Privacy Breach Protocol

The Freedom of Information and Protection of Privacy Act (FIPPA) requires the Vancouver Island University (VIU) to protect personal information in its custody or under its control, and to take certain measures should a privacy breach occur.

A privacy breach occurs when personal information is collected, retained, used, disclosed, accessed, or disposed of in a way that does not comply with the provisions of FIPPA. For example, losing an unencrypted USB drive which contains personnel files or third-party personal information, or inadvertently sending personal information by email to the wrong third party, would potentially expose personal information to unauthorized sources.

If VIU discovers that personal information in its custody or under its control has been inadvertently or intentionally disclosed without authorization, VIU must immediately follow the procedures outlined in this protocol.

Scope

This protocol applies to all employees as well as service providers contracted to VIU.

Definitions

Personal Information is defined as recorded information about an identifiable individual excluding business contact information.

Business Contact Information means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual.

Procedures

When a breach or suspected breach of privacy occurs, the following procedures shall be followed.

Investigation

If a privacy breach is suspected, the employee, supervisor and Privacy Officer should immediately take the following steps.

  • The employee will notify their supervisor immediately who will in turn notify the Privacy Officer at Privacy.Officer@viu.ca. Service providers will follow the procedures outlined in the contract’s Privacy Protection Schedule or Privacy Protection Schedule for Cloud Services.
  • The supervisor, in consultation with the Privacy Officer, must immediately ensure personal information is not still being compromised.
  • The supervisor, in consultation with the Privacy Officer, will conduct a preliminary investigation to confirm whether a privacy breach has in fact occurred. The preliminary investigation will determine the following:
    • Description of the information that was compromised
    • Known or suspected cause(s) of the breach
    • Date and time of the breach
    • Number and type of individuals affected
    • Sensitivity of the personal information breached and the level of harm to individuals
    • Immediate steps taken to contain the breach
  • The supervisor will report the outcomes of the preliminary investigation to the Privacy Officer.
  • The Privacy Officer will determine if a breach has occurred and if so, will notify VIU’s General Counsel and University Secretariat and commence further remediation activities.

Remediation

If a breach of privacy has occurred, the Privacy Officer will take the following steps.

  • Contain the privacy breach by preventing the further spread of the personal information. This may include disabling systems or system access, contacting recipients of emails and asking them not to open the message and to delete it, coaching employees, etc.
  • Notify contractors if the breach involves data that is currently in their custody under the obligation(s) of their contract with VIU.
  • Make all reasonable efforts to recover the personal information from all sources to which the personal information has been disclosed. If recovery is not possible, ensure the sources who received the information confidentially destroy the information. Get written confirmation from the sources (e.g., email) that they have destroyed the personal information and have not retained any copies.
  • Work with the appropriate staff members to take remedial action on a systemic basis, which may include:
    • changes to systems or programs involving personal information
    • revising operational policies and procedures and advising employees of the revisions
    • providing supplementary training to staff regarding their privacy obligations
  • Notify the police if the breach involves theft or any other suspected criminal activity.

In accordance with Section 36.3 of FIPPA, VIU must, without unreasonable delay, notify affected individuals if the privacy breach could reasonably be expected to result in significant harm to the individual such as:

  • identity theft
  • bodily harm
  • humiliation
  • damage to reputation or relationships
  • loss of employment, business, or professional opportunities
  • financial loss
  • negative impact on a credit record
  • damage to, or loss of, property

VIU must notify the Office of the Information and Privacy Commissioner (OIPC) if the privacy breach could reasonably be expected to result in significant harm as noted above.

VIU is not required to notify an affected individual if notification could reasonably be expected to result in immediate and grave harm to the individual's safety or physical or mental health or threaten another individual's safety or physical or mental health.

Notification must be given directly to each affected individual in writing (preferably within 3 to 5 business days), and must include the following information:

  • the name of the public body
  • the date on which the privacy breach came to the attention of the public body
  • a description of the privacy breach including, if known, the date on which or the period during which the privacy breach occurred, and a description of the nature of the personal information involved in the privacy breach
  • confirmation that the commissioner has been or will be notified of the privacy breach
  • contact information for a person who can answer, on behalf of the public body, questions about the privacy breach
  • a description of steps, if any, that the public body has taken or will take to reduce the risk of harm to the affected individual
  • a description of steps, if any, that the affected individual could take to reduce the risk of harm that could result from the privacy breach

Notifications must not include:

  • personal information about others or any information that could result in a further privacy breach
  • information that could be used to circumvent security measures or negatively impact an ongoing investigation

Notification may be given to an affected individual in an indirect manner if VIU:

  • does not have accurate contact information for the affected individual
  • reasonably believes that providing the notice directly to the affected individual would unreasonably interfere with the operations of the organization
  • reasonably believes that the information in the notification will come to the attention of the affected individual more quickly if it is given in an indirect manner

If notification may be given in an indirect manner as noted above, the notification must be given by public communication that can reasonably be expected to reach the affected individual, and contain the information set out above.

Notification to the OIPC must be provided in writing and must include the following information:

  • the name of the public body
  • the date on which the privacy breach came to the attention of VIU
  • a description of the privacy breach including, if known, the date on which or the period during which the privacy breach occurred, a description of the nature of the personal information involved in the privacy breach, and an estimate of the number of affected individuals
  • contact information for a person who can answer, on behalf of VIU, questions about the privacy breach
  • a description of steps, if any, that VIU has taken or will take to reduce the risk of harm to the affected individuals

Documentation

The Privacy Officer will prepare a report of the privacy breach including circumstances, findings, remediation, and recommendations, and share it with VIU’s Executive.

The report may also be shared with the OIPC if requested.

Documentation related to privacy breaches should be kept in accordance with records retention requirements, e.g., section 31 of FIPPA requires VIU to retain personal information for at least one year if it is used to make a decision that directly affects an individual.

Questions Regarding this Protocol

If you have any questions regarding this protocol, please contact VIU’s Privacy Office at Privacy.Officer@viu.ca.