Breach Notification Assessment Tool

Similar documents
LCU Privacy Breach Response Plan

Privacy Policy GENERAL

Upcoming PIPEDA Changes What is changing and what to do about it

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

Data Compromise Notice Procedure Summary and Guide

It s still very important that you take some steps to help keep up security when you re online:

Privacy Law Doing Business In Canada

Earthlink and Google Final Contract Chart. Recommended Privacy and 1st Amendment Protections. Earthlink (monthly charge) Google (no fee)

Protecting Personal Health Information on Mobile and Portable Devices. Guidance from the Information and Privacy Commissioner of Ontario

Project Better Energy Limited s registered office is Witan Gate House, Witan Gate West, Milton Keynes, Buckinghamshire, MK9 1SH

Security and Privacy Breach Notification

Privacy Impact Assessments (PIAs):

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Privacy Policy Effective May 25 th 2018

Acceptable Use Policy

Elders Estates Privacy Notice

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Legal notice and Privacy policy

PS Mailing Services Ltd Data Protection Policy May 2018

DATA PROTECTION LAWS OF THE WORLD. Bahrain

Data Breach Incident Management Policy

HBW LAW LTD T/A HESELTINE BRAY & WELSH

Privacy Breach Policy

Privacy notice. Last updated: 25 May 2018

PRIVACY POLICY. 3.1 This policy does not apply to the collection, holding, use or disclosure of personal information that is an employee record.

DATA PROTECTION POLICY THE HOLST GROUP

TransLink Video Surveillance & Audio Recording Privacy Statement

Data Protection Privacy Notice

DATA PROTECTION POLICY

General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:

Last updated 31 March 2016 This document is publically available at

Data Loss Assessment and Reporting Procedure

Cyber Risks in the Boardroom Conference

Subject: University Information Technology Resource Security Policy: OUTDATED

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

Breach Notification Form

Subject: Kier Group plc Data Protection Policy

Privacy Policy Statement Last update 25 th May 2018.

Government data matching and the Privacy Act 1988 (Cth)

UWC International Data Protection Policy

Privacy & Information Security Protocol: Breach Notification & Mitigation

Vodafone Location Services. Privacy Management Code of Practice. Issued Version V1.0

Summary Comparison of Current Data Security and Breach Notification Bills

Data Privacy Breach Policy and Procedure

Motorola Mobility Binding Corporate Rules (BCRs)

ADMA Briefing Summary March

Data Leak Protection legal framework and managing the challenges of a security breach

Managing Cybersecurity Risk

SANMINA CORPORATION PRIVACY POLICY. Effective date: May 25, 2018

HIPAA UPDATE. Michael L. Brody, DPM

TECHLAW AUSTRALIA. Update on cyber security and data protection. Thursday, 22 June Thursday, 22 June

If you have any questions about this notice, please contact the Head Master.

Polemic is a business involved in the collection of personal data in the course of its business activities and on behalf of its clients.

Brasenose College ICT Systems Privacy Notice (v1.2)

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

The West End Community Trust Privacy Policy

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

Startup Genome LLC and its affiliates ( Startup Genome, we or us ) are committed to protecting the privacy of all individuals who ( you ):

Keeping It Under Wraps: Personally Identifiable Information (PII)

Red Flag Policy and Identity Theft Prevention Program

Spectrum Wellness Privacy Statement

INNOVENT LEASING LIMITED. Privacy Notice

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

DATA BREACH POLICY [Enniskillen Presbyterian Church]

Pathways CIC Privacy Policy. Date Issued: May Date to be Reviewed: May Issued by Yvonne Clarke

National College for High Speed Rail DATA BREACH NOTIFICATION PROCEDURE

IDENTITY THEFT PREVENTION Policy Statement

Presented by: Jason C. Gavejian Morristown Office

A full list of SaltWire Network Inc. publications is available by visiting saltwire.com.

