Privacy Protection in the Administration of OSAP

This statement concerns the protection of privacy, the disclosure of and notification about privacy breaches, and the prevention of future breaches.

Privacy Protection Statement

Colleges of applied arts and technology and designated universities are governed by Ontario's Freedom of Information and Protection of Privacy Act (FIPPA). These colleges and universities are individually responsible for applying the access and privacy rules of FIPPA in their operations, including in the administration of OSAP at their institutions.

The head of each institution is responsible for making decisions under FIPPA. Regulation 460, made under FIPPA, designates the Chair of the Board of Governors as the "head" for colleges and the Executive Head as the "head" for the designated universities. Each institution may delegate this responsibility.

Centennial College has appointed an Information and Privacy Coordinator to assist the institution in meeting its statutory obligations to provide access to information and protect personal privacy:
Stephen Young, Vice President, Strategy, Alignment and Analytics
stephenyoung@centennialcollege.ca
647-482-6936

The Ministry of Government Services has the overall responsibility for implementation of FIPPA within the Ontario Government. The Ministry of Government Services Manual recommends that the Coordinator's responsibilities include designing measures to ensure the privacy requirements of FIPPA are honored.

In administering OSAP, each institution is responsible for protecting the personal privacy of the personal information it has in its custody or under its control in accordance with FIPPA and its own internal policies and procedures and any relevant OSAP policy and procedure.

Privacy Breaches

Notwithstanding an institution's best efforts, an unauthorized disclosure of personal information may occur. The Information and Privacy Commissioner (IPC) has published "Privacy Breach Protocol Guidelines for Government Organizations".

The main steps that the IPC recommends are:

  • Containment – identify the scope of the potential breach and take steps to contain it.
  • Notification of the individuals whose privacy was breached. The IPC has also published a "Breach Notification Assessment Tool" to assist in deciding whether to notify, when and how to notify, and what the notice should contain.
  • Notification of staff within the institution, including the Information and Privacy Coordinator.
  • Informing the IPC – contact will be made by the institution's Information and Privacy Coordinator.

In addition to these steps, the institution must also notify Graham Webster, Manager, OSAP and Compliance Unit, graham.webster@ontario.ca, (416-557-9033) at the Ministry when there has been a privacy breach arising out of the administration of OSAP. The notification must be made by e-mail, through the program administrator for the institution, at the earliest possible opportunity after the breach is discovered.

The website of Ontario's Information and Privacy Commissioner, for future reference:

http://www.ipc.on.ca

Appendix A

Privacy Breach Checklist and Protocol

Incident Description

  • Date of the Incident
  • When the incident was discovered
  • How the incident was discovered
  • What was the location of the incident
  • What was the cause of the incident

1. Breach Containment and Preliminary Assessment

  • Contain the breach (recover the information, shut down the affected computer system, change locks, etc.).
  • Designate an appropriate individual to lead the initial investigation (usually the FAA or Director).
  • Determine whether a breach response team needs to be assembled and, if so, who should be included (privacy officer, security, communications, legal, etc.).
  • Determine who needs to be made aware of the incident internally and, potentially, externally at this preliminary stage (the Student Financial Assistance Branch of the Ministry of Training, Colleges and Universities should be informed of any breach related to OSAP information). The Compliance Officer for Centennial College will be contacted and provided with an incident description.
  • Determine whether the breach involves theft or other criminal activity. If so, contact the local police department.
  • Ensure that all evidence is preserved and not destroyed until the breach has been corrected.

2. Evaluate the Risks Associated with the Breach

  • Determine what personal information was involved (name, address, SIN, financial, medical, etc.).
  • Determine the form the information was in (e.g. paper records, electronic databases, etc.).
  • Determine what physical or technical security measures were in place at the time of the incident (locks, alarm systems, encryption, passwords, etc.).
  • Determine the cause and extent of the breach and any risk of ongoing breaches or further exposure of the information.
  • Determine whether the information may be used for fraudulent or other purposes.
  • Determine whether the information was lost or stolen and, if stolen, whether the information was the target of the theft.
  • Determine whether the personal information has been recovered.
  • Determine whether the breach was an isolated incident or a systemic problem.
  • Determine how many individuals were affected by the breach and who they are (employees, students, service providers, etc.).
  • Determine the foreseeable harm from the breach (security risk, identity theft, financial loss, physical harm, humiliation, damage to reputation, etc.).
  • Determine who has received the information and what the risk of further access, use or disclosure is.
  • Determine what harm could come to the public as a result of notification of the breach (e.g. risk to public health or safety).

3. Notification

  • Determine who should be notified (College President, law enforcement, Privacy Commissioner, etc.).
  • Determine the reasonable expectations of the individuals concerned.
  • Determine the risk of harm to the individual, including identity theft or fraud.
  • Determine whether there is a risk of physical harm, humiliation or damage to the individual's reputation.
  • Determine the ability of the individual to avoid or mitigate possible harm.
  • Determine the legal and contractual obligations of the organization.
  • If it is decided that the individual does not need to be notified, document the reasons and who was consulted (e.g. the Privacy Coordinator) before finalizing this decision.
  • If the decision is to notify the individuals, identify how and when they will be notified and by whom (phone, letter, email, in person, website, media, etc.).
  • If law enforcement authorities are involved, ensure that notification will not compromise the investigation.
  • Determine what information should be included in the notification, and limit the personal information disclosed in the notification to what is necessary. The notification should contain:
      • information about the incident in general terms;
      • a description of the personal information involved in the breach;
      • a general account of what Centennial College has done to control or reduce harm;
      • what Centennial College will do to assist the individual to reduce the risk of harm or further protect themselves;
      • the name and contact information of the Centennial College Privacy Coordinator, who can provide additional information or answer questions;
      • whether Centennial College has contacted a law enforcement agency, the Privacy Commissioner's office, etc.

4. Prevention of Future Breaches

  • Determine what short- and long-term steps are needed to correct the situation (e.g. staff training, policy review or development, audits, etc.).

Appendix B

Ten Tips for Reducing the Likelihood of a Privacy Breach – Office of the Privacy Commissioner of Canada

Understand the threats you’re facing