AP 180.1 - Breaches of Privacy
According to the Office of the Saskatchewan Privacy Commissioner, privacy has been defined in a variety of ways, and is considered to involve several different dimensions. They include:
- Physical or bodily privacy;
- Territorial privacy;
- Privacy of communications; and
- Information privacy/data privacy.
The procedures outlined below focus on the last dimension of privacy.
Information privacy is understood as the right of an individual to determine for him/herself when, how and to what extent he/she will share his/her ‘personal information.’
Personal information (PI) and personal health information (PHI) are defined by the applicable privacy law. Generally speaking, PI/PHI is information about an identifiable individual. Typically, this school division will not consider a breach of privacy to have occurred if the information involved is sufficiently de-identified, provided as statistics only, or provided as aggregate data.
A privacy breach happens when there is unauthorized collection, use or disclosure of PI or PHI. Such activity is ‘unauthorized’ if it occurs in contravention of FOIP, LA FOIP, or HIPA. Examples would include ‘water-cooler’ conversations about client PI of which a co-worker has no professional ‘need to know’, or a health care professional accessing a database to check a patient’s status when he or she has no professional need to know the information.
Privacy breaches most commonly occur when PI/PHI about patients, clients/customers or employees is stolen, lost, mistakenly or purposely used or disclosed without the requisite need to know. Examples include when a computer containing PI/PHI is stolen or when PI/PHI is mistakenly emailed or faxed to the wrong person.
Privacy breaches may be accidental or intentional; they may be a one-time occurrence or due to systemic inadequacies such as a faulty procedure or operational breakdown. Privacy breaches are often predictable and with proper foresight and planning can and should be avoided.
Privacy Breach Guidelines - Office of the Saskatchewan Information and Privacy Commissioner
Five Key Steps in Responding to a Privacy Breach
1.1 Respond immediately to the breach. The first three steps should be undertaken as soon as the breach is discovered and carried out as quickly as possible:
- Step 1: Contain the Breach;
- Step 2: Investigate the Breach; and
- Step 3: Assess and Analyze the Breach and Associated Risks.
The remaining two steps follow:
- Step 4: Notification; and
- Step 5: Prevention - provide recommendations for longer term solutions and prevention strategies.
STEP 1: CONTAIN THE BREACH
Take immediate steps to contain the breach. These steps may include:
- Stop the unauthorized practice;
- Immediately contact your Privacy Officer, FOIP Coordinator, and/or the person responsible for security in your organization who should co-ordinate the following activities;
- Recover the records;
- Shut down the system that was breached;
- Revoke access or correct weaknesses in physical security; and
- Contact the police if the breach involves theft or other criminal activity, and contact affected individuals, if they may need to take further steps to mitigate or avoid further harm.
STEP 2: INVESTIGATE THE BREACH
Once the breach has been contained, an Organization should conduct an internal investigation. This investigation should be conducted by the Privacy Officer, FOIP Coordinator or an individual designated by the head of the Organization to conduct the investigation (hereinafter Privacy Officer). It may be conducted on an informal or formal basis depending on the nature of the breach. A breach investigation should address the incident on a systemic basis.
An internal investigation should include the following elements:
- Individuals with information about the breach should document details of the privacy breach and provide them to the Privacy Officer as quickly as possible.
- Evaluate the immediate and ongoing risks.
- Inventory and review the safeguards in place prior to the incident.
- Findings and recommendations.
- Write report or summary, as appropriate.
The following are some questions to consider asking when conducting an internal investigation:
- What were the circumstances that led to the breach?
- Could the incident have been avoided?
- Was the breach accidental or intentional?
- What measures need to be put in place to avoid a future similar incident?
- Will you need to prepare an internal investigation report or just a summary/memo?
The findings of an internal investigation should be recorded in an Investigation Report and should include the following:
- A summary of the incident and the immediate response taken to contain the breach and reduce harm.
- Steps taken to contain the breach.
- Background of the incident.
