Examination of a Privacy Breach

WHAT TO DO WHEN A PRIVACY BREACH OCCURS
MISA London Region Professional Network
PIM Regional Training Workshop: Privacy Breaches, Access Matrices, and Shared Policies, February 11, 2010
Kimberley Ishmael, Keel Cottrelle LLP
What is a privacy breach?
A privacy breach occurs when there is unauthorized access to, or collection, use, or disclosure of, personal information
- Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation

Privacy & School Boards

Ontario school boards are affected by the following privacy statutes: Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and Personal Health Information Protection Act (PHIPA)
- A school board is governed by MFIPPA;
- A psychologist/social worker/speech language pathologist who collects, uses and discloses health information as part of the services they provide for students of the board is governed by PHIPA as an agent
Privacy & School Boards

Violations of personal privacy frequently involve the inappropriate or inadvertent disclosure of personal information contrary to section 32 (where disclosure permitted) of MFIPPA or section 12 (security provision) of PHIPA

Examples:
- Personal information may be lost (file misplaced, stolen laptop or USB)
- Inadvertent disclosure through human error (misdirected fax or letter)

Intentional disclosures or intentional misuse is also a possibility

Example:
- Inadequate disposal of personal information (failure to shred materials)

Violations of personal privacy can also occur by unauthorized collection of personal information contrary to s. 28 of MFIPPA

Example:
- Failure to identify the collection of personal information on a standard form
Discovering a Privacy Breach
An institution may learn that it has breached an individual’s personal privacy
- directly from the affected individual or organization, and/or
- Staff member involved in the breach, i.e. person who loses USB
- indirectly, from other parties, such as the media or third parties, Information and Privacy Commissioner/Ontario (IPC)
Step 1: Respond

- Assess the situation to determine if a breach has occurred and what needs to be done;
- Ensure that appropriate school board staff are immediately notified of the breach, including the FOI Co-ordinator
- Implement privacy breach protocol or procedures
Step 2: Contain


- Identify the scope of the breach and take steps to contain it;
  Examples:
  - Retrieve hard copies of any personal information that have been disclosed
  - Determine whether the privacy breach would allow unauthorized access to any other personal information (ex. an electronic information system)
  - Change file identification numbers or passwords, as necessary
- Document the breach and containment activities;
Step 3: Investigate

Conduct an internal investigation into the breach, reviewing the circumstances surrounding the event as well as the adequacy of existing policies and procedures in place to protect personal information
- Type of personal information involved;
- Cause and extent of the breach;
- Individuals affected by the breach;
- Possible harm from the breach.
Step 4: To Notify or Not to Notify?

Notify individuals whose personal information has been disclosed, by telephone or in writing, if necessary
- Include detailed information such as what happened; the nature of the privacy breach and the mitigating actions taken by the board;
- If personal information that could lead to identity theft has been disclosed, affected individuals should be provided with information on steps they can take to protect themselves

Section 12(2) of Ontario’s PHIPA includes a requirement for breach notification:

“A health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons.”

Report the privacy breach to the office of the Information and Privacy Commissioner (IPC), as appropriate
- Note that the type and extent of the breach will influence your decision to notify the IPC
  - Type of personal information involved;
  - Cause and extent of the breach;
  - Individuals affected by the breach;
  - Possible harm from the breach;
  - Likelihood of a complaint.
Step 5: Implement Change

Address the situation on a systemic basis
- School board procedures or practices may warrant review or revision
- Breach may identify areas for employee training on privacy and security
- Evaluate the response and determine the effectiveness of the remedial action

Proactive Measures to Avoid Privacy Breaches

- Comply with the privacy laws governing the collection, retention, use and disclosure of personal information set out in MFIPPA and PHIPA
- Comply with the regulations under the Acts governing the safe and secure disposal of personal information and the security of records
- Ensure appropriate clauses for compliance in legal agreements with service providers
- Obtaining advice from your board’s legal department and FOI Co-ordinator
- Consulting with the IPC’s Policy and Compliance Department in appropriate situations
- Consider random spot audits of privacy policy compliance
- Develop an information culture that respects privacy, mitigates risk, and increases awareness
Benefits of a Privacy Breach Protocol

- Mitigate the damage by immediately preventing further inappropriate disclosures of personal information
- Assure complainants and affected persons as well as the public, the media, and the IPC that the matter is taken seriously; and
- Ensure that policies and procedures comply with the privacy protection provisions of MFIPPA and PHIPA and that staff are properly trained
Recent Cases
PHIPA, Report No.: HI-050055-1 (2006)
- A laptop belonging to an employee of a school board that contained the personal health information of 37 students was stolen.
- Section 12(2) notification requirement was met by sending notification letters to students’ parents.
- Complaint resolved by way of informal resolution. Health information custodian agreed to update their policies and procedures to ensure compliance with the Act. In addition, educational measures were undertaken to ensure staff were aware of their obligations under the Act.

MFIPPA – Report No. MC-020008-1
- Complaint alleged that a teacher verbally disclosed a student’s probable grade on an art assignment to two other students, contrary to MFIPPA
- IPC confirmed that verbal disclosure of personal information falls under privacy provisions as long as the information exists or existed at one time in recorded format
- In this instance, grade reportedly disclosed was not the same as grade recorded, thus did not qualify as “personal information” under the Act
- However, IPC questioned the school practice relating to display of artwork and recorded grade as lacking reasonable measures to prevent unauthorized access, contrary to Reg. 823
- IPC recommended a board policy to prevent the unauthorized disclosure of student grades, specifically addressing the issue of verbal disclosures as well as the issue of displaying students’ assignments
Privacy Breach at the Durham Health Department




- On December 21, 2009, IPC was notified by Durham’s Officer of Health that a nurse had lost a USB memory stick containing the personal health information of over 83,000 individuals who had attended H1N1 immunization clinics in Durham
- The personal information included names, addresses, telephone numbers, dates of birth, health card numbers and health history.
- The memory stick was not encrypted, despite the fact that the encryption of mobile devices was required as of Order HO-004 in 2007.
- The IPC issued an Order (HO-007) on January 14, 2010 clearly outlining the IPC’s expectation that all personal health information stored on any type of mobile device in Ontario be protected with strong encryption

Theft at OTIP

- 3 laptops containing addresses and social insurance numbers of approximately 8600 elementary teachers were stolen from an OTIP office in Waterloo on December 3, 2009
  - The laptops had been locked to docking stations;
  - The information contained on the laptops was not encrypted
- OTIP notified any insured teacher members whose information may have been compromised by letter advising of the incident and provided a toll-free number for the recipient to contact in the event further details were requested
- OTIP Spokesperson, Julie Millard, stated that it took fraud experts nearly two weeks of forensic work to pinpoint what information had been taken, and the holiday break delayed the process so affected teachers were informed in mid-January 2010

“Because of what’s happened we’re working faster to encrypt all our communication devices by March 2010 – laptops, Blackberries, even USB keys”
References







- Privacy & Information Management Toolkit, 2008
- Information and Privacy Commissioner/Ontario, What to do if a privacy breach occurs: Guidelines for government organizations, December 2006
- Information and Privacy Commissioner/Ontario, What to do When Faced With a Privacy Breach: Guidelines for the Health Sector
- Breach Notification: A Sound Business Practice, CIPC Seminar, May 2006
- Information and Privacy Commissioner/Ontario, A Privacy Breach Has Occurred – What Happens Next?, 2001
- Information and Privacy Commissioner/Ontario, Privacy Breaches: It Can Happen To You (What Not To Do), 2006
- Encrypt Your Mobile Devices: Do It Now - PHIPA Order HO-007