Examination of a Privacy Breach

Presentation transcript:

Examination of a Privacy Breach
WHAT TO DO WHEN A PRIVACY BREACH OCCURS
MISA London Region Professional Network, PIM Regional Training Workshop: Privacy Breaches, Access Matrices, and Shared Policies, February 11, 2010
Kimberley Ishmael, Keel Cottrelle LLP

What is a privacy breach?
- A privacy breach occurs when there is unauthorized access to, or collection, use, or disclosure of, personal information.
- Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation.

Privacy & School Boards
- Ontario school boards are affected by the following privacy statutes: the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and the Personal Health Information Protection Act (PHIPA).
- A school board is governed by MFIPPA.
- A psychologist, social worker or speech-language pathologist who collects, uses and discloses health information as part of the services they provide for students of the board is governed by PHIPA as an agent.

Privacy & School Boards
- Violations of personal privacy frequently involve the inappropriate or inadvertent disclosure of personal information contrary to section 32 (where disclosure is permitted) of MFIPPA or section 12 (security provision) of PHIPA.
- Examples:
  - Personal information may be lost (misplaced file, stolen laptop or USB key).
  - Inadvertent disclosure through human error (misdirected fax or letter).
- Intentional disclosures or intentional misuse are also a possibility.
- Example: inadequate disposal of personal information (failure to shred materials).

- Violations of personal privacy can also occur by unauthorized collection of personal information contrary to s. 28 of MFIPPA.
- Example: failure to identify the collection of personal information on a standard form.

Discovering a Privacy Breach
An institution may learn that it has breached an individual’s personal privacy:
- directly, from the affected individual or organization, and/or the staff member involved in the breach (e.g. the person who loses the USB key); or
- indirectly, from other parties, such as the media or third parties, or the Information and Privacy Commissioner/Ontario (IPC).

Step 1: Respond
- Assess the situation to determine if a breach has occurred and what needs to be done.
- Ensure that appropriate school board staff are immediately notified of the breach, including the FOI Co-ordinator.
- Implement the privacy breach protocol or procedures.

Step 2: Contain
- Identify the scope of the breach and take steps to contain it. Examples:
  - Retrieve hard copies of any personal information that has been disclosed.
  - Determine whether the privacy breach would allow unauthorized access to any other personal information (e.g. an electronic information system).
  - Change file identification numbers or passwords, as necessary.
- Document the breach and containment activities.

Step 3: Investigate
- Conduct an internal investigation into the breach, reviewing the circumstances surrounding the event as well as the adequacy of existing policies and procedures in place to protect personal information:
  - type of personal information involved;
  - cause and extent of the breach;
  - individuals affected by the breach;
  - possible harm from the breach.

Step 4: To Notify or Not to Notify?
- Notify individuals whose personal information has been disclosed, by telephone or in writing, if necessary.
- Include detailed information such as what happened, the nature of the privacy breach and the mitigating actions taken by the board.
- If personal information that could lead to identity theft has been disclosed, affected individuals should be provided with information on steps they can take to protect themselves.
- Section 12(2) of Ontario’s PHIPA includes a requirement for breach notification: “A health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons.”

- Report the privacy breach to the office of the Information and Privacy Commissioner (IPC), as appropriate.
- Note that the type and extent of the breach will influence your decision to notify the IPC:
  - type of personal information involved;
  - cause and extent of the breach;
  - individuals affected by the breach;
  - possible harm from the breach;
  - likelihood of a complaint.

Step 5: Implement Change
- Address the situation on a systemic basis.
- School board procedures or practices may warrant review or revision.
- The breach may identify areas for employee training on privacy and security.
- Evaluate the response and determine the effectiveness of the remedial action.

