AJ-R: Privacy Breach - Regulation

Classification: Section A: Foundations and Basic Commitments
Code: AJ-R

ROLES AND RESPONSIBILITIES

All District employees are responsible for complying with this policy and for performing their duties in a manner that ensures personal information to which they have access in the course of their duties is protected at all times from unauthorized access, use and disclosure (either accidental or intentional).

The FOI Officer is responsible for all investigation and subsequent documentation in relation to any reported privacy breach incidents. All reported incidents will be documented along with any action taken. The FOI Officer will assess whether the reported incident requires immediate action to prevent any recurrence of a similar incident. 

PRIVACY BREACH RESPONSE PROCESS

1.0 Responsibilities of Employee

Upon becoming aware of an actual or a suspected privacy breach, all District employees shall:

a. Immediately report the suspected or actual breach to their supervisor/manager/administrator;

b. Take action, where possible, to contain the breach and limit its impact by:

i. Isolating or suspending the activity that led to the privacy breach;

ii. Taking immediate steps to recover the personal information, records, or equipment where possible;

iii. Determining if any copies have been made of the personal information at risk and recovering them where possible.


2.0 Responsibilities of Supervisor/Manager/Administrator

Upon being notified of an actual or a suspected privacy breach, the supervisor/manager/administrator shall:

a. Immediately notify the FOI Officer of the breach and work with the FOI Officer to carry out a preliminary assessment of the extent and impact of the privacy breach, including:

i. Assessing whether additional steps are required to contain the breach, implementing as necessary;

ii. Identifying the type and sensitivity of personal information breached and any steps that have been taken to minimize the harm from the breach;

iii. Identifying who is affected by the breach;

iv. Estimating the number of individuals affected by the breach;

v. Identifying the cause of the breach; and

vi. Identifying foreseeable harm from the breach.


3.0 Responsibility of FOI Officer

The FOI Officer shall be responsible for the detailed investigation of incidents of actual or suspected privacy breaches. The FOI Officer’s investigation shall include but not be limited to:

a. Assessing all information reported by the supervisor/manager/administrator and obtaining further clarification of events and findings if required;

b. Taking any further steps required to minimize or reduce the harm;

c. Assessing foreseeable harm from the breach including but not limited to:

i. Risk of harm to the individual(s);

ii. Loss of public trust in District;

iii. Risk to public safety;

iv. Financial exposure.

4.0 District Actions and Notifications

The determination of whether to notify individuals, public bodies, organizations affected by the privacy breach, or the Privacy Commissioner, will be made by the FOI Officer and the Director of Instruction. The considerations shall include but are not limited to:

a. Necessity to avoid or mitigate harm to the affected individual, public body or organization;

b. Legislative requirements;

c. Contractual obligations;

d. Potential risk of identity theft or fraud due to the breach of any personal identification information;

e. Any risk of physical harm due to the privacy breach, such as stalking or harassment;

f. A risk of damage to reputation, hurt or humiliation, such as when the privacy breach includes the release of medical or disciplinary information;

g. A risk of loss of business or employment opportunities should the privacy breach result in damage to the reputation of an individual;

h. A risk of the loss of confidence in the District, or any related public body or organization, and good District relations.

• If notification of individuals is determined to be necessary, the notification should occur by the Direct Supervisor/Manager/Administrator or Designate as soon as possible following the breach. (If a law enforcement agency has been informed and is conducting a criminal investigation, consultation and cooperation should occur in order to facilitate the investigation.)

• Where feasible, affected individuals will be notified directly by the Direct Supervisor/Manager/Administrator or Designate by phone, email, letter or in person, depending on the practicalities. Indirect notification using general, non-personal information will usually occur only when direct notification could cause further harm, is prohibitive in cost, or contact information is unavailable. In some circumstances, using multiple methods of notification may be considered.

Revision Date: Feb 2016