  - Include timelines and a chronology of events.
- Personal information (PI) or personal health information (PHI) involved (data elements and their sensitivity, number of individuals affected, etc.).
- A description of the investigative process.
  - Include the cause of the incident (root and contributing).
- A summary of interviews held (complainant, internal, external).
- A review of safeguards and protocols.
- A summary of possible solutions and recommendations.
- A description of necessary remedial actions, including short and long term strategies to correct the situation (staff training, rework of policies/procedures, etc.).
- A detailed description of what the next steps will be.
- Responsibility for implementation and monitoring, including timelines.
  - May also include the names and positions of the individuals responsible for the implementation.
A standardized Incident Response Plan or Privacy Breach Protocol is currently under development. An Incident Response Plan or Privacy Breach Protocol will include:
- Internal reporting protocol for incidents.
- Creating an incident response team led by the Privacy Officer, who will assign responsibilities and clarify roles.
- Steps for investigating and responding to reported breaches.
- Standardized reporting mechanisms.
- Breach containment and mitigation strategy.
- Communication (including media) strategy.
STEP 3: ASSESS AND ANALYZE THE BREACH AND ASSOCIATED RISKS
To determine what other steps are immediately necessary, assess the risks associated with the breach. Consider the following:
Is Personal Information (PI) or Personal Health Information (PHI) involved?
- What data elements have been breached?
- Generally, the more sensitive the information, the higher the risk.
- Social Insurance Numbers, and/or financial information that could be used for identity theft are examples of sensitive information.
- What possible use is there for the information?
- Can the information be used for fraudulent or otherwise harmful purposes?
What is the cause and extent of the Breach?
- What is the root cause of the breach?
- Is there a risk of ongoing or further exposure of the information?
- What short term and long term steps have been taken to minimize the harm?
- What was the extent of the unauthorized collection, use or disclosure, including the number of likely recipients and the risk of further access, use or disclosure, including in mass media or online?
- Is the information encrypted or otherwise not readily accessible?
- Is the information de-identified, statistical or aggregate only?
How many are affected by the Breach?
- How many individuals are affected by the breach?
- Who was affected by the breach: employees, public, contractors, clients, service providers, other organizations?
What is the foreseeable harm resulting from the Breach?
- Is there any relationship between the unauthorized recipients and the data subject?
- What harm to the individuals will result from the breach? Harm may include:
  - Security risk (e.g. physical safety)
  - Identity theft or fraud
  - Loss of business or employment opportunities
  - Hurt, humiliation, damage to reputation or relationships
- What harm could result to the Organization as a result of the breach? For example:
  - Loss of trust in the organization, public body or custodian
  - Loss of assets
  - Financial exposure
- What harm could result to the public as a result of the breach? For example:
  - Risk to public health
  - Risk to public safety
STEP 4: NOTIFICATION: WHO, WHEN AND HOW TO NOTIFY
The key consideration in deciding whether to notify affected individuals should be whether notification is necessary in order to avoid, mitigate or address harm to an individual whose PI/PHI has been inappropriately collected, used or disclosed. Review the risk assessment to determine whether or not notification is required; document any analysis and decisions.
As a school division, we collect, use or disclose PI/PHI and therefore we are responsible for notifying affected individuals.
When a privacy breach occurs at a third party entity that has been contracted to maintain or process PI/PHI, the breach should be reported to the originating Organization, which has primary responsibility for notification.
Notifying Affected Individuals
As noted above, notification of affected individuals should occur if it is necessary to avoid, mitigate or address harm to them. Some considerations in determining whether to notify individuals affected by the breach include:
- Policy requires notification: our school division policy requires notification of the affected individual(s);
- Contractual obligations require notification: we have a contractual obligation to notify affected individuals in the case of a breach;
- Risk of identity theft or fraud: How reasonable is the risk? Identity theft is a concern if the breach includes unencrypted information such as names in conjunction with SINs, credit card numbers, driver’s license numbers, personal health numbers, or any other information that can be used to commit fraud by third parties.
