Background
According to the Office of the Saskatchewan Privacy Commissioner, privacy has been defined in a variety of ways, and is considered to involve several different dimensions. They include:
- Physical or bodily privacy;
- Territorial privacy;
- Privacy of communications; and
- Information privacy/data privacy.
The procedures outlined below focus on the last dimension of privacy.
Information privacy is understood as the right of an individual to determine for him/herself when, how and to what extent he/she will share his/her "personal information."
Personal information (PI) and personal health information (PHI) are defined by the applicable privacy law. Generally speaking, PI/PHI is information about an identifiable individual. Typically, this school division will not consider a breach of privacy to have occurred if the information involved is sufficiently de-identified, provided as statistics only, or as aggregate data.
A privacy breach happens when there is unauthorized collection, use or disclosure of PI or PHI. Such activity is "unauthorized" if it occurs in contravention of FOIP, LA FOIP, or HIPA. Examples would include "water-cooler" conversations about client PI of which a co-worker has no professional "need to know", or a health care professional accessing a database to check a patient's status when he or she has no professional need to know the information.
Privacy breaches most commonly occur when PI/PHI about patients, clients/customers or employees is stolen, lost, mistakenly or purposely used or disclosed without the requisite need to know. Examples include when a computer containing PI/PHI is stolen or when PI/PHI is mistakenly emailed or faxed to the wrong person.
Privacy breaches may be accidental or intentional; they may be a one-time occurrence or due to systemic inadequacies such as a faulty procedure or operational breakdown. Privacy breaches are often predictable and with proper foresight and planning can and should be avoided.
Privacy Breach Guidelines - Office of the Saskatchewan Information and Privacy Commissioner
Procedures
Five Key Steps in Responding to a Privacy Breach
1.1 Respond immediately to the breach.
Step 1: Contain the Breach, Step 2: Investigate the Breach, and Step 3: Assess and Analyze the Breach and Associated Risks should be undertaken after learning of the breach. These first three steps should be carried out as quickly as possible.
Step 4: Notification and Step 5: Prevention provide recommendations for longer term solutions and prevention strategies.
STEP 1: CONTAIN THE BREACH
Take immediate steps to contain the breach. These steps may include:
- Stop the unauthorized practice;
- Immediately contact your Privacy Officer, FOIP Coordinator, and/or the person responsible for security in your organization, who should co-ordinate the following activities;
- Recover the records;
- Shut down the system that was breached;
- Revoke access or correct weaknesses in physical security; and
- Contact the police if the breach involves theft or other criminal activity, and contact affected individuals if they may need to take further steps to mitigate or avoid further harm.
STEP 2: INVESTIGATE THE BREACH
Once the breach has been contained, an Organization should conduct an internal investigation. This investigation should be conducted by the Privacy Officer, FOIP Coordinator or an individual designated by the head of the Organization to conduct the investigation (hereinafter Privacy Officer). It may be conducted on an informal or formal basis depending on the nature of the breach. A breach investigation should address the incident on a systemic basis.
An internal investigation should include the following elements:
- Individuals with information about the breach should document details of the privacy breach and provide them to the Privacy Officer as quickly as possible.
- Evaluate the immediate and ongoing risks.
- Inventory and review safeguards in place prior to incident.
- Findings and recommendations.
- Write report or summary, as appropriate.
The following are some questions to consider asking when conducting an internal investigation:
- What were the circumstances that led to the breach?
- Could the incident have been avoided?
- Was the breach accidental or intentional?
- What measures need to be put in place to avoid a future similar incident?
- Will you need to prepare an internal investigation report or just a summary/memo?
The findings of an internal investigation should be recorded in an Investigation Report and should include the following:
- A summary of the incident and immediate response to contain the breach and reduce harm.
- Steps taken to contain the breach.
- Background of the incident.
- Include timelines and a chronology of events.
