
Privacy Breach Procedure
- Approver:
- Academic Coordinating Committee
- Policy Owner:
- Associate Vice President, Risk Management
- Policy Lead(s):
- Manager, Campus Safety
- Defining policy:
- Effective date:
- 2022-01-06
- Date of last approval:
- 2022-01-06
- Status:
- Approved
Procedure Statement
This procedure sets out the process for handling a privacy breach at the Conestoga
College Institute of Technology and Advanced Learning (Conestoga) in accordance
with Conestoga’s Protection of Privacy Policy.
Definitions
Conestoga maintains a glossary of terms specific to the institution. The ones in use for this document are defined below.
- Conestoga Users
- Individuals who access and/or use Conestoga’s data while performing their duties on behalf of the College. Users include, but are not limited to, Conestoga employees (full time, part time, definite term, casual, etc.), contractors, consultants, and volunteers.
- FIPPA
- The Freedom of Information and Protection of Privacy Act (FIPPA)
- Personal Information
- Recorded information about an identifiable individual as defined in FIPPA. Information related to a person acting in their business capacity is not personal information. This includes business addresses, work titles, business phone numbers, and Conestoga issued email addresses.
Procedure
- Reporting – Any Conestoga user who suspects a privacy breach must immediately notify their functional leader and email privacy@conestogac.on.ca. Managers must notify this email address of any privacy breach for reporting purposes.
- Containment – the manager must take immediate steps to contain the breach and prevent any further unauthorized access to the personal information. The following steps - steps 3, 4 & 5 - can happen both in conjunction with containment and after containment.
- Preliminary Assessment – Once a potential breach has been identified, the Vice President, Finance and Corporate Services or designate determines if further investigation is warranted, preserves evidence, and determines if law enforcement needs to be involved.
- The Vice President, Finance and Corporate Services leads the assessment if needed.
- Notification
- Impacted individuals are notified by the manager or director of the unit / office where the breach occurred as soon as is reasonably possible. If the manager or director of the unit requires support and/or the notification is particularly complicated, they must reach out to the Vice President, Finance and Corporate Services.
- The Information and Privacy Commissioner of Ontario must be notified by the Vice President, Finance and Corporate Services when there is particularly sensitive information involved in the privacy breach and/or when there is a large number of individuals impacted.
- Risk Mitigation
- Based on the severity and scope of the breach, the Vice President, Finance and Corporate Services will decide whether further investigation is required. If it is, the VP will:
- Lead further investigation of the privacy breach if warranted.
- Identify prevention strategies to ensure a similar privacy breach does not reoccur.
- Monitor outcome of prevention strategies.
Relevant Legislation and Related Documents
Relevant legislation
Related documents
Revision Log
Date | Details |
2021-12-15 | Academic Forum |
2022-01-06 | Academic Coordinating Committee |