Examination of a Privacy Breach

1
Examination of a Privacy Breach

• WHAT TO DO WHEN A PRIVACY BREACH OCCURS
• MISA London Region Professional Network
• PIM Regional Training Workshop Privacy Breaches,
  Access Matrices, and Shared Policies, February
  11, 2010
• Kimberley Ishmael, Keel Cottrelle LLP

2
What is a privacy breach?

• A privacy breach occurs when there is
  unauthorized access to, or collection, use, or
  disclosure of, personal information
• Such activity is unauthorized if it occurs in
  contravention of applicable privacy legislation

3
Privacy School Boards

• Ontario school boards are affected by the
  following privacy statutes Municipal Freedom of
  Information and Protection of Privacy Act
  (MFIPPA) and Personal Health Information
  Protection Act (PHIPA)
• A school board is governed by MFIPPA
• A psychologist/social worker/speech language
  pathologist who collects, uses and discloses
  health information as part of the services they
  provide for students of the board is governed by
  PHIPA as an agent

4
Privacy School Boards

• Violations of personal privacy frequently involve
  the inappropriate or inadvertent disclosure of
  personal information contrary to section 32
  (where disclosure permitted) of MFIPPA or section
  12 (security provision) of PHIPA
• Examples
• personal information may be lost (file misplaced,
  stolen laptop or USB)
• Inadvertent disclosure through human error
  (misdirected fax or letter)
• Intentional disclosures or intentional misuse is
  also a possibility
• Example
• Inadequate disposal of personal information
  (failure to shred materials)

5

• Violations of personal privacy can also occur by
  unauthorized collection of personal information
  contrary to s. 28 of MFIPPA
• Example
• Failure to identify the collection of personal
  information on a standard form

6
Discovering a Privacy Breach

• An institution may learn that it has breached an
  individuals personal privacy
• directly from the affected individual or
  organization, and/or
• Staff member involved in the breach i.e. person
  who loses USB
• indirectly, from other parties, such as the media
  or third parties, Information and Privacy
  Commissioner/Ontario (IPC)

7
Step 1 Respond

• Assess the situation to determine if a breach has
  occurred and what needs to be done
• Ensure that appropriate school board staff are
  immediately notified of the breach, including the
  FOI Co-ordinator
• Implement privacy breach protocol or procedures

8
Step 2 Contain

• Identify the scope of the breach and take steps
  to contain it
• Examples
• Retrieve hard copies of any personal information
  that have been disclosed
• Determine whether the privacy breach would allow
  unauthorized access to any other personal
  information (ex. an electronic information
  system)
• Change file identification numbers or passwords,
  as necessary
• Document the breach and containment activities

9
Step 3 Investigate

• Conduct an internal investigation into the
  breach, reviewing the circumstances surrounding
  the event as well as the adequacy of existing
  policies and procedures in place to protect
  personal information
• Type of personal information involved
• Cause and extent of the breach
• Individuals affected by the breach
• Possible harm from the breach.

10
Step 4 To Notify or Not to Notify?

• Notify individuals whose personal information has
  been disclosed, by telephone or in writing, if
  necessary
• Include detailed information such as what
  happened the nature of the privacy breach and
  the mitigating actions taken by the board
• If personal information that could lead to
  identity theft has been disclosed, affected
  individuals should be provided with information
  on steps they can take to protect themselves
• Section 12(2) of Ontarios PHIPA includes a
  requirement for breach notification
• A health information custodian that has custody
  or control of personal health information about
  an individual shall notify the individual at the
  first reasonable opportunity if the information
  is stolen, lost, or accessed by unauthorized
  persons.

11

• Report the privacy breach to the office of the
  Information and Privacy Commissioner (IPC), as
  appropriate
• Note that the type and extent of the breach will
  influence your decision to notify the IPC
• Type of personal information involved
• Cause and extent of the breach
• Individuals affected by the breach
• Possible harm from the breach
• Likelihood of a complaint.

