Examination of a Privacy Breach
What To Do When a Privacy Breach Occurs
MISA London Region Professional Network
PIM Regional Training Workshop: Privacy Breaches, Access Matrices, and Shared Policies, February 11, 2010
Kimberley Ishmael, Keel Cottrelle LLP
Slide 2: What is a privacy breach?
A privacy breach occurs when there is unauthorized access to, or collection, use, or disclosure of, personal information. Such activity is "unauthorized" if it occurs in contravention of applicable privacy legislation.
Slide 3: Privacy & School Boards
Ontario school boards are affected by the following privacy statutes: the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and the Personal Health Information Protection Act (PHIPA).
- A school board is governed by MFIPPA.
- A psychologist, social worker or speech language pathologist who collects, uses and discloses health information as part of the services they provide for students of the board is governed by PHIPA as an agent.
Slide 4: Privacy & School Boards
Violations of personal privacy frequently involve the inappropriate or inadvertent disclosure of personal information contrary to section 32 (where disclosure is permitted) of MFIPPA or section 12 (the security provision) of PHIPA.
Examples:
- Personal information may be lost (misplaced file, stolen laptop or USB key)
- Inadvertent disclosure through human error (misdirected fax or letter)
Intentional disclosure or intentional misuse is also a possibility.
Example:
- Inadequate disposal of personal information (failure to shred materials)
Slide 5
Violations of personal privacy can also occur through unauthorized collection of personal information contrary to s. 28 of MFIPPA.
Example:
- Failure to identify the collection of personal information on a standard form
Slide 6: Discovering a Privacy Breach
An institution may learn that it has breached an individual's personal privacy:
- directly, from the affected individual or organization, and/or from the staff member involved in the breach (i.e. the person who loses the USB key)
- indirectly, from other parties, such as the media, third parties, or the Information and Privacy Commissioner/Ontario (IPC)
Slide 7: Step 1: Respond
- Assess the situation to determine if a breach has occurred and what needs to be done
- Ensure that appropriate school board staff are immediately notified of the breach, including the FOI Co-ordinator
- Implement the privacy breach protocol or procedures
Slide 8: Step 2: Contain
- Identify the scope of the breach and take steps to contain it. Examples:
  - Retrieve hard copies of any personal information that has been disclosed
  - Determine whether the privacy breach would allow unauthorized access to any other personal information (e.g. an electronic information system)
  - Change file identification numbers or passwords, as necessary
- Document the breach and containment activities
Slide 9: Step 3: Investigate
Conduct an internal investigation into the breach, reviewing the circumstances surrounding the event as well as the adequacy of the existing policies and procedures in place to protect personal information:
- Type of personal information involved
- Cause and extent of the breach
- Individuals affected by the breach
- Possible harm from the breach
Slide 10: Step 4: To Notify or Not to Notify?
- Notify individuals whose personal information has been disclosed, by telephone or in writing, if necessary
- Include detailed information such as what happened, the nature of the privacy breach and the mitigating actions taken by the board
- If personal information that could lead to identity theft has been disclosed, affected individuals should be provided with information on steps they can take to protect themselves
Section 12(2) of Ontario's PHIPA includes a requirement for breach notification: "A health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons."
Slide 11
Report the privacy breach to the office of the Information and Privacy Commissioner (IPC), as appropriate. Note that the type and extent of the breach will influence your decision to notify the IPC:
- Type of personal information involved
- Cause and extent of the breach
- Individuals affected by the breach
- Possible harm from the breach
- Likelihood of a complaint
Slide 12: Step 5: Implement Change
- Address the situation on a systemic basis
- School board procedures or practices may warrant review or revision
- The breach may identify areas for employee training on privacy and security
- Evaluate the response and determine the effectiveness of the remedial action
Slide 14: Benefits of a Privacy Breach Protocol
- Mitigate the damage by immediately preventing further inappropriate disclosures of personal information
- Assure complainants and affected persons, as well as the public, the media and the IPC, that the matter is taken seriously
- Ensure that policies and procedures comply with the privacy protection provisions of MFIPPA and PHIPA and that staff are properly trained
Slide 15: Recent Cases
PHIPA, Report No. HI-050055-1 (2006)
- A laptop belonging to an employee of a school board, containing the personal health information of 37 students, was stolen.
- The section 12(2) notification requirement was met by sending notification letters to the students' parents.
- The complaint was resolved by way of informal resolution. The health information custodian agreed to update its policies and procedures to ensure compliance with the Act. In addition, educational measures were undertaken to ensure staff were aware of their obligations under the Act.
Slide 16: MFIPPA – Report No. MC
- The complaint alleged that a teacher verbally disclosed a student's probable grade on an art assignment to two other students, contrary to MFIPPA.
- The IPC confirmed that verbal disclosure of personal information falls under the privacy provisions as long as the information exists or existed at one time in recorded format.
- In this instance, the grade reportedly disclosed was not the same as the grade recorded and thus did not qualify as "personal information" under the Act.
- However, the IPC questioned the school practice relating to the display of artwork and the recorded grade as lacking reasonable measures to prevent unauthorized access, contrary to Reg. 823.
- The IPC recommended a board policy to prevent the unauthorized disclosure of student grades, specifically addressing the issue of verbal disclosures as well as the issue of displaying students' assignments.
Slide 17: Privacy Breach at the Durham Health Department
- On December 21, 2009, the IPC was notified by Durham's Officer of Health that a nurse had lost a USB memory stick containing the personal health information of over 83,000 individuals who had attended H1N1 immunization clinics in Durham.
- The personal information included names, addresses, telephone numbers, dates of birth, health card numbers and health history.
- The memory stick was not encrypted, despite the fact that encryption of mobile devices had been required since Order HO-004 in 2007.
- The IPC issued an Order (HO-007) on January 14, 2010, clearly outlining the IPC's expectation that all personal health information stored on any type of mobile device in Ontario be protected with strong encryption.
Slide 18: Theft at OTIP
- Three laptops containing the addresses and social insurance numbers of approximately 8600 elementary teachers were stolen from an OTIP office in Waterloo on December 3, 2009.
- The laptops had been locked to docking stations.
- The information contained on the laptops was not encrypted.
- OTIP notified, by letter, any insured teacher members whose information may have been compromised, advising them of the incident and providing a toll-free number for the recipient to call if further details were requested.
- OTIP spokesperson Julie Millard stated that it took fraud experts nearly two weeks of forensic work to pinpoint what information had been taken, and that the holiday break delayed the process, so affected teachers were informed in mid-January 2010: "Because of what's happened we're working faster to encrypt all our communication devices by March 2010 – laptops, Blackberries, even USB keys."
Slide 19: References
- Privacy & Information Management Toolkit, 2008
- Information and Privacy Commissioner/Ontario, What to do if a privacy breach occurs: Guidelines for government organizations, December 2006
- Information and Privacy Commissioner/Ontario, What to do When Faced With a Privacy Breach: Guidelines for the Health Sector
- Breach Notification: A Sound Business Practice, CIPC Seminar, May 2006
- Information and Privacy Commissioner/Ontario, A Privacy Breach Has Occurred – What Happens Next?, 2001
- Information and Privacy Commissioner/Ontario, Privacy Breaches: It Can Happen To You (What Not To Do), 2006
- Encrypt Your Mobile Devices: Do It Now – PHIPA Order HO-007