This is the exact embedded text of the captured official document.
Snapshot 8517d2d6fb59 · verified 2026-06-10 · unofficial consolidation, the official version is held by the municipal clerk.
This document is available in alternate formats upon request.
Please contact the Clerk's Department at 705-432-2355.
Township of Brock
Privacy Breach Policy
1. Statement of Organizational Commitment
The Corporation of the Township of Brock is committed to protecting personal information in the
custody or control of the municipality and to complying with the privacy protection requirements
mandated by the Municipal Freedom of Information and Protection of Privacy Act.
2. Background
The Municipal Freedom of Information and Protection of Privacy Act provides a right of access
to information under the control of institutions in accordance with the principles and to protect
the privacy of individuals with respect to personal information about themselves held by
institutions and to provide individuals with a right of access to that information.
Sections 31 & 32 of the Municipal Freedom of Information and Protection of Privacy Act outline
when an institution can use and/or disclose personal information in its custody or under its
control. When the use or disclosure of personal information or records containing personal
information violates Sections 31 or 32 of the Municipal Freedom of Information and Protection of
Privacy Act or other applicable legislation, a privacy breach occurs. Privacy breaches can occur
when personal information of residents or employees is stolen, lost, or mistakenly disclosed (e.g.
personal information is mistakenly emailed to the wrong person).
3. Purpose
The purpose of this policy is to ensure that all Township of Brock employees and Members of
Council, at all times, comply with the privacy protection requirements as mandated by the
Municipal Freedom of Information and Protection of Privacy Act.
This policy confirms the Township of Brock's obligation to protect personal information in the
custody or control of the institution. Privacy Breaches undermine public trust in an institution and
may result in significant harm to the Township and to those whose personal information is
collected, used or disclosed inappropriately.
This policy outlines the steps that shall be followed when an alleged Privacy Breach is reported
to ensure that it is quickly contained and investigated to mitigate the potential for further
dissemination of personal information.
4. Scope and Responsibility
This policy applies to all Township of Brock employees, volunteers, agents, contractors, and
members of Council.
The CAO & Municipal Clerk is responsible for the overall implementation and enforcement of
this policy.
5. Definitions
"Act" means the Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990,
Chapter M. 56.
"Employee" means any paid employee, including, but not limited to, full-time, part-time, paid
apprenticeships, and seasonal employees.
"Municipality" means the Corporation of the Township of Brock.
"Personal Information" means recorded information about an identifiable individual, including,
a) Information relating to the race, national or ethnic origin, colour, religion, age, sex,
sexual orientation or marital or family status of the individual;
b) Information relating to the education or the medical, psychiatric, psychological,
criminal or employment history of the individual or information relating to financial
transactions in which the individual has been involved;
c) Any identifying number, symbol or other particular assigned to the individual;
d) The address, telephone number, fingerprints or blood type of the individual;
e) The personal opinions or views of the individual except if they relate to another
individual;
f) Correspondence sent to an institution by the individual that is implicitly or explicitly of
a private or confidential nature, and replies to that correspondence that would reveal
the contents of the original correspondence;
g) The views or opinions of another individual about the individual; and
h) The individual's name if it appears with other personal information relating to the
individual or where the disclosure of the name would reveal other personal
information about the individual.
"Privacy Breach" means the use or disclosure of Personal information or records containing
personal information in violation of Section 31 or 32 of the Act.
"Record" means any record of information however recorded, whether in printed form, on film,
by electronic means or otherwise, and includes:
a) Correspondence, a memorandum, a book, a plan, a map, a drawing, a diagram, a
pictorial or graphic work, a photograph, a film, a microfilm, a sound recording, a
videotape, a machine readable record, any other documentary material, regardless
of physical form or characteristics, and any copy thereof; and
b) Subject to regulations, any record that is capable of being produced from a machine
readable record under the control of an institution by means of computer hardware
and software or any other information storage equipment and technical expertise
normally used by the institution.
6. General Procedure
When a privacy breach is alleged to have occurred, Township staff shall undertake immediate
action. In all instances of a privacy breach or alleged breach the following procedure, conducted
in quick succession, or concurrently, shall be followed.
