Privacy Breaches
What is a privacy breach?
A privacy breach is an incident involving the unauthorized collection, use or disclosure of personal information. Unauthorized disclosures of personal information are the most common sources of privacy breaches and can occur when personal information is lost, stolen or inadvertently disclosed through human error.
Circumstances that could lead to a privacy breach include:
- loss or theft of equipment containing personal information (e.g., memory sticks, disks, laptops)
- e-mails sent to a wrong address or person containing personal information
- incorrect file attached to an e-mail
- disposal of equipment containing personal information without secure destruction
- insufficient controls in place to protect personal information in paper and electronic files
- information faxed to a wrong number
- use of laptops, disks, memory sticks or other equipment to store or transport personal information outside of the office without adequate security measures
use of laptops, disks, memory sticks or other equipment to store or transport personal information outside of the office without adequate security measures
What is personal information?
"Personal Information" is defined as recorded information about an identifiable individual. An individual's personal information includes information regarding his or her race, gender, home address, medical history, education history, identifying numbers (e.g. SIN, employee number, student number, etc.), financial or employment information, personal opinions, completed assignments and exams, and grades, comments and evaluations provided by an instructor.
What to do if a privacy breach occurs?
The University has a responsibility to protect personal information in its custody or control from unauthorized access or disclosure. Upon discovery of a privacy breach, or suspected breach, the incident must be reported immediately to the Schulich Privacy Officer (privacy@schulich.uwo.ca) who will then work with Western’s Information and Privacy Office. Decisions on how to respond to a suspected or confirmed privacy breach will be made on a case-by-case basis.
The following information, if known, will be helpful when reporting a breach:
- The nature of the personal information involved (e.g. name, SIN, etc.)
- The number (potential or actual) of individuals affected by the breach and who they are (e.g. employees, students)
- The possible scope of the breach (e.g. internal/external - who might have gained access to the personal information without consent or authorization, length of time before detection of breach, etc.)
- The date and/or location of the incident giving rise to the breach
- When and how the breach was discovered