrmatin security. They can be accidental r deliberate and include the theft, lss, alteratin r destructin f infrmatin. Other definitins can be fund in the Infrmatin Incident Management Prcess. 3. Prcess 3.1 All knwn r suspected privacy breaches require immediate remedial actin, n matter the sensitivity f the persnal infrmatin. Given the varied nature f privacy breaches, n ne-size-fits-all respnse is pssible, and actins are prprtinal and apprpriate t each privacy breach. 3.2 The fllwing steps are used t address privacy breaches. As the circumstances fr each privacy breach vary, these steps might ccur cncurrently r in quick successin; they d nt necessarily need t fllw the rder given belw: A. Reprt Immediately Emplyees, service prviders r thers must reprt suspected r actual privacy breaches immediately t their supervisr. The supervisr and/r emplyee, r ther persn als reprts immediately t the Office f the Gvernment Chief Infrmatin Officer (OCIO)by:

2 Calling the Shared Services BC Service Desk at r tll-free at (available 24 hurs a day); and Selecting Optin 3 and requesting an Infrmatin Incident Investigatin. Service prviders must reprt t their Gvernment cntract manager, wh in turn must reprt t the Office f the Gvernment Chief Infrmatin Officer as abve. In all cases, the persn wh identifies a breach must make the call themselves if they are nt able t reach a supervisr r ther designated individual immediately. This will invke the Infrmatin Incident Management Prcess. Privacy breaches must als be reprted t the Ministry Chief Infrmatin Officer. B. Cntain the Privacy Breach Emplyees, business wners (including supervisrs and service prviders) r thers shuld take immediate actin t cntain the privacy breach and t limit its impact. Apprpriate actins will depend n the nature f the breach and may include: Islating r suspending the activity that led t the privacy breach; Crrecting all weaknesses in physical security; Taking immediate steps t recver the persnal infrmatin, recrds r equipment frm all surces, where pssible; Determining if any cpies have been made f persnal infrmatin that was breached, and recvering where pssible. Nte: Where the privacy breach invlves infrmatin technlgy, the directin f the Investigatins Unit must be sught befre taking any cntainment steps. C. Assess the Extent and Impact f the Privacy Breach As part f the Infrmatin Incident Management Prcess, business wners (including supervisrs and service prviders) r thers will wrk with the OCIO Investigatins Unit, Incident Respnse Lead, r thers t determine the: (i) Persnal Infrmatin Invlved What persnal infrmatin has been breached? Is the persnal infrmatin sensitive? Examples are health infrmatin, scial wrker case histries, scial insurance numbers, financial infrmatin r infrmatin that can be used fr identity theft. A cmbinatin f persnal infrmatin is typically mre sensitive than a single piece f persnal infrmatin. (ii) Cause and Extent f the Breach What was the cause f the breach? What prgrams and systems are invlved? Is the persnal infrmatin encrypted r therwise nt readily accessible? Has the persnal infrmatin been recvered? What steps have already been taken t minimize the harm? Is this a ne-time ccurrence r an nging prblem?

3 (iii) Individuals Affected by the Breach Wh is affected by the breach? Fr example, emplyees, public, cntractrs, clients, service prviders, ther rganizatins. Hw many individuals are, r are estimated t be, affected by the breach? (iv) Freseeable Harm frm the Breach What pssible use is there fr the persnal infrmatin? Can the infrmatin be used fr explitatin, fraud r ther harmful purpses? Wh is in receipt f the persnal infrmatin? Fr example, a stranger wh accidentally receives persnal infrmatin and vluntarily reprts the mistake is less likely t misuse the infrmatin than an individual suspected f criminal activity. Is there a relatinship between the unauthrized recipient(s) and the data subject(s)? A clse relatinship between the tw might affect the likelihd f harm. Is there a risk f significant harm t the individual as a result f the breach? Fr example: security risk (e.g., physical safety) identity theft r fraud access t assets r financial lss lss f business r emplyment pprtunities breach f cntractual bligatins hurt, humiliatin, embarrassment, damage t reputatin r relatinships Is there a risk f significant harm t the public bdy r rganizatin as a result f the breach? Fr example: lss f public trust in the public bdy lss f assets financial expsure lss f cntracts r business risk t public health risk t public safety D. Dcument the Privacy Breach and Crrective Actin Taken As part f the Infrmatin Incident Management Prcess, business wners (including supervisrs and service prviders) r thers will wrk with the OCIO Investigatins Unit, Incident Respnse Lead, r thers t: 1) ensure that evidence f the privacy breach is preserved; and 2) dcument the privacy breach in detail, including: what happened and when; hw and when the privacy breach was discvered; the persnal infrmatin invlved and scpe f the breach; wh was invlved, if knwn; individuals interviewed abut the breach; whether privacy the breach has been cntained and any lst persnal infrmatin retrieved; wh has been ntified; the crrective actin taken, including any steps t assist affected individuals in mitigating harm (fr example, prviding credit watch services if apprpriate); and recmmendatins, including crrective actin that still needs t be taken.

