Complain about issues related to FOIP at Mount Royal University


How to report a privacy breach at Mount Royal University:


Privacy Breaches

A privacy breach occurs when there is unauthorized collection, use, or disclosure of personal information. These activities are considered “unauthorized” if they occur in contravention of the Alberta FOIP Act. [Protection of Privacy Part 2: Sections 33-42]

One of the most common privacy breaches is unauthorized disclosure of personal information.

Privacy Breach Protocol

If you believe that there has been a privacy breach with regard to your own Personal Information, notify the Mount Royal University Privacy Advisor formally in writing (not by e-mail) by filling out Part 1 of the Privacy Security Assessment Report (PSA report). You can also contact the University Privacy Advisor directly by phone or e-mail if deemed necessary so that immediate steps can be taken to contain the breach prior to a formal investigation by the University. In the PSA report, summarize your concerns, including whether there has been an inappropriate collection, use, or disclosure of your personal information. In addition, document the department that has the custody and control of the personal information in question, the specific personal information that is at issue, and how you wish Mount Royal University to proceed.

Step 1: Contain:

Mount Royal University will take immediate action to contain the privacy breach and evaluate the scope of the privacy breach by taking the following actions:

  • Contact the complainant outlining immediate steps to be taken to contain the breach.
  • Inform the complainant to contact the police if the privacy breach is related to identity theft or other criminal activity. The complainant may need to contact other organizations (for example, financial institutions) to limit further harm.
  • Recover/Retrieve/Destroy the records containing the personal information from the Third Party (if the records have been sent to an identifiable Third Party).
  • Investigate physical security concerning the records and correct any immediate process weaknesses.
  • Review Technical security protocol and limit access to key software systems where appropriate. Example: Change passwords, access, identification numbers, or shut down system(s) if required.
  • Note the current administrative policies of the department.

Step 2: Investigate:

After the privacy breach has been contained and the formal PSA has been received from the complainant, the Mount Royal University Information Management & Privacy Office will conduct an internal investigation on the department that experienced the privacy breach. This investigation will be conducted by the Information Management & Privacy Advisor. The investigation will address the privacy breach on a systematic basis in the form of a Privacy Security Assessment Report.

Individuals in the University who have pertinent information regarding the privacy breach should document their own details and forward them to the Information & Privacy Advisor at Mount Royal University.

Privacy Security Assessment Report:

  • Describes the incident and the steps taken to contain the privacy breach.
  • Records and reviews all safeguards in place prior to the privacy breach.
  • Evaluates any immediate or ongoing risks concerned with Personal Information in the department.
  • Documents security findings related to personal information and recommendations.
  • Describes the actions required to prevent a future privacy breach (training, policies, security process, limited access by individuals).

Step 3: Notification:

Once the Privacy Security Assessment Report has been completed, the complainant will be notified of the conclusion of the Investigative part of the process. The communication will inform the complainant of the findings related to privacy safeguards for the department and the security actions taken in response to the privacy breach.

Mount Royal University Information Management & Privacy Office may decide to report the privacy breach to the Alberta Information and Privacy Commissioner depending on the overall evaluation of the breach.

The following are considerations that may prompt notification to the Alberta Office of the Information & Privacy Commissioner:

  • Whether the disclosed Personal Information has been used to commit identity theft.
  • The sensitivity of the Personal Information disclosed.
  • The severity or harm to individuals from the privacy breach.
  • The number of people affected by the breach.
  • Whether the Personal Information has not been fully recovered.

Step 4: Prevention - Management Review:

The details of the privacy breach and the actions, recommendations, and conclusions that result will be reported to the Manager of the department who is responsible for the program area at Mount Royal University.

The Information Management & Privacy Advisor and the Manager will work together to ensure that the necessary changes have taken place so that a similar privacy breach will not occur in the future.

The complainant has the right to contact the Alberta Information & Privacy Commissioner and request a review of any decision, act, or failure to act. However, the request for a review must be submitted to the Commissioner in writing within 60 days after being notified of a decision by Mount Royal University, in accordance with sections 66(1) and 66(2)a(i) of the Act.


Office of the Information & Privacy Commissioner of Alberta
410, 9925 – 109 Street
Edmonton, Alberta
T5K 2J8
Phone: 1-888-878-4044
Email: generalinfo@oipc.ab.ca
