UCalgary Privacy Incident/Breach and Complaint Process
The UCalgary Procedure for Responding to a Privacy Breach establishes the process under which the Access and Privacy Office will review and respond to privacy incidents under the Protection of Privacy Act (POPA), including determining whether there has been a real risk of significant harm as a result. UCalgary will make every effort to ensure that reasonable security arrangements are in place against such risks as unauthorized access, collection, use, disclosure or destruction of personal information.
A privacy incident/breach occurs where there is loss of, unauthorized access to or unauthorized disclosure of personal information.
A privacy incident/breach may occur within UCalgary or off-site and may be the result of inadvertent errors or malicious actions by third parties. Common examples include misdirected emails containing personal information, intentional unauthorized access to personal information or electronic resources (for example, through a cyber attack), unintentional exfiltration of personal information as a result of employees being deceived (for example, through phishing or social engineering), and lost or stolen documents or devices containing personal information.
As a general rule, UCalgary faculty and staff are authorized to access personal information on a "need-to-know" basis, whereas individuals who are not faculty or staff are only authorized to access personal information under exceptional circumstances. If you are not sure whether you are permitted to access a file or document, check with your supervisor or manager before doing so.
If you suspect that a privacy incident/breach has occurred involving the loss of, unauthorized access to or unauthorized disclosure of personal information, please immediately report the incident to the Access and Privacy Office by completing the Privacy Breach Incident Report form and sending it to accessandprivacy@ucalgary.ca.
If the incident involves UCalgary electronic resources, the incident must also be reported to the IT Cybersecurity Operations Team at abuse@ucalgary.ca.
If the incident involves theft or other illegal activity, it must also be reported to Campus Security at campus.security@ucalgary.ca.
If the reporting individual has not already taken immediate steps to contain the breach, the Access and Privacy Office will provide guidance on appropriate containment measures. This may include engaging the IT Cybersecurity Operations Team, where necessary.
Standard containment measures may include:
- Attempting to recall the email;
- Contacting the recipient to request deletion of the email and confirmation that the information has not been shared, discussed, or otherwise retained;
- Recovering any physical records;
- Resetting any passwords or credentials that may have been exposed; or
- Stopping any unauthorized or unintended access from continuing.
In certain cases, the Access and Privacy Office may direct the responsible area to issue a communication to affected individuals. This communication would outline the nature of the incident, steps taken to mitigate risks, and provide a contact person for further inquiries. No communication regarding a privacy incident should be issued without prior consultation and approval from the Access and Privacy Office.
After initial mitigation measures are completed, the Access and Privacy Office will conduct a privacy risk assessment to determine whether the incident could reasonably be expected to result in a Real Risk of Significant Harm (RROSH).
The following factors will be considered as part of this assessment:
- The nature and cause of the incident;
- The number of affected individuals;
- The number of individuals the personal information was exposed to;
- The type of personal information involved including the data classification, sensitivity, and category of persons the personal information pertains to;
- Whether there is a reasonable basis to believe that the personal information has been misused or will be misused;
- Whether the incident occurred as a result of malicious intent;
- Whether there is a risk of significant harm as a result of the incident (including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, identity theft, negative effects on insurability, negative effects to an individual's credit record, damage to or loss of property or other legal harms or financial losses); and
- Any mitigating measures taken or other factors that reduce the risk of significant harm, such as whether the personal information was recovered.
If a determination is made that there has been a RROSH as a result of the incident, UCalgary has an obligation under Section 10(2) of POPA and Section 4(3)(4)(5) of the M-Regulation to provide notice to all affected individuals and report the incident to the Office of the Information and Privacy Commissioner and Minister of Technology without unreasonable delay. Any reporting will be handled directly by the Access and Privacy Office.
Upon conclusion of the incident, the Access and Privacy Office will assess whether any improvements or changes to technical, administrative, or physical safeguards are required as a result, or whether further training or education is required or recommended. This review may include conducting audits of physical or technical security, performing a root cause analysis, revisiting or developing internal policies and procedures, and identifying the need for additional training to help prevent similar incidents in the future.
Individuals who are unsatisfied with UCalgary's response to a privacy incident or who believe that their own personal information has been collected, used or disclosed by UCalgary in contravention of POPA may submit a formal complaint to the Access and Privacy Office at accessandprivacy@ucalgary.ca. UCalgary will review all complaints and respond within the required timelines under POPA.
If you disagree with a decision made by UCalgary, you may also request a review through the Office of the Information and Privacy Commissioner of Alberta (OIPC) under Part 6 of POPA. To request a review, you must submit a completed Request for Review form to the OIPC at Suite 410, 9925 – 109 Street, Edmonton, Alberta, T5K 2J8 within 60 business days from the date of UCalgary's written decision. The form is available on the OIPC's website, or you can call 1-888-878-4044 to request a copy.