Privacy Breach Policy
SECTION 1 – INTRODUCTION
1.1 Purpose
The purpose of this policy is to provide direction in the event of a privacy breach of the personal or confidential information of Precise Parklink Inc. (“Precise”) clients, personnel, or customers.
This policy provides guidance on reasonable steps necessary to limit the breach, support an effective investigation and to assist with remediation.
SECTION 2 - POLICY
2.1 Policy
It is Precise’s policy to prevent privacy breaches by following a culture of privacy, security and accountability in adhering to all privacy protocols as detailed in Precise’s Privacy Policy. Should a privacy breach occur through the loss, theft or unauthorized access of personal or confidential information, then the impact of the breach must be contained, and a prompt, reasonable, and coordinated response to the breach must be taken consistent with this policy.
SECTION 3 – RESPONSIBILITY & PROCEDURE
3.2 Privacy Breach Protocol
The following five steps will be initiated as soon as a privacy breach, or suspected breach, has been reported.
3.2.1 Step 1 – Report and Assess
Report
Upon becoming aware of a possible breach of personal or confidential information, the Precise employee will promptly report the suspected breach to their manager. This will occur even if the breach is suspected and not yet confirmed. The manager will assess:
What happened.
Where it occurred.
When the suspected incident occurred.
How the potential breach was discovered.
Where the information was breached, e.g. technology, paper files, verbally.
Corrective action taken when the possible breach was discovered.
Assess
The manager will also assess the breach by asking the following questions:
Q1) Is personal or confidential information involved? (Yes / No)
Q2) Has unauthorized collection, use, disclosure or retention of personal or confidential information occurred? (Yes / No)
Q3) Has personal or confidential information been lost or stolen? (Yes / No)
If the answer is “Yes” to question 1, and “Yes” to either Questions 2 or 3, then it can be assumed that a breach has occurred.
3.2.2 Step 2 – Containment
Containment involves taking immediate corrective action to end the unauthorized practice that led to a breach. For example, corrective action could include recovering the lost or stolen records, revoking or changing access codes, or correcting weaknesses in an electronic security system. The main goal is to alleviate any consequences for both the individual(s) whose personal or confidential information was involved and Precise.
3.2.3 Step 3 – Investigate
Once the privacy breach is confirmed and contained, the manager will conduct an investigation to determine the cause and extent of the breach by:
Identifying and analyzing the events that led to the privacy breach.
Evaluating whether the breach was an isolated incident or whether there is a risk of further privacy breaches.
Determining who was affected by the breach, e.g. clients, personnel or customers, and how many individuals were affected.
Evaluating the effect of containment activities.
Evaluating who had access to the information.
Evaluating whether the information was lost or stolen.
Evaluating whether the personal or confidential information has been recovered.
3.2.4 Step 4 – Notify
The manager shall consult with their director, who will consult with the legal department to determine what notifications are required. Some considerations include:
Notification to authorities or other organizations. Examples include the police if theft or other crimes are suspected, credit card companies, financial institutions, etc.
Does the loss or theft of information place any individual at risk of physical harm, stalking or harassment?
Is there a risk of identity theft? How reasonable is the risk?
Timeline
Affected individuals should be promptly notified and receive the initial notification as soon as possible after the breach has occurred. Further communication with the affected individuals may occur during the process as updates occur.
Method
The method of notification will be guided by the nature and scope of the breach and chosen in a manner that is reasonable to ensure that the affected individual will receive it. Direct notification, e.g. by phone, letter, email or in person, shall be used where the individuals are identified. Where affected individuals are not fully known, media releases, website notices or letters to clients shall be considered.
Responsibility for notification
If the breach involved client information, the manager of that program will provide the notification. In the event that the breach involved personal information of Precise personnel, Human Resources will provide the notification. If the breach involved information of a Precise customer, Marketing will provide the notification.
In the instance where there is a high risk of adverse publicity as a result of the breach, the Chief Operating Officer will be responsible for the notification. As necessary, a determination will be made as to whether external media or public relations support is required due to the severity of the breach.
Notification will include:
Description of the incident and timing
Description of the information involved
The nature of potential or actual risks or harm
What actions were taken/are being taken
Any appropriate actions for the individual(s) to take in order to protect themselves against harm
A contact person for questions or to provide further information
3.2.5 Step 5 – Prevention of Future Breaches
Once the breach has been resolved, the director will work with the manager to develop a prevention plan or take corrective actions as required, and will report to the Chief Operating Officer for required approvals. Prevention activities might include audits; review of policies, procedures and practices; employee training; or a review of service delivery.
Updated November 4, 2020