
Recognizing and Reporting Confidentiality Incidents

At McGill University, we are committed to protecting the personal information entrusted to us by our community members, including students, faculty, staff, and alumni. As a public body in Québec, McGill is bound by the Act respecting Access to documents held by public bodies and the Protection of personal information (the "Access Act") and operates under the Policy on the Governance of Personal Information. These frameworks guide our commitment to safeguarding privacy.

Confidentiality Incidents must be reported promptly to the Access and Privacy Office (within the University Secretariat) after any immediate and necessary containment measures have been put in place, as appropriate to the circumstances. Incidents will be assessed and managed under the direction of the Secretary-General, as the University's Privacy Officer, and in consultation with relevant units or staff members as needed.

If a Confidentiality Incident poses a serious risk of harm to affected individuals, the University is required to notify both the Commission d'accès à l'information and the individuals whose personal information was involved. The Secretary-General is responsible for deciding whether a serious risk of harm exists.

This page outlines what constitutes a confidentiality incident, why prompt reporting is crucial, and the steps involved in reporting an incident.

What is a Confidentiality Incident?

A Confidentiality Incident is defined by the Access Act as any unauthorized access, use, or communication of personal information, as well as the loss of personal information or any other breach of its protection. It is important to note that the intention behind the act is not a factor in determining whether an incident has occurred; accidental errors or technical failures can also constitute an incident.

Examples of confidentiality incidents include, but are not limited to:

Unauthorized Access to Personal Information: Accessing personal information without a legitimate need related to one's duties.

  • A staff member views student records without a job-related reason.
  • A researcher accesses identifiable participant data from a shared database without ethics approval.
  • A system vulnerability allows external users to access personal data stored in a university system.

Unauthorized Use of Personal Information: Using personal information for purposes not originally intended or permitted by law.

  • A university employee uses student contact details, collected for administrative purposes, to send marketing emails for a personal business.
  • Research data is processed for a purpose not outlined in the original consent form.
  • An academic uses former students' email addresses to promote private consulting services.

Unauthorized Release of Personal Information: Disclosing personal information to individuals or entities not authorized to receive it.

  • A spreadsheet containing student grades is mistakenly emailed to an external recipient.
  • Sensitive details are not properly redacted in documents released under access to information requests.
  • De-identified research data is released in a way that allows re-identification.

Loss of Personal Information: Personal information is lost or stolen, potentially exposing it to unauthorized access.

  • A university-issued laptop containing unencrypted personal data is stolen.
  • A USB stick with student records is misplaced during transit.
  • A ransomware attack encrypts university servers and exfiltrates personal data.

Other Breaches:

  • Alteration of data by an unauthorized individual, or a system outage preventing access to personal information.
  • Excessive Collection: Collecting more personal information from students, staff, or research participants than is strictly necessary to fulfill the stated purpose of collection.
  • Failure to abide by the McGill University Records Retention Schedule (MURRS), whether by deleting personal information before it is scheduled for destruction or by retaining it for longer than is called for.

A single incident may involve several of the elements described above.

Key Roles and Responsibilities

Several key roles and bodies at McGill are involved in overseeing and implementing personal information protection and incident management:

Secretary-General (Privacy Officer): As McGill's designated Privacy Officer, the Secretary-General is responsible for monitoring internal compliance with privacy obligations, advising the University, and making the final determination on the risk of serious harm for confidentiality incidents.

Access and Privacy Office: Responsible for investigating confidentiality incidents, managing privacy complaints, and serving as a key resource for the University community on privacy matters.

IT Services/Information Security: Works with the Access and Privacy Office to investigate incidents, implement security measures, and ensure the integrity, confidentiality, and availability of McGill IT Resources.

Unit Heads/Liaisons: Responsible for ensuring that personal information within their units is processed in accordance with University policies and procedures, and for promptly reporting any suspected or actual confidentiality incidents.

Reporting a Confidentiality Incident

All members of the University community share responsibility for protecting Personal Information. If you believe a confidentiality incident may have occurred, it must be reported to the Access and Privacy Office as quickly as possible. Prompt reporting is essential to allow the University to limit the impact on affected individuals and meet its legal obligations.

Before reporting, staff should consider any immediate steps they can take to help contain the incident (for example, stopping further access or securing misdirected information). These steps should be taken where they can be done quickly and without delaying the report.

It is important to report any incident, even if it does not initially appear serious. When in doubt, assume that you may be dealing with a confidentiality incident and report it.

Take immediate steps to limit the incident

Where possible, take simple actions to prevent further exposure or loss:

  • Close, restrict, or disable access to the affected file, document, or system.
  • If an email or document was sent to the wrong recipient, do not rely on the "recall" function. Instead, contact the unintended recipient as soon as possible, inform them of the error, and request that they:
    • delete the email or file and any copies;
    • confirm that they have not read, used, or shared the information;
    • keep any Personal Information they may have accessed confidential.
  • Lock or disconnect any compromised workstation or account. Disconnecting a workstation from the network, rather than powering it off, preserves evidence that may be needed to understand what occurred.
  • Preserve all information related to the incident.
    Do not delete or alter emails, system logs, files, or any other materials that may be needed to understand what occurred.

If the incident involves a technological system, contact IT Services/Information Security immediately so they can help contain and assess the issue.

You are not expected to resolve the situation alone; taking reasonable first steps and reporting promptly is sufficient.

Notify your Unit Head or Unit Liaison, and ensure the Access and Privacy Office is informed promptly

In accordance with the Policy on the Governance of Personal Information, staff must notify their Unit Head or Unit Liaison as soon as they become aware of a possible or actual confidentiality incident. The Unit Head or Liaison is responsible for promptly reporting the incident to the Access and Privacy Office.

However, if your Unit Head or Unit Liaison is not immediately available, or if contacting them would delay reporting, you must contact the Access and Privacy Office directly. You may inform your Unit Head or Liaison afterwards.

A brief description of what occurred is sufficient to initiate the process. The Access and Privacy Office will follow up with any required questions and coordinate next steps.

Incidents involving Research data

If the confidentiality incident involves human participant research data, research participants' personal information, study records, or any other materials related to research involving human participants, contact the Associate Director Research Ethics (after implementing immediate containment measures).

Research participants may also contact the Associate Director Research Ethics directly if they have concerns about the handling of their Personal Information in a study.

If you are not a staff member

If you are a student, alumnus/alumna, or community member, please report the incident directly to the Access and Privacy Office.

Contacting the Access and Privacy Office
Email: privacy.secretariat [at] mcgill.ca
Phone: 514-398-4719

A brief description of what occurred is sufficient. The Access and Privacy Office will guide you through the next steps.

What happens next

After receiving your report, the Access and Privacy Office will:

  • review the incident and determine whether further containment measures are needed (with IT Security when relevant);
  • gather details necessary to evaluate the incident;
  • determine whether it presents a risk of serious injury to affected individuals;
  • coordinate notifications to affected individuals and the Commission d'accès à l'information, where required by law; and
  • provide guidance on corrective and preventive measures.

Throughout this process, the Access and Privacy Office will work closely with the reporting unit, as well as IT Security and any other relevant units, to ensure an appropriate and coordinated response.
