privacy breach guidelines
play

PRIVACY BREACH GUIDELINES Purpose The Privacy Breach Guidelines may - PDF document

Apr 11, 2024 •174 likes •291 views

Office of the Saskatchewan Information and Privacy Commissioner PRIVACY BREACH GUIDELINES Purpose The Privacy Breach Guidelines may provide to contain, assess and analyze a privacy some guidance to government institutions, breach. The

  1. Office of the Saskatchewan Information and Privacy Commissioner PRIVACY BREACH GUIDELINES Purpose The Privacy Breach Guidelines may provide to contain, assess and analyze a privacy some guidance to government institutions, breach. The guidelines also contain some local authorities, and health information preliminary steps which can be taken to trustees (hereinafter Organizations) in prevent the breach from occurring again. Saskatchewan when a privacy breach occurs. 1 While these guidelines were created for The Privacy Breach Guidelines provide Organizations, we encourage contractors, Organizations with some basic education information management service providers about privacy breaches and take (IMSP’s), non -profit organizations, and other Organizations through some decision-making interested parties to familiarize themselves with the content within the guidelines. 2 steps regarding notification. These guidelines may also assist Organizations in their efforts 1 While these guidelines can assist Saskatchewan Organizations that are subject to The Freedom of Information and Protection of Privacy Act , The Local Authority Freedom of Information and Protection of Privacy Act, and/or The Health Information Protection Act , government institutions and local authorities should also refer to the Ministry of Justice and Attorney General Privacy Breach Management Guidelines available online at: http://www.justice.gov.sk.ca/PBMG 2 Contractors and IMSP’s should also refer to the OIPC pamphlet " A Contractor's Guide to Access and Privacy in Saskatchewan". It discusses the access and privacy issues for any business or non-profit organization which contracts with any public body in Saskatchewan. It is available online at: http://www.oipc.sk.ca/webdocs/ContractorsGuide.pdf TABLE OF CONTENTS Step 1: Contain the Breach . . . . . . . . . . . . . . . . . . 3 Step 2: Investigate the Breach . . . . . . . . . . . . . . . 4 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Step 3: Assess and Analyze the Breach . . . . . . . . . . 5 What is ‘Privacy’? . . . . . . . . . . . . . . . . . . . . . . . . . 2 Personal Information: It’s All About Me . . . . . . . . . . 2 Step 4: Notification: Who, When and How to Notify . 6 When Does a Privacy Breach Occur? . . . . . . . . . . . . 2 Step 5: Prevention . . . . . . . . . . . . . . . . . . . . . . . . 8 Proactively Reporting Privacy Breaches to the OIPC . 3 The Role of the OIPC . . . . . . . . . . . . . . . . . . . . . . . 8 Five Key Steps in Responding to a Privacy Breach . . 3 Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Page 1 Privacy Breach Guidelines

  2. Office of the Saskatchewan Information and Privacy Commissioner What is ‘Privacy’? Privacy has been, defined in a variety of is understood as the right of an individual to ways, and is considered to involve several determine for him/herself when, how and to different dimensions. They include: what extent he/she will share his/her ‘personal information’.  Physical or bodily privacy;  Territorial privacy; For the purposes of these Guidelines privacy  Privacy of communications; and concerns the collection, use and disclosure of  Information privacy/data privacy. personal information in compliance with the applicable legislation. The Privacy Breach Guidelines focus on the last dimension of privacy. Information privacy Personal Information: It’s All About Me Personal information (PI) and personal health investigate privacy breaches that involve PI or information (PHI) is defined by the applicable PHI of individuals. Our authority to privacy law. 3 Generally speaking PI/PHI is investigate privacy breaches is established in, information about an identifiable individual. and limited to the PI, and/or the PHI of Typically, this office will not consider a breach individuals as defined in The Freedom of of privacy to have occurred if the information Information and Protection of Privacy Act involved is sufficiently de-identified, provided (FOIP) , The Local Authority Freedom of as statistics only, or as aggregate data. Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA). 4 The Office of the Information and Privacy Commissioner (OIPC) of Saskatchewan may When Does a Privacy Breach Occur? A privacy breach happens when there is information. unauthorized collection, use or disclosure of Privacy breaches most commonly occur when PI or PHI. Such activity is ‘unauthorized’ if it PI/PHI about patients, clients/customers or occurs in contravention of FOIP, LA FOIP, or employees is stolen, lost, mistakenly or HIPA. 5 Examples would include ‘water - cooler’ purposely used or disclosed without the conversations about client PI of which a co- requisite need to know. Examples include worker has no professional ‘need to know’, or when a computer containing PI/PHI is stolen, a health care professional accessing a or when PI/PHI is mistakenly emailed or faxed database to check a patient’s status when he to the wrong person. or she has no professional need to know the 3 PI is defined at section 24 of FOIP and section 23 of LA FOIP. PHI is defined at section 2(m) of HIPA. 4 Links to each of these acts can be found on the Saskatchewan OIPC homepage at: http://www.oipc.sk.ca/. OIPC authority to investigate is established at sections 33 and 32 of FOIP and LA FOIP respectively, and sections 42(1)(c) and 52 of HIPA. 5 See Part IV of FOIP, LA FOIP and HIPA. Page 2 Privacy Breach Guidelines

