Policies & Guidelines

Reporting a privacy breach - complaints

If you believe that there has been a privacy breach with regard to your personal information, you may notify the Mount Royal University Information Management & Privacy Advisor formally, in writing, by completing Part 1 of the Privacy Breach Report and submitting it to the University Access & Privacy Office.

Alternatively, if the matter is urgent or you are a Department reporting a breach, you may contact the University Access & Privacy Office directly by phone at (403) 440-7288 or by email (foip@mtroyal.ca) if more immediate steps need to be taken to contain the breach.

Privacy Breach Response Process

In Part 1 of the Privacy Breach Report, summarize your concerns, including whether there has been an inappropriate collection, use, disclosure, or destruction of your personal information. In addition, document the Department that you believe has the custody and control of the personal information in question, and the specific personal information that is at issue.

Although not required, forwarding any records pertinent to the complaint is helpful when the University Access & Privacy Office reviews the complaint. Records can be forwarded to foip@mtroyal.ca.

Upon receipt of a privacy complaint, Mount Royal University will take immediate action to contain the breach, investigate the incident, and implement preventative measures as needed through the following steps (if the breach is substantiated):

Step 1: Contain

  • Notify the Department where the source of the breach occurred and implement containment to prevent further harm from the disclosure.
  • Recover/retrieve/destroy/shred the records containing the personal information.
  • Investigate security protocols concerning the breach and correct any immediate process weaknesses (physical, technical, administrative).
  • Review technical security protocols and limit access to key software systems where appropriate (change passwords, access, identification numbers, or shut down system).

Step 2: Investigate

The Mount Royal University Access & Privacy Office will commence Part 2 of the Privacy Breach Report to review and assess the concern, which will:

  • Describe the incident and the steps taken to contain the privacy breach.
  • Evaluate level of harm.
  • Record and review all safeguards in place prior to the privacy breach.
  • Evaluate any immediate or ongoing risks concerned with personal information in the Department.
  • Document security findings related to personal information and recommendations.
  • Describe the actions required to prevent a future privacy breach (training, policies, security process, technical improvements).

Step 3: Notification

Once the Privacy Breach Report has been completed, affected individuals may be notified in order to mitigate further harm in accordance with the Alberta Protection of Privacy Act (the "POPA").

Although also not required under the POPA, the Mount Royal University Access & Privacy Office may further decide to report the privacy breach to the Information and Privacy Commissioner of Alberta depending on the overall evaluation of the breach and based on the following considerations:

  • Whether the disclosed personal information has been used to commit identity theft.
  • The sensitivity of the personal information disclosed.
  • The severity or harm to individuals from the privacy breach.
  • The number of people affected by the breach.
  • Whether the personal information has not been fully recovered.

Step 4: Prevention - Management Review

The recommendations provided in Part 2 of the Privacy Breach Report will be presented to the Manager responsible for the respective Department concerning the breach.

The Information Management & Privacy Advisor and the Department Manager will work together to ensure that the necessary changes are implemented so that a similar privacy breach will not occur again in the future.

Office of the Information and Privacy Commissioner of Alberta - Your Rights

The POPA gives individuals who believe that their own personal information has been collected, used, disclosed, or destroyed in contravention of the Act the right to ask the Alberta Information and Privacy Commissioner to review the matter.

All requests for a review must be submitted to the Commissioner, in writing, in accordance with section 38(1) of the Act.

Before delivering a request for review to the Commissioner, a person must make a complaint to Mount Royal University respecting the matter that will be the subject of the request.

The University must respond within 30 business days after receiving the complaint.

A request for review must be delivered to the Privacy Commissioner within 60 business days after the University responds to the complaint.

The contact information for the Privacy Commissioner is provided below:

Office of the Information & Privacy Commissioner of Alberta (Calgary Office)
Suite 2460, 801 - 6th Ave SW
Calgary, Alberta  T2P 3W2
Phone: 1-888-878-4044
Email: Complaint_Review@oipc.ab.ca
Website: https://oipc.ab.ca/request-a-review-file-a-complaint