Information Breach

(Draft)

  1. When confidential information or personally identifiable information about individuals in SFU’s possession or control is disclosed to unauthorized individuals, SFU should:
    1. conduct a prompt incident assessment to determine the risks the disclosure poses to SFU or to the people whose personal information has been disclosed (“Affected Persons”);
    2. ensure that a senior decision-maker (usually the CIO) receives and reviews the incident assessment and decides whether notification is appropriate in light of:
      1. the potential for reasonably foreseeable harm to result to SFU or Affected Persons, having regard to:
        1. the nature of information, in particular its sensitivity;
        2. the amount of information;
        3. the extent of unauthorized access, use or disclosure, including the number of likely recipients;
        4. the risk of further access, use or disclosure, especially in mass media or online;
        5. any relationship between recipients and Affected Persons;
        6. the degree to which Affected Persons may already be aware of the breach of their information privacy and be able themselves to minimize harm;
        7. steps taken by SFU to contain the breach and minimize the harm;
      2. the potential for notification itself to cause reasonably foreseeable harm to Affected Persons or any other person; and
      3. whether, considering the potential for harm to Affected Persons and the potential for notification to cause harm, notification is reasonably likely to alleviate more harm than it would cause.
  2. If SFU concludes that notification is appropriate, prepare a notification strategy and carry it out.
  3. Proceed on the basis that early notification is generally preferable to later notification.

Contents of Notification Strategy

SFU may be required to notify Affected Persons, other organizations that may be affected by the breach, other groups who require notice based on legal, professional, or contractual obligations, and the BC Privacy Commissioner. The notification should include the following:

  1. Notification that a privacy breach occurred and a description of it;
  2. The elements of personal information involved;
  3. Steps SFU has taken to mitigate the harm and any further steps to be taken;
  4. Advice to Affected Persons on what they can do to further mitigate the risk of harm;
  5. Information informing Affected Persons of their right to complain to the BC Privacy Commissioner.

Core Roles

Chief Safety Officer, CIO, Privacy Officer. As necessary, or as a resource: VP Legal, Registrar, Directors, HR & Academic Relations, VP Advancement & Alumni Engagement, ...