Records Management and Privacy Office

Privacy Breach Protocol

What is a Privacy Breach?

A privacy breach is an unauthorized collection, use or disclosure of someone’s personal information (PI) or personal health information (PHI), in contravention of the Freedom of Information and Protection of Privacy Act (FIPPA) or the Personal Health Information Protection Act (PHIPA). Under the legislation, and in accordance with university policies, Queen’s is responsible for ensuring that personal information and personal health information in its custody or control is properly safeguarded from those not entitled to have access to it.

What is Personal Information?

FIPPA defines personal information (PI) as recorded information about an identifiable individual, including:

  • ethnic origin, race, religion, age, sex, sexual orientation, marital status, etc.
  • information regarding educational, financial, employment, medical, psychiatric, psychological or criminal history
  • identifying numbers, e.g., SIN, student number
  • home address, telephone number, personal email address
  • other people’s personal opinions of, or about, the individual
  • correspondence sent to Queen’s by the individual that is of a private or confidential nature
  • the individual’s name where it appears with or reveals other personal information

What is Personal Health Information?

While information about an individual’s medical, psychiatric or psychological history may fall under FIPPA, when that information is collected, used or disclosed by a Health Information Custodian, in the context of the provision of health care, it is classified as Personal Health Information (PHI) and subject to a special set of legal obligations under PHIPA, including mandatory breach notification.

Examples of unauthorized collection, use or disclosure

  • information collected in error
  • information used for a purpose not consistent with the original collection
  • lost or misplaced information
  • stolen information (through hacking or physical theft)
  • unauthorized use (including viewing) or disclosure of information, whether accidentally or deliberately

Privacy Breach Protocol (PDF, 194 KB)