Privacy Breach and Complaint Protocol




Effective: December 31, 2012
Approved by: Leo McKenna, CFO

1.0 General

Privacy breaches and privacy complaints will be handled in accordance with this protocol. This protocol is divided into two parts. It will assist staff and management in their response to:

- Their discovery of a confirmed privacy breach; and
- A complaint about the handling of the information we collect (including an alleged privacy breach).

2.0 Definitions

Personal information, as defined in FOIPOP, is recorded information about an identifiable individual. This includes:

- the individual's name, address or telephone number,
- the individual's race, national or ethnic origin, colour, or religious or political beliefs or associations,
- the individual's age, sex, sexual orientation, marital status or family status,
- an identifying number, symbol or other particular assigned to the individual,
- the individual's fingerprints, blood type or inheritable characteristics,
- information about the individual's health-care history, including a physical or mental disability,
- information about the individual's educational, financial, criminal or employment history,
- anyone else's opinions about the individual, and
- the individual's personal views or opinions, except if they are about someone else.

A privacy breach, for the purposes of this protocol, occurs when personal information is accessed or disclosed by the WCB or a WCB service provider to a person or entity (either accidentally or intentionally) that is not authorized to receive the information. A privacy breach may be discovered by a WCB staff member or an external party.

A privacy complaint means a concern expressed by a WCB employee or an external (non-WCB staff or management member) individual or organization/agency/company about the WCB's handling of the information we have collected to administer the Workers' Compensation Act. A privacy complaint, as part of the investigation, may result in the discovery of a privacy breach.

For the purposes of this policy, the term Manager refers to an employee's immediate superior and includes the position titles Director and Vice President.

3.0 Is it a Privacy Breach?

The WCB is permitted by law to disclose the personal information of injured workers (without their consent) to a person or entity other than the worker under specific circumstances, as we administer the Workers' Compensation Act. In some instances, another law, such as the Income Tax Act, may require that we release personal information. Refer to Authorized Release of Injured Worker Personal Information for an overview of the circumstances under which the WCB can disclose injured worker personal information.

Privacy breaches most commonly occur when personal information about a worker is lost, or disclosed (mistakenly or purposely) outside the requirements of the law. Privacy breaches may be accidental or intentional; they may be a one-time occurrence or due to on-going problems such as a faulty procedure or technical glitches. Refer to Tips for Identifying a Privacy Breach for examples of breaches and tips for identifying a privacy breach.

4.0 Accountability

WCB employees are required to follow this protocol. WCB employees who are involved in the engagement of external agents or contractors by the WCB are accountable for advising these parties that any breach or potential breach of personal information must be immediately reported to the WCB. Managers are responsible for ensuring employee compliance with this protocol.

5.0 Privacy Breach Protocol Steps

The Privacy Breach Protocol is made up of 4 steps:

Step 1. Breach Identification and Retrieval
Step 2. Investigation and Containment
Step 3. Notification - Affected Parties
Step 4. Follow-up and Long-Term Action

Ideally, the Privacy Breach Protocol steps will be followed in sequence (refer to the diagram in Appendix A). However, it is recognized that circumstances/factors may dictate that some be carried out simultaneously or out of sequence. Management is encouraged to consult with the WCB Legal Counsel (FOIPOP Administrator) or their designate for advice/counsel as required when carrying out their responsibilities as described in this document.

Step 1. Identification and Retrieval

The staff member who discovers the potential breach must immediately complete the Initial Breach Report section of the Privacy Breach Report Form, providing as much information as possible about the nature and extent of the breach. When possible, s/he will initiate retrieval of the information (see operational procedure Retrieval of Disclosed Documents). The staff member will forward the partially completed Privacy Breach Report Form to the appropriate manager for investigation.

Generally, the manager of the unit where a breach occurred and/or where a relationship exists with the individual whose privacy was breached will be responsible for investigation. If the incident involves claim information, the manager of the unit where the claim currently resides will typically be responsible for investigation. An exception will be when the claim involved has been profiled to another unit in the time between the breach occurring and discovery (e.g., breach incident occurred in the ISC and the claim has since been assigned to a case worker; breach incident occurred in an IST/WST and the claim has since moved to HEB). If the incident involves assessment-related information that includes injured worker personal information (e.g., Experience Rating Statement, Monthly Advice Notice), the manager of Account Management will typically be responsible for investigation. If the incident involves a WCB employee's claim information, the manager of the unit where the claim is being managed will typically be responsible for investigation. If the incident involves a WCB employee's personal information (non-claim related), the manager of the employee's unit/department will typically be responsible for investigation, with assistance from the Human Resources Department as required. If the staff member who discovers the potential breach does not initially have enough information to determine that a breach occurred AND which department should take responsibility for investigation, the staff member will forward the Privacy Breach Report Form to his/her own manager.