6.1 Step 1: Identify and Alert
If a complaint has been received or you suspect that a privacy breach has occurred,
contact the CAO & Municipal Clerk or designate immediately. The CAO & Municipal
Clerk will then investigate the validity of the complaint or suspicion. The "Risk
Assessment Chart," attached hereto as Appendix A, can be used to assist in determining
if a privacy breach occurred. If a privacy breach is confirmed, the CAO & Municipal Clerk
or designate will evaluate the severity of the breach and proceed accordingly.
6.2 Step 2: Contain
The CAO & Municipal Clerk shall, in cooperation with other staff, undertake the following
actions to contain the alleged privacy breach:
- Retrieve and secure any records associated with the alleged breach;
- Where appropriate and depending on circumstances, isolate and suspend
  access to any system associated with the alleged breach (i.e. an electronic
  information system, change passwords, etc.);
- Suspend processes or practices which are believed to have served as a source
  for the alleged breach; and
- Take any other action necessary to contain the alleged breach.
6.3 Step 3: Notify
The CAO & Municipal Clerk shall notify the IPC of all alleged and confirmed privacy
breaches.
The CAO & Municipal Clerk shall notify all individuals affected by a privacy breach as soon as
possible, via telephone followed with a formal letter that shall include the following
information:
- Information surrounding the nature of the alleged, or confirmed, privacy breach;
- The details of the breach (as understood at the time of notification);
- The specific personal information affected;
- Steps, if any, taken so far to control or reduce the harm;
- Future steps planned to prevent future privacy breaches;
- Steps the individual can take to protect themselves; and
- Contact information for Township staff and the Information and Privacy
  Commissioner of Ontario, should they have any questions.
The CAO & Municipal Clerk or designate shall handle all inquiries with respect to privacy
breaches and the actions of the municipality in response to an alleged or confirmed
breach. The CAO & Municipal Clerk or designate will determine if other authorities or
organizations, such as law enforcement, privacy commissioner's office, and/or
professional/regulatory bodies should be informed of the breach.
6.4 Step 4: Investigate
After all efforts have been exhausted to contain the alleged privacy breach and notify
the affected individuals, the CAO & Municipal Clerk or designate shall undertake an
investigation in an attempt to establish:
- Whether a privacy breach occurred;
- A timeline of the events that led to the breach;
- The source of the breach, including any policies or procedures responsible for
  the breach;
- The nature and sensitivity of the personal information disclosed;
- The number of individuals affected; and
- Any other factors relevant to the circumstances.
6.5 Step 5: Report and Follow-Up
Following the completion of the investigation, a report shall be prepared by the CAO &
Municipal Clerk or designate outlining the results of the investigation, including any
recommendations to mitigate future incidents. Consistent with privacy best practices,
a copy of the report shall be forwarded to the IPC, as well as to all individuals who were
affected by the privacy breach.
The report shall also be included on the agenda of the Administration and Personnel
Committee when:
- More than five (5) individuals are affected by a confirmed breach; or,
- In the opinion of the CAO & Municipal Clerk, it is in the public
  interest to provide such a report.
Any recommendations from the report will be reviewed and, where appropriate,
implemented.
*Adopted by Resolution No. 6-1 at the January 25, 2016 Administration & Personnel Committee.
Appendix A
Township of Brock - Privacy Breach Risk Assessment Chart
The "Risk Assessment Chart" can be used to assist in determining if a privacy breach occurred.
If you answer "No" to all risk factors, there is a low probability that personal information has
been compromised and it's not likely a reportable breach. Regardless, the CAO & Municipal
Clerk will make the determination.
Risk Assessment (Yes or No)
1. Risk of identity theft
   Is there a risk of identity theft or other fraud?
   Identity theft is a concern if the breach includes unencrypted
   information such as names in conjunction with social insurance
   numbers, credit card numbers, driver's licence numbers,
   personal health numbers, debit card numbers with password
   information or any other information that can be used for fraud by
   third parties (e.g. financial information).
2. Risk of physical harm
   Does the loss of information place any individual at risk of
   physical harm, stalking or harassment?
3. Risk of hurt, humiliation, damage to reputation
   Could the loss of information lead to hurt, humiliation or damage
   to an individual's reputation?
   This type of harm can occur with the loss of information such as
   medical or disciplinary records.
4. Risk of loss of business or employment opportunities
   Could the loss of information result in damage to the reputation
   of an individual, affecting business or employment opportunities?