
Guidelines for reporting and responding to a Privacy Incident

The following guidelines are intended to inform the community as to the process when a Privacy Incident has occurred.

1. Introduction

Any breach of Personal Information, defined below, can have an impact on the individual(s) concerned.

The University must act responsibly, effectively and in accordance with the Act respecting Access to documents held by public bodies and the Protection of personal information chapter A-2.1 (the “Act”) when responding to an incident that threatens to compromise the security of Personal Information. These Guidelines are intended to inform the community as to the process followed when a Privacy Incident, as defined below, has occurred.

2. Context

These Guidelines are to be interpreted in conjunction with other Concordia policies and guidelines, including but not limited to:

3. Definitions

• “CAI” means the Commission d’accès à l’information du Québec;

• “Privacy Incident” means any incident, actual or suspected, involving the:

a) unauthorized access to Personal Information;

b) unauthorized use of Personal Information;

c) unauthorized disclosure of Personal Information;

d) loss of Personal Information; or

e) any other breach of the protection of such information.

Some examples of Privacy Incidents include:

  • The consultation of information concerning students or employees for personal purposes;
  • The collection of Personal Information that is not required for the performance of the duties of University personnel at the time of collection;
  • The transmission of an e-mail containing Personal Information to the wrong recipient;
  • The theft or loss of a laptop containing Personal Information;
  • The unauthorized disclosure of Personal Information to any public or private organization;
  • The loss of a USB key containing Personal Information;
  • The disclosure, whether intentional or not, of Personal Information to colleagues who are not authorized to consult such information;
  • A data breach caused by the hacking of a service provider who hosts, on their servers and/or cloud, Personal Information provided by Concordia.
  • “Notification” means the action of notifying the concerned individuals and/or the CAI of a Privacy Incident.
  • “Personal Information” means any information which relates to a natural person and allows that person to be identified directly or indirectly. Such Personal Information could include a person’s name, address, phone number, photo, social insurance number, date and place of birth, health record, education history, degrees, employment history, marital status, etc.
  • “Privacy Ambassador” means a person who is designated in certain departments and/or units and who has received training regarding the tools and procedures relating to the protection of Personal Information and specifically the steps to take when a Privacy Incident may have occurred.
  • “Privacy Officer” means the person in charge of the Protection of Personal Information within the University. The Privacy Officer may delegate their functions under this Plan, as appropriate.
  • “Member(s)” means any student and any full-time, part-time or temporary employee of the University, including staff, faculty, postdoctoral fellows, researchers, members of the administration, stagiaires, interns and volunteers.
  • “Privacy Committee” refers to the committee responsible for supporting the University in carrying out its responsibilities and obligations under the Act respecting Access to documents held by public bodies and the Protection of Personal Information, A-2.1.
  • “Sensitive Personal Information” means any Personal Information which, due to its highly personal nature, and/or the context of its use or communication, requires a higher level of confidentiality.

4. Procedure for reporting and handling of a Privacy Incident

The following procedure applies to the reporting and handling of a Privacy Incident:

Identification of Incident

Any Member who suspects or has discovered that a Privacy Incident has occurred must immediately notify the designated Privacy Ambassador in their department or unit. The Privacy Ambassador must report the Incident to the Privacy Officer within 24 hours by completing the form here. If the Member cannot identify a Privacy Ambassador in their unit, they may fill out the form here or contact the Privacy Office by email at privacy.office@concordia.ca.

Any third party, such as a service provider or agent, who holds Personal Information for the University must report any Privacy Incident to the Privacy Officer within 24 hours by email at privacy.office@concordia.ca.

Assessment

When informed of a suspected or an actual Privacy Incident, the Privacy Officer will make an initial assessment of the Privacy Incident. After this initial assessment, the Privacy Officer will decide whether to convene a meeting of the University’s Incident Response Team (“IRT”). The IRT may, among other actions:

1. Determine the identity of the individual(s) whose Personal Information may have been compromised;
2. Determine the nature of the compromised Personal Information;
3. Assess the degree of sensitivity of the compromised information and the possibility that the incident included Sensitive Personal Information;
4. Determine the number of individuals affected;
5. Determine whether the Personal Information has been encrypted, anonymized, or otherwise made inaccessible;
6. Assess if and how the Personal Information could be used for harmful purposes;
7. Assess whether the Privacy Incident is a systemic problem or an isolated case;
8. Determine who received the Personal Information and assess whether there is a link between the unauthorized recipients and the persons involved in the Privacy Incident.

Notification of Incident (if required)

Where the IRT, in consultation with the Privacy Officer, determines that a Privacy Incident poses a risk of serious injury to the individual(s) concerned, the Privacy Officer may decide to bring the matter to the Privacy Committee for discussion and recommendation regarding Notification to the individuals affected by the Privacy Incident and to the CAI. The Privacy Officer or delegate will work closely with University Communications Services (UCS) to ensure that appropriate internal and external communications relating to the Privacy Incident are provided.

Recovery

The IRT continually monitors the initial assessment and investigation to determine if anything more can be done to contain and limit the effects of the Privacy Incident. If necessary, the IRT assesses how best to restore any affected system. Systems and/or activities should be restored as quickly as possible provided that this does not create further security problems, expose the University to the risk of additional incidents or result in the unintended loss or destruction of evidence.

Prevention

Once measures have been taken to limit and mitigate the risks associated with the Privacy Incident, long-term safeguards may need to be developed or enhanced. Special consideration is given to auditing the technical and physical security protocols in place at the time of the Privacy Incident. Where appropriate, the Privacy Officer reviews and updates the University’s policies taking into account lessons learned from the Privacy Incident.

Questions and comments

For questions or for more information on accessing documents held by Concordia, please contact:

Gabriel Desjardins
Officer, Access and Privacy
Office of the Secretary-General
gabriel.desjardins@concordia.ca
514-848-2424, ext. 4804


© Concordia University