A privacy incident occurs when personal information in the custody or control of the University is collected, used, or disclosed in a manner that is not in accordance with FIPPA. Examples of administrative privacy incidents include e-mailing personal information to the wrong person, disclosing information about a student to a faculty member, staff member or external party who does not have a legitimate need to know the information, accidentally posting a document on a public web location, or unauthorized access or use of personal information holdings (snooping).
What should you do when a privacy incident happens?
If the incident is related to a misdirected email communication, immediately attempt to recall the email. Email recall is most effective when done quickly, which limits the opportunity for the unintended recipient to open the email. For steps on recalling emails, please visit Microsoft’s support page on email recalls.
Immediately report any privacy incident or possible privacy incident to your manager, Freedom of Information Liaison (FOIL) and the Privacy Office at privacy@utoronto.ca. If uncertain, please report to ensure that no privacy incidents are missed.
Where personal information is exposed as a result of a security incident such as an account compromise resulting from a malicious attack, please also report the incident to Information Security.
Managing the privacy incident
The Privacy Office will open a formal privacy incident file and work through the steps below with you to quickly and effectively address the incident. These steps are not necessarily sequential but will be managed concurrently.
Contain the incident immediately by taking remedial action, e.g. stop the process/activity that caused the incident; make arrangements to retrieve records; take the process off-line. Determine the effect of the remediation steps and identify any remaining issues/gaps.
Assess the extent of the incident:
- Identify the cause and scope
- Identify the type (e.g. students, volunteers, staff, etc.) and number of individuals affected
- Identify which fields of personal information are involved, e.g. name, address, e-mail address, student number, grades
Real Risk of Significant Harm: the Privacy Office will determine whether the incident creates a real risk of significant harm; if necessary, the Privacy Office will report the incident to the Information and Privacy Commissioner.
Notify: the Privacy Office will recommend whether the individuals whose personal information was affected by the incident should be notified. Where notice is provided, document who was notified and keep a copy of the notice.
Document the details of the incident including: dates and times of key events and reports, which faculty/department etc. is affected, how the incident was discovered. Document any other pertinent information such as how the personal information was protected, e.g. passwords, encryption, access permission configuration.
Brief University officials on the incident and response, as appropriate. Keep a record of any email correspondence, or a note to file of any verbal briefing.
Prevent future incidents. Identify and implement any measures that could prevent or reduce the likelihood of a similar incident occurring in the future. Considerations include:
- Is additional training needed?
- Are there any administrative practices or procedures which created an unnecessary risk of disclosure?
- Are there any technological factors which created an unnecessary risk of disclosure? Are there any technological opportunities to avoid future risk?
- Is there a means by which future incidents can be more quickly identified and contained?