About the information we collect We collect and process personal data including but not limited to:-

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Introduction to the Personal Data (Privacy) Ordinance

UTAH VALLEY UNIVERSITY Policies and Procedures

FIRESOFT CONSULTING Privacy Policy

Acceptable Use Policy (AUP)

POMONA EUROPE ADVISORS LIMITED

Data Breach Notification: what EU law means for your information security strategy

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

8. AUTOMATED DECISION MAKING DURING DATA PROCESSING FURTHER INFORMATION FURTHER INFORMATION AND GUIDANCE CONTACT US...

RMU-IT-SEC-01 Acceptable Use Policy

Why you MUST protect your customer data

CURTIS BANKS LIMITED. Privacy Information Notice. curtisbanks.co.uk

PCA Staff guide: Information Security Code of Practice (ISCoP)

Privacy Notice. General Information Protection Regulation ( GDPR )

CNH Industrial Privacy Policy. This Privacy Policy relates to our use of any personal information you provide to us.

PATRIOT CAMPERS PTY LTD PRIVACY POLICY

Your Right to Privacy. It s abouthope

Spree Privacy Policy

This website is managed by Club Systems International on behalf of the Hoburne and Burry and Knight Groups.

Shaw Privacy Policy. 1- Our commitment to you

Cybersecurity in Higher Ed

Regulation P & GLBA Training

Xpress Super may collect and hold the following personal information about you: contact details including addresses and phone numbers;

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.

PTLGateway Data Breach Policy

Red Flags/Identity Theft Prevention Policy: Purpose

Ouachita Baptist University. Identity Theft Policy and Program

INFORMATION TO BE GIVEN 2

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

CANADA S ANTI-SPAM LEGISLATION (CASL): WHAT YOUR CHARITY NEEDS TO DO BEFORE JULY 1ST

Transcription:

Breach Notification Assessment Tool December 2006 Information and Privacy Commissioner of Ontario David Loukidelis Commissioner Ann Cavoukian, Ph.D. Commissioner

This document is for general information only. It is not intended to be, and cannot be relied upon as legal advice or other advice. Its contents do not fetter, bind or constitute a decision or finding by the Office of the Information and Privacy Commissioner of British Columbia (OIPC) or the Information and Privacy Commissioner of Ontario (IPC) with respect to any matter, respecting which the OIPC and IPC will keep an open mind. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization and public body.

Information and Privacy Commissioner of Ontario Breach Notification Assessment Tool The Information and Privacy Commissioners for British Columbia and Ontario have jointly produced this Breach Notification Assessment Tool to assist you in making key decisions after a privacy breach occurs. It should be read along with: B.C.: Key Steps in Responding to Privacy Breaches http://www.oipc.bc.ca Ontario: What to do if a privacy breach occurs: Guidelines for government organizations, http://www.ipc.on.ca/images/resources/up-prbreach.pdf What to do When Faced With a Privacy Breach: Guidelines for the Health Sector, http://www.ipc.on.ca/images/resources/up-hprivbreach.pdf Organizations that collect and hold personal information are responsible for notifying affected individuals when a privacy breach occurs. If the breach occurs at a third party entity that has been contracted to maintain or process personal information, the breach should be reported to the originating entity, which has primary responsibility for notification. This Notification Assessment Tool takes organizations through four decision-making steps regarding notification: Step 1: Step 2: Step 3: Step 4: Notifying Affected Individuals When and How to Notify What to Include in the Notification Others to Contact Step 1: Notifying Affected Individuals Use the chart below to help you decide whether you should notify affected individuals. If either of the first two factors listed below applies, notification of the individuals affected must occur. The risk factors that follow are intended to serve as a guide. If none of these applies, no notification may be required. You must use your judgment to evaluate the need for notification of individuals. 1

