The purpose of this policy is to provide direction in the event of a privacy breach of the personal or confidential information of Precise Parklink Inc. (“Precise”) clients, personnel, or customers.
This policy provides guidance on reasonable steps necessary to limit the breach, support an effective investigation and to assist with remediation.
The following five steps will be initiated as soon as a privacy breach, or suspected breach, has been reported.
Upon becoming aware of a possible breach of personal or confidential information, the Precise employee will promptly report the suspected breach to their manager. This will occur even if the breach is suspected and not yet confirmed. The manager will assess:
The manager will also assess the breach by asking the following questions:
Q1) Is personal or confidential information involved?
Q2) Has unauthorized collection, use, disclosure or retention of personal or confidential information occurred?
Q3) Has personal or confidential information been lost or stolen?
If the answer is “Yes” to question 1, and “Yes” to either Questions 2 or 3, then it can be assumed that a breach has occurred.
Containment involves taking immediate corrective action to end the unauthorized practice that led to the breach. For example, corrective action could include recovering the lost or stolen records, revoking or changing access codes, or correcting weaknesses in an electronic security system. The main goal is to alleviate any consequences for both the individual(s) whose personal or confidential information was involved and Precise.
Once the privacy breach is confirmed and contained, the manager will conduct an investigation to determine the cause and extent of the breach by:
The manager shall consult with their director, who will consult with the legal department to determine what notifications are required. Some considerations include:
Affected individuals should be promptly notified and receive the initial notification as soon as possible after the breach has occurred. Further communication with the affected individuals may occur during the process as updates occur.
The method of notification will be guided by the nature and scope of the breach and chosen so that it is reasonable to ensure the affected individual will receive it. Direct notification (e.g., by phone, letter, email or in person) shall be used where the individuals are identified. Where affected individuals are not fully known, media releases, website notices or letters to clients shall be considered.
If the breach involved client information, the manager of that program will provide the notification. In the event that the breach involved personal information of Precise personnel, Human Resources will provide the notification. If the breach involved information of a Precise customer, Marketing will provide the notification.
In the instance where there is a high risk of adverse publicity as a result of the breach, the Chief Operating Officer will be responsible for the notification. As necessary, a determination will be made if external media / public relations support is required due to the severity of the breach.
Once the breach has been resolved, the director will work with the manager to develop a prevention plan or take corrective actions as required and will report to the Chief Operating Officer for required approvals. Prevention activities might include: audits; review of policies, procedures and practices; employee training; or a review of service delivery.