
Appendix B: Privacy Breach Protocol

It is the responsibility of the University Community to report known or suspected breaches of Personal Information or Personal Health Information as soon as reasonably possible, and to cooperate with the Chief Privacy Officer and the Office of the General Counsel and Board Secretariat to ensure that privacy breaches are contained properly, investigated, and prevented from recurring.

A privacy breach is any loss of, or unauthorized access to or disclosure of, Personal Information, including Personal Health Information. Some causes of privacy breaches include but are not limited to:

a)    Emails sent to the wrong recipient, or emails containing the incorrect file;

b)    Paper records left unattended or lost;

c)    Lost or stolen phone, laptop, or other mobile devices;

d)    Hacked or insecure data systems;

e)    Access to records by an individual who does not need that information in the performance of their employment duties; or,

f)    Disposal of equipment or paper records without secure destruction.

The Privacy Breach Protocol describes the University’s five-step approach to responding to and managing a privacy breach. 

Step 1:    Reporting a privacy breach

Responding quickly is an effective way to limit the scope and impact of a privacy breach.

Any University Community member who becomes aware of a suspected, possible or actual privacy breach will immediately inform the Privacy Office within the General Counsel and Board Secretariat, and, if the member is an employee of the University, will immediately notify their Leader.

The Privacy Office can be reached at privacy@torontomu.ca.

Step 2:    Containing a privacy breach

The Privacy Office advises and coordinates with the unit that identified the breach to take necessary and immediate steps to limit the scope and impact of the privacy breach. 

Examples of containment measures include but are not limited to: 

a)    Reviewing the collection, use, retention, disclosure and destruction processes associated with the affected information to assist in mapping possible containment options;

b)    Determining if it is possible to recapture, return, and re-secure the breached data (physical and/or electronic);

c)    Working with Computing and Communications Services and any other University IT services to re-secure the data. This could involve temporary suspension of some user accounts or systems, and/or remote wiping or locking of devices;

d)    Working with third-party providers who may provide data storage or data processing services to the University to plug any gaps and determine if a suspension of services is warranted; and/or

e)    Working with the unit responsible for processing the breached information to determine whether the process should be suspended.

Step 3:    Investigation and Risk Assessment

The Privacy Office conducts a risk assessment to determine the possible harms resulting from the privacy breach. The Privacy Office reviews the circumstances leading to the breach, any prior privacy impact assessments, previous breaches or complaints involving the University systems or services concerned, and the practices used to handle the Personal Information or Personal Health Information affected by the breach. The Privacy Office advises on notification to individuals whose information was breached and makes recommendations on steps to safeguard the information before any processing, systems, or tasks that use similar data are resumed.

Step 4:  Notification

The Chief Privacy Officer determines notification steps arising from a privacy breach.  

This may include:

a)    Affected Individuals:

The University may notify affected individuals at the first reasonable opportunity, at the direction of the Privacy Office, with the form of notification chosen according to the circumstances.

b)    Regulatory:

i)    FIPPA: The University may report breaches of significant scope or harm to the Information and Privacy Commissioner of Ontario (“IPC”). The University will cooperate with the IPC’s investigation.

ii)    PHIPA:  The University has mandatory reporting requirements to the IPC for any breach of Personal Health Information. The University will cooperate with the IPC’s investigation. 

Step 5:    Remediation

The University’s procedures, processes and controls will be reviewed to determine whether there are opportunities to improve safeguards to protect Personal Information and Personal Health Information. Privacy and/or information-security training may be recommended.

In the event the University determines the breach was deliberate and/or malicious, the circumstances will be reviewed with the unit’s relevant leader, and may also include HR or the Vice-Provost, Faculty Affairs.