Chapter 9: Privacy Management
Chapter 7: Privacy Fundamentals outlined the rules that govern collection, use, disclosure, retention, accuracy, security and disposal of personal information. Institutions need to build a privacy management program that enables the institution to be compliant with these rules.
Each institution will have slightly different needs regarding the management of privacy depending on the volume of personal information within their custody, the sensitivity of the personal information they manage, and relationships with third parties, including vendors. The guidance in this chapter consists of best practices that may be adapted to each specific institution based on their needs.
This chapter outlines the importance of defining roles and responsibilities for privacy, building privacy into business practices, education and awareness; monitoring the effectiveness of a privacy program, and preventing and managing privacy breaches.
Define Roles and Responsibilities
As discussed in Chapter 2: Government Roles and Responsibilities, the head of an institution is accountable for compliance with the legislation. In most institutions, some or all of the powers of a head are delegated to an officer or officers through a formal Delegation of Authority.
Senior level accountability for privacy protection must be established within an institution. This senior official should understand the personal information holdings of the institution, the safeguards that are in place to protect personal information, and act as a champion for privacy protection at the senior level.
Further, the management of privacy needs to be an institution-wide initiative, engaging employees at all levels. All employees who work with personal information are accountable for protecting the personal information in the custody and control of the institution.
Obligations to safeguard personal information should be outlined in job descriptions, codes of conduct, and in performance development plans for all institutional employees who collect, use, or disclose personal information as part of their official duties.
Education about privacy, as well as the legislation’s requirements, will help employees understand why privacy is important, how to protect it, as well as employees’ responsibilities with regards to safeguarding personal information. Coordinators should develop a privacy awareness training program that ensures employees can identify personal information and understand appropriate uses for the personal information.
Institutions should also make available to the public contact information where inquires can be made regarding the privacy practices of the institution. Providing this contact information supports transparency and accountability.
As discussed in Chapter 7: Privacy Fundamentals, this contact information should be included in any notice of collection. Additionally, this information should be generally available to the public on the institution’s public website or other publicly available source.
Align Business Practices
Institutions should align business practices by integrating the protection of personal information into existing programs, systems, and policies.
It is easier and less expensive to build privacy protective measures into technology, contracts, programs, practices and business continuity plans from the beginning, than to retrofit them after privacy breaches occur. Therefore, institutions should consider privacy when identifying your strategic priorities, deliverables and performance measures. Privacy should not be an after-thought.
Areas that institutions should consider adding privacy considerations include:
- Assessment of potential vendors and partners;
- Contracts with vendors and partners;
- Information sharing agreements;
- Information technology planning;
- Policy development; and
- Program development.
Privacy Impact Assessment
A privacy impact assessment (PIA) is an analytical process involving several activities and deliverables. It is not a single document or end-product.
A PIA process will support institutions in identifying and addressing privacy risks when planning, designing, acquiring and implementing any program, system, process, practice, service, technology, application or other deliverable that involves personal information. It is relevant to new initiatives, as well as changes to existing information management processes or systems.
The PIA is often described as an “early warning system” because it enables institutions to identify and understand potential privacy risks, to prevent or mitigate negative privacy consequences, and to enhance privacy protection. The PIA should be started as early in a project’s lifecycle as possible.
The following examples are the types of projects that may involve a substantial change to the collection, use or disclosure of personal information and, therefore, would be benefit from a PIA:
- New programs that will involve significant collection, use, or disclosure of personal information, particularly enterprise-wide initiatives or those involving multiple programs or partners;
- Major changes to existing programs that will involve a significant change in the collection, use and disclosure of personal information including those resulting from: an integration of programs; broadening of target population; change in service delivery channels; expansion of amount or type of data collection; constraining or eliminating opportunities for anonymity or pseudonymity; or major shift toward indirect collection of personal information;
- Use of new technology or one known to impact privacy that could raise significant privacy risks (e.g., biometrics, smart cards, drug testing, or technology with surveillance capabilities);
- Major changes to technology that will alter the functionality of information management, access to personal information (by program/system administrators, customers or third parties), or security features;
- Creation or modification of databases that will contain personal information, particularly where the data is sensitive or relates to a significant number of people, or that will link separate databases or create files that index or point to personal information on such databases; or
- Creation or modification of identification and authentication schemes that will involve multi-purpose identifiers, biometrics or identity cards.
Privacy and Contracting Services
Institutions may contract with private sector organizations or enter into relationships with other types of organizations to provide services on behalf of the institution. These services may include:
- Delivering a program on behalf of government;
- Establishing and/or managing a database;
- Providing system support such as troubleshooting;
- Providing disaster recovery services;
- Conducting research;
- Administering a call centre;
- Providing records storage; or
- Supplying other services such as off-site shredding or recycling of information storage media.