4 E. Cnsider Ntifying Affected Individuals The impact f privacy breaches must be reviewed t determine if it is apprpriate t ntify individuals whse persnal infrmatin has been affected by the breach. As part f the Infrmatin Incident Management Prcess, the Incident Respnse Lead will wrk with the affected ministry s the ministry can ntify affected parties and take ther required actins, as apprpriate. (i) Ntifying affected individuals The key cnsideratin in deciding whether t ntify an affected individual is whether it is necessary t avid r mitigate harm t an individual, such as: A risk f identity theft r fraud (usually because f the type f infrmatin that has been cmprmised such as SIN, banking infrmatin, identificatin numbers); A risk f physical harm (fr example, if the cmprmised infrmatin puts an individual at risk f stalking r harassment); A risk f hurt, humiliatin r damage t reputatin (fr example, when the cmprmised infrmatin includes medical r disciplinary recrds, criminal histries r family case files); r A risk t business r emplyment pprtunities. Other cnsideratins in determining whether t ntify individuals include: Legislative requirements fr ntificatin; Cntractual bligatins requiring ntificatin; A risk f lss f cnfidence in the public bdy and/r gd custmer/client relatins dictates that ntificatin is apprpriate. (ii) When and hw t ntify If it is determined that ntificatin f individuals is apprpriate: When: Ntificatin shuld ccur as sn as pssible fllwing the breach. (Hwever, if law enfrcement authrities have been cntacted, it may be apprpriate t wrk with thse authrities in rder nt t impede their investigatin.) Hw: Affected individuals shuld be ntified directly by phne, , letter r in persn whenever pssible. Indirect ntificatin using general, nn-persnal infrmatin shuld generally nly ccur when direct ntificatin culd cause further harm, is prhibitive in cst, r cntact infrmatin is lacking. Using multiple methds f ntificatin website publicatin, psted ntices, media in certain cases may be the mst effective apprach. (iii) What shuld be Included in the ntificatin Ntificatins shuld include the fllwing infrmatin, as apprpriate: Date f the breach. Descriptin f the breach (extent). Descriptin f the infrmatin cmprmised. Risk(s) t individual caused by the breach. Steps taken t mitigate the breach and any harms. Next steps planned and any lng-term plans t prevent future breaches. Steps the individual can take t further mitigate the harm, r steps the public bdy has taken t assist the individual in mitigating harm. Fr example, hw t cntact credit reprting agencies t set up a credit watch, r infrmatin explaining hw t change a persnal health number r driver s licence.

5 Cntact infrmatin f an individual within the public bdy r rganizatin wh can answer questins r prvide further infrmatin. The right t cmplain t the Office f the Infrmatin and Privacy Cmmissiner and the necessary cntact infrmatin. If the public bdy has already cntacted the Cmmissiner s ffice, include this detail in the ntificatin letter. Ntificatins shuld nt include the fllwing infrmatin: Persnal infrmatin abut thers r any infrmatin that culd result in a further privacy breach. Infrmatin that culd be used t circumvent security measures. Infrmatin that culd prmpt a misuse f the stlen infrmatin (fr example, if hardware was stlen fr simple 'wiping and resale', but the breach ntificatin prmpts smene t realize that persnal infrmatin is n the hardware and culd be f sme value if accessed). F. Infrm Other Parties as Apprpriate As part f the Infrmatin Incident Management Prcess, the Incident Respnse Lead will wrk with the affected ministry s the ministry can ntify affected parties and take ther required actins, as apprpriate. Affected parties may include, fr example: insurers, prfessinal r ther regulatry bdies, third-party cntractrs, internal business units, r unins. The Gvernment Chief Infrmatin Officer is slely respnsible fr liaising with the Office f the Infrmatin and Privacy Cmmissiner regarding an actual r suspected privacy breach. The fllwing factrs are relevant in determining whether t reprt a privacy breach t the Office f the Infrmatin and Privacy Cmmissiner: The sensitivity f the persnal infrmatin Whether the breached infrmatin culd result in identity theft r ther harm, including pain and suffering r lss f reputatin A large number f peple are affected by the breach The infrmatin has nt been fully recvered The breach is the result f a systemic prblem r a similar breach has ccurred befre G. Prevent Future Privacy Breaches Business wners (including supervisrs and service prviders) r thers will wrk with the OCIO Investigatins Unit, Incident Respnse Lead, r thers t investigate and manage the privacy breach. Gvernment, the ministry, r the ministry business wner will, as applicable, implement recmmendatins in accrdance with the Infrmatin Incident Management Prcess.