- Risk of physical harm: Does the breach place any individual at risk of physical harm, stalking or harassment?
- Risk of hurt, humiliation or damage to reputation: This type of harm can occur when PI/PHI such as mental health records, medical records or disciplinary records are breached.
- Risk of loss of business or employment opportunities: Could the breach result in damage to the reputation of an individual, affecting business or employment opportunities?
When and How to Notify
- When: Notification of individuals affected by the breach should occur as soon as possible. However, if law enforcement authorities have been contacted, those authorities should be consulted to determine whether notification should be delayed in order not to impede a criminal investigation. Ensure all such discussions are documented.
- How: The preferred method of notification is direct (by telephone, letter or in person) to affected individuals. This method is preferred where:
  - The identities of individuals are known,
  - Current contact information for the affected individuals is available,
  - Affected individuals require detailed information in order to properly protect themselves from the harm arising from the Breach, and/or
  - Affected individuals may have difficulty understanding an indirect notification due to mental capacity, age, language, or other factors.
  - Indirect notification (website information, posted notices, media) should generally only occur where direct notification could cause further harm, is prohibitive in cost, contact information is lacking, or where a very large number of individuals are affected by the breach such that direct notification could be impractical. Using multiple methods of notification in certain cases may be the most effective approach.
- What: Notifications should include the following information:
  - Recognize the impacts of the breach on affected individuals and consider offering an apology;
  - Date of the breach;
  - Description of the breach (a general description of what happened);
  - Description of the breached PI/PHI (e.g. name, credit card numbers, SINs, medical records, financial information, etc.);
  - The steps taken to mitigate the harm to date;
  - Next steps planned and any long term plans to prevent future breaches;
  - Steps the individual can take to further mitigate the risk of harm. Provide information about how individuals can protect themselves, e.g. how to contact credit reporting agencies (to set up a credit watch), how to change a health services number or driver’s license number;
  - Contact information of an individual within the Organization who can answer questions and provide further information; and
  - That individuals have a right to complain to the OIPC. Provide contact information.
Others to Contact
Regardless of what our determinations are with respect to notifications, we should consider whether the following authorities or organizations should also be informed:
- OIPC: proactive disclosure of a privacy breach to the OIPC may better prepare the Organization to respond to queries from MLAs, the media, and the public.
  - The following factors are relevant in deciding when to report a breach to the OIPC:
    - The sensitivity of the PI/PHI;
    - Whether the disclosed PI/PHI could be used to commit identity theft;
    - Whether there is a reasonable chance of harm from the breach;
    - The number of people affected by the breach; and
    - Whether the PI/PHI was fully recovered without further disclosure, or if any further unauthorized use has been thwarted.
  - Government institutions and local authorities can also contact the Access and Privacy Branch of the Ministry of Justice and Attorney General for advice in regard to responding to an incident.
- Police: if theft or other crime is suspected
- Insurers or others: if required by contractual obligations
- Professional or other regulatory bodies: if professional or regulatory standards require notification of these bodies
- Credit card companies and/or credit reporting agencies: it may be necessary to work with these companies to notify individuals and mitigate the effects of fraud.
STEP 5: PREVENTION
Once the immediate steps are taken to mitigate the risks associated with the breach, the Privacy Officer will thoroughly investigate the cause of the breach. This will ultimately result in a plan to avoid future breaches. This may require an audit of physical, administrative and technical safeguards. The plan will also include a process to ensure that the prevention plan has been fully implemented.
As a result of such evaluations, the Privacy Officer will develop, or improve as necessary, adequate long term safeguards against further breaches. These policies and safeguards will be reviewed and updated to reflect and implement the recommendations gleaned from the investigation. Thereafter, policy review and updates will occur regularly, at least biannually.
Privacy Breach Guidelines - Office of the Saskatchewan Information and Privacy Commissioner
April 9, 2014