Examination of a Privacy Breach - PowerPoint PPT Presentation

1 / 19
About This Presentation
Title:

Examination of a Privacy Breach

Description:

Examination of a Privacy Breach WHAT TO DO WHEN A PRIVACY BREACH OCCURS MISA London Region Professional Network PIM Regional Training Workshop: Privacy Breaches ... – PowerPoint PPT presentation

Number of Views:60
Avg rating:3.0/5.0
Slides: 20
Provided by: KimberlyI150
Category:

less

Transcript and Presenter's Notes

Title: Examination of a Privacy Breach


1
Examination of a Privacy Breach
  • WHAT TO DO WHEN A PRIVACY BREACH OCCURS
  • MISA London Region Professional Network
  • PIM Regional Training Workshop Privacy Breaches,
    Access Matrices, and Shared Policies, February
    11, 2010
  • Kimberley Ishmael, Keel Cottrelle LLP

2
What is a privacy breach?
  • A privacy breach occurs when there is
    unauthorized access to, or collection, use, or
    disclosure of, personal information
  • Such activity is unauthorized if it occurs in
    contravention of applicable privacy legislation

3
Privacy School Boards
  • Ontario school boards are affected by the
    following privacy statutes Municipal Freedom of
    Information and Protection of Privacy Act
    (MFIPPA) and Personal Health Information
    Protection Act (PHIPA)
  • A school board is governed by MFIPPA
  • A psychologist/social worker/speech language
    pathologist who collects, uses and discloses
    health information as part of the services they
    provide for students of the board is governed by
    PHIPA as an agent

4
Privacy School Boards
  • Violations of personal privacy frequently involve
    the inappropriate or inadvertent disclosure of
    personal information contrary to section 32
    (where disclosure permitted) of MFIPPA or section
    12 (security provision) of PHIPA
  • Examples
  • personal information may be lost (file misplaced,
    stolen laptop or USB)
  • Inadvertent disclosure through human error
    (misdirected fax or letter)
  • Intentional disclosures or intentional misuse is
    also a possibility
  • Example
  • Inadequate disposal of personal information
    (failure to shred materials)

5
  • Violations of personal privacy can also occur by
    unauthorized collection of personal information
    contrary to s. 28 of MFIPPA
  • Example
  • Failure to identify the collection of personal
    information on a standard form

6
Discovering a Privacy Breach
  • An institution may learn that it has breached an
    individuals personal privacy
  • directly from the affected individual or
    organization, and/or
  • Staff member involved in the breach i.e. person
    who loses USB
  • indirectly, from other parties, such as the media
    or third parties, Information and Privacy
    Commissioner/Ontario (IPC)

7
Step 1 Respond
  • Assess the situation to determine if a breach has
    occurred and what needs to be done
  • Ensure that appropriate school board staff are
    immediately notified of the breach, including the
    FOI Co-ordinator
  • Implement privacy breach protocol or procedures

8
Step 2 Contain
  • Identify the scope of the breach and take steps
    to contain it
  • Examples
  • Retrieve hard copies of any personal information
    that have been disclosed
  • Determine whether the privacy breach would allow
    unauthorized access to any other personal
    information (ex. an electronic information
    system)
  • Change file identification numbers or passwords,
    as necessary
  • Document the breach and containment activities

9
Step 3 Investigate
  • Conduct an internal investigation into the
    breach, reviewing the circumstances surrounding
    the event as well as the adequacy of existing
    policies and procedures in place to protect
    personal information
  • Type of personal information involved
  • Cause and extent of the breach
  • Individuals affected by the breach
  • Possible harm from the breach.

10
Step 4 To Notify or Not to Notify?
  • Notify individuals whose personal information has
    been disclosed, by telephone or in writing, if
    necessary
  • Include detailed information such as what
    happened the nature of the privacy breach and
    the mitigating actions taken by the board
  • If personal information that could lead to
    identity theft has been disclosed, affected
    individuals should be provided with information
    on steps they can take to protect themselves
  • Section 12(2) of Ontarios PHIPA includes a
    requirement for breach notification
  • A health information custodian that has custody
    or control of personal health information about
    an individual shall notify the individual at the
    first reasonable opportunity if the information
    is stolen, lost, or accessed by unauthorized
    persons.

11
  • Report the privacy breach to the office of the
    Information and Privacy Commissioner (IPC), as
    appropriate
  • Note that the type and extent of the breach will
    influence your decision to notify the IPC
  • Type of personal information involved
  • Cause and extent of the breach
  • Individuals affected by the breach
  • Possible harm from the breach
  • Likelihood of a complaint.

