
Privacy Breach - Who Does What?




It seems next to impossible to pass a day without hearing about a “privacy breach” or “privacy incident” these days. Nurses in a Victoria hospital, for example, were caught snooping in patients’ medical records just out of curiosity, and were fired because of their unlawful activities. A health researcher lost his laptop in a café, where he had stopped by to buy a coffee and a doughnut; the laptop contained tens of thousands of personal health information records; and coincidentally, it was not encrypted. Then recently, the Ministry of Education in BC lost an unencrypted – again! – back-up hard drive containing about 3.4 million records that can be linked to specific individuals.


If you look closely at these seemingly disparate privacy breaches, however, you will notice a common thread: most of them could easily have been prevented. Where they could not, the damage from the breach could have been mitigated.


As you are well aware, our organization also manages a large amount of personal information, such as health benefits claim information, medical records, and HR information of clients and employees. Protecting their personal information safely and securely is, therefore, instrumental for us to obtain and maintain their trust. We do have a simple and straightforward procedure for dealing with a privacy breach (the “Privacy Breach Management Procedure” is in place), and it would be beneficial for all staff to know “who does what” when a privacy breach happens.

 

WHAT IS A PRIVACY BREACH?


A privacy breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information. Such activity is “unauthorized” if it occurs in contravention of the Personal Information Protection Act, under which our organization is operating.



Source: A Decade of Data Breach 


TYPICAL PRIVACY BREACH EXAMPLES


  • Personal information faxed to a wrong number or mailed to a wrong address or person;
  • Workers intentionally viewing personal information other than that required to perform their job functions;
  • Unauthorized disclosure of personal information, or disclosure beyond what workers need to know to perform their job function;
  • Loss or theft of: equipment containing personal information, e.g., laptops, filing cabinets, photocopiers, fax machines, portable storage devices, network devices, mobile devices, and electronic media; or personal information recorded on paper or other written or printed media;
  • Disposal of equipment without secure destruction of the personal information it contains; and
  • Use of laptops, disks, portable storage devices, briefcases, or any other means of storage or transportation of personal information outside the office, without adequate security measures.

 

WHO DOES WHAT?

If you have lost personal information or an employer-issued device, or suspect that it has been stolen, please take the following actions immediately:

  1. Contain the Incident: Take appropriate and immediate steps to contain or prevent a Privacy Breach.
  2. Report it to your supervisor/manager. Inform your manager or supervisor about the incident and work with them on the appropriate approach.
  3. Report it to the Help Desk.
  4. Notify the police if the breach involves theft or other criminal activity.
  5. Support the investigation & other processes: You may be asked to participate and assist in an investigation of a Privacy Breach.