  3. Office of the Saskatchewan Information and Privacy Commissioner Privacy breaches may be accidental or breakdown. Privacy breaches are often intentional; they may be a one time predictable and with proper foresight and planning can be avoided. 6 occurrence or due to systemic inadequacies such as a faulty procedure or operational Proactively Reporting Privacy Breaches to the OIPC The OIPC encourages Organizations to following advice from our office in responding proactively report actual or potential privacy to the breach. breaches to this office. Proactive reporting to the OIPC allows this office to provide advice Generally, when Organizations proactively or guidance in responding to the incident. In report, the OIPC will not immediately open an our experience, Organizations that alert the investigation file, but will monitor the situation OIPC to a breach and take advice from our to ensure that the response of the office, in terms of dealing with that breach, Organization is adequate. In those instances may be much better prepared to respond to where the response is inadequate or not questions from the public, the media, MLAs, timely, OIPC may open a formal investigation etc. The Organization could then at least case file. announce that it has alerted the OIPC and is Five Key Steps in Responding to a Privacy Breach The most important step you can take is to They should be carried out as quickly as respond immediately to the breach . Step possible. Step 4: Notification and Step 5: 1: Contain the Breach , Step 2: Investigate the Prevention provide recommendations for Breach and Step 3: Assess and Analyze the longer-term solutions and prevention Breach and Associated Risks should be strategies. undertaken after learning of the breach. Step 1: Contain the Breach Take immediate steps to contain the breach.  Shut down the system that was breached; These steps may include:  Revoke access or correct weaknesses in physical security; and  Stop the unauthorized practice;  Contact the police if the breach involves  Immediately contact your Privacy Officer, theft or other criminal activity, and contact FOIP Coordinator, and/or the person affected individuals, if they may need to responsible for security in your take further steps to mitigate or avoid organization who should co-ordinate the further harm. following activities;  Recover the records; 6 An excellent tool for preventing privacy breaches is a Privacy Impact Assessment (PIA). A PIA is a diagnostic tool designed to help Organizations assess their compliance with the privacy requirements of Saskatchewan legislation. More information on PIA’s can be found on our website under the heading Privacy Impact Assessment (PIA) at: http://www.oipc.sk.ca/resources.htm Page 3 Privacy Breach Guidelines

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Privacy Breach Coverage Commercial Lines 2 Agenda Evolving Need for Insurance Enhanced

Privacy Breach Coverage Commercial Lines 2 Agenda Evolving Need for Insurance Enhanced

Privacy Breach Coverage Commercial Lines 2 Agenda Evolving Need for Insurance Enhanced Privacy Breach Endorsements New Privacy Breach Liability Coverage Ease of Underwriting Value Added Services Whats Next?

669 views • 52 slides
Class Actions on Data Breach Class Actions on Data Breach and Privacy on the Rise Litigating Class

Class Actions on Data Breach Class Actions on Data Breach and Privacy on the Rise Litigating Class

Presenting a live 90 minute webinar with interactive Q&A Class Actions on Data Breach Class Actions on Data Breach and Privacy on the Rise Litigating Class Claims, Alleging and Challenging Damages, and Evaluating Insurance Coverage WEDNES

