What is a Privacy Incident or Breach?
A privacy incident or breach is any event that compromises the privacy or confidentiality of personal information, even if it may seem unimportant. Some common examples include:
Electronic Incidents:
- Sending emails containing personal information to unintended recipients
- Using “CC” instead of “BCC” to send group emails that reveal recipient information
- Unauthorized access to databases, systems, or files containing personal information
- Loss or theft of laptops, tablets, phones, or storage devices with personal information
- Sharing login credentials
- Leaving systems logged in and unattended
- Posting personal information on websites, social media, or other public platforms without authorization or consent
Physical Incidents:
- Loss, theft, or misplacing of documents containing personal information
- Leaving documents with personal information unsecured (e.g. in desks, printers, vehicles)
- Conversations about personal information in public where they can be overheard
- Disposal of documents containing personal information without shredding or destruction
- Unauthorized persons gaining access to areas where personal information is stored
Procedural Incidents:
- Sharing student information with unauthorized parties (including parents, without consent)
- Providing personal information for non-educational purposes without proper authorization
- Failing to redact/remove personal information from documents before sharing
- Collecting personal information without proper authority or purpose
- Retaining personal information longer than is necessary or authorized
Report all incidents immediately. The following are a few illustrative examples:
- Accidentally sending a student's grades or personal information to other students
- Forwarding any email with personal information to someone who should not have access
- Discovering a file cabinet or office containing personal information was left unlocked
- Learning or realizing that personal information was included in a document posted publicly
- Finding personal information in locations where it should not be stored
- Learning a third party (contractor, vendor, visitor) may have accessed personal information
- Learning personal information was stolen, lost, or used or disclosed without authorization
- Learning of personal information handling in violation of FIPPA or other University obligations
- Any situation where you believe personal information may have been handled inappropriately
Why Reporting Every Issue is Essential
As explained above, we urge you to report even if you are uncertain, for important reasons including:
- Legal Protection: FIPPA requires notification of breaches as soon as feasible, and we can only accomplish this through your immediate reporting. Delayed reporting can result in a contravention of FIPPA requirements even if the underlying incident was minor.
- Professional Assessment: The Manager, Privacy has the expertise to evaluate incidents and to determine whether they meet legal notification and reporting requirements. Incidents that appear minor will often meet the legal requirements for quick notification and reporting.
- Protection of Affected Individuals: We have an obligation to mitigate risks and harms and to provide mitigations to affected individuals. Unreported incidents can leave affected individuals unprotected, enabling or increasing harm to them. Early notification and action support effective harm and risk mitigation.
- Institutional Protection: Unreported incidents are a breach of University legal obligations and can escalate into major problems. Early intervention through prompt reporting enables effective containment, remediation and legal compliance.
- Support for You: Reporting protects faculty and staff because we are all responsible for compliance with University legal requirements. Reporting supports a proper institutional response. Our privacy team will guide and support you as the University works through the incident or breach.
How to Report Privacy Incidents
Immediate Actions:
- Stop: Cease any activities that might worsen the situation
- Contain: If possible, limit further exposure (recall emails, secure documents, log out of systems)
- Report: Immediately contact the Manager, Privacy
When reporting, provide:
- Your contact information
- Date and time of discovery
- Description of what happened
- Types of personal information potentially involved
- Number of individuals potentially affected
- Steps already taken to address the situation
Focus on Solutions
Our privacy incident response focuses on solutions. We understand that mistakes happen, and our goal is to address them quickly and effectively at an institutional level. We will support and guide all who report incidents quickly. However, failing to report known or suspected privacy incidents may result in serious consequences for both individuals and the University.
Remember: When in Doubt, Report
If you are uncertain whether an event constitutes a privacy incident, always err on the side of caution and report it immediately. Our Manager, Privacy is here to help assess situations and guide appropriate responses. Quick reporting enables quick solutions and protects the people whose personal information we are entrusted with, the University, and all of us.
Thank you for your commitment to protecting the personal information entrusted to our university.