Privacy Breach Protocol



Similar documents
What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Information and Privacy Commissioner of Ontario. Guidelines for Using Video Surveillance Cameras in Schools

Brian Beamish. Commissioner (Acting) Ontario Information and Privacy Commission. Cyber Risk National Conference February 9, 2015

State of Illinois Department of Central Management Services ACTION PLAN FOR NOTIFICATION OF A SECURITY BREACH

Guidelines on Facsimile Transmission Security

A Guide to Ontario Legislation Covering the Release of Students

Information and Privacy Commissioner of Ontario. Guidelines for the Use of Video Surveillance Cameras in Public Places

Moving Information: Privacy & Security Guidelines

Identity Theft. A Crime of Opportunity.

FIPPA and MFIPPA: Bill 8 The Recordkeeping Amendments

PRIVACY BREACH POLICY

Personal Health Information Privacy Policy

Procedure for Managing a Privacy Breach

Ann Cavoukian, Ph.D.

This procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice

A Guide. Personal Health Information Protection Act. to the. December Ann Cavoukian, Ph.D Commissioner

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK

MASSACHUSETTS IDENTITY THEFT RANKING BY STATE: Rank 23, 66.5 Complaints Per 100,000 Population, 4292 Complaints (2006) Updated January 17, 2009

Privacy Incident and Breach Management Policy

Helpful Tips. Privacy Breach Guidelines. September 2010

Information and Privacy Commissioner of Ontario. Caller ID Guidelines

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia (404) (404)

SAFEGUARDING PRIVACY IN A MOBILE WORKPLACE

Protection of Privacy

Accountable Privacy Management in BC s Public Sector

Best Practices for Protecting Individual Privacy in Conducting Survey Research (Full Version)

Mohawk DI-r: Privacy Breach Management Procedure Version 2.0. April 2011

Protecting. Personal Information A Business Guide. Division of Finance and Corporate Securities

EHR Contributor Agreement

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Privacy Investigation: The Toronto Police Service s use of Mobile Licence Plate Recognition Technology to find stolen vehicles

Data Protection Policy

PRIVACY BREACH MANAGEMENT POLICY

Identity theft. A fraud committed or attempted using the identifying information of another person without authority.

DATA PROTECTION AND DATA STORAGE POLICY

Privacy and Security Incident Management Protocol

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

How To Ensure Health Information Is Protected

Village of Brockport Identity Theft Prevention Program Effective December 1, 2009 Confirmed 7/21/14

Privacy and Information Protection Bulletin

5.00 Employee in relation to the university, includes a volunteer and a service provider.

Reclaiming your identity

Oklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention

Posting Information on Websites: Best Practices for Schools and School Boards

Activate ProtectMyID Now in Three Easy Steps. If you have questions or need an alternative to enrolling online, please call

DOYLESTOWN FAMILY MEDICINE, P.C. IDENTITY THEFT PREVENTION PROGRAM TEMPLATE ADOPTED AND EFFECTIVE: APRIL 15, 2009 UPDATED:

We ask that you contact our Privacy Officer in the event you have any questions or concerns regarding this Code or its implementation.

Data Security Breach Notice Letter

What is involved if you are asked to provide a Police Background Check?

Responding to New Identity Theft Laws

PERSONAL HEALTH INFORMATION PROTECTION ACT, 2004: AN OVERVIEW FOR HEALTH INFORMATION CUSTODIANS

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Information Security Classification

[FACILITY NAME] IDENTITY THEFT PREVENTION PROGRAM. Effective May 1, 2009

Travis County Water Control & Improvement District No. 17. Identity Theft Prevention Program. Effective beginning November 20, 2008

Privacy Law in Canada

II. F. Identity Theft Prevention

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper

CITY OF MARQUETTE, MICHIGAN CITY COMMISSION POLICY

University of Alaska. Identity Theft Prevention Program

Best Practices for Institutions in Mediating Appeals

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

Transcription:

