Privacy Breach Procedures and Checklist for (Name of Agent/Agency)

Compliance Officer: ________________________
Date: ________________________

Definition of Privacy Breach

A privacy breach occurs when there is unauthorized access to, or collection, use or disclosure of, personal information (PI) that contravenes privacy legislation. Typically, breaches occur because PI is lost, stolen, disclosed in error, or exposed as a consequence of an operational breakdown. Some of the most common privacy breaches happen when the PI of customers, patients, clients or employees is stolen or is mistakenly disclosed (e.g. a computer containing personal information is stolen, or personal information is mistakenly emailed to the wrong person).

Step 1: Contain the breach.

If you discover that a privacy breach has occurred or is occurring, notify the Compliance Officer immediately and take steps to contain the breach – don’t let any more PI escape if you can prevent it. Depending on what has happened:

□ Stop the unauthorized practice
□ Recover any records that can be recovered
□ Shut down the system that was breached
□ Revoke or change computer access codes
□ Correct weaknesses in physical or electronic security (e.g. order the locks changed)
□ Do not destroy evidence that may be necessary to investigate and to take corrective action.
□ Notify the police if the breach appears to involve theft or other criminal activity.
□ Other action to be taken ________________________

Step 2: Gather information about the incident:

o Date of occurrence ________________________
o Date discovered ________________________
o How discovered ________________________
o Location of the incident ________________________
o Cause of the incident ________________________
o Any other information you can quickly assemble ________________________
o Is there risk of ongoing breaches or further exposure of PI? ________________________
o Was the PI lost or stolen? ________________________
o If stolen, can you determine whether the information was the target of the theft? ________________________
o Has the PI been recovered? ________________________
o Is this a systemic problem or an isolated incident? ________________________
o What form was the PI in? □ Paper □ Electronic □ Other ________________________
o What physical or technical security measures were in place at the time of the incident?
  □ Reception area □ Locks □ Alarm systems □ Encryption □ Passwords □ Anonymous info. □ Other ________________________
o Did any security measures fail to perform as desired or contribute to the breach?
  □ Reception area □ Locks □ Alarm systems □ Encryption □ Passwords □ Other ________________________

Step 3: Evaluate the Breach and Associated Risks*:

o What PI was involved?
  □ Name □ Address □ Medical/health info. □ Disciplinary records □ Mental health info.
  □ Financial □ Bank account numbers □ Credit card numbers □ Insurance policy numbers □ Other ________________________
  □ Identification information □ SIN □ Driver’s License □ Health care numbers □ Other ________________________
o How sensitive was the information*? ________________________
  □ A combination of sensitive information, along with name and/or address and/or DOB and/or government-issued ID numbers, was involved. (This represents a higher risk.)
o What kinds of harm can come to individuals from the breach? ________________________
o Can this information be used for or cause:
  □ Fraud □ Identity theft □ Financial loss □ Loss of business or employment □ Humiliation □ Damage to reputation or relationships □ Physical harm, stalking, harassment
  □ Have you identified who has received the information? ________________________
  □ Have you determined the risk of further access, use or disclosure? ________________________
o What is the ability of the individual to avoid or mitigate possible harm? ________________________
o What harm can result to us? (Loss of trust, assets, financial exposure, legal proceedings.) ________________________
o The extent of the breach:
  How many individuals have been affected? ________________________
  Who are they? □ Employees □ Contractors □ Agents □ Customers □ Service providers □ Other ________________________
  What steps are needed to correct the problem? ________________________
  Is this a one-off issue or is it systemic? ________________________

Step 4: Notification of Privacy Breach

Who should be notified?
The Privacy Commissioner states: “Typically, the organization that has a direct relationship with the customer, client or employee should notify the affected individuals, including when the breach occurs at a third party service provider that has been contracted to maintain or process the personal information.” The decision as to whether to notify the affected individuals may have to be delayed so that a full risk assessment can be conducted.

o What are our legal and/or other obligations to provide notification to the individuals concerned? ________________________
o What are the reasonable expectations of the individuals concerned? ________________________
o What are our obligations to notify regulators? (At this date, Ontario, Newfoundland and Labrador, New Brunswick and Alberta require notification of affected parties when there are privacy breaches. Alberta specifically requires that the provincial Privacy Commissioner also be notified. The federal Office of the Privacy Commissioner of Canada is also seeking changes to PIPEDA that would require notifications.)
o Do we have contractual obligations to notify any insurers? ________________________
o Do any insurers expect to provide the notification, rather than us? ________________________
o If customer information was involved, do we notify the MGA involved? ________________________
o Are there others who should be notified of the breach? ________________________

If it is decided that individuals and/or insurers and/or MGAs do not need to be notified, please note the reasoning: ________________________

If affected individuals are to be notified:

o Who will notify them? ________________________
o How will they be notified? □ Phone □ Letter □ Email □ In person □ Website □ Media □ Other ________________________
o Do any third parties need to be involved?
  ________________________
o What needs to be included in the notification? Depending on the circumstances, notifications could include some of the following, but be careful to limit the amount of personal information disclosed in the notification to only what is necessary:
  o Information about the incident and its timing, in general terms;
  o A description of the personal information involved in the breach;
  o A general account of what we have done to control or reduce harm;
  o What we will do to assist individuals, and steps individuals can take to reduce the risk of harm or further protect themselves;
  o Sources of information designed to assist individuals in protecting against identity theft;
  o Contact information for who can answer questions or provide further information;
  o Whether we have notified a privacy commissioner’s office;
  o Additional contact information for raising any privacy concerns with us; and
  o Contact information for the appropriate privacy commissioner(s).

Step 5: Prevent Future Breaches

What short and long term steps do we need to take to correct the situation?

□ Staff training
□ Review and revise our policy and procedures
□ Regular privacy audits
□ Investment in electronic and/or physical security safeguards
□ Other ________________________
  ________________________
  ________________________