735 views • 55 slides
MANDATORY BREACH REPORTING: REVIEW OF THE REQUIREMENTS UNDER PHIPA OVERVIEW OF BREACH

MANDATORY BREACH REPORTING: REVIEW OF THE REQUIREMENTS UNDER PHIPA OVERVIEW OF BREACH

MANDATORY BREACH REPORTING: REVIEW OF THE REQUIREMENTS UNDER PHIPA OVERVIEW OF BREACH NOTIFICATION AND IPC STATISTICS Fida Hindi, Legal Counsel Office of the Information and Privacy Commissioner of Ontario This presentation is

352 views • 23 slides
Breach Notification Response Information Security and Privacy Office January 2012 Agenda

Breach Notification Response Information Security and Privacy Office January 2012 Agenda

Breach Notification Response Information Security and Privacy Office January 2012 Agenda Your information has been breached Now what? Youve Got Mail Breach Notification Letters 46 states have breach notification laws 1 st

656 views • 14 slides
Privacy Breach Risk and Insurance Vancouver Presentation 10 April 2014 Presented by Brian

Privacy Breach Risk and Insurance Vancouver Presentation 10 April 2014 Presented by Brian

Privacy Breach Risk and Insurance Vancouver Presentation 10 April 2014 Presented by Brian Rosenbaum LL.B National Director Aon Risk Solutions Financial Services Group Legal and Research Practice Aon Cyber and Privacy Group Agenda

313 views • 30 slides
Health Information Privacy Breaches Privacy Breaches EHIL Webinar November 14, 2011 1 2011

Health Information Privacy Breaches Privacy Breaches EHIL Webinar November 14, 2011 1 2011

2011 11 16 Health Information Privacy Breaches Privacy Breaches EHIL Webinar November 14, 2011 1 2011 11 16 Agenda What is a privacy breach? What is a privacy breach? Breaches we investigate How to prepare

641 views • 14 slides
THREE REGULATORS: TACKLING THE ROUGE VALLEY HOSPITAL PRIVACY BREACH Sherry Liang | Assistant

THREE REGULATORS: TACKLING THE ROUGE VALLEY HOSPITAL PRIVACY BREACH Sherry Liang | Assistant

THREE REGULATORS: TACKLING THE ROUGE VALLEY HOSPITAL PRIVACY BREACH Sherry Liang | Assistant Commissioner, Tribunal Services | Office of the Information and Privacy Commissioner/Ontario Brigitte Brousseau | Detective Constable | Ontario

793 views • 25 slides
INFORMATION SECURITY AND PRIVACY ADVISORY BOARD 1 Mega Breaches The Year of the Breach 2011

INFORMATION SECURITY AND PRIVACY ADVISORY BOARD 1 Mega Breaches The Year of the Breach 2011

INFORMATION SECURITY AND PRIVACY ADVISORY BOARD 1 Mega Breaches The Year of the Breach 2011 2012 2013 Breaches 208 156 253 Identities Exposed 232M 93M 552M Breaches >10M 5 1 8 2013 was the Year of the Mega Breach Internet

214 views • 5 slides
DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The

DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The

DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provisions apply to three types of entities, which are known as

111 views • 7 slides
Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security Dr. Christos Xenakis Dr. Christoforos Ntantogian Associate Professor, Department of Digital Systems School of Information and Communication

524 views • 26 slides
Security, and Breach Notification Rules Office for Civil Rights (OCR) U.S. Department of Health

Security, and Breach Notification Rules Office for Civil Rights (OCR) U.S. Department of Health

4/27/2017 Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Office for Civil Rights (OCR) U.S. Department of Health and Human Services Updates Policy Development Breach Notification

176 views • 17 slides
Network Security & Privacy Liability: An Overview of Loss Mitigation Concepts and Data Breach

Network Security & Privacy Liability: An Overview of Loss Mitigation Concepts and Data Breach

Network Security & Privacy Liability: An Overview of Loss Mitigation Concepts and Data Breach Response Services March 20 th , 2012 Brian Cole, Managing Director Professional Liability Specialty Practice Overview of Topics Cyber Security

611 views • 21 slides
Data Privacy Security Breach Exercise ISSA Meeting January 21, 2016 Purpose Provide a forum

Data Privacy Security Breach Exercise ISSA Meeting January 21, 2016 Purpose Provide a forum

Data Privacy Security Breach Exercise ISSA Meeting January 21, 2016 Purpose Provide a forum to discuss privacy security data incident/event issues Discuss how best to respond in the event of a privacy incident and learn from the

723 views • 54 slides
Trends in Data Security and Privacy Li7ga7on and Insurance 2015 Verizon Data Breach Report