Under these contracts it may be necessary for private sector organizations to handle personal information or other sensitive government information. However, the institution remains accountable for ensuring that the private sector organization manages the personal information in accordance with the legislation.
Institutions should take steps to assess the risk and develop mitigation strategies when contracting services that involve the collection, use, storage, retention, disclosure or disposal of personal information. The following steps provide guidance on how institutions can proactively protect personal information when contracting services:
Assess risk: Assess the sensitivity of the data and conduct a PIA and threat risk analysis when considering contracting services involving personal information.
Develop an information protection plan: Develop a plan to address control, accountability, security and mitigation strategies for any identified risks.
Procurement and contractual requirements: Work with procurement specialists and Legal Counsel to build privacy and security requirements into procurement and contracting process. Contractual requirements can address identified risks.
Audit and monitor contract: Conduct ongoing audit and consistently review contractor’s performance in managing personal and sensitive information as documented in the contract.
Monitor and Evaluate Privacy Program
Institutions should periodically review privacy policies and practices, and commit to ongoing improvements to ensure compliance with the legislation.
A privacy audit is a tool to support monitoring and evaluating a privacy program. A privacy audit is a self-assessment of the institution’s practices to identify:
- The institution’s personal information holdings;
- The information needs of a program areas or corporate functions; and
- Existing privacy and information management policies, practices, and procedures.
A privacy audit allows institutions to determine the extent to which personal information in the institution’s custody and control is maintained in accordance with the legislation. A privacy audit will also help identify gaps in compliance and can help focus efforts to improve practices within the institution.
The basic steps to follow for a privacy audit include:
- Take inventory of the types of personal information that are collected, used, disclosed, retained or disposed of by the institution;
- Confirm the legal authority for collecting the personal information; and
- Describe the end-to-end business processes or activities that support the program in delivering those services.
Following the completion of the privacy audit, institutions should identify recommendations and next steps to fill in any gaps in compliance with the legislation. Some examples of next steps that could be identified from a privacy audit include:
- Updating notices of collection to include all necessary requirements under the legislation;
- Increased security on personal information stored within systems;
- Updates to an institution’s personal information bank index in the Directory of Records; or
- Updated training for employees within the institution.
A privacy breach is an incident where personal information is collected, retained, used, disclosed or disposed of in ways that do not comply with the provisions of the legislation.
Common examples of a privacy breach include personal information being stolen, lost, or accessed by unauthorized persons. Circumstances that could lead to a privacy breach include:
- Personal information being mailed, faxed or emailed to a wrong address, email address or fax number;
- Loss or theft of equipment containing personal information, such as external hard drives, laptops, are memory sticks;
- Disposal of equipment or paper records without secure destruction of the personal information; or
- A malicious cyber-attack on an information system.
Addressing privacy breaches is an important part of an institution’s privacy management program. When a privacy breach occurs, both the individuals affected by the breach and the institutions involved are potentially vulnerable to adverse consequences:
Consequences for individuals: Unauthorized disclosure of personal information violates an individual’s privacy. It creates the potential for harm, including identity theft and other forms of fraud, physical safety issues such as stalking or harassment, financial loss, adverse impact on employment or business opportunities, and damage to reputation.
Consequences for institutions: In addition to not meeting the legal requirements of the legislation there are other consequences, including:
- Reduced productivity as staff respond to a breach or deal with a complaint;
- Lost public trust and confidence due to public disclosure of a major privacy breach;
- Cost of emergency measures necessary to control a breach; and
- Replacement costs of hardware, software and data affected by the breach.
Privacy Breach Response Plan
Despite an institution’s best efforts, privacy breaches will occur and the development of a privacy breach response plan will enable an institution to respond to a breach in a timely and effective manner.
Having such a plan enables institutions to respond to privacy breaches in a coordinated manner. As part of a privacy management program, institutions should evaluate the effectiveness of the institution’s response plan annually and implement changes, as necessary. The creation of a response plan may involve documenting existing practices for dealing with privacy breaches.
Given the diversity of institutions and the varied nature of privacy breaches, no “one size fits all” response protocol is possible or practical. However, as a best practice, institutions should first assess whether a privacy breach has occurred and in the event of a breach, institutions may take the following actions:
- Respond and contain;
- Investigate; and
- Implement change.
These steps can take place simultaneously, or in rapid succession, depending upon the circumstances. Each step does not have to be completed before beginning the next step.
