Thompson Rivers University

Breach Protocol

The Breach Protocol provides guidance on the steps that TRU will follow when there is evidence that confidential information has been accessed without authorization. Examples of when the Breach Protocol should be used include the loss or theft of any device containing confidential information, the loss or theft of any paper files containing confidential information, or evidence of unauthorized access to any system or file where confidential information is stored or accessed.

Modified by the TRU Information Security Committee - May 23, 2013

When confidential information, and especially personally identifiable information about individuals, in TRU's possession or control is disclosed to unauthorized individuals, TRU should:

a. conduct a prompt incident assessment to determine the risks to TRU or the people whose personal information has been disclosed (“Affected Persons”), posed by the disclosure;
b. ensure a senior decision-maker (usually the CIO), receives and reviews the incident assessment and decides whether notification is appropriate in light of:
i. the potential for reasonably foreseeable harm to result to TRU or Affected Persons, having regard to:
1. the nature of information, in particular its sensitivity;
2. the amount of information;
3. the extent of unauthorized access, use or disclosure, including the number of likely recipients;
4. the risk of further access, use or disclosure, especially in mass media or online;
5. any relationship between recipients and Affected Persons;
6. the degree to which Affected Persons may already be aware of the breach of their information privacy and be able themselves to minimize harm;
7. steps taken by the organization to contain the breach and minimize the harm;
ii. the potential for notification itself to cause reasonably foreseeable harm to Affected Persons or any other person; and
iii. whether, considering the potential for harm to Affected Persons and the potential for notification to cause harm, notification is reasonably likely to alleviate more harm than it would cause.
c. ensure that, in compliance with the BC Freedom of Information and Protection of Privacy Act, section 30.5 (2), the senior decision-maker (usually the CIO) immediately notifies the Head of Public Body and/or their delegate, regardless of any other notification that may be necessary.

2) If TRU concludes that notification is appropriate, prepare a notification strategy and follow it;

3) Proceed on the basis that early notification is generally preferred to later notification.

TRU may be required to notify Affected Persons; other organizations that may be affected by the breach; other groups who require notice based on legal, professional, or contractual obligations; and the BC Privacy Commissioner. The notification should include:

1) that a privacy breach occurred and a description of it;
2) the elements of personal information involved;
3) steps that TRU has taken to mitigate the harm and any likely further steps;
4) advice to Affected Persons on what they can do to further mitigate the risk of harm;
5) that Affected Persons have the right to complain to the BC Privacy Commissioner.