Have you ever received a phone call from your bank telling you that your credit card information may have been compromised or stolen?
Be glad you did. While this kind of call may frighten you and create doubt and cause inconvenience, it is far better to be notified and to solve the problem than to let it persist. And if the bank catches the theft early and calls you to let you know how they have prevented it from happening again, you are likely to thank the bank for looking out for your best interests.
The same thing happens when you suspect that you have a privacy breach at work. You need to stop it, report it, inform the client, and let them know what you are doing to solve the problem. It is never an easy phone call to make, but most of the time the client appreciates your concern.
So, what is a privacy breach?
A privacy breach is the loss of, unauthorized access to, or disclosure of personal information. Personal information may include your name, date of birth, address, account information, or even your email address.
Why is a privacy breach a significant problem?
There is an active market for personal identities, with great financial incentive to steal or misuse this personal information. At work, most privacy breaches are ‘oopses’: honest mistakes or the result of not carefully following procedures. But sometimes information is intentionally stolen to harm a specific person or for financial gain. Sometimes the theft is by employees and sometimes by outsiders.
If you think you have a privacy breach at work, you need to:
- Recognize the breach
- Inform your supervisor and privacy officer
- Contain the breach (the privacy officer will take immediate steps to do this)
- Report the breach – internally and to police, regulators, and other agencies as required
- Notify the individuals whose information has been breached
- Recommend appropriate communication
- Investigate the cause of the breach and implement a plan to prevent it from happening again
- Conduct a security audit, threat risk analysis, and review and revise policies and procedures to prevent the breach from happening again
Watch our new video, “Can You Spot the Privacy Breach?”.
The Office of the Information and Privacy Commissioner of Alberta's website has many resources for your use.
The Mandatory Breach Reporting Tool is designed to help organizations determine whether they are required to report a breach under section 34.1 of PIPA.
Reporting a Breach to the Commissioner sets out the minimum requirements for what must be included in a breach report to the Commissioner.
The Breach Reporting Guide has been designed to help organizations provide the information needed to meet the breach reporting requirements.
The Breach Report Form can be used to submit a breach report to the Commissioner.
The Office of the Information and Privacy Commissioner's Process for Determining Whether to Require Notification describes the process the Commissioner follows upon receiving a breach report.
Resources are also available on the Policy and Governance, Service Alberta website at pipa.alberta.ca, including Information Sheet 11: Notification of a Security Breach.
- Review your organization's policy and procedure about Managing a Privacy Breach. If you don't have one yet, create a draft to discuss with your team.
- Do you know who the privacy officer is in your business?
- Pretend that you have a privacy breach and complete the privacy breach report form. Learn the process before you have a real privacy breach!