Policy Statement
SelfDesign Learning Foundation (SDLF) is committed to protecting the personal information in its custody and/or under its control, and to taking certain measures should a privacy breach occur.
Definitions
Business Contact Information – means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual.
Personal Information – means recorded information about an identifiable individual excluding business contact information.
Privacy Breach – occurs when personal information is collected, retained, used, disclosed, accessed, or disposed of in a way that does not comply with the provisions of PIPA and SDLF Privacy Policies. For example, losing a laptop that contains personnel files, or inadvertently sending personal information by email to an external third party, would potentially expose personal information to unauthorized sources.
Policy
The SelfDesign Learning Foundation will, in accordance with the Personal Information Protection Act (PIPA), protect the personal information in its custody or under its control and, if the personal information in its custody or under its control is inadvertently or intentionally disclosed without authorization, immediately follow the protocol outlined in this policy.
Protocol
The protocol below shall be followed when a breach or suspected breach of privacy occurs.
Report
The individual who identifies a breach or suspected breach of privacy, called ‘the reporter’, will:
- Notify SDLF’s Privacy Officer by submitting a support request:
  - Navigate to: https://support.selfdesign.org/ with a web browser.
  - Select: “Report an Incident”.
  - Select: “Report a Privacy Incident/Breach”.
  - Complete and submit the online form.
- Notify their Foundation contact, e.g., as per their contract or agreement with SDLF.
- Work together with their Foundation contact and the Privacy Officer to ensure personal information is not still being compromised.
Investigate
- The reporter and their Foundation contact, in consultation with the Privacy Officer, will conduct a preliminary investigation to confirm whether a privacy breach has in fact occurred. The preliminary investigation will include the following:
  - Description of the information that was compromised.
  - Known or suspected cause(s) of the breach.
  - Date and time of the breach.
  - Number and type of individuals affected.
  - Sensitivity of the personal information breached and the level of harm to individuals.
  - Immediate steps taken to contain the breach.
- The Privacy Officer will determine if a breach has occurred and if so, will commence further remediation activities, notifying the President and CEO based on severity.
Remediate
If a breach of privacy has occurred, the Privacy Officer will guide the reporter and their Foundation contact to take the following steps.
- Contain the breach by preventing further spread of the personal information. This may include disabling systems or system access, contacting recipients of emails and asking them not to open the message or to delete it, etc.
- Request that relevant individuals who received access to the breached personal information permanently delete the information they received in error and not make any copies of it.
- Make all reasonable efforts to recover the personal information from all sources to which the personal information has been disclosed. If recovery is not possible, ensure the information is securely destroyed. Get written confirmation from the sources (e.g., email) that they have securely destroyed the personal information and have not retained any copies.
- Take remedial action (to be done by the Foundation contact) on a systematic basis, which may include:
  - Changes to systems or programs involving personal information.
  - Revising operational policies and procedures and communicating the revisions as appropriate.
  - Providing supplementary training to individuals regarding their privacy obligations.
- Notify the police if the breach involves theft or any other suspected criminal activity.
Notify
- SDLF must, without unreasonable delay, notify affected individuals if the privacy breach could reasonably be expected to result in significant harm to the individual, such as:
  - Identity theft.
  - Bodily harm.
  - Humiliation.
  - Damage to reputation or relationships.
  - Loss of employment, business, or professional opportunities.
  - Financial loss.
  - Negative impact on a credit record.
  - Damage to, or loss of, property.
- SDLF may notify the B.C.-based Office of the Information and Privacy Commissioner (OIPC) if the privacy breach could reasonably be expected to result in significant harm as noted above.
- SDLF is not required to notify an affected individual if notification could reasonably be expected to result in immediate and grave harm to the individual’s safety or physical or mental health or threaten another individual’s safety or physical or mental health.
- Notification, if required, must be given directly to each affected individual in writing (preferably within 3 to 5 business days), and must include the following information:
  - The date on which the privacy breach came to the attention of SDLF.
  - A description of the privacy breach including, if known, the date on which or the period during which the privacy breach occurred, and a description of the nature of the personal information involved in the privacy breach.
  - Confirmation that the commissioner has been or will be notified of the privacy breach.
  - Contact information for a person who can answer questions about the privacy breach on behalf of SDLF.
  - A description of steps, if any, that SDLF has taken or will take to reduce the risk of harm to the affected individual.
  - A description of steps, if any, that the affected individual could take to reduce the risk of harm that could result from the privacy breach.
- Notifications must not include:
  - Personal information about others or any information that could result in a further privacy breach.
  - Information that could be used to circumvent security measures or negatively impact an ongoing investigation.
- Notification may be given to an affected individual in an indirect manner if SDLF:
  - Does not have accurate contact information for the affected individual.
  - Reasonably believes that providing the notice directly to the affected individual would unreasonably interfere with the operations of the organization.
  - Reasonably believes that the information in the notification will come to the attention of the affected individual more quickly if it is given in an indirect manner.
- If notification is given in an indirect manner as noted above, the notification must be given by communication that can reasonably be expected to reach the affected individual, and contain the information set out above.
- Notification to the OIPC must be provided in writing and must include the following information:
  - The date on which the privacy breach came to the attention of SDLF.
  - A description of the privacy breach including, if known, the date on which or the period during which the privacy breach occurred, and a description of the nature of the personal information involved in the privacy breach.
  - Contact information for a person who can answer, on behalf of SDLF, questions about the privacy breach.
  - A description of steps, if any, that SDLF has taken or will take to reduce the risk of harm to the affected individual.
Related Documents
- Personal Information Protection Act