Privacy Breach Protocol
What is a privacy breach?
A privacy breach is an incident involving the unauthorized collection, use or disclosure of personal information. Unauthorized disclosures of personal information are the most common sources of privacy breaches and can occur when personal information is lost, stolen or inadvertently disclosed through human error.
Circumstances that could lead to a privacy breach include:
- loss or theft of equipment containing personal information (e.g., memory sticks, disks, laptops)
- e-mails sent to a wrong address or person
- incorrect file attached to an e-mail
- disposal of equipment containing personal information without secure destruction
- insufficient controls in place to protect personal information in paper and electronic files
- information faxed to a wrong number
- use of laptops, disks, memory sticks or other equipment to store or transport personal information outside of the office without adequate security measures
What is personal information?
"Personal Information" is defined as recorded information about an identifiable individual. An individual's personal information includes information regarding his or her race, gender, home address, medical history, education history, identifying numbers (e.g. SIN, employee number, student number, etc.), financial or employment information, personal opinions, completed assignments and exams, and grades, comments and evaluations provided by an instructor.
What to do if a privacy breach occurs?
The University has a responsibility to protect personal information in its custody or control from unauthorized access or disclosure. Upon discovery of a privacy breach, or suspected breach, the incident must be reported immediately to the relevant unit head (e.g., Dean’s Office) and to Western’s Information and Privacy Office. Decisions on how to respond to a suspected or confirmed privacy breach will be made on a case-by-case basis.
- Contact Western’s Information and Privacy Office (Ext. 84543)
- Contact your Dean, Chair or Supervisor
- Take steps to stop or minimize breach, where possible

Western's Information and Privacy Coordinator will work with the unit to ensure that the breach is contained, other relevant units are notified (e.g. ITS, OOR, CCPS), a full investigation is undertaken as appropriate, and steps are taken to prevent future breaches.
The following information, if known, will be helpful when reporting a breach:
- The nature of the personal information involved (e.g. name, SIN, etc.)
- The number (potential or actual) of individuals affected by the breach and who they are (e.g. employees, students)
- The possible scope of the breach (e.g. internal/external - who might have gained access to the personal information without consent or authorization, length of time before detection of breach, etc.)
- The date and/or location of the incident giving rise to the breach
- When and how the breach was discovered
Do not delay reporting a breach even if some of this information is not available.
Spring, 2008; Rev. 05/09