΢��ҕ�l

Privacy Breaches occur. They are usually minor and��most commonly caused��by human error – often sending an email to an incorrect email address.

After discovering a privacy breach, the focus is on the protection of the person or people whose privacy has been breached, minimising the impact where possible, and preventing further breaches, not blaming individuals.��

It is important to follow the below steps if you create or discover a privacy breach at ΢��ҕ�l.

Contain

1. Privacy breach or near miss is discovered by a��University��staff��member/student/community member.��
2. Do not try and manage the situation yourself.��
3. Inform the potential privacy breach to your line Manager (if applicable) and to the��Information and Records Management (IRM)��team via��privacy@canterbury.ac.nz. Please include as much information as possible about the situation.
   
4. If this is a system breach please also contact the helpdesk (0508 824 843 or +64 3 369 5000) to get the issue stopped immediately.

Assess

The��IRM��team will assess:

• What has happened��
• How it has happened
• What systems��or processes��are involved
• Whose��information has been affected – staff, student, third party etc.
• The scale of the breach – internal/external, email, system etc.
• The type of information included��e.g.��medical info, home addresses
• What could be done with this information by the recipient
• What can be done to retrieve or secure the personal information

They will��make a plan��for response considering the risks associated with the breach. They will include appropriate individuals and teams across the campus as needed.

Notify

The team will decide who needs to be informed about the incident. This may be��the:

• Individuals affected��
• Stakeholders��
• Public��
• Privacy Commissioner

Some breaches need to be notified to the Privacy Commissioner. This must happen for all breaches involving medical information. All breaches which meet a threshold for ‘serious harm’ must be notified. The��IRM��team will decide this in line with��the Privacy Act and��guidance from the Privacy Commission.

Prevent

A key part of responding to Privacy breaches is reporting on them. All privacy breaches are tracked internally and reported on to senior management.��Please note – no individuals will be named in the report, the reporting is about the issue and solutions, not blame.

Reviewing what happened is the last key component. A review of the incident to check if there are system or process issues which can be improved. If��so��recommendations will be made from the team.