Privacy Breach Procedure
- Approver: Academic Coordinating Committee
- Policy Owner: Vice President, Facilities, Capital Development, Risk, and Safety & Security
- Policy Lead(s): Associate Vice President, Risk Management and Secretary General to the Board of Governors
- Defining policy:
- Effective date: 2022-01-06
- Date of last approval: 2025-04-11
- Status: Approved
Procedure Statement
This procedure sets out the process for handling a privacy breach at the Conestoga
College Institute of Technology and Advanced Learning (Conestoga) in accordance
with Conestoga’s Protection of Privacy Policy.
Definitions
Conestoga maintains a glossary of terms specific to the institution. The ones in use for this document are defined below.
- Conestoga Users: Individuals who access and/or use Conestoga’s data while performing their duties on behalf of the College. Users include, but are not limited to, Conestoga employees (full time, part time, definite term, casual, etc.), contractors, consultants, and volunteers.
- FIPPA: The Freedom of Information and Protection of Privacy Act (FIPPA).
- Personal Information: Recorded information about an identifiable individual as defined in FIPPA. Information related to a person acting in their business capacity is not personal information. This includes business addresses, work titles, business phone numbers, and Conestoga-issued email addresses.
- Privacy Breach: Unauthorized collection, use, or disclosure of personal information, in contravention of the FIPPA, that may affect an individual or a group.
Responsibilities
Conestoga Users
Ensure that all personal information collected, used, disclosed, stored and discarded is done in accordance with FIPPA.
Immediately report suspected privacy breaches to their manager or director and the Privacy Office.
Managers/Directors
When notified by a Conestoga User, take steps to contain privacy breaches in their area of responsibility.
With guidance from the Privacy Office, notify impacted individuals affected by a privacy breach in their department.
Associate Vice President, Risk Management
Determine if further investigation is required for reported privacy breaches.
Lead the privacy breach assessment process and coordinate prevention strategies.
Privacy Office
Provide guidance to Conestoga Users in the event of a privacy breach.
Notify the Information and Privacy Commissioner of Ontario, as required.
Procedure
1. Reporting – Any Conestoga User who suspects a privacy breach must immediately notify their manager or director. Conestoga employees must complete a Privacy Breach Reporting Form via the . All other parties can contact Conestoga’s Privacy Office via email: privacy@conestogac.on.ca.
2. Containment – The manager or director must take immediate steps to contain the breach and prevent any further unauthorized access to personal information. The following steps (3, 4 & 5) can happen both in conjunction with containment and after containment.
3. Preliminary Assessment – Once a potential breach has been identified, the Associate Vice President, Risk Management or designate determines if further investigation is warranted, preserves evidence, and determines if law enforcement needs to be involved.
   - The Associate Vice President, Risk Management leads the assessment if needed.
4. Notification
   - Impacted individuals are notified by the manager or director of the department where the breach occurred as soon as is reasonably possible. If the manager or director of the department requires support and/or the notification is particularly complicated, they must reach out to the Associate Vice President, Risk Management or Privacy Office – privacy@conestogac.on.ca.
   - The Information and Privacy Commissioner of Ontario must be notified by the Privacy Office when there is particularly sensitive information involved in the privacy breach and/or when there is a large number of individuals impacted.
5. Risk Mitigation
   - Based on the severity and scope of the breach, the Associate Vice President, Risk Management will decide whether further investigation is required. If investigation is required, the Associate Vice President, Risk Management will:
     - Lead further investigation of the privacy breach if warranted.
     - Identify strategies to prevent a similar privacy breach from reoccurring.
     - Monitor the outcome of prevention strategies.
Relevant Legislation and Related Documents
Relevant legislation
Revision Log
| Date | Details |
| --- | --- |
| 2021-12-15 | Academic Forum |
| 2022-01-06 | Academic Coordinating Committee |