Trends in Data Security and Privacy Li7ga7on and Insurance 2015 Verizon Data Breach Report

4/16/16 Trends in Data Security and Privacy Li7ga7on and Insurance 2015 Verizon Data Breach Report 79,790 security incidents 2,122 confirmed data breaches Top industries affected: Public, Informa7on, and Financial Services (same as

181 views • 14 slides
Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No privacy breaches! Public Data Anonymization Data representation? Privacy breach? Value of data? Data publisher Privacy Analyst Work by: Elena

80 views • 3 slides
Basic Privacy Principles Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0

Basic Privacy Principles Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0

Basic Privacy Principles Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0 Basic Privacy Principles (part of OECD Privacy Guidelines & most Privacy/Data Protection Law s) Lawfullness of processing , e.g. by

296 views • 4 slides
Cyber Security Readiness & New Mandatory Data Breach Notification Laws Norton Rose Fulbright

Cyber Security Readiness & New Mandatory Data Breach Notification Laws Norton Rose Fulbright

Cyber Security Readiness & New Mandatory Data Breach Notification Laws Norton Rose Fulbright Australia April 2018 Purpose This presentation has been commissioned by CyberHound Pty Ltd (part of the Superloop Group) to assist schools that are

646 views • 26 slides
BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace MCHRMA Spring

BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace MCHRMA Spring

BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace MCHRMA Spring Conference April 4, 2014 MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST PRESENTED BY: Sonya Guggemos MCIT Staff Counsel for Risk Control sguggemos@mcit.org

734 views • 42 slides
Reliance Capital Limited Investor Presentation February 10, 2017 Disclaimer This presentation

Reliance Capital Limited Investor Presentation February 10, 2017 Disclaimer This presentation

Reliance Capital Limited Investor Presentation February 10, 2017 Disclaimer This presentation does not constitute a prospectus, an offering circular, an advertisement, a private placement offer letter or offer document or an offer, or a

1.11k views • 41 slides
Presentation to the Health Commission Office of Compliance and Privacy Affairs (OCPA) San

Presentation to the Health Commission Office of Compliance and Privacy Affairs (OCPA) San

Presentation to the Health Commission Office of Compliance and Privacy Affairs (OCPA) San Francisco Department of Public Health October 3, 2017 OCPA Overview 1. DPH Organizational Chart 2. DPH OCPA Roadmap 3. DPH Compliance Program 4.

462 views • 16 slides
Mexico co-EU EU Town n Hal all on n Border er Car arbo bon n Adju justment ment: An An

Mexico co-EU EU Town n Hal all on n Border er Car arbo bon n Adju justment ment: An An

Mexico co-EU EU Town n Hal all on n Border er Car arbo bon n Adju justment ment: An An U Updat ate o e on D Devel elopmen ents ts i in th the E e EU Webinar 27 August 2020 Andrei Marcu, ERCST Michael Mehling, ERCST Why Are

679 views • 24 slides
Health, Trade & TRIPS: Current Work at the WTO and How it Relates to the Generic Industry

Health, Trade & TRIPS: Current Work at the WTO and How it Relates to the Generic Industry

15 th Annual IGPA Conference Kyoto, Japan, 5 December 2012 The Interface Between Public Health, Trade & TRIPS: Current Work at the WTO and How it Relates to the Generic Industry Roger Kampf, WTO Secretariat The views

383 views • 36 slides
May 2016 1 Disclaimer Certain statements in this document may be forward-looking statements.

May 2016 1 Disclaimer Certain statements in this document may be forward-looking statements.

Leading Through Innovation and Technology Financial Results Presentation FY-16 May 2016 1 Disclaimer Certain statements in this document may be forward-looking statements. Such forward-looking statements are subject to certain risks and

123 views • 11 slides
Policy & Planning Policy & Planning SFY 2021 Proposed Budget SFY 2021 Proposed Budget

Policy & Planning Policy & Planning SFY 2021 Proposed Budget SFY 2021 Proposed Budget

Policy & Planning Policy & Planning SFY 2021 Proposed Budget SFY 2021 Proposed Budget SFY 2020 As SFY 2021 Budget Expenditures Passed Target Change Personal Services 1.1% 4,274,546 4,227,395 Operating $ 902,092 $ 1,000,651

214 views • 5 slides

More recommend