Step 2. Investigation and Containment

The manager is responsible for investigating the breach and documenting it on the Privacy Breach Report Form. In general, the objective of an investigation is to ensure the immediate requirements of containment and retrieval have been completed and to facilitate any immediate and/or longer term remedial or preventative actions. See the Privacy Breach Investigation Guide for guidelines on how to carry out an investigation and the level/depth of investigation that may be appropriate. Managers should direct questions regarding the type of investigation that should be carried out to the WCB Legal Counsel (FOIPOP Administrator) or their designate.

Managers are responsible to make every effort to complete the investigation and forward the Privacy Breach Report Form (Initial Breach Report and Manager's sections completed) to Legal Services within 5 business days of becoming aware that the incident occurred. In some cases, it may be appropriate to inform and/or involve other internal WCB parties in the investigation (e.g., other managers, senior management, Communications, Legal Counsel). If the investigating manager believes that others in the organization may be impacted by the incident, s/he will contact Legal Counsel (FOIPOP Administrator) or their designate as soon as possible for advice on who should be involved/aware of the breach incident and/or contribute to the WCB's response.

Step 3. Notification - Affected Parties

The general rule is that specific individuals impacted by a privacy breach will be notified by the manager of the privacy breach investigation as soon as possible, regardless of the type of personal information disclosed. Impacted individuals will be notified by phone, followed by a letter (see Guidelines for Advising Individuals of a Privacy Breach). If the affected individual is an injured worker, a Contact Sheet can be completed on E-file to record notification call(s), although the information recorded should be minimal and must not make any reference to any other individuals (e.g., recipient(s)).

Ideally, the privacy breach investigation has been completed prior to notification, so the impacted individual can be advised of all actions taken in response to the breach. However, notification may occur sooner if it is determined the potential harm of the breach to the individual may be avoided or mitigated by the individual knowing of the breach as soon as possible. In rare instances, it may be appropriate to consider alternative approaches to notification of impacted individuals (see Guidelines for Advising Individuals of a Privacy Breach). If the investigating manager believes that direct notification may not be appropriate given the circumstances of a specific incident, s/he will consult with Legal Counsel (FOIPOP Administrator) or their designate as soon as possible for advice on how to proceed with notification efforts.

Step 4. Follow-up and Long-Term Action

Follow-up

The manager will implement remedial actions (or seek approval to implement if required) identified as a result of the investigation in an effort to prevent further privacy breaches. WCB Legal Counsel (FOIPOP Administrator) or their designate will:

- verify that all steps in the protocol have been carried out;
- review the Privacy Breach Report Form to determine if the Privacy Breach Protocol has been followed.

If deficiencies are identified, WCB Legal Counsel (FOIPOP Administrator) or their designate will contact the manager to discuss the deficiencies with a view to improved future reporting and management of privacy breaches. The WCB Legal Counsel (FOIPOP Administrator) or their designate will, using the Privacy Breach Incident Risk Assessment Tool, assign a risk level to the privacy breach incident for tracking and reporting purposes.

Long-Term Action

WCB Legal Counsel (FOIPOP Administrator) or their designate will, on a quarterly basis, compile the information contained in Privacy Breach Report Forms and provide a Privacy Breach Trend Report to the Privacy Advisory Committee (PAC). The report will include charts and trend analysis of breach volumes by various dimensions (e.g., department, risk level, root cause). The report may also include:

- Observations and details of specific incidents in order to provide context to the statistics;
- Information and/or trend analysis around privacy complaints (see Section 6.0 below).

The Privacy Advisory Committee will review the report with the intent of identifying trends and root causes that will ultimately help prevent future breaches and improve organizational privacy practices. The Committee will develop advice or suggestions for further, longer-term organizational actions based on findings and observations supported by the Privacy Breach Trend Report and submit them to senior management for consideration and/or prioritization.

6.0 Privacy Complaint Process

WCB employees may receive a call or letter from a citizen or another WCB employee:

- complaining of an alleged breach of that person's personal information;
- complaining that they have received someone else's personal information in error;
- expressing a general concern about the WCB's handling of the information we collect.

