Privacy Complaints and Privacy Breaches

Procedure Number: 003
Policy Number: 2105
Responsibility: VP Finance & Operations
Approved: JIBC Executive
Effective Date: May 17, 2023

Procedure Statement

Scope

This procedure forms part of JIBC’s Protection of Privacy and Access to Information policy (the “Policy”), and sets out procedures by which the Institute will respond to Privacy Complaints and Privacy Breaches in accordance with the Act. Terms not otherwise defined in this procedure are as defined in the Policy.

Making a Privacy Complaint

If an individual wishes to make a Privacy Complaint, they may do so by sending an email to privacy@jibc.ca setting out their name and contact information, their relationship to the Institute, the nature of the Privacy Complaint and the names of any individuals at JIBC whom they allege may have been involved. JIBC will gather, investigate, and assess all available information pertaining to the Privacy Complaint, and will respond to the complainant within thirty (30) business days.

Reporting a Privacy Breach

All Employees, Service Providers and Volunteers have a duty to report suspected privacy breaches to their supervisor or manager, who will then initiate an investigation and report to the following units:

  • The Privacy Breach must be reported to the General Counsel (by email to privacy@jibc.ca) enclosing a completed JIBC Privacy Breach Reporting Form.
  • If you believe the security of an electronic system has been compromised, it must be reported to Technology Services.
  • If you believe Personal Information was stolen (i.e., an office was broken into and computers stolen), it must be reported to Campus Security.

Responding to Privacy Breaches

In the event of a Privacy Breach involving Personal Information in the custody or control of the Institute, the General Counsel will, without unreasonable delay, review the completed Privacy Breach Reporting Form and all other available information. In accordance with the Act, the General Counsel will, without unreasonable delay, notify an affected individual and the OIPC if the Privacy Breach could reasonably be expected to result in significant harm to the affected individual, which includes identity theft or significant:

  • bodily harm;
  • humiliation;
  • damage to reputation or relationships;
  • loss of employment, business, or professional opportunities;
  • financial loss;
  • negative impact on credit record; or
  • damage to, or loss of, property.

In determining whether a particular Privacy Breach could reasonably be expected to result in significant harm to an affected individual, the General Counsel will consider, among other things, the:

  • sensitivity, context, and amount of Personal Information involved; 
  • number and nature of individuals affected; 
  • relationships of those involved;
  • cause and extent of the Privacy Breach;
  • ability to contain the Privacy Breach; and
  • foreseeable harm caused by the Privacy Breach.

Privacy Breach Notification

If, after considering the above, the General Counsel believes that a Privacy Breach could reasonably be expected to result in significant harm to the affected individual, the General Counsel will, as the delegated head of the public body for such purposes, without unreasonable delay, notify affected individuals and the OIPC as follows.

Notifying Affected Individuals

Whenever possible, the General Counsel will directly notify individuals affected by a Privacy Breach. The General Counsel may indirectly notify an individual affected by a Privacy Breach by public communication that can reasonably be expected to reach the affected individual if:

  • JIBC does not have accurate contact information of the affected individual;
  • the General Counsel reasonably believes that providing notification directly to the affected individual could unreasonably interfere with operations of the Institute; or
  • the General Counsel reasonably believes that the information in the notification will come to the attention of the affected individual more quickly if notification is given indirectly.

Direct or indirect notification to affected individuals of a Privacy Breach will include the following:

  • JIBC’s name;
  • date the Privacy Breach came to JIBC’s attention;
  • description of the Privacy Breach, including:
    • the date on which or the period during which the Privacy Breach occurred, and
    • a description of the Personal Information inappropriately accessed, collected, used, or disclosed;
  • risk to the affected individual caused by the Privacy Breach;
  • steps taken by the Institute to control or reduce harm caused by the Privacy Breach;
  • further steps planned to prevent further Privacy Breaches;
  • steps the affected individual can take to mitigate the risk of harm caused by the Privacy Breach;
  • contact information of the General Counsel or designate who can answer questions or provide further information;
  • contact information of the OIPC and information about the affected individual’s right to complain to the OIPC; and
  • confirmation that the OIPC has been or will be notified of the Privacy Breach.

Notifying the OIPC

Notification to the OIPC of a Privacy Breach will include the following:

  • JIBC’s name;
  • date the Privacy Breach came to JIBC’s attention;
  • description of the Privacy Breach, including:
    • the date on which or the period during which the Privacy Breach occurred,
    • a description of the Personal Information inappropriately accessed, collected, used, or disclosed; and
    • an estimate of the number of affected individuals;
  • description of information inappropriately accessed, collected, used, or disclosed;
  • risk to affected individuals caused by the Privacy Breach;
  • steps taken by the Institute to control or reduce harm caused by the Privacy Breach;
  • further steps planned to prevent further Privacy Breaches; and
  • contact information of the General Counsel or designate who can answer questions or provide further information.

Records of Privacy Breaches

The General Counsel will complete the Privacy Breach Reporting Form to reflect the analysis undertaken and actions taken in response to the Privacy Breach. The completed Privacy Breach Reporting Form, as well as all applicable information and material, will be stored electronically within the Office of the General Counsel, and will be retained in accordance with JIBC’s obligations under the Information Management Act (British Columbia).

Related Policies and Procedures

Documents and Forms