Purpose statement

This procedure guides Town of Oakville (“Town”) staff on how to respond, in a consistent and coordinated manner, to incidents involving unauthorized collection, use, disclosure and disposition of personal information. It outlines the steps to be taken to ensure data security, minimize damage, and comply with the Municipal Freedom of Information and Protection of Privacy Act, as amended (“MFIPPA”), and other applicable provincial and federal legislation.

Scope

This procedure applies to town staff, elected officials, contractors, volunteers, students, interns and to all personnel who have access to personal information that is in the custody and control of the town.

Procedure

When a Privacy Breach is alleged to have occurred, immediate action must be taken. The following procedure, conducted in quick succession or concurrently, shall be followed:

1. Identify and Report

When staff become aware of an alleged privacy breach, they shall notify their immediate Supervisor/Manager immediately and make every effort to provide as much information on the breach as possible.

The responsible Supervisor/Manager must immediately notify the Access and Privacy Officer of the incident, complete the Privacy Breach Report Form (Appendix B) and submit it to the Access and Privacy Officer.

The Access and Privacy Officer may convene a Response Team depending on the nature and scope of the incident to assist in the implementation of this procedure.

Where the Access and Privacy Officer receives enough details of an alleged privacy breach, before the report is submitted, they may invoke this procedure.

The Response Team, if convened, may be made up of:

  • Access and Privacy Officer
  • Supervisor/Manager/Director of the program area where the suspected breach occurred
  • ITS (required only if the suspected breach involves an information system)
  • Human Resources (required only if the suspected breach involves employee information)
  • Legal Services
  • Corporate communications
  • Other town staff, if deemed appropriate.

2. Contain

The Access and Privacy Officer will assist the affected department or program area to contain the privacy breach, which may include but is not limited to:

  • Retrieving and securing records of any personal information that has been disclosed;
  • Ensuring that no copies of the personal information have been made or retained by the individual who was not authorized to receive the information and obtaining the individual’s contact information if follow-up is required;
  • Determining whether the privacy breach would allow unauthorized access to any other personal information (e.g. an electronic information system);
  • Isolating and suspending public access to any system associated with the breach;
  • Suspending all processes or practices which are believed to have served as a source for the inappropriate access or disclosure of personal information;
  • If the breach occurred as a result of routine business practice, isolating and suspending the operations related to the practice, until the breach is resolved, and all related policies and procedures are reviewed.

3. Assess

The Access and Privacy Officer shall evaluate the risks of the exposure and identify the cause(s) of the privacy breach. Factors taken into consideration may include but are not limited to:

  • What data elements have been affected? Can personal information be used for fraudulent or otherwise harmful processes?
  • How many individuals have been affected? Are these individuals employees, members of the general public, contractors, or other groups?
  • What is the cause(s) of the breach? Is there a risk of further exposure of information?
  • What is the extent of the unauthorized collection, use or disclosure?
  • Who are the recipients of the information?
  • Is there a connection between the unauthorized recipients and the affected individuals?
  • What is the potential harm of the breach for the town, affected individuals, general public, etc.?
  • Is it a systemic problem or an isolated incident?

The Risk Assessment Chart (Appendix C) may be used to determine if a Privacy Breach occurred. If a Privacy Breach is confirmed, the Access and Privacy Officer will evaluate the severity of the Privacy Breach and proceed in accordance with the steps below.

4. Notify

If a privacy breach involves sensitive personal information or a large number of individuals, the Access and Privacy Officer will follow the Information and Privacy Commissioner of Ontario (IPC) privacy breach notification protocol to inform the IPC as directed by the Town Clerk or Designate.

The Access and Privacy Officer will make a reasonable effort to notify affected individuals as directed by the Town Clerk or Designate. The decision to notify affected individuals should be based on the consideration of the following circumstances:

  • any statutory or other legal obligations to provide notice;
  • a risk of fraud or identity theft (protection of individuals requires detailed information on the breach);
  • a risk of physical harm;
  • a risk of damage to individuals’ reputation;
  • a risk of loss of business or employment opportunities;
  • a risk of stakeholders’ loss of confidence in the town and/or loss of public trust.

Affected individuals will be notified directly via phone, a letter, electronic means, or in person. Indirect notification (via the town website, media, etc.) may occur when direct notification can cause further harm or involves high costs, when contact information is missing, or when a large number of individuals are involved.

The notification will include the following information:

  • Date the breach occurred;
  • Description of the breach;
  • Description of the personal information that was compromised;
  • Risk to the individuals affected by the breach;
  • Mitigation actions already taken and next steps planned to address the breach;
  • Appropriate actions individuals can take to mitigate harm;
  • A suggestion, if financial information or information from government-issued documents is involved, to:
    • contact their bank, credit card company, and appropriate government departments to advise them of the breach;
    • monitor and verify all bank account, credit card and other financial transaction statements for any suspicious activity;
  • Contact information of town staff who will be able to provide further information;
  • A statement that they have a right to make a complaint to the IPC and how to do so.

5. Investigate

After the breach is contained and the affected individuals notified, the Access and Privacy Officer will collaborate with the Response Team to conduct an investigation into the Privacy Breach to:

  • Identify and analyze the events that led to the breach;
  • Review policies and practices in protecting personal information and staff training to determine whether changes are needed;
  • Determine whether the breach was a result of a systemic issue and if so, review program-wide or town-wide procedures;
  • Take corrective action to prevent similar breaches in the future and ensure staff are adequately trained;
  • If the IPC was contacted, advise the IPC of the finding and remedial measures, and cooperate with any further investigation into the incident.

