Privacy Breach Procedures and Checklist for (Name of Agent/Agency)
Compliance Officer: Date:
Definition of Privacy Breach
A privacy breach occurs when there is unauthorized access to, or collection, use or disclosure of, personal information (PI) that contravenes privacy legislation. Typically, breaches occur because PI is lost, stolen, disclosed in error or as a consequence of an operational breakdown. Some of the most common privacy breaches happen when PI of customers, patients, clients or employees is stolen or personal information is mistakenly disclosed (e.g. a computer containing personal information is stolen, or personal information is mistakenly emailed to the wrong person).
Step 1: Contain the breach.
If you discover a privacy breach has occurred or is occurring, notify the Compliance Officer immediately and take steps to contain the breach – don’t let any more PI escape if you can prevent it. Depending on what has happened:
□ Stop the unauthorized practice
□ Recover any records that can be recovered
□ Shut down the system that was breached
□ Revoke or change computer access codes
□ Correct weaknesses in physical or electronic security (e.g. have the locks changed)
□ Do not destroy evidence that may be necessary to investigate and to take corrective action.
□ Notify the police if the breach appears to involve theft or other criminal activity.
□ Other action to be taken ______
Step 2: Gather information about the incident:
- Date of occurrence______
- Date discovered______
- How discovered______
- Location of the incident______
- Cause of the incident______
- Any other information you can quickly assemble______
- Is there risk of ongoing breaches or further exposure of PI? ______
- Was the PI lost or stolen? ______
- If stolen, can you determine whether the information was the target of theft? ______
- Has the PI been recovered? ______
- Is this a systemic problem or isolated incident? ______
- What form was the PI in?
□ Paper
□ Electronic
□ Other ______
- What physical or technical security measures were in place at the time of the incident?
□ Reception area
□ Encryption
□ Passwords
□ Locks
□ Alarm systems
□ Anonymous info.
□ Other ______
- Did any security measures fail to perform as desired or contribute to the breach?
□ Reception area
□ Encryption
□ Locks
□ Passwords
□ Alarm systems
□ Other ______
Step 3: Evaluate the Breach and Associated Risks*:
- What PI was involved?
□ Name
□ Address
□ Medical/health info.
□ Disciplinary records
□ Mental health info.
□ Financial
□ Bank account numbers
□ Credit card numbers
□ Insurance policy numbers
□ Other ______
□ Identification information
□ SIN
□ Driver’s License
□ Health care numbers
□ Other ______
- How sensitive was the information*? ______
□ A combination of sensitive information, along with name and/or address and/or DOB and/or government-issued ID numbers was involved. (This represents a higher risk).
- What kinds of harm can come to individuals from the breach? ______
- Can this information be used for or cause:
□ Fraud
□ Identity theft
□ Financial loss
□ Loss of business or employment
□ Humiliation
□ Damage to reputation or relationships
□ Physical harm, stalking, harassment
- Have you identified who has received the information? ______
- Have you determined the risk of further access, use or disclosure? ______
- What is the ability of the individual to avoid or mitigate possible harm? ______
- What harm can result to us? (Loss of trust, assets, financial exposure, legal proceedings.) ______
- The extent of the breach: how many individuals have been affected? ______
- Who are they?
□ Employees
□ Contractors
□ Agents
□ Customers
□ Service providers
□ Other ______
- What steps are needed to correct the problem? ______
- Is this a one-off issue or is it systemic? ______
Step 4: Notification of Privacy Breach
Who should be notified?
The Privacy Commissioner states “Typically, the organization that has a direct relationship with the customer, client or employee should notify the affected individuals, including when the breach occurs at a third party service provider that has been contracted to maintain or process the personal information.” The decision as to whether to notify the affected individuals may have to be delayed in order for a full risk assessment to be conducted.
- What are our legal and/or other obligations to provide notification to the individuals concerned? ______
- What are the reasonable expectations of the individuals concerned? ______
- What are our obligations to notify regulators? (At this date, Ontario, Newfoundland and Labrador, New Brunswick and Alberta require notification of affected parties when there are privacy breaches. Alberta specifically requires that the provincial Privacy Commissioner also be notified. The federal Office of the Privacy Commissioner of Canada is also seeking changes to PIPEDA, which would require notifications).
- Do we have contractual obligations to notify any insurers? ______
- Do any insurers expect to provide the notification, rather than us? ______
- If customer information was involved, do we notify the MGA involved? ______
- Are there others who should be notified of the breach? ______
If it is decided that individuals and/or insurers and/or MGAs do not need to be notified, please note the reasoning: ______
If affected individuals are to be notified:
- Who will notify them? ______
- How will they be notified?
□ Phone
□ Letter
□ In person
□ Website
□ Media
□ Other ______
- Do any third parties need to be involved? ______
- What needs to be included in the notification?
Depending on the circumstances, notifications could include some of the following, but be careful to limit the amount of personal information disclosed in the notification to only what is necessary:
- Information about the incident and its timing in general terms;
- A description of the personal information involved in the breach;
- A general account of what we have done to control or reduce harm;
- What we will do to assist individuals and steps individuals can take to reduce the risk of harm or further protect themselves;
- Sources of information designed to assist individuals in protecting against identity theft;
- Contact information of who can answer questions or provide further information;
- Whether we have notified a privacy commissioner’s office;
- Additional contact information to address any privacy concerns to us; and
- Contact information for the appropriate privacy commissioner(s).
Step 5: Prevent Future Breaches
What short and long term steps do we need to take to correct the situation?
□ Staff training
□ Review and revise our policy and procedures
□ Regular privacy audits
□ Investment in electronic and/or physical security safeguards
□ Other ______