Privacy Breach Policy
Canadian All Care College is committed to protecting the privacy of individuals with respect to the personal information under its control, and recognizes that this is an essential element in maintaining student trust. All personal information is confidential and is kept securely and locked. Only authorized staff members have access to personal information, and all staff handling personal information are trained in maintaining and protecting personal, confidential information. Confidentiality agreements are signed with all staff who handle student personal information.
What is a Privacy Breach?
A privacy breach involves the improper or unauthorized collection, use, disclosure, retention or disposal of personal information. A privacy breach may occur within an institution or off-site and may be the result of inadvertent errors or malicious actions by employees, third parties, partners in information-sharing agreements or intruders.
Preventing privacy breaches
To prevent a privacy breach, all staff at CACC should:
- Take privacy into account before making contracting decisions or entering into information-sharing agreements.
- Provide regular and ongoing training to employees, managers and executives to ensure that they are aware of the requirements of the Code of Fair Information Practices;
- Establish clear administrative controls that restrict access and editing rights to records containing personal information to only those employees who have a legitimate need to know;
- As a general rule, do not send personal information by facsimile unless necessary.
- Purge all equipment and other electronic devices containing personal information before selling, disposing of, or transferring such equipment or devices;
- Empty security containers such as file cabinets, safes or mobile shelving units and ensure that no classified or protected material is left inside before selling or transferring them to other responsibility centres or outside the government;
- Ensure that requests for personal information are valid and that individuals asking for personal information are who they claim to be;
- Refuse to provide personal information in response to an unsolicited telephone call, fax, letter, email attachment or Internet advertisement;
- Be on the lookout for clues indicating that a website may be fraudulent (e.g., spelling errors, unusual advertisements, or portions of the site that do not work properly);
- Check the lock icon at the bottom of your browser to ensure that you are sending personal information over a secure connection;
- Verify the phone number and call the organization to determine validity if you have any concerns; and
- Notify the Director/Manager of the campus immediately of situations where personal data is at risk of being compromised and a potential privacy breach may occur.
Privacy Breach Management Process
The privacy breach management process consists of the following stages:
- Preliminary assessment and containment;
- Full assessment;
- Notification (to affected individuals and internal management where required);
- Mitigation and prevention;
- Notification of MTCU and any funding third party; and
- Sharing of lessons learned.
CACC should take immediate action to stop the breach and to secure the affected records, systems or websites by:
- Removing, moving or segregating exposed information or files to prevent further wrongful access;
- Shutting down the website, application or device temporarily to permit a complete assessment of the breach and to resolve vulnerabilities;
- Attempting to retrieve any documents or copies of documents that were wrongfully disclosed or taken by an unauthorized person; and
- Returning the documents to their original location or the intended recipient.
The full assessment of the breach should then include:
- Taking inventory of the personal information that was or may have been compromised;
- Identifying the parties whose personal information has been wrongfully disclosed or accessed, stolen or lost;
- Identifying the institutional sector or third party that is responsible for the personal information involved; and
- Identifying the individuals affected by the breach or, if this is not possible, identifying the groups of individuals likely to have been affected. The institution should also document the process it carries out to identify affected individuals.
To the extent possible, it is strongly recommended that CACC notify all affected individuals whose personal information has been or may have been compromised through theft, loss or unauthorized disclosure, especially if the breach:
- Involves sensitive personal data such as financial or medical information, or personal identifiers such as the Social Insurance Number;
- Can result in identity theft or some other related fraud; or
- Can otherwise cause harm or embarrassment detrimental to the individual's career, reputation, financial position, safety, health or well-being.
Notification should occur as soon as possible following the breach to allow individuals to take action to protect themselves against, or to mitigate the damage from, identity theft or other possible harm.
Care should be exercised in the notification process so as not to unduly alarm individuals, especially where the institution only suspects but cannot confirm that certain individuals have been affected by the breach.
It is always preferable to notify affected individuals by letter (first-class recommended), by telephone or in person, unless the individuals cannot be located or the number of individuals is so large that the task would become too onerous.
In the event of a privacy breach, or in any event in which student personal information or records are released, Canadian All Care College will notify all parties involved by:
- Advising the institution's Manager of OSAP Inspection and Compliance Unit, Michelle Crawford, 416-212-6650, email@example.com;
- Contacting the Information and Privacy Commissioner of Ontario and/or the Privacy Commissioner of Canada;
- Investigating why the incident occurred; and
- Brainstorming and implementing changes to limit future incidents.
Notification of affected individuals should include:
- A general description of the incident, including date and time;
- The source of the breach (an institution, a contracted party, or a party to a sharing agreement);
- A list of the personal information that has been or may have been compromised;
- A description of the measures taken or to be taken to retrieve the personal information, contain the breach and prevent reoccurrence; and
- The name and contact information of an official at the institution with whom individuals can discuss the matter further or obtain assistance.
CACC should also inform affected individuals of developments as the matter is further investigated and outstanding issues are resolved.
Following a breach, CACC will:
- Follow up the breach with all involved parties;
- Keep records of all privacy breach incidents; and
- Share the lessons learned among all involved staff to prevent reoccurrence.
In case of any disputes, updated printed copies of CACC policies will take precedence over the policies published on our website.