Privacy Protection in the Administration of OSAP
This statement concerns the protection of privacy, the disclosure and notification of privacy breaches, and the prevention of future breaches.
Colleges of applied arts and technology and designated universities are governed by Ontario's Freedom of Information and Protection of Privacy Act (FIPPA). These colleges and universities are individually responsible for applying the access and privacy rules of FIPPA in their operations, including in the administration of OSAP at their institutions.
The head of each institution is responsible for making decisions under FIPPA. Regulation 460, made under FIPPA, designates the Chair of the Board of Governors as the "head" for colleges and the Executive Head as the "head" for the designated universities. Each institution can delegate this responsibility.
Centennial College has appointed an Information and Privacy Coordinator to assist the institution in meeting its statutory obligations to provide access to information and protect personal privacy. The Ministry of Government Services has the overall responsibility for implementation of FIPPA within the Ontario Government. The Ministry of Government Services Manual recommends that the Coordinator's responsibilities include designing measures to ensure the privacy requirements of FIPPA are honoured.
In administering OSAP, each institution is responsible for protecting the privacy of the personal information it has in its custody or under its control, in accordance with FIPPA, its own internal policies and procedures, and any relevant OSAP policy and procedure.
Notwithstanding an institution's best efforts, an unauthorized disclosure of personal information may occur. The Information and Privacy Commissioner (IPC) has published "Privacy Breach Protocol Guidelines for Government Organizations".
The main steps that the IPC recommends are:
- Containment – identify scope of potential breach and take steps to contain it
- Notification of individuals whose privacy was breached
- The IPC has also published a "Breach Notification Assessment Tool" to assist in determining whether to notify, when and how to notify, and the contents of the notice
- Notify staff within the institution including the Freedom of Information and Privacy Coordinator
- Inform IPC – contact will be made by the institution’s Information and Privacy Coordinator
In addition to these steps, the institution must also notify the Ministry when there has been a privacy breach arising out of the administration of OSAP. The notification must be made at the earliest possible opportunity after the breach is discovered by contacting the program administrator for the institution by e-mail.
Below is the link to the website of Ontario’s Information and Privacy Commissioner for future use:
Appendix A – Privacy Breach Checklist and Protocol (attached)
Appendix B – Ten Tips for Reducing the Likelihood of a Privacy Breach (attached)
Privacy Breach Checklist and Protocol
- Date of the incident
- When the incident was discovered
- How the incident was discovered
- Location of the incident
- Cause of the incident
Step 1: Breach Containment and Preliminary Assessment
- Contain the breach (recovery of information, computer system shut down, locks changed, etc.)
- Designate an appropriate individual to lead the initial investigation (usually the FAA or Director)
- Determine if there is a need to assemble a breach response team and, if so, determine who should be included (privacy officer, security, communications, legal, etc.)
- Determine who needs to be made aware of the incident internally and potentially externally at this preliminary stage (the Student Financial Assistance Branch of the Ministry of Training, Colleges and Universities should be informed of any breach related to OSAP information). The Compliance Officer for Centennial College will be contacted and provided with an incident description.
- Determine if the breach involves theft or other criminal activity. If yes, contact the local Police department.
- Ensure that any and all evidence is available and not destroyed until the breach has been corrected.
Step 2: Evaluate the Risks Associated with the Breach
- Determine what personal information was involved (name, address, SIN, financial, medical, etc.)
- Determine the form the breach was in (ex. paper records, electronic databases, etc.)
- Determine what physical or technical security measures were in place at the time of the incident (locks, alarm systems, encryption, passwords, etc.)
- Determine the cause and extent of the breach and any risk of ongoing breaches or further exposure of the information
- Determine whether the information may be used for fraudulent or other purposes
- Determine whether the information was lost or stolen; if it was stolen, determine whether the information was the target of the theft or not
- Determine if the personal information has been recovered
- Determine if the breach was an isolated incident or a systemic problem
- Determine how many individuals were affected by the breach and who they are (employees, students, service providers, etc.)
- Determine the foreseeable harm from the breach (security risk, identity theft, financial loss, physical harm, humiliation, damage to reputation, etc.)
- Determine who has received the information and what the risk of further access, use or disclosure is
- Determine what harm could come to the public as a result of notification of the breach (ex. risk to public health or safety)
Step 3: Notification
- Determine who should be notified (College President, law enforcement, Privacy Commissioner, etc.)
- Determine reasonable expectations of the individuals concerned
- Determine the risk of harm to the individual, including identity theft or fraud
- Determine whether there is a risk of physical harm, humiliation or damage to the individual’s reputation
- Determine the ability of the individual to avoid or mitigate possible harm
- Determine the legal and contractual obligations of the organization
- If it is decided that the individual does not need to be notified, be sure to record the reasons why and who was consulted before finalizing this decision (ex. Privacy Coordinator)
- If the decision is to notify the individuals, identify how and when they will be notified and by whom (phone, letter, email, in person, website, media, etc.)
- If law enforcement authorities are involved, ensure that notification will not compromise the investigation
- Determine what information should be included in the notification, and be careful to limit the amount of personal information disclosed in the notification to what is necessary (information about the incident in general terms; a description of the personal information involved in the breach; a general account of what Centennial College has done to control or reduce harm; what Centennial College will do to assist the individual to reduce the risk of harm or further protect themselves; the name and contact information of the Centennial College Privacy Coordinator who can provide additional information or answer questions; whether Centennial College has contacted a law enforcement agency, the Privacy Commissioner's office, etc.)
Step 4: Prevention of Future Breaches
- Determine what short- and long-term steps are needed to correct the situation (ex. staff training, policy review or development, audits, etc.)
Ten Tips for Reducing the Likelihood of a Privacy Breach – Office of the Privacy Commissioner of Canada
Understand the threats you’re facing
1. Know what personal information you have, where it is, and what you are doing with it. Data inventories and process maps will help ensure you know exactly what personal information you need to protect, as well as when and where you need to protect it. When and where do you collect personal information? Where does that information go? Who can access it, and what do they do with it? You must understand your data before you can protect it!
2. Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests within your organization to ensure that threats to privacy are identified. Don’t just focus on technical vulnerabilities, though. Are third parties collecting personal information on your behalf without appropriate safeguards? Do you use paper-based application forms, which are transferred to a central location (the loss of which means you’ll have no way of knowing who the affected individuals are, let alone how to notify them)? When you upgrade your systems, do the old systems and databases remain active, unwatched and unpatched? The OPC has seen each of these scenarios lead to a breach. Identify your organizations’ weak points before a breach identifies them for you!
3. Know your industry. Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association, or whatever your source of industry news – don't be the next vulnerable target!
Think beyond the hacker
4. Encrypt laptops, USB keys and other portable media. Organizations often focus on privacy breaches caused by hackers, but this ignores some key threats. Perhaps the most common type of preventable breach seen by the OPC occurs due to loss or theft of unencrypted laptops, USB keys, and other portable media. In many of these incidents, the use of sufficiently strong encryption could have turned a headline-grabbing privacy breach into a minor issue!
5. Limit the personal information you collect, as well as what you retain. You should know not only why you are collecting each piece of personal information, but why you are keeping it. Where possible, don’t collect personal information – for example, in most identity authentication cases it is enough to view, but not record, an individual’s identification. Also, if personal information is only collected for limited purposes, securely dispose of it after they have been fulfilled. Always keep in mind: you can’t lose what you don’t have
6. Don't neglect personal information's end-of-life. It is important that you protect personal information throughout its lifecycle – including the often overlooked end-of-life. Clearly define your policies and procedures about the secure destruction of personal information, and make sure they are followed. The OPC has seen breaches caused by documents left behind in a move or thrown in the garbage, as well as by information not being properly erased from discarded or recycled electronics. Like an action movie hero, personal information tends to survive and reappear when its destruction isn't seen through to the end!
7. Train your employees. Policies can only be effective when those responsible for implementing and abiding by them are aware of what they contain, why they exist, and the consequences of neglecting their responsibilities. You should have in place ongoing privacy and security training and awareness programs that go far beyond ‘box-ticking’ exercises. Employees who fully understand their roles and responsibilities in protecting personal information can be one of an organization’s best lines of defense against privacy breaches!
8. Limit, and monitor, access to personal information. Employees' access to personal information should be limited to what they need to know, particularly when this information is sensitive. This can help ensure they don't become the cause of a breach, either accidentally or intentionally. Similarly, monitored access logs can help you identify unusual behaviours, and potentially prevent an incident either before it occurs or in the early stage. Don't burden your employees with more information than they need to do their jobs!
But don't forget about hackers, either
9. Maintain up-to-date software and safeguards. This is Security 101: if you don't protect yourself against known vulnerabilities, you greatly increase the likelihood of a breach. Establish systematic, documented processes to ensure security-related patches are applied in a timely manner, and that software that is no longer in use is removed from your system. As well, ensure that the virus and malware definitions associated with your anti-virus and anti-malware software are current by allowing them to perform regular updates. Operate at the speed of your attackers!
10. Implement, and monitor, intrusion prevention and detection systems. An organization’s first goal is to prevent intrusions, and you should have systems in place to do so. However, the reality is that even with the best protections in place, your system may get breached. Measures such as intrusion detection systems, firewalls and audit logs can help you to identify and respond to privacy breaches before they escalate – assuming you’re paying attention to them. Ensure that safeguards used to monitor network or system activities and mitigate threats have been properly implemented and are proactively monitored. Don’t rely only on the guards you’ve posted at your gate; know what’s happening inside your walls!
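Tips 8 and 10 both turn on the same practice: compare who accessed which student file against who was supposed to, and look at the audit log for patterns that precede a breach. The following is an added illustration of such a review, not code from Centennial College, OSAP or the OPC. The log format, the staff-to-caseload table, the business-hours window, the bulk threshold and the staff account names are all constructed assumptions; a real review would read them from the institution's student information system.

```python
"""Review of a constructed student-record access log for the kinds of
unusual behaviour Tips 8 and 10 describe. Added example; the log format,
the caseload table and the thresholds are assumptions, not any
institution's real systems or data."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: ISO timestamp, staff account, student record id, action.
SAMPLE_LOG = """\
2024-03-04T09:12:03 fa_smith S1001 VIEW
2024-03-04T09:15:44 fa_smith S1002 VIEW
2024-03-04T09:20:10 fa_smith S1003 UPDATE
2024-03-04T10:02:51 fa_jones S2001 VIEW
2024-03-04T10:03:05 fa_jones S1002 VIEW
2024-03-04T23:41:19 fa_jones S2002 EXPORT
2024-03-04T23:41:20 fa_jones S2003 EXPORT
2024-03-04T23:41:21 fa_jones S2004 EXPORT
2024-03-04T23:41:22 fa_jones S2005 EXPORT
2024-03-04T23:41:23 fa_jones S2006 EXPORT
2024-03-04T23:41:24 fa_jones S2007 EXPORT
"""

# Constructed need-to-know mapping: which student files each financial aid
# officer is assigned to. In practice this comes from the case management system.
CASELOAD = {
    "fa_smith": {"S1001", "S1002", "S1003"},
    "fa_jones": {"S2001", "S2002", "S2003", "S2004", "S2005", "S2006", "S2007"},
}

BUSINESS_HOURS = range(8, 18)      # 08:00 to 17:59 local time, assumed
BULK_THRESHOLD = 5                 # distinct records per user per day, assumed
SENSITIVE_ACTIONS = {"EXPORT"}     # actions that move data out of the system


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, user, student, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, student, action = line.split()
        events.append((datetime.fromisoformat(ts), user, student, action))
    return events


def review_access(events, caseload):
    """Return a list of (finding_kind, user, detail, when) tuples for follow-up."""
    findings = []
    daily_records = defaultdict(set)    # (user, date) -> distinct student files touched
    for ts, user, student, action in events:
        # Need-to-know: access to a file outside the officer's assigned caseload
        if student not in caseload.get(user, set()):
            findings.append(("outside_caseload", user, student, ts.isoformat()))
        # Timing: activity outside business hours deserves a second look
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours", user, student, ts.isoformat()))
        # Data movement: exports are the actions most likely to become a breach
        if action in SENSITIVE_ACTIONS:
            findings.append(("sensitive_action", user, student, ts.isoformat()))
        daily_records[(user, ts.date())].add(student)
    # Volume: many distinct files in one day suggests bulk collection
    for (user, day), students in daily_records.items():
        if len(students) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(students)} records", day.isoformat()))
    return findings


def summarize(findings):
    """Count findings per (user, kind) so the privacy coordinator sees who needs a conversation."""
    counts = defaultdict(int)
    for kind, user, *_ in findings:
        counts[(user, kind)] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG), CASELOAD):
        print(finding)
```

On the constructed log, the officer whose activity stays inside her caseload during business hours produces no findings, while the account that viewed a file outside its caseload and then exported six files late at night is flagged on every check. The thresholds are deliberately simple; the point of Tip 8 is that the log is read at all, and that the caseload table used to judge it is the same one used to grant access in the first place.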