HomeMy WebLinkAboutADM 050-002 Privacy Breach ProcedureCety
DICKERING
Procedure
Procedure Title: Privacy Breach Procedure
Procedure Number
ADM 050-002
Reference
Municipal Freedom of Information
and Protection of Privacy Act,
1990
Date Originated (mldly)
September 2016
Date Revised (mldly)
Pages
5
Approval: Chief Administrative Officer
Point of Contact: City Clerk
Procedure Objective
The Municipal Freedom of Information and Protection of Privacy Act, 1990 (the Act), establishes
rules for government institutions to follow to ensure the protection of individual privacy. The Act
governs the collection, retention, use, disclosure and security of personal information. A privacy
breach occurs when personal information is collected, retained, used or disclosed in ways that
are not in accordance with the provisions of the Act. This procedure affirms the City's obligation
to protect personal information in custody or control of the institution. Privacy breaches
undermine public trust in an institution, and may result in significant harm to the City, and to
those whose personal information is collected, used, or disclosed inappropriately.
Index
01 Definitions
02 What is a privacy breach?
03 Procedures
04 Steps to avoid a privacy breach
01 Definitions
01.01 Information and Privacy Commissioner of Ontario (IPC) - the Information
and Privacy Commissioner of Ontario is appointed by the Lieutenant Governor
in Council. The Commissioner is an officer of the Legislature and is
independent of the government. The Commissioner hears appeals of decisions
made by Heads of institutions, issues binding orders, conducts privacy
investigations, and has certain powers relating to the protection of personal
privacy.
01.02 Personal Information — recorded information about an identifiable individual
(not a corporation, partnership or sole proprietorship), including information
relating to:
a) Race, national or ethnic origin, color, religion, age, sex, sexual
orientation or marital or family status of the individual;
b) Education, medical, psychiatric, psychological, criminal or employment
history, financial transactions;
c) Any identifying number, symbol, address, telephone number, fingerprints
or blood type;
d) Personal opinions or views of the individual except if they relate to
another individual, and views or opinions of another individual about the
individual;
e) Correspondence sent to the City which is implicitly or explicitly of a
private or confidential nature and includes replies to the
correspondence; and
f) The individual's name if it appears with any other personal information.
02 What is a Privacy Breach?
02.01 A privacy breach occurs when there is unauthorized access to, or collection,
use, or disclosure of, personal information. Such activity is "unauthorized" if it
occurs in contravention of the Act, or other applicable legislation addressing
protection of privacy. Some of the most common privacy breaches happen
when personal information of customers, clients, or employees is stolen, lost,
or mistakenly disclosed (e.g. a computer containing personal information is
stolen, or personal information mistakenly emailed to the wrong people). A
privacy breach may also be a consequence of faulty business processes or
operational break -downs.
03 Procedures
03.01 Step 1 — Identify and Alert the City Clerk
a) When a privacy breach is alleged to have occurred, City staff shall
undertake immediate action to identify the suspected source of the
privacy breach and alert their immediate supervisor. The supervisor will
then notify the City Clerk or designate within one business day. The City
Clerk will then investigate the validity of the complaint or suspicion. If a
privacy breach is confirmed, they will evaluate the severity of the breach
and proceed accordingly.
03.02 Step 2 — Risk Assessment / Containment
Procedure Title: Privacy Breach Procedure Page 2 of 5
Procedure Number: ADM 050-002
a) Upon notification, the City Clerk or designate will establish a response
team with staff where the alleged breach occurred, and with the City
Solicitor (if applicable). During this meeting, the response team will
attempt to establish the particulars of the incident including:
• the location and date of incident and discovery;
• the cause of the incident, if known;
• an estimate of the number of individuals involved;
• the type of individuals involved (e.g. internal vs. external);
• the type of personal information subject to the breach;
• any identifiable records associated with the alleged breach;
• any actions already undertaken to contain the breach; and
• other organizations who have been notified (e.g. police).
This information will be used to develop a containment strategy.
b) The City Clerk will identify the scope of the potential breach and take
steps to contain it. Steps could include:
• retrieve and secure any records associated with the alleged breach;
• where appropriate and depending on circumstances, isolate and
suspend access to any system associated with the alleged breach;
• suspend all processes or practices which are believed to have
served as a source for the breach; and
• take any other action as deemed necessary to contain the alleged
breach.
03.03 Step 3 - Notification to Affected Individual(s)
a) The City Clerk shall notify all individuals affected by a privacy breach.
The City Clerk shall also notify the IPC of confirmed privacy breaches.
This notification will include the following:
• all information surrounding the nature of the alleged, or confirmed,
privacy breach;
• the details of the breach as understood at the time of notification;
Procedure Title: Privacy Breach Procedure Page 3 of 5
Procedure Number: ADM 050-002
• the specific personal information affected;
• steps taken so far to control or reduce the harm;
• steps the individual can take to protect themselves (e.g. how to
contact credit reporting agencies or information on how to change a
drivers licence number);
• future steps planned to prevent future privacy breaches; and
• contact information for the City Clerk and IPC.
The preferred method of notification is direct — by phone, letter, or in
person, to affected individuals. Indirect notification — website information,
posted notices, media — should generally only occur where direct
notification could cause further harm, is prohibitive in cost, or contact
information is lacking. Using multiple methods of notification in certain
cases may be the most effective approach.
The City Clerk will consider whether other authorities or organizations
will need to be notified and could include law enforcement (if theft or
crime is suspected), professional or regulatory bodies (if notification is
required by their standards), or technology suppliers (if a breach was
due to a technical failure or a technical fix is required).
03.04 Step 4 — Report and Follow-up
a) The City Clerk will conduct an internal investigation following a privacy
breach, and findings will be compiled into a report. The objectives of this
investigation are to:
• ensure the immediate requirements of containment and notification
have been addressed;
• review the circumstances surrounding the breach;
• ensure staff are appropriately educated and trained with respect to
compliance with the privacy protection provisions of the Act; and
• review the adequacy of existing policies and procedures in protecting
personal information.
b) Consistent with privacy best practices, a copy of the report shall be
forwarded to the IPC, the City Department that was involved in the
breach, as well as to all individuals who were affected by the privacy
breach.
Procedure Title: Privacy Breach Procedure Page 4 of 5
Procedure Number: ADM 050-002
04 Steps to avoid a privacy breach
The following are recommendations for all City staff to ensure a proactive approach in
preventing a privacy breach.
04.01 City staff should ensure they are appropriately trained on privacy rules
governing the collection, retention, use and disclosure of personal information,
including the safe and secure disposal of personal information, and the security
of records.
04.02 City staff should ensure they have read and understood City Policy ADM 050,
Freedom of Information and Protection of Privacy Policy, which sets out the
City's responsibilities for privacy protection provisions under the Act.
04.03 When starting any new City project that involves personal information, City staff
should consider whether the project could benefit from a Privacy Impact
Assessment. Privacy Impact Assessments can be used to identify potential
privacy risks of new or redesigned City Projects, and can help reduce or
eliminate these risks to an acceptable level.
04.04 When in doubt about a question concerning the Act, staff should contact the
City Clerk.
Procedure Title: Privacy Breach Procedure Page 5 of 5
Procedure Number: ADM 050-002