vcc.ca

Freedom of Information and Protection of Privacy: Privacy Breaches and Complaints Procedures

Procedures Number: 501-3
Procedures Effective Date: September 18, 2024
Approval Body: Board of Governors
Sponsor: President

Procedures

Roles and Responsibilities



  1. All Employees and Board members have a duty under the Act to report any Privacy Incidents or Privacy Breaches to their supervisor/manager, or to the Privacy Officer directly.

  2. Any unit, department, or office (Department) of the College may receive a Privacy Complaint and is required to attempt to resolve the Complaint. If the Complaint cannot be resolved within the Department that received it, the Department will direct the Complaint to the Privacy Office.   


Privacy Breaches



  1. Employees and Board members must immediately report any Privacy Incidents or Privacy Breaches to their supervisor/manager, who will then immediately report the Incident or Breach to the Privacy Officer.

    1. Breaches or Incidents may be reported directly to the Privacy Officer in the absence of a supervisor/manager, or as the Breach or Incident requires.

    2. Service Providers will report to the Employee who is their administrative contact in accordance with the Privacy Protection Schedule.

    3. The Privacy Office will develop materials to assist with reporting, and reports can be made to privacyandfoi@vcc.ca or directly by phone.



  2. If an Incident or Breach involves theft, loss or destruction of property, Employees and Board members must also immediately notify the Department of Safety & Security. 

  3. If an Incident or Breach involves computer security, unauthorized access of systems, any compromised data, or other technology-related Incidents, Employees and Board members must also immediately notify IT Services. 

  4. Simultaneous with reporting, Employees and Board members will take steps to contain the Breach to the best of their ability when possible. Initial remediation may include:

    1. Immediately stopping the activity that led to the Breach;

    2. Recovering or requesting the deletion of records that were inappropriately disclosed;

    3. Disabling any systems that might have been improperly accessed.



  5. The Privacy Office, in collaboration with the Department(s) or individual(s) involved, will conduct a preliminary investigation. The preliminary investigation report will include the following:

    1. Description of the information that was compromised;

    2. Known or suspected cause(s) of the Incident or Breach;

    3. Date and time of the Incident or Breach;

    4. Number and type of individuals affected;

    5. Sensitivity of the Personal Information Breached and the level of harm to individuals;

    6. Immediate steps taken to contain the Incident or Breach.  



  6. The Privacy Office will determine if a Breach has occurred and if so, will commence further investigation and remediation activities.

  7. If a Breach has occurred, the Privacy Office, and, when applicable, IT Services and/or Safety & Security, in collaboration with the unit(s), department(s), or office(s) involved in the Breach, will:

    1. Ensure that the Breach is contained by preventing the further spread of Personal Information.

    2. Notify Service Providers if the Breach involves data that is currently in their custody under the obligation(s) of their contract with VCC.

    3. Make all reasonable efforts to recover the Personal Information from all sources to which it has been disclosed or, if the Personal Information cannot be recovered, receive confirmation that it has been confidentially destroyed and no copies retained.

    4. Work with the appropriate Employees to take remedial action on a systemic basis which may include:

      1. Changes to systems or programs involving Personal Information;

      2. Revising operational policies and procedures and advising employees of the revisions;

      3. Providing supplementary training to staff regarding their privacy obligations.



    5. Notify law enforcement if required or appropriate.

    6. Determine whether affected individuals should be notified in accordance with #10. 



  8. In accordance with section 36.3 of the Act, the Privacy Officer will, without unreasonable delay, notify affected individuals if the Breach could reasonably be expected to result in significant harm to the individual, including identity theft or significant:

    1. bodily harm;

    2. humiliation;

    3. damage to reputation or relationships; loss of employment, business, or professional opportunities;

    4. financial loss;

    5. negative impact on a credit record;

    6. damage to, or loss of, property.



  9. VCC is not required to notify an affected individual if notification:

    1. Could reasonably be expected to result in immediate and grave harm to the individual's safety or physical or mental health; or

    2. Could reasonably be expected to threaten another individual's safety or physical or mental health.



  10. The Privacy Officer must notify the Office of the Privacy Commissioner (OIPC) if the Privacy Breach could reasonably be expected to result in significant harm.

  11. The Privacy Office will prepare a report of the Privacy Breach including circumstances, findings, remediation, and recommendations, and share it with the Executive Director of Safety, Security, Risk & Privacy. Privacy Breach Reports may be shared with the Senior Leadership Team depending on the severity of the Breach. The report may also be shared with the OIPC if requested.

  12. Documentation related to Privacy Breaches will be retained in accordance with VCC's Records Retention Schedule (RRS).


Complaints



  1. Any individual may file a Privacy Complaint with VCC about the improper collection, use, or disclosure of their Personal Information by VCC, or about a decision made by VCC concerning a Personal Information request.

  2. Privacy Complaints may be received by any Employee in any Department at VCC. Based on the Complaint, the relevant Department will work to resolve the Complaint.

  3. If the Department is unable to resolve the Complaint, the Department must refer the Complaint to the Privacy Office.

  4. The Privacy Office will investigate and remediate as required and will attempt to resolve the Complaint informally.

  5. Individuals who are not satisfied with VCC's response to their complaint may submit a formal complaint to the BC Office of the Privacy Commissioner (OIPC) following the instructions and requirements available on the OIPC's website at oipc.bc.ca. 

See related policy 501-3
Generated at: 7:24 am on Jan. 15, 2025