- Personal information (PI) or personal health information (PHI) involved (data elements and their sensitivity, number of individuals affected, etc.).
- A description of the investigative process.
- Include the cause of the incident (root and contributing).
- A summary of interviews held (complainant, internal, external).
- A review of safeguards and protocols.
- A summary of possible solutions and recommendations.
- A description of necessary remedial actions, including short and long term strategies to correct the situation (staff training, rework policies/procedures, etc.).
- A detailed description of what the next steps will be.
- Responsibility for implementation and monitoring, including timelines.
- May also include the names and positions of individuals responsible for the implementation.
A standardized Incident Response Plan or Privacy Breach Protocol is currently under development. An Incident Response Plan or Privacy Breach Protocol will include:
- Internal reporting protocol for incidents.
- Creating an incident response team led by the Privacy Officer, who will assign responsibilities and clarify roles.
- Steps for investigating and responding to reported breaches.
- Standardized reporting mechanisms.
- Breach containment and mitigation strategy.
- Communication (including media) strategy.
STEP 3: ASSESS AND ANALYZE THE BREACH AND ASSOCIATED RISKS
To determine what other steps are immediately necessary and to assess the risks associated with the breach, consider the following:
Is Personal Information (PI) or Personal Health Information (PHI) involved?
- What data elements have been breached?
- Generally, the more sensitive the information, the higher the risk.
- Social Insurance Numbers and/or financial information that could be used for identity theft are examples of sensitive information.
- What possible use is there for the information?
- Can the information be used for fraudulent or otherwise harmful purposes?
What is the cause and extent of the Breach?
- What is the root cause of the breach?
- Is there a risk of ongoing or further exposure of the information?
- What short term and long term steps have been taken to minimize the harm?
- What was the extent of the unauthorized collection, use or disclosure, including the number of likely recipients and the risk of further access, use or disclosure, including in mass media or online?
- Is the information encrypted or otherwise not readily accessible?
- Is the information de-identified, statistical or aggregate only?
How many are affected by the Breach?
- How many individuals are affected by the breach?
- Who was affected by the breach: employees, public, contractors, clients, service providers, other organizations?
What is the foreseeable harm resulting from the Breach?
- Is there any relationship between the unauthorized recipients and the data subject?
- What harm to the individuals will result from the breach?
- Harm may include:
  - Security risk (e.g. physical safety)
  - Identity theft or fraud
  - Loss of business or employment opportunities
  - Hurt, humiliation, damage to reputation or relationships
- What harm could result to the Organization as a result of the breach? For example:
  - Loss of trust in the organization, public body or custodian
  - Loss of assets
  - Financial exposure
- What harm could result to the public as a result of the breach? For example:
  - Risk to public health
  - Risk to public safety
STEP 4: NOTIFICATION: WHO, WHEN AND HOW TO NOTIFY
The key consideration in deciding whether to notify affected individuals should be whether notification is necessary in order to avoid, mitigate or address harm to an individual whose PI/PHI has been inappropriately collected, used or disclosed. Review the risk assessment to determine whether or not notification is required; document any analysis and decisions.
As a school division, we collect, use or disclose PI/PHI and therefore we are responsible for notifying affected individuals.
When a privacy breach occurs at a third party entity that has been contracted to maintain or process PI/PHI, the breach should be reported to the originating Organization, which has primary responsibility for notification.
Notifying Affected Individuals
As noted above, notification of affected individuals should occur if it is necessary to avoid, mitigate or address harm to them. Some considerations in determining whether to notify individuals affected by the breach include:
- Policy requires notification: our school division policy requires notification of the affected individual(s);
- Contractual obligations require notification: we have a contractual obligation to notify affected individuals in the case of a breach;
- Risk of identity theft or fraud: How reasonable is the risk? Identity theft is a concern if the breach includes unencrypted information such as names in conjunction with SINs, credit card numbers, driver's license numbers, personal health numbers, or any other information that can be used to commit fraud by third parties.
