Privacy Breach Protocol
What is a Privacy Breach?
A privacy breach is an unauthorized collection, use or disclosure of someone’s personal information (PI) or personal health information (PHI), in contravention of the Freedom of Information and Protection of Privacy Act (FIPPA) or the Personal Health Information Protection Act (PHIPA). Under this legislation, and in accordance with university policies, Queen’s is responsible for ensuring that personal information and personal health information in its custody or control is properly safeguarded from those not entitled to have access to it.
What is Personal Information?
FIPPA defines personal information (PI) as recorded information about an identifiable individual, including:
- ethnic origin, race, religion, age, sex, sexual orientation, marital status, etc.
- information regarding educational, financial, employment, medical, psychiatric, psychological or criminal history
- identifying numbers, e.g., SIN, student number
- home address, telephone number, personal email address
- other people’s personal opinions of, or about, the individual
- correspondence sent to Queen’s by the individual that is of a private or confidential nature
- the individual’s name where it appears with or reveals other personal information
What is Personal Health Information?
While information about an individual’s medical, psychiatric or psychological history may fall under FIPPA, when that information is collected, used or disclosed by a Health Information Custodian, in the context of the provision of health care, it is classified as Personal Health Information (PHI) and subject to a special set of legal obligations under PHIPA, including mandatory breach notification.
Examples of unauthorized collection, use or disclosure
- information collected in error
- information used for a purpose not consistent with the original collection
- lost or misplaced information
- stolen information (through hacking or physical theft)
- unauthorized use (including viewing) or disclosure of information, whether accidentally or deliberately
If a privacy breach occurs, take immediate action
- CONTAIN: stop or contain the breach if you can
- REPORT the breach:
  - to your immediate supervisor (or, if unavailable, the next level of management) and the unit or department head
  - to the Chief Privacy Officer at firstname.lastname@example.org or (613) 533-6000 ext. 75226, who will assist with the next steps
- INVESTIGATE: use the step-by-step Privacy Breach Report Form (to be provided by the Chief Privacy Officer) to collect information and address the breach