Privacy Breach Protocol
What is a Privacy Breach?
A privacy breach is an unauthorized collection, use or disclosure of someone’s personal information (PI) or personal health information (PHI), in contravention of the (FIPPA) or (PHIPA). Under the legislation, and in accordance with university policies, Queen’s is responsible for ensuring that personal and personal health information in its custody or control is properly safeguarded from those not entitled to have access to it.
What is Personal Information?
FIPPA defines personal information (PI) as recorded information about an identifiable individual, including:
- ethnic origin, race, religion, age, sex, sexual orientation, marital status, etc.
- information regarding educational, financial, employment, medical, psychiatric, psychological or criminal history
- identifying numbers, e.g., SIN, student number
- home address, telephone number, personal email address
- other people’s personal opinions of, or about, the individual
- correspondence sent to Queen’s by the individual that is of a private or confidential nature
- the individual’s name where it appears with or reveals other personal information
What is Personal Health Information?
While information about an individual’s medical, psychiatric or psychological history may fall under FIPPA, when that information is collected, used or disclosed by a Health Information Custodian, in the context of the provision of health care, it is classified as Personal Health Information (PHI) and subject to a special set of legal obligations under PHIPA, including mandatory breach notification.
Examples of unauthorized collection, use or disclosure
- information collected in error
- information used for a purpose not consistent with the original collection
- lost or misplaced information
- stolen information (through hacking or physical theft)
- unauthorized use (including viewing) or disclosure of information, whether accidentally or deliberately
If a privacy breach occurs, take immediate action
- CONTAIN: stop or contain the breach if you can
- REPORT:
  - to your immediate supervisor (or, if unavailable, the next level of management) and the unit or department head
  - to the Chief Privacy Officer at access.privacy@queensu.ca or (613) 533-6000 ext. 75226, who will assist with the next steps
- INVESTIGATE: use the step-by-step Privacy Breach Report Form (to be provided by the Chief Privacy Officer) to collect information and address the breach