Reporting a privacy breach - complaints
If you believe that there has been a privacy breach in regards to your personal information, you may notify the Mount Royal University Information Management & Privacy Advisor formally, in writing, by completing Part 1 of the Privacy Breach Report and submitting it to the University FOIP Office.
Alternatively, you may also (if urgent or a business unit reporting a breach) contact the University FOIP Office directly by phone (403) 440-7288 or via email (foip@mtroyal.ca), if more immediate steps are needed to be taken to contain the breach.
Privacy Breach Response Process
In Part 1 of the Privacy Breach Report summarize your concerns, including whether there has been an inappropriate collection, use, disclosure, or disposal of your personal information. In addition, document the business unit that you believe has the custody and control of the personal information in question, and the specific personal information that is at issue.
Although not required, forwarding any records pertinent to the complaint is helpful when the University FOIP Office reviews the complaint, where records can be forwarded to (foip@mtroyal.ca).
Upon receipt of a privacy complaint, Mount Royal University will take immediate action to contain the breach, investigate the incident, and implement preventative measures through the following steps:
Step 1: Contain
- Notify the business unit where the source of the breach occurred and implement containment to prevent further harm from the disclosure.
- Recover/retrieve/destroy/shred the records containing the personal information.
- Investigate security protocols concerning the breach and correct any immediate process weaknesses (physical, technical, administrative).
- Review technical security protocols and limit access to key software systems where appropriate. (change passwords, access, identification numbers, or shut down system).
Step 2: Investigate
The Mount Royal University FOIP Office will commence with Part 2 of the Privacy Breach Report to review and assess the concern, which will:
- Describe the incident and the steps taken to contain the privacy breach.
- Evaluate level of harm.
- Record and review all safeguards in place prior to the privacy breach.
- Evaluate any immediate or ongoing risks concerned with personal Information in the business unit.
- Document security findings related to personal information and recommendations.
- Describe the actions required to prevent a future privacy breach (training, policies, security process, technical improvements).
Step 3: Notification
Once the Privacy Breach Report has been completed, affected individuals, may be notified in order to mitigate against further harm in accordance with the FOIP Act.
Although also not required under the FOIP Act, the Mount Royal University FOIP Office may further decide to report the privacy breach to the Information and Privacy Commissioner of Alberta depending on the overall evaluation of the breach and based on the following considerations:
- Whether the disclosed personal Information has been used to commit identity theft.
- The sensitivity of the personal Information disclosed.
- The severity or harm to individuals from the privacy breach.
- The number of people affected by the breach.
- The personal Information has not been fully recovered.
Step 4: Prevention - Management Review
The recommendations provided by the Privacy Breach Report within Part 2 will be presented to the Manager (Unit Head) responsible for the respective business unit concerning the breach.
The Information Management & Privacy Advisor and the Manager (Unit Head) will work together to ensure that the necessary changes are implemented so that a similar privacy breach will not occur again in the future.
Office of the Information and Privacy Commissioner of Alberta - Your Rights
The FOIP Act gives individuals who believe that their own personal information has been collected, used, or disclosed in contravention of the Act the right to ask the Alberta Information and Privacy Commissioner to review the matter.
All requests for a review must be submitted to the Commissioner, in writing, in accordance with sections 66 of the Act.
Individuals have the right to submit a complaint to the Privacy Commissioner at any time during the above process.
The contact information for the Privacy Commissioner is provided (below):
Office of the Information & Privacy Commissioner of Alberta (Calgary Office)
Suite 2460, 801 - 6th Ave SW
Calgary, Alberta
T2P 3W2
Phone: 1-888-878-4044
Email: Complaint_Review@oipc.
Website: https://oipc.ab.ca/request-a-review-file-a-complaint