Once the investigation is completed, a report shall be prepared by the Access and Privacy Officer outlining results of the investigation and recommendations made to mitigate the possibility of future occurrences.

6. Mitigate and Prevent

The Access and Privacy Officer will coordinate the implementation of remedial and long-term measures to enhance the privacy protection program.

The measures may include but are not limited to:

  • Amendment/development of privacy protection procedures and business area specific guidelines;
  • Amendment or elimination of certain processes;
  • Staff training;
  • Follow-up correspondence with affected individuals;
  • Revision of the compliance audit program;
  • If appropriate, conducting a privacy impact assessment of the affected systems;
  • Revision of records management systems to enhance the protection of personal information kept in them;
  • Development and implementation of security measures.

The Town Clerk or Designate will brief the Executive Leadership Team, Mayor and Councillors, when required and as appropriate, about the results of the investigation and recommended mitigation strategies.

References and related documents 

Municipal Act, 2001
Municipal Freedom of Information and Protection of Privacy Act 
Records Retention By-law
Protection of Privacy Policy 
Records and Information Management Policy
Records and Information Management Procedure 
Access to Records Procedure 
Open Data Procedure 
Employee Code of Conduct Policy
Information Technology General Use and Practices Policy 
Information Technology General Use and Practices Procedure

Definitions

For the purpose of this procedure, unless otherwise stated, the following definitions apply:

Personal Information: MFIPPA defines Personal Information as recorded information about an identifiable individual. To qualify as Personal Information, it must be about an individual in a personal capacity, and it is reasonable to expect an individual may be identified if the information is disclosed. Examples of Personal Information include:

  • race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
  • education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
  • identifying number, symbol or other particular assigned,
  • address, telephone number, date of birth, fingerprints or blood type,
  • personal opinions or views of the individual except if they relate to another individual,
  • correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature, and replies that would reveal the contents of the original correspondence,
  • views or opinions of another individual about the individual,
  • individual’s name if it appears with other personal information.

Privacy breach: occurs when personal information is collected, retained, used, disclosed or disposed of in ways that are not in accordance with the provisions of MFIPPA and/or corporate policies. Examples can include a lost or stolen town computer or mobile device or the mailing of sensitive information to the wrong address.

Access and Privacy Officer: Town of Oakville staff within the Clerk’s Department appointed by the Town Clerk or Designate.

Privacy Breach Response Team (“Response Team”): Town of Oakville staff responsible for the assessment, investigation and prevention of a privacy breach. A Response Team may consist of staff directly involved in a privacy breach, their supervisors, ITS and Legal Services staff, subject matter experts, etc.

Responsibilities

Town Clerk or Designate

  • Oversees the development and implementation of the Privacy Breach Response Procedure.
  • Determines whether and the IPC should be notified of the Privacy Breach, and if so, directs the Access and Privacy Officer to carry out such notification.
  • Notifies and reports on Privacy Breach related issues to the Senior Leadership Team, as appropriate.

Town Staff

  • Immediately report any suspected privacy breach to their immediate Supervisor.
  • Assist with the containment of the privacy breach by suspending the process that has caused it, as appropriate.
  • Cooperate fully and promptly with the Access and Privacy Officer and the Breach Response Team in the investigation and remediation of the Privacy Breach.
  • Participate in training regarding the appropriate handling of Personal Information, as provided by the Clerk’s Department.

Breach Response Team

The responsibility of the Response Team will include:

  • Assisting and supporting the Access and Privacy Officer in the implementation of the Privacy Breach Response Procedure.
  • Assisting with the evaluation of risks, investigation of a breach and the development and implementation of a mitigation plan.

Access and Privacy Officer

  • Leads the Privacy Breach Response procedure in coordination with the Town Clerk/Designate.
  • Ensures that the procedure is fully implemented in response to Privacy Breaches and makes recommendations for remedial action(s).
  • Coordinates the implementation of remedial and long-term measures to enhance the privacy protection program.
  • Completes any other tasks as assigned by the Town Clerk in relation to the Privacy Breach Response Procedure.
  • Notifies affected individuals as directed by the Town Clerk.
  • Notifies/reports the privacy breach to the IPC, where appropriate and as directed by the Town Clerk.
  • Acts as a liaison between the Town and any organizations, including the IPC, which may be investigating the privacy breach.
  • Responds to questions from the public regarding the privacy breach.
  • Promotes changes in practices that mitigate the risk of future Privacy Breaches and monitors the implementation of the changes.
  • Retains records of Privacy Breaches and the town’s response to them in the town’s records management systems.

Staff in leadership positions (Supervisors/Managers/Directors/Commissioners)

  • Inform the Access and Privacy Officer, Town Clerk or Designate of a suspected Privacy Breach.
  • Immediately document the details of the suspected Privacy Breach using the Privacy Breach Report Form (Appendix B) and submit it to the Access and Privacy Officer or Town Clerk/Designate.
  • Cooperate with the Access and Privacy Officer to undertake all appropriate actions required to contain the Privacy Breach.
  • Cooperate fully and promptly with the Access and Privacy Officer in the investigation and remediation of the Privacy Breach.

Appendices

  • Appendix A: Privacy Breach Flow Chart (Internal Document)
  • Appendix B: Privacy Breach Report Form (Internal Document)
  • Appendix C: Privacy Breach Risk Assessment (Internal Document)