12
Step 5 Implement Change

• Address the situation on a systemic basis
• School board procedures or practices may warrant
  review or revision
• Breach may identify areas for employee training
  on privacy and security
• Evaluate the response and determine the
  effectiveness of the remedial action

13
Proactive Measures to Avoid Privacy Breaches

• Comply with the privacy laws governing the
  collection, retention, use and disclosure of
  personal information set out in MFIPPA and PHIPA
• Comply with the regulations under the Acts
  governing the safe and secure disposal of
  personal information and the security of records
• Ensure appropriate clauses for compliance in
  legal agreements with service providers

• Obtaining advice from your boards legal
  department and FOI Co-ordinator
• Consulting with the IPCs Policy and Compliance
  Department in appropriate situations
• Consider random spot audits of privacy policy
  compliance
• Develop an information culture that respects
  privacy, mitigates risk, and increases awareness

14
Benefits of a Privacy Breach Protocol

• Mitigate the damage by immediately preventing
  further inappropriate disclosures of personal
  information
• Assure complainants and affected persons as well
  as the public, the media, and the IPC that the
  matter is taken seriously and
• Ensure that policies and procedures comply with
  the privacy protection provisions of MFIPPA and
  PHIPA and that staff are properly trained

15
Recent Cases

• PHIPA, Report No. HI-050055-1(2006)
• A laptop belonging to an employee of a school
  board that contained the personal health
  information of 37 students was stolen.
• Section 12(2) notification requirement was met by
  sending notification letters to students
  parents.
• Complaint resolved by way of informal resolution.
  Health information custodian agreed to update
  their policies and procedures to ensure
  compliance with the Act. In addition, educational
  measures were undertaken to ensure staff were
  aware of their obligations under the Act.

16

• MFIPPA Report No. MC-020008-1
• Complaint alleged that a teacher verbally
  disclosed a students probable grade on an art
  assignment with two other students, contrary to
  MFIPPA
• IPC confirmed that verbal disclosure of personal
  information falls under privacy provisions as
  long as the information exists or existed at one
  time in recorded format
• In this instance, grade reportedly disclosed was
  not the same as grade recorded thus did not
  qualify as personal information under the Act
• However, IPC questioned the school practice
  relating to display of artwork and recorded grade
  as lacking reasonable measures to prevent
  unauthorized access, contrary to Reg. 823
• IPC recommended a board policy to prevent the
  unauthorized disclosure of student grades,
  specifically addressing the issue of verbal
  disclosures as well as the issue of displaying
  students assignments

17

• Privacy Breach at the Durham Health Department
• On December 21, 2009, IPC was notified by
  Durhams Officer of Health that a nurse had lost
  a USB memory stick containing the personal health
  information of over 83,000 individuals who had
  attended H1N1 immunization clinics in Durham
• The personal information included names,
  addresses, telephone numbers, dates of birth,
  health card numbers and health history.
• The memory stick was not encrypted, despite the
  fact that the encryption of mobile devices was
  required as of Order HO-004 in 2007.
• The IPC issued an Order (HO-007) on January 14,
  2010 clearly outlining the IPCs expectation that
  all personal health information stored on any
  type of mobile device in Ontario be protected
  with strong encryption

18

• Theft at OTIP
• 3 laptops containing addresses and social
  insurance numbers of approximately 8600
  elementary teachers was stolen from an OTIP
  office in Waterloo on December 3, 2009
• The laptops had been locked to docking stations
• The information contained on the laptops was not
  encrypted
• OTIP notified any insured teacher members whose
  information may have been compromised by letter
  advising of the incident and provided a toll-free
  number for the recipient to contact in the event
  further details were requested
• OTIP Spokesperson, Julie Millard, stated that it
  took fraud experts nearly two weeks of forensic
  work to pinpoint what information had been taken,
  and the holiday break delayed the process so
  affected teachers were informed in mid January
  2010
• Because of whats happened were working faster
  to encrypt all our communication devices by March
  2010 laptops, Blackberries, even USB keys

19
References

• Privacy Information Management Toolkit, 2008
• Information and Privacy Commissioner/Ontario,
  What to do if a privacy breach occurs Guidelines
  for government organizations, December 2006
• Information and Privacy Commissioner/Ontario,
  What to do When Faced With a Privacy Breach
  Guidelines for the Health Sector
• Breach Notification A Sound Business Practice,
  CIPC Seminar, May 2006
• Information and Privacy Commissioner/Ontario, A
  Privacy Breach Has Occurred What Happens Next?,
  2001
• Information and Privacy Commissioner/Ontario,
  Privacy Breaches It Can Happen To You (What Not
  To Do), 2006
• Encrypt Your Mobile Devices Do It Now - PHIPA
  Order HO-007