Privacy breach response

A privacy breach is any unauthorized collection, use, alteration, disclosure, loss, or destruction of personal information. The cause can be either accidental or deliberate.

Breaches are serious violations. They are potential grounds for prosecution under the Protection of Privacy Act (POPA) and may result in serious consequences for those involved.

Reporting a breach 

  1. Report identified breaches as quickly as possible to the University Secretary at access.privacy@auarts.ca, who will direct the response with appropriate units.  
  2. Where there exists a real risk of significant harm to an individual because of the privacy incident, notice of the incident will be given in writing to:
     • the impacted individual(s)
     • the Information and Privacy Commissioner
     • the Minister of Technology and Innovation

How do we manage breaches?  

  • Ensure all staff handling personal information and using information systems understand their responsibilities in relation to POPA and understand the requirements for reporting a breach.  
  • Contain the breach: as required, shut down the system, suspend access privileges, or halt activities, and make reasonable efforts to retrieve information that was released or lost.
  • Evaluate the severity level based on the nature and volume of the information, the potential harm to the subjects, and who may have had unauthorized access.
  • Assist the University Secretary, who acts as the Privacy Officer, and others involved in the response in investigating the cause of the breach.
  • Recommend and implement measures and practices to prevent or mitigate harm from similar breaches in the future. This will include employee education and a determination of whether employees violated privacy and security policy and, as a result, could face sanctions.