& Privacy Breach Protocol Guidelines for Government Organizations www.ipc.on.ca

Table of Contents What is a privacy breach? 1 Guidelines on what government organizations should do 2 What happens when the IPC investigates a privacy complaint? 3 What steps can you take to avoid a privacy breach? 4 IPC website 5

Privacy Breach Protocol Guidelines for Government Organizations What is a privacy breach? The Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act (the Acts) establish rules for government institutions to follow to ensure the protection of individual privacy. The Acts govern the collection, retention, use, disclosure and security of personal information (sections 37 46 of the provincial Act and 27 35 of the municipal Act). A privacy breach occurs when personal information is collected, retained, used or disclosed in ways that are not in accordance with the provisions of the Acts. Among the most common breaches of personal privacy is the unauthorized disclosure of personal information, contrary to section 42 of the provincial Act or section 32 of the municipal Act. For example, personal information may be lost (a file is misplaced within an institution), stolen (laptop computers are a prime example) or inadvertently disclosed through human error (a letter addressed to person A is actually mailed to person B). If an individual believes that a provincial or municipal government institution has failed to comply with one or more of the privacy protection provisions of the Acts, and that his or her privacy has been compromised as a result, the individual can file a complaint with the Information and Privacy Commissioner of Ontario (IPC). As well, upon learning of a possible privacy breach, the IPC may itself initiate a complaint in the absence of an individual complainant. The purpose of the IPC complaint investigation is future-oriented that is, should it be established that there was a privacy breach, the IPC will make recommendations that assist the institution in taking whatever remedial steps are necessary to prevent future similar occurrences. 1

Guidelines on what government organizations should do Upon learning of a privacy breach, immediate action should be taken. Many of the following guidelines need to be carried out simultaneously or in quick succession. When faced with a potential breach of privacy, the first two priorities are: Containment: Identify the scope of the potential breach and take steps to contain it: retrieve the hard copies of any personal information that has been disclosed; ensure that no copies of the personal information have been made or retained by the individual who was not authorized to receive the information and obtain the individual s contact information in the event that follow-up is required; and determine whether the privacy breach would allow unauthorized access to any other personal information (e.g., an electronic information system) and take whatever necessary steps are appropriate (e.g., change passwords, identification numbers and/or temporarily shut down a system). Notification: Identify those individuals whose privacy was breached and, barring exceptional circumstances, notify those individuals accordingly: notify the individuals whose privacy was breached, by telephone or in writing; provide details of the extent of the breach and the specifics of the personal information at issue; if financial information or information from government-issued documents are involved, include the following in the notice: As a precautionary measure, we strongly suggest that you contact your bank, credit card company, and appropriate government departments to advise them of this breach. You should monitor and verify all bank accounts, credit card and other financial transaction statements for any suspicious activity. If you suspect misuse of your personal information, you can obtain a copy of your credit report from a credit reporting bureau: Equifax at 1-800- 465-7166 or www.equifax.ca and TransUnion at 1-800-663-9980 or www.tuc.ca to verify the legitimacy of the transactions listed. If you are concerned that you may be a victim of fraud, you may request these organizations to place a fraud alert on your credit files instructing creditors to contact you before opening any new accounts. 2

Privacy Breach Protocol Guidelines for Government Organizations You may also wish to review the publication of the Information and Privacy Commissioner, Ontario entitled, Identity Theft: A Crime of Opportunity, at www.ipc.on.ca. advise of the steps that have been taken to address the breach, both immediate and long-term; provide contact information for someone within your organization who can provide additional information, assistance and answer questions; and advise that the IPC has been contacted to ensure that all obligations under the Act are fulfilled and, where appropriate, provide information about how to complain to the IPC. Additional steps: ensure appropriate staff within your organization are immediately notified of the breach, including the Freedom of Information and Privacy Co-ordinator, the head and/or delegate; inform the IPC registrar of the privacy breach and work together constructively with IPC staff; conduct an internal investigation into the matter, linked to the IPC s investigation. The objectives of the investigation are to: 1) ensure the immediate requirements of containment and notification have been addressed; 2) review the circumstances surrounding the breach; and 3) review the adequacy of existing policies and procedures in protecting personal information; address the situation on a systemic basis. In some cases, program-wide or institution-wide procedures may warrant review (e.g., a misdirected fax transmission); advise the IPC of your findings and work together to make any necessary changes; ensure staff are appropriately educated and trained with respect to compliance with the privacy protection provisions of the Act; and cooperate in any further investigation into the incident undertaken by the IPC. What happens when the IPC investigates a privacy complaint? When investigating a privacy complaint, the IPC will, depending on the circumstances: ensure any issues surrounding containment and notification have been addressed by the organization; 3