This is a privacy complaint. It may be determined, upon initial or more in-depth review, that a privacy breach has occurred. In these instances, the WCB Privacy Breach Protocol (above) will be used.

Step 1. Receive and Document the Complaint

When a complaint is received by telephone or in person, discuss the details of the complaint with the complainant and document what the complainant believes has happened. When a complaint is received by e-mail or letter, or once the details provided to you in person or by phone have been documented, forward the complaint to your manager. If the complaint is an injured worker complaining they have received the personal information of another injured worker, use the Privacy Breach Protocol (above) and discontinue use of the Privacy Complaint Process.

NOTE: Documentation of privacy complaints must NOT be added to a claim file (i.e., on E-file). This will help to prevent any misperception that claim adjudication may be affected by initiating a complaint.

Step 2. WCB Response Coordination

The manager will report the complaint to the WCB Legal Counsel (FOIPOP Administrator) or their designate. Complaints received by the Client Relations Officer may be sent directly to the WCB Legal Counsel (FOIPOP Administrator) or their designate, instead of first going to a manager. WCB Legal Counsel (FOIPOP Administrator) or their designate will be responsible for the WCB's response and decide who within the WCB should be notified.

Step 3. Investigation and Communication with the Complainant

The WCB Legal Counsel (FOIPOP Administrator) or their designate will:

- Send written acknowledgement to the complainant, restating the details presented by the complainant.
- Contact the complainant as soon as possible, but no later than 30 days of receiving the complaint, and advise them:
  - They may need to contact the complainant for more information as the investigation progresses, or discuss the complaint with others in the WCB to fully understand the complaint.
  - They may also need to get in touch with other people to fully understand the complaint, and this could require the mention of the complainant's name and some of the details of their personal information as part of the investigation.
  - If the privacy complaint is about the conduct of one or more WCB employees, the matter will be discussed with the staff member(s) during the investigation.
- If necessary, send a written update on the progress of the investigation (stage of investigation, follow-up activities, expected or updated time-frames, etc.). This will be done after no more than two months have elapsed since the initial acknowledgement of the complaint.
- Produce an investigation report. The report will, at a minimum, include:
  - A summary of the initial complaint.
  - The outcome of the complaint (substantiated/not substantiated).
  - Documentation of the investigative process and findings.
  - Mitigating activities.
  - Other follow-up activities.
- Communicate a summary of the final results of the investigation to the complainant.
- Advise the complainant that they may contact the WCB's Client Relations Officer if they are not satisfied with the WCB's investigation. The Client Relations Officer is required to follow Policy 10.3.1R Quality of Service Delivery and will review the WCB's investigation of the privacy complaint to determine if the WCB followed appropriate processes in handling the complaint. The Client Relations Officer will contact the complainant with the results of their review.
- Advise the complainant that if they are not satisfied with the Client Relations Officer's review of their complaint, they may make a complaint to the Nova Scotia Privacy Review Officer.

APPENDIX A - WCB Privacy Breach Management Process

(The original is a flowchart; its boxes and decision points are listed here in sequence.)

1. Potential breach is identified (e.g., phone call, self-identified, misdirected fax). Complete the Initial Section of the Privacy Breach Report Form.
2. Known breach? If YES: initiate retrieval (templated email to PPS per the Retrieval of Disclosed Documents procedure).
3. Enough info initially available to determine that a breach occurred AND which WCB department should investigate and manage the breach?
   - UNCONFIRMED: forward the Privacy Breach Report Form to YOUR Manager.
   - YES: forward the Privacy Breach Report Form to the appropriate Manager. The Manager may forward the Form and initial findings to another Manager if more appropriate.
4. Manager initiates investigation. Did a breach occur?
   - NO: follow-up/share learnings (employee who identified the potential breach, other employees).
   - YES: initiate retrieval (templated email to PPS per the Retrieval of Disclosed Documents procedure). The Manager completes the investigation (per the Investigation Guide), notifies the injured worker (per Guidelines for Advising Injured Workers of a Privacy Breach) and completes the Privacy Breach Report Form. The Manager prepares additional documentation when warranted (e.g., unusual circumstances, additional factors influencing the breach/outcome). If the investigation is delayed (e.g., awaiting document retrieval), the Manager may submit a partial report OR provide notification of the circumstances to the Privacy Coordinator.
5. Manager submits documentation to the Privacy Coordinator.
6. Manager completes follow-up activities where applicable. These may include preventative initiatives, follow-up with staff, and sharing of circumstances/learnings/outcomes with the team.