12
Step 5 Implement Change
  • Address the situation on a systemic basis
  • School board procedures or practices may warrant
    review or revision
  • Breach may identify areas for employee training
    on privacy and security
  • Evaluate the response and determine the
    effectiveness of the remedial action

13
Proactive Measures to Avoid Privacy Breaches
  • Comply with the privacy laws governing the
    collection, retention, use and disclosure of
    personal information set out in MFIPPA and PHIPA
  • Comply with the regulations under the Acts
    governing the safe and secure disposal of
    personal information and the security of records
  • Ensure appropriate clauses for compliance in
    legal agreements with service providers
  • Obtaining advice from your boards legal
    department and FOI Co-ordinator
  • Consulting with the IPCs Policy and Compliance
    Department in appropriate situations
  • Consider random spot audits of privacy policy
    compliance
  • Develop an information culture that respects
    privacy, mitigates risk, and increases awareness

14
Benefits of a Privacy Breach Protocol
  • Mitigate the damage by immediately preventing
    further inappropriate disclosures of personal
    information
  • Assure complainants and affected persons as well
    as the public, the media, and the IPC that the
    matter is taken seriously and
  • Ensure that policies and procedures comply with
    the privacy protection provisions of MFIPPA and
    PHIPA and that staff are properly trained

15
Recent Cases
  • PHIPA, Report No. HI-050055-1(2006)
  • A laptop belonging to an employee of a school
    board that contained the personal health
    information of 37 students was stolen.
  • Section 12(2) notification requirement was met by
    sending notification letters to students
    parents.
  • Complaint resolved by way of informal resolution.
    Health information custodian agreed to update
    their policies and procedures to ensure
    compliance with the Act. In addition, educational
    measures were undertaken to ensure staff were
    aware of their obligations under the Act.

16
  • MFIPPA Report No. MC-020008-1
  • Complaint alleged that a teacher verbally
    disclosed a students probable grade on an art
    assignment with two other students, contrary to
    MFIPPA
  • IPC confirmed that verbal disclosure of personal
    information falls under privacy provisions as
    long as the information exists or existed at one
    time in recorded format
  • In this instance, grade reportedly disclosed was
    not the same as grade recorded thus did not
    qualify as personal information under the Act
  • However, IPC questioned the school practice
    relating to display of artwork and recorded grade
    as lacking reasonable measures to prevent
    unauthorized access, contrary to Reg. 823
  • IPC recommended a board policy to prevent the
    unauthorized disclosure of student grades,
    specifically addressing the issue of verbal
    disclosures as well as the issue of displaying
    students assignments

17
  • Privacy Breach at the Durham Health Department
  • On December 21, 2009, IPC was notified by
    Durhams Officer of Health that a nurse had lost
    a USB memory stick containing the personal health
    information of over 83,000 individuals who had
    attended H1N1 immunization clinics in Durham
  • The personal information included names,
    addresses, telephone numbers, dates of birth,
    health card numbers and health history.
  • The memory stick was not encrypted, despite the
    fact that the encryption of mobile devices was
    required as of Order HO-004 in 2007.
  • The IPC issued an Order (HO-007) on January 14,
    2010 clearly outlining the IPCs expectation that
    all personal health information stored on any
    type of mobile device in Ontario be protected
    with strong encryption

18
  • Theft at OTIP
  • 3 laptops containing addresses and social
    insurance numbers of approximately 8600
    elementary teachers was stolen from an OTIP
    office in Waterloo on December 3, 2009
  • The laptops had been locked to docking stations
  • The information contained on the laptops was not
    encrypted
  • OTIP notified any insured teacher members whose
    information may have been compromised by letter
    advising of the incident and provided a toll-free
    number for the recipient to contact in the event
    further details were requested
  • OTIP Spokesperson, Julie Millard, stated that it
    took fraud experts nearly two weeks of forensic
    work to pinpoint what information had been taken,
    and the holiday break delayed the process so
    affected teachers were informed in mid January
    2010
  • Because of whats happened were working faster
    to encrypt all our communication devices by March
    2010 laptops, Blackberries, even USB keys

19
References
  • Privacy Information Management Toolkit, 2008
  • Information and Privacy Commissioner/Ontario,
    What to do if a privacy breach occurs Guidelines
    for government organizations, December 2006
  • Information and Privacy Commissioner/Ontario,
    What to do When Faced With a Privacy Breach
    Guidelines for the Health Sector
  • Breach Notification A Sound Business Practice,
    CIPC Seminar, May 2006
  • Information and Privacy Commissioner/Ontario, A
    Privacy Breach Has Occurred What Happens Next?,
    2001
  • Information and Privacy Commissioner/Ontario,
    Privacy Breaches It Can Happen To You (What Not
    To Do), 2006
  • Encrypt Your Mobile Devices Do It Now - PHIPA
    Order HO-007
Write a Comment
User Comments (0)
About PowerShow.com