discuss the complaint with the parties and obtain any relevant evidence; interview individuals involved with the privacy breach or individuals who can provide information about a process; obtain and review the organization s position on the privacy complaint; ask for a status report of any actions taken by the organization; review a copy of the personal information at issue; research IPC precedents; discuss settlement options; provide input and advice on current applicable policies and procedures and any other relevant documents and recommend changes; issue a report at the conclusion of the investigation; and issue an Order which disposes of the complaint. What steps can you take to avoid a privacy breach? Government institutions governed by the Acts would be well served by adopting proactive measures to prevent a privacy breach from occurring. These measures should include: educating staff about the privacy rules governing the collection, retention, use and disclosure of personal information set out in Part III of the provincial Act and Part II of the municipal Act; educating staff about the regulations under the Acts governing the safe and secure disposal of personal information and the security of records; ensuring policies and procedures are in place that comply with the privacy protection provisions of the Acts and that staff are properly trained in this respect; conducting a privacy impact assessment (PIA), where appropriate. The PIA is a process that helps determine whether new technologies, information systems and proposed programs or policies meet basic privacy requirements; when in doubt, obtaining advice from your organization s legal department and Freedom of Information Co-ordinator. The Ministry of Government Services Office of the Chief Information and Privacy Officer is also a useful resource for Co-ordinators; and consulting with the IPC s Policy Department in appropriate situations. 4

Privacy Breach Protocol Guidelines for Government Organizations IPC website The IPC has published a number of documents that can assist organizations in avoiding a privacy breach. These documents can be found in the Resources section of the IPC s website (www.ipc.on.ca). The following publications offer guidelines and best practices for protecting privacy: Guidelines on Facsimile Transmission Security; Guidelines for Protecting the Privacy and Confidentiality of Personal Information When Working Outside the Office; Moving Information: Privacy & Security Guidelines; E-mail Encryption Made Simple; Best Practices for Protecting Individual Privacy in Conducting Survey Research; Indirect Collection Guidelines (provincial and municipal versions); Model Data Sharing Agreement; Model Access and Privacy Agreement; Safeguarding Privacy in a Mobile Workplace; and Fact Sheet #16 Health-Care Requirement for Strong Encryption. The following IPC Practices also contain guidance and practical suggestions on how government organizations can protect privacy: Copying Information to Individuals Inside and Outside an Institution (Number 2); Providing Notice of Collection (Number 8); Video Surveillance: The Privacy Implications (Number 10); Audits and the Collection of Personal Information (Number 11); The Indirect Collection of Personal Information (Number 14); Maintaining the Confidentiality of Requesters and Privacy Complainants (Number 16); How to Protect Personal Information in the Custody of a Third Party (Number 18); Tips on Protecting Privacy (Number 19); and Safe and Secure Disposal Procedures for Municipal Institutions (Number 26). Privacy Complaint Reports that are publicly available are accessible through the IPC s website. Information about the IPC s privacy complaint process can also be found at www.ipc.on.ca. 5

About the IPC The role of the Information and Privacy Commissioner is set out in three statutes: the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act and the Personal Health Information Protection Act. The Commissioner is appointed by the Legislative Assembly of Ontario and is independent of the government of the day. For more information: Information and Privacy Commissioner Ontario, Canada 2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8 CANADA Tel: 416-326-3333 or 1-800-387-0073 Fax: 416-325-9195 TTY: 416-325-7539 info@ipc.on.ca www.ipc.on.ca Cette publication est également disponible en français Revised: May 2014

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information