As a government employee you may handle a high volume of sensitive information (personal information, health information, etc.) and therefore are responsible for the protection of the privacy of that information.
Government institutions and local authorities have legal and policy obligations to protect personal information and personal health information in their possession or control, and recognize this is an essential element in maintaining public trust.
"personal health information" means personal health information within the meaning of The Health Information Protection Act.
"personal information" means personal information within the meaning of The Freedom of Information and Protection of Privacy Act or The Local Authority Freedom of Information and Protection of Privacy Act.
It is important to understand what a privacy breach is and how to prevent and respond to one. This page and its resources are intended to serve as guidelines to help organizations take the appropriate steps in the event a privacy breach has occurred. Employees are encouraged to refer to their internal policies and to consult with their designated Access and Privacy Contact when determining how best to respond to a privacy breach.
You can learn more about privacy breach management below or by reading the Privacy Breach Management Guidelines.
A privacy breach occurs when there is the loss or unauthorized collection, use or disclosure of personal information and/or personal health information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation. Privacy breaches may be the result of inadvertent errors (e.g., a lost computer or phone, or an email sent to the wrong recipient), insufficient safeguards or faulty business or operational practices or procedures (e.g., complacent mail-out procedures, unlocked cabinets), or of deliberate or malicious actions (e.g., snooping to access personal information of customers, patients, clients or employees out of curiosity or for spiteful intentions). Upon learning a privacy breach has occurred, prompt action must be taken.
If you suspect a privacy breach has occurred, immediately contact your organization’s designated Access and Privacy Contact, responsible for reviewing privacy breach concerns.
The Access and Privacy Contact will work with appropriate staff to ensure appropriate action has been taken through these three key steps: (1) contain the breach; (2) investigate and notify the affected parties and authorities; and (3) take steps to prevent similar incidents. For more information, please see the Privacy Breach Management Guidelines.
To help reduce the occurrence of privacy breaches, organizations should employ administrative, physical and technical safeguards to ensure personal and personal health information is adequately protected. Safeguards may include, but are not limited to:
- Administrative Safeguards: Policies, procedures, training, confidentiality agreements, etc.
- Physical Safeguards: Locked cabinets/doors, security systems, controlled access, etc.
- Technical safeguards: Strong passwords, encryption, firewalls, auditing, etc.
When determining what safeguards are appropriate, consider the sensitivity and amount of information, the potential risks, who will have access to the information, the manner of distribution, what format(s) the information will be in (e.g., paper or electronic), and the method(s) of storage. The Workstation Checklist provides some best practices for employees to safeguard and protect personal and sensitive information.
Privacy Breach Management Guidelines
Access and Privacy Contacts by Institution
Privacy Incident Form
The Freedom of Information and Protection of Privacy Act
The Health Information Protection Act
The Local Authority Freedom of Information and Protection of Privacy Act