Each step of the protocol is described below and includes suggested roles and responsibilities for the key players.
Once an incident or suspected incident has occurred, it should be reported by the employee who discovered it immediately the employee’s direct supervisor and the Coordinator. The Coordinator will work with the program area to determine if a privacy breach has occurred.
Assessing a Suspected Breach
When an incident has been reported to the manager or the Coordinator within an institution, they must immediately determine if a privacy breach has occurred. In making this assessment, two important questions need to be answered:
- Is personal information involved?
- Has the personal information been collected, used, accessed or disclosed in an unauthorized manner?
Not all data in the custody or control of an institution is personal information. Therefore, the first part of your assessment is to identify the type of information affected by the incident. See Chapter 7: Privacy Fundamentals for a definition of personal information and examples.
If the answer to both questions is “yes”, a privacy breach has occurred.
Respond and Contain
Coordinators or other employees should contain the privacy breach by taking corrective action. Corrective action may include retrieving personal information, or isolating or suspending activity on a system or website.
The privacy breach should be reported to key players within the institution including senior leadership and impacted program areas.
The institution should document the details of the privacy breach. Documentation should be as detailed as possible and address the “who, what, where, when and how” of the incident.
Finally, Coordinators should brief senior management on the privacy breach and how it is being managed and resolved, as appropriate.
Coordinators should work with the program area and Legal Counsel to plan notification of the breach. Notifying the individuals impacted by the privacy breach should be the default course of action. The purpose of providing notice of a privacy breach to the individuals whose personal information was involved in the incident is to provide them with sufficient information about:
- What happened;
- The nature of potential or actual risks of harm;
- Appropriate action to take to protect themselves against harm; and
- A brief explanation of the individual’s right to complain to the IPC about your institution’s handling of their personal information.
Such notice supports the purposes of the legislation and the institution’s responsibility to protect the privacy of individuals with respect to personal information. It is also consistent with the fair information practices of openness and accountability.
Notice should take place at the earliest opportunity. However, institutions should not compound the potential harm caused by a privacy breach by providing premature notice based on incomplete facts or taking any action that might make identity theft or other harm more likely to occur as a result.
Notice should be delayed if law enforcement determines immediate notice would impede a criminal investigation; or the breach resulted from a security or information system failure, restore and test the integrity of the system before disclosing details of the breach.
Notifying the individuals affected by a privacy breach may not be appropriate, reasonably possible, or necessary in the following limited circumstances:
- Law enforcement determines notice would impede a criminal investigation;
- Notice is not in the individual’s interest (e.g., notice could potentially endanger an individual or result in greater harm to the individual); or
- Notice would serve no useful purpose (e.g., if all the personal information involved in the privacy breach is: already publicly available; recovered before an unauthorized party could possibly access it; or protected by technology, such as encryption, that would mean unauthorized access and use of the data is not reasonably possible).
Coordinators should consider consulting with the IPC when planning to provide notice to individuals impacted by privacy breaches.
See Chapter 12: Privacy Complaints, Breaches and Investigations for more information on institutions self-reporting privacy breaches to the IPC.
Institutions should investigate to:
- Identify and analyze the events that led to the privacy breach;
- Evaluate the institution’s response and containment of the breach; and
- Recommend remedial action to help prevent future breaches.
Document the results of the internal investigation including:
- Background and scope of the investigation;
- Legislative implications;
- How the investigation was conducted (who did it, who was interviewed, what questions asked, what policies and practices considered, etc..);
- The source and cause of the privacy breach;
- An inventory of systems and programs affected by the breach;
- Determination of the adequacy of existing security and privacy policies, procedures and practices;
- Assessment of the effectiveness of the institution’s response to the breach; and
- Findings including a chronology of events and recommendations for remedial actions.
Senior management should be informed of the results of the investigation to ensure recommendations are enacted.
The final step of the response plan is to implement changes within the institution to prevent future privacy breaches. When determining what changes and remedial action needs to be implemented, Coordinators should consider if it is necessary to:
- Review relevant information management systems to enhance compliance with the legislation;
- Amend or reinforce your existing policies and practices for managing and safeguarding personal information;
- Develop and implement new security or privacy measures;
- Train staff on legislative requirements, security and privacy policies, practices and procedures to reduce the potential of future breaches; or
- Test and evaluate remedial actions to determine if they have been implemented correctly, and if your policies and practices need to be modified.
In addition, Coordinators should evaluate whether the notice individuals impacted by the privacy breach was done in a reasonably timely manner, whether the tone and content of the notice was appropriate, and whether there was sufficient support provided to individuals impacted by the breach.