Critical Incident and Privacy Breach Procedure

Administrative Procedure: 177


Background
The District is committed to ensuring the protection and security of all personal information within its control. That commitment includes responding effectively and efficiently to privacy breach incidents that may occur.
The purpose of this Procedure is to set out the District’s process for responding to significant privacy breaches and for complying with its notice and other obligations under the Freedom of Information and Protection of Privacy Act (FIPPA).

Procedures
1. Scope & Responsibility
All staff of the District are expected to be aware of and follow this Procedure in the event of a privacy breach. This Procedure applies to all employees, contractors, and volunteers of the District (“Staff”).

2. Responsibility of the Head
The administration of this Procedure is the responsibility of the Secretary Treasurer of the School District, who is the “head” of the District for all purposes under FIPPA (the “Head”). The Head may delegate any of their powers under this Procedure or FIPPA to other District Personnel by written delegation.

3. Definitions
3.1 “Head” means the Secretary Treasurer and includes any person to whom the Head has delegated their powers by written instrument.
3.2 “Personal Information” means any recorded information about an identifiable individual that is within the control of the School District and includes information about any student or any Staff member of the School District. Personal Information does not include business contact information, such as email address and telephone number, that would allow a person to be contacted at work.
3.3 “Privacy Breach” means the theft or loss of or the collection, use or disclosure of Personal Information not authorized by FIPPA, and includes cyber and ransomware attacks and other situations where there are reasonable grounds to believe that any such unauthorized activities have taken place or there is a reasonable belief that they will take place.
3.4 “Privacy Officer” means the person designated by the Head as Privacy Officer for the School District.
3.5 “Records” means books, documents, maps, drawings, photographs, letters, vouchers, papers, and any other thing on which information is recorded or stored by graphic, electronic, mechanical or other means, but does not include a computer program or other mechanism that produces records.
3.6 “Staff” means the employees, contractors, and volunteers of the School District.

4. Responsibilities of Staff
4.1 All Staff must without delay report all actual, suspected or expected Privacy Breach incidents of which they become aware in accordance with this Procedure. All Staff have a legal responsibility under FIPPA to report Privacy Breaches to the Head.
4.2 Privacy Breach reports may also be made to the Privacy Officer, who has delegated responsibility for receiving and responding to such reports.
4.3 If there is any question about whether an incident constitutes a Privacy Breach or whether the incident has occurred, Staff should consult with the Privacy Officer.
4.4 All Staff must provide their full cooperation in any investigation or response to a Privacy Breach incident and comply with this Procedure for responding to Privacy Breach incidents.
4.5 Any member of Staff who knowingly refuses or neglects to report a Privacy Breach in accordance with this Procedure may be subject to discipline, up to and including dismissal.

5. Privacy Breach Response
5.1 Step One – Report and Contain
5.1.1 Upon discovering or learning of a Privacy Breach, all Staff shall:
5.1.1.1 Immediately report the Privacy Breach to the Head or to the Privacy Officer.
5.1.1.2 Take any immediately available actions to stop or contain the Privacy Breach, such as by:
5.1.1.2.1 isolating or suspending the activity that led to the Privacy Breach; and
5.1.1.2.2 taking steps to recover Personal Information, Records or affected equipment.
5.1.1.3 Preserve any information or evidence related to the Privacy Breach in order to support the School District’s incident response.
5.1.2 Upon being notified of a Privacy Breach, the Head, or the Privacy Officer in consultation with the Head, shall implement all available measures to stop or contain the Privacy Breach. Containing the Privacy Breach shall be the first priority of the Privacy Breach response, and all Staff are expected to provide their full cooperation with such initiatives.
5.2 Step Two – Assessment and Containment
5.2.1 The Privacy Officer shall, in consultation with the Head, assess and contain the Privacy Breach by taking the following steps:
5.2.1.1 determine the cause of the Privacy Breach;
5.2.1.2 determine whether additional steps are required to contain the Privacy Breach and, if so, implement such steps as necessary;
5.2.1.3 identify the type and sensitivity of the Personal Information involved in the Privacy Breach, and any steps that have been taken or can be taken to minimize the harm arising from the Privacy Breach;
5.2.1.4 identify the individuals affected by the Privacy Breach, or whose Personal Information may have been involved in the Privacy Breach;
5.2.1.5 determine or estimate the number of affected individuals and compile a list of such individuals, if possible; and
5.2.1.6 make preliminary assessments of the types of harm that may flow from the Privacy Breach.
5.2.2 The Head, in consultation with the Privacy Officer, shall, without delay, assess whether the Privacy Breach could reasonably be expected to result in significant harm to individuals (“Significant Harm”). That determination shall be made with consideration of the following categories of harm or potential harm:
5.2.2.1 bodily harm;
5.2.2.2 humiliation;
5.2.2.3 damage to reputation or relationships;
5.2.2.4 loss of employment, business or professional opportunities;
5.2.2.5 financial loss;
5.2.2.6 negative impact on credit record;
5.2.2.7 damage to, or loss of, property;
5.2.2.8 the sensitivity of the Personal Information involved in the Privacy Breach; and
5.2.2.9 the risk of identity theft.
5.3 Step Three – Notification
5.3.1 If the Head determines that the Privacy Breach could reasonably be expected to result in Significant Harm to individuals, then the Head shall make arrangements to:
5.3.1.1 report the Privacy Breach to the Office of the Information and Privacy Commissioner; and
5.3.1.2 provide notice of the Privacy Breach to affected individuals, unless the Head determines that providing such notice could reasonably be expected to result in grave or immediate harm to an individual’s safety or physical or mental health or threaten another individual’s safety or physical or mental health.
5.3.2 If the Head determines that the Privacy Breach does not give rise to a reasonable expectation of Significant Harm, then the Head may still proceed with notification to affected individuals if the Head determines that notification would be in the public interest or if a failure to notify would be inconsistent with the School District’s obligations or undermine public confidence in the School District.
5.3.3 Determinations about notification of a Privacy Breach shall be made without delay following the Privacy Breach, and notification shall be undertaken as soon as reasonably possible. If any law enforcement agencies are involved in the Privacy Breach incident, then notification may also be undertaken in consultation with such agencies.

5.4 Step Four – Prevention
The Head, or the Privacy Officer in consultation with the Head, shall complete an investigation into the causes of each Privacy Breach reported under this Procedure, and shall implement measures to prevent recurrences of similar incidents.

6. Contact Information
Questions or comments about this Procedure may be addressed to the Privacy Officer.

Revised: May 2013