Proactive Measures to Avoid Privacy Breaches
- Comply with the privacy laws governing the collection, retention, use and disclosure of personal information set out in MFIPPA and PHIPA.
- Comply with the regulations under the Acts governing the safe and secure disposal of personal information and the security of records.
- Ensure appropriate clauses for compliance in legal agreements with service providers.
- Obtain advice from your board’s legal department and FOI Co-ordinator.
- Consult with the IPC’s Policy and Compliance Department in appropriate situations.
- Consider random spot audits of privacy policy compliance.
- Develop an information culture that respects privacy, mitigates risk, and increases awareness.

Benefits of a Privacy Breach Protocol
- Mitigate the damage by immediately preventing further inappropriate disclosures of personal information;
- Assure complainants and affected persons, as well as the public, the media, and the IPC, that the matter is taken seriously; and
- Ensure that policies and procedures comply with the privacy protection provisions of MFIPPA and PHIPA and that staff are properly trained.

Recent Cases
PHIPA, Report No. HI-050055-1 (2006)
- A laptop belonging to an employee of a school board that contained the personal health information of 37 students was stolen.
- The section 12(2) notification requirement was met by sending notification letters to students’ parents.
- The complaint was resolved by way of informal resolution.
- The health information custodian agreed to update its policies and procedures to ensure compliance with the Act. In addition, educational measures were undertaken to ensure staff were aware of their obligations under the Act.

MFIPPA, Report No. MC-020008-1
- The complaint alleged that a teacher verbally disclosed a student’s probable grade on an art assignment to two other students, contrary to MFIPPA.
- The IPC confirmed that verbal disclosure of personal information falls under the privacy provisions as long as the information exists or existed at one time in recorded format.
- In this instance, the grade reportedly disclosed was not the same as the grade recorded and thus did not qualify as “personal information” under the Act.
- However, the IPC questioned the school practice relating to the display of artwork and recorded grades as lacking reasonable measures to prevent unauthorized access, contrary to Reg. 823.
- The IPC recommended a board policy to prevent the unauthorized disclosure of student grades, specifically addressing the issue of verbal disclosures as well as the issue of displaying students’ assignments.

Privacy Breach at the Durham Health Department
- On December 21, 2009, the IPC was notified by Durham’s Officer of Health that a nurse had lost a USB memory stick containing the personal health information of over 83,000 individuals who had attended H1N1 immunization clinics in Durham.
- The personal information included names, addresses, telephone numbers, dates of birth, health card numbers and health history.
- The memory stick was not encrypted, despite the fact that the encryption of mobile devices had been required since Order HO-004 in 2007.
- The IPC issued an Order (HO-007) on January 14, 2010 clearly outlining the IPC’s expectation that all personal health information stored on any type of mobile device in Ontario be protected with strong encryption.

Theft at OTIP
- 3 laptops containing the addresses and social insurance numbers of approximately 8,600 elementary teachers were stolen from an OTIP office in Waterloo on December 3, 2009.
- The laptops had been locked to docking stations; the information contained on the laptops was not encrypted.
- OTIP notified, by letter, any insured teacher members whose information may have been compromised, advising of the incident and providing a toll-free number for the recipient to contact in the event further details were requested.
- OTIP spokesperson Julie Millard stated that it took fraud experts nearly two weeks of forensic work to pinpoint what information had been taken, and the holiday break delayed the process, so affected teachers were informed in mid-January 2010.
- “Because of what’s happened we’re working faster to encrypt all our communication devices by March 2010 – laptops, Blackberries, even USB keys”

References
- Privacy & Information Management Toolkit, 2008
- Information and Privacy Commissioner/Ontario, What to do if a privacy breach occurs: Guidelines for government organizations, December 2006
- Information and Privacy Commissioner/Ontario, What to do When Faced With a Privacy Breach: Guidelines for the Health Sector
- Breach Notification: A Sound Business Practice, CIPC Seminar, May 2006
- Information and Privacy Commissioner/Ontario, A Privacy Breach Has Occurred – What Happens Next?, 2001
- Information and Privacy Commissioner/Ontario, Privacy Breaches: It Can Happen To You (What Not To Do), 2006
- Encrypt Your Mobile Devices: Do It Now – PHIPA Order HO-007