Skip to main content

Guidelines for reporting and responding to a Privacy Incident

The following guidelines are intended to inform the community as to the process when a Privacy Incident has occurred.

1. Introduction

Any breach of Personal Information, defined below, can have an impact on the individual(s) concerned.

The University must act responsibly, effectively and in accordance with the Act respecting Access to documents held by public bodies and the Protection of personal information chapter A-2.1 (the “Act”) when responding to an incident that threatens to compromise the security of Personal Information. These Guidelines are intended to inform the community as to the process followed when a Privacy Incident, as defined below, has occurred.

2. Context

These Guidelines are to be interpreted in conjunction with other Concordia policies and guidelines, including but not limited to:

3. Definitions

• “CAI” means the Commission d’accès à l’information du Québec;

• “Privacy Incident” means any incident, actual or suspected, involving the:

a) unauthorized access to Personal Information;

b) unauthorized use of Personal Information;

c) unauthorized disclosure of Personal Information;

d) loss of Personal Information; or

e) any other breach of the protection of such information.

Some examples of Privacy Incidents include:

  • The consultation of information concerning students or employees for personal purposes;
  • The collection of Personal Information that is not required for the performance of the duties of University personnel at the time of collection;
  • The transmission of an e-mail containing Personal Information to the wrong recipient;
  • The theft or loss of a laptop containing Personal Information;
  • The unauthorized disclosure of Personal Information to any public or private organization;
  • The loss of a USB key containing Personal Information;
  • The disclosure, whether intentional or not, of Personal Information to colleagues who are not authorized to consult such information;
  • A data breach caused by the hacking of a service provider who hosts, on their servers and/or cloud, Personal Information provided by Concordia.
  • Notification” means the action of notifying the concerned individuals and/or the CAI of a Privacy Incident.
  • Personal Information” means any information which relates to a natural person and allows that person to be identified directly or indirectly. Such Personal Information could include a person’s name, address, phone number, photo, social insurance number, date and place of birth, health record, education history, degrees, employment history, marital status, etc.
  • Privacy Ambassador” means a person who is designated in certain departments and/or units and who has received training regarding the tools and procedures relating to the protection of Personal Information and specifically the steps to take when a Privacy Incident may have occurred.
  • Privacy Officer” means the person in charge of the Protection of Personal Information within the University. The Privacy Officer may delegate their functions under this Plan, as appropriate.
  • Member(s)” means any student and any full-time, part-time or temporary employee of the University, including staff, faculty, postdoctoral fellows, researchers, members of the administration, stagiaires, interns and volunteers.
  • Privacy Committee” refers to the committee responsible for supporting the University in carrying out its responsibilities and obligations under the Act respecting Access to documents held by public bodies and the Protection of Personal Information, A-2.1.
  • Sensitive Personal Information” means any Personal Information which, due to its highly personal nature, and/or the context of its use or communication, requires a higher level of confidentiality.
  • 4. Procedure for reporting and handling of a Privacy Incident

    The following procedure applies to the reporting and handling of a Privacy Incident:

    Identification of Incident

    Any Member who suspects or has discovered that a Privacy Incident has occurred must immediately notify the designated Privacy Ambassador in their department or unit. The Privacy Ambassador must report the Incident to the Privacy Officer within 24 hours by completing the form here. If the member cannot identify a Privacy Ambassador in their unit, they may fill out the form or contact the Privacy Office by email at privacy.office@concordia.ca.

    Any third party, such as a service provider or agent, who holds Personal Information for the University must report any Privacy Incident to the Privacy Officer within 24 hours by email at privacy.office@concordia.ca.

    Assessment

    When informed of a suspected or an actual Privacy Incident, the Privacy Officer will make an initial assessment of the Privacy Incident. After this initial assessment, the Privacy Officer will decide on the relevance of calling a meeting of the University’s Incident Response Team (“IRT”). The IRT may, among other actions,

    1. Determine the identity to the individual(s) whose Personal Information may have been compromised;
    2. Determine the nature of the compromised Personal Information;
    3. Assess the degree of sensitivity of the compromised information and the possibility that the incident included Sensitive Personal Information;
    4. Determine the number of individuals affected;
    5. Determine whether the Personal Information has been encrypted, anonymized, or otherwise made inaccessible;
    6. Assess if and how the Personal Information could be used for harmful purposes;
    7. Assess whether the Privacy Incident is a systemic problem or an isolated case;
    8. Determine who received the Personal Information and assess whether there is a link between the unauthorized recipients and the persons involved in the Privacy Incident.

    Notification of Incident (if required)

    Where the IRT in consultation with the Privacy Officer determine that a Privacy Incident poses a risk of serious injury to the individual(s) concerned, the Privacy Officer may decide to bring the matter to the Privacy Committee for discussion and recommendation regarding Notification to the individuals affected by the Privacy Incident and to the CAI. The Privacy Officer or delegate will work closely with University Communications Services (UCS) to ensure that appropriate internal and external communications relating to the Privacy Incident are provided.

    Recovery

    The IRT continually monitors the initial assessment and investigation to determine if anything more can be done to contain and limit the effects of the Privacy Incident. If necessary, the IRT assesses how best to restore any affected system. Systems and/or activities should be restored as quickly as possible provided that this does not create further security problems, expose the University to the risk of additional incidents or result in the unintended loss or destruction of evidence.

    Prevention

    Once measures have been taken to limit and mitigate the risks associated with the Privacy Incident, long-term safeguards may need to be developed or enhanced. Special consideration is given to auditing the technical and physical security protocols in place at the time of the Privacy Incident. Where appropriate, the Privacy Officer reviews and updates the University’s policies taking into account lessons learned from the Privacy Incident.

    Questions and comments

    For questions or for more information on accessing documents held by Concordia, please contact:

    Gabriel Desjardins
    Officer, Access and Privacy
    Office of the Secretary-General
    gabriel.desjardins@concordia.ca 
    514-848-2424, ext. 4804

    Back to top

    © Concordia University