1 Legislation requires notification Consideration Check if Applicable Are you or your organization covered by legislation that requires notification of the affected individual? If you are uncertain, contact the privacy commissioner (see contact information at the end of this publication). 2 Contractual obligations Do you or your organization have a contractual obligation to notify affected individuals in the case of a data loss or privacy breach? 3 Risk of identity theft Is there a risk of identity theft or other fraud? How reasonable is the risk? Identity theft is a concern if the breach includes unencrypted information such as names in conjunction with social insurance numbers, credit card numbers, driver s licence numbers, personal health numbers, debit card numbers with password information or any other information that can be used for fraud by third parties (e.g. financial). 4 Risk of physical harm Does the loss of information place any individual at risk of physical harm, stalking or harassment? 5 Risk of hurt, humiliation, damage to reputation Could the loss of information lead to hurt, humiliation or damage to an individual s reputation? This type of harm can occur with the loss of information such as mental health records, medical records or disciplinary records. 6 Risk of loss of business or employment opportunities Could the loss of information result in damage to the reputation to an individual, affecting business or employment opportunities? Step 2: When and How to Notify Affected Individuals When: Notification should occur as soon as possible following a breach. However, if you have contacted law enforcement authorities, you should determine from those authorities whether notification should be delayed in order not to impede a criminal investigation. How: The preferred method of notification is direct by phone, letter or in person to affected individuals. Indirect notification website information, posted notices, media should generally only occur where direct notification could cause further harm, is prohibitive in cost, or contact information is lacking. Using multiple methods of notification in certain cases may be the most effective approach. The chart below sets out factors to consider in deciding how to notify the affected individuals. 2

Information and Privacy Commissioner of Ontario Considerations Favouring Direct Notification of Affected Individuals The identities of the individuals are known. Current contact information for the affected individuals is available. Individuals affected by the breach require detailed information in order to properly protect themselves from the harm arising from the breach. Individuals affected by the breach may have difficulty understanding an indirect notification (due to mental capacity, age, language, etc.) Check if applicable Considerations Favouring Indirect Notification of Affected Individuals A very large number of individuals are affected by the breach such that direct notification could be impractical. Direct notification could compound the harm to the individual resulting from the breach. Step 3: What to Include in the Notification of Affected Individuals The information in the notice should help the individual to reduce or prevent the harm that could be caused by the breach. Include the information set out below: Date of the breach. Description of the breach. Information Required Confirm Information Included A general description of what happened. Description of the information. Describe the information inappropriately accessed, collected, used or disclosed. Steps taken so far to control or reduce the harm. Future steps planned to prevent further privacy breaches. Steps the individual can take. Provide information about how individuals can protect themselves, e.g. how to contact credit reporting agencies (to set up credit watch), information explaining how to change a personal health number or driver s licence number. Privacy Commissioner contact information. Include information about how to complain to the privacy commissioner. Organization contact information for further assistance. Contact information for someone within your organization who can provide additional information and assistance and answer questions. 3

Step 4: Others to Contact Regardless of what you determine your obligations to be with respect to notifying individuals, you should consider whether the following authorities or organizations should also be informed of the breach. Do not share personal information with these other entities unless required. Authority or Organization Law Enforcement Privacy Commissioner s Office Professional or regulatory bodies Technology suppliers If theft or other crime is suspected. Purpose of Contacting (Note: The police may request a temporary delay in notifying individuals, for investigative purposes.) For assistance with developing a procedure for responding to the privacy breach, including notification. To ensure steps taken comply with the organization s obligations under privacy legislation. If professional or regulatory standards require notification of the regulatory or professional body. If the breach was due to a technical failure and a recall or technical fix is required. Check if applicable Contact Information For public and private sector bodies in British Columbia: Office of the Information and Privacy Commissioner for British Columbia Telephone: 250-387-5629 Email: Website: info@oipc.bc.ca www.oipc.bc.ca For public and health care sectors in Ontario: Information and Privacy Commissioner of Ontario Telephone: 416-326-3333 or 1-800-387-0073 Email: Website: info@ipc.on.ca www.ipc.on.ca 4

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback