AP 118

Privacy Breach and Privacy Complaints

 

Background


The Board of Education is committed to meeting its obligations to protect personal information from unauthorized access, use and disclosure in accordance with the Freedom of Information and Protection of Privacy Act (“FIPPA” or the “Act”).

Definitions  

 

“Privacy Breach” is the theft or loss of personal information, or the collection, use or disclosure of personal information in the custody or control of a public body that is not authorized by FIPPA, including where the personal information is in written, verbal or electronic form.

“Privacy complaint” is a complaint from an individual about a breach of their own personal information.

Procedures


1.      Designating a Privacy Contact Person

         The Secretary-Treasurer or their designate will be the privacy contact person.

2.      Privacy Breaches and Privacy Complaints

2.1    Privacy Breaches

When a privacy breach has been identified:

  • employees must immediately report any actual or suspected breach to their Supervisor/Manager or Superintendent.
  • the Supervisor/Manager or Superintendent reports the breach to either the Secretary-Treasurer or their designated privacy contact.
  • the requirement to report immediately includes actual or suspected information incidents discovered outside of normal working hours.

The Secretary-Treasurer and/or designated privacy contact will, if applicable, take the following steps:

  • enact mechanisms to commence investigation into the reported incident.
  • determine the level of harm (mandatory or discretionary notification) and the need for breach notification in accordance with the Act.
  • notify affected individuals and the Office of the Information and Privacy Commissioner (“OIPC”), as required under section 36.3 of the Act.
  • contain and recover breached personal information.
  • conduct notification of affected individuals and the OIPC, as required under section 36.3 of the Act; contact others as appropriate.
  • request individuals involved to provide written attestations confirming they have returned and/or destroyed any records they received without authorization, and stating whether they sent them to others and, if so, to whom.
  • review investigative findings and develop prevention strategies.
  • document breaches and retain information in accordance with Administrative Procedure 523 – Records Retention.

2.2    Privacy Complaint

Privacy complaints may be submitted to the district’s privacy coordinator. The Secretary-Treasurer or the Superintendent will oversee the response to all complaints.

In responding to complaints, the Secretary-Treasurer/privacy coordinator may (depending on the nature of the complaint):

  • enact mechanisms to commence investigation into the reported incident.
  • determine the level of harm (mandatory or discretionary notification), and the need to notify the Office of the Ombudsperson of British Columbia of the complaint.
  • isolate or suspend the activity that led to the complaint.
  • document and retain information in accordance with Administrative Procedure 523 – Records Retention.
  • work with the complainant to find resolution.

Last Revised: March 2023