- Risk of physical harm: Does the breach place any individual at risk of physical harm, stalking or harassment?
- Risk of hurt, humiliation or damage to reputation: This type of harm can occur when PI/PHI such as mental health records, medical records or disciplinary records are breached.
- Risk of loss of business or employment opportunities: Could the breach result in damage to the reputation of an individual, affecting business or employment opportunities?
When and How to Notify
- When: Notification of individuals affected by the breach should occur as soon as possible. However, if law enforcement authorities have been contacted, those authorities should be consulted to determine whether notification should be delayed in order not to impede a criminal investigation. Ensure all such discussions are documented.
- How: The preferred method of notification is direct (by telephone, letter or in person) to affected individuals. This method is preferred where:
  - The identities of individuals are known,
  - Current contact information for the affected individuals is available,
  - Affected individuals require detailed information in order to properly protect themselves from the harm arising from the Breach, and/or
  - Affected individuals may have difficulty understanding an indirect notification due to mental capacity, age, language, or other factors.
- Indirect notification (website information, posted notices, media) should generally only occur where direct notification could cause further harm, is prohibitive in cost, contact information is lacking, or where a very large number of individuals are affected by the breach such that direct notification could be impractical. Using multiple methods of notification in certain cases may be the most effective approach.
- What: Notifications should include the following information:
  - Recognize the impacts of the breach on affected individuals and consider offering an apology;
  - Date of the breach;
  - Description of the breach (a general description of what happened);
  - Description of the breached PI/PHI (e.g. name, credit card numbers, SINs, medical records, financial information, etc.);
  - The steps taken to mitigate the harm to date;
  - Next steps planned and any long term plans to prevent future breaches;
  - Steps the individual can take to further mitigate the risk of harm. Provide information about how individuals can protect themselves, e.g. how to contact credit reporting agencies (to set up a credit watch), how to change a health services number or driver's license number;
  - Contact information of an individual within the Organization who can answer questions and provide further information; and
  - That individuals have a right to complain to the OIPC. Provide contact information.
Others to Contact
Regardless of what our determinations are with respect to notifications, we should consider whether the following authorities or organizations should also be informed:
- OIPC: proactive disclosure of a privacy breach to the OIPC may better prepare the Organization to respond to queries from MLAs, the media, and the public.
  - The following factors are relevant in deciding when to report a breach to the OIPC:
    - The sensitivity of the PI/PHI;
    - Whether the disclosed PI/PHI could be used to commit identity theft;
    - Whether there is a reasonable chance of harm from the breach;
    - The number of people affected by the breach; and
    - Whether the PI/PHI was fully recovered without further disclosure, or if any further unauthorized use has been thwarted.
Government institutions and local authorities can also contact the Access and Privacy Branch of the Ministry of Justice and Attorney General for advice in regard to responding to an incident.
- Police: if theft or other crime is suspected
- Insurers or others: if required by contractual obligations
- Professional or other regulatory bodies: if professional or regulatory standards require notification of these bodies
- Credit card companies and/or credit reporting agencies: it may be necessary to work with these companies to notify individuals and mitigate the effects of fraud.
STEP 5: PREVENTION
Once the immediate steps are taken to mitigate the risks associated with the breach, the Privacy Officer will thoroughly investigate the cause of the breach. This will ultimately result in a plan to avoid future breaches. This may require an audit of physical, administrative and technical safeguards. The plan will also include a process to ensure that the prevention plan has been fully implemented.
As a result of such evaluations, the Privacy Officer will develop, or improve as necessary, adequate long term safeguards against further breaches. Said policies and safeguards will be reviewed and updated to reflect and implement the recommendations gleaned from the investigation. Policy review and updates will occur regularly, at least biannually, after that.
Privacy Breach Guidelines - Office of the Saskatchewan Information and Privacy Commissioner
April 9, 2014