Proactive Measures for Responding to Privacy Breaches

Now, more than ever, companies and organizations have been forced to recognize the importance of keeping private information safe amidst the switch to remote working. Simply put, more employees working from home translates into more risks to the safety of private information acquired and stored by your organization.

Before COVID-19, privacy measures were likely perceived as something to be implemented at larger companies that housed a significant amount of personal information. In reality, privacy is always a concern for any size or type of organization that has clients or employees.

Any personal information of a client or employee that can identify them (name, address employment records, ID number) and even other peoples’ or employees’ opinions of that individual is private information. Part XX of the Municipal Government Act outlines in-depth what constitutes personal information and is an excellent resource to brush up on this topic.

Even when an organization has training around the importance of handling private information, a great first step, the question of what happens when private information is breached must be given equal attention by your organization.

As a previous public relations professional and spending the summer as a legal student at Halifax Water working on privacy related projects, business communicators should become a driving force around implementing the following:

Putting a Privacy Breach Protocol in place

When it comes to privacy breaches, organizations must accept it is not a matter of “if” it is a matter of “when.” Need more convincing? There can be serious legal consequences for your business and/or employees if breaches of private information are not handled correctly by your organization.

Developing a Privacy Breach Protocol is a crucial proactive measure to ensure all employees are on the same page when a breach is discovered. A document such as this that references how your organization handles privacy breaches will help you avoid missed opportunities to take action and uncomfortable conversations over who should have done what.

A Privacy Breach Protocol will help your organization contain the breach as quickly and efficiently as possible. It will also provide a template for a consistent and thorough evaluation of foreseeable risks associated with the breach. Evaluating the risks informs whether or not affected individuals should be notified in order to to allow them to protect themselves and reduce further harm.

Privacy Breach Protocols may outline different roles of employees, an overall process to follow, and include assessment forms to keep breaches documented which can be used later as references to handle similar occurrences.

Testing your Privacy Breach Protocol

When you have a Privacy Breach Protocol in place it is advisable to test its functionality.

This could be done by hiring someone external to run a practice privacy breach within your organization. Your organization will respond based on your protocol and the external evaluator will see how well you’ve used this tool and provide feedback. This is an extremely useful method, if it is affordable, because a third-party is both unbiased and knowledgeable about what works and what doesn’t in these situations.

If you do not have the capacity to hire an external evaluator or consultant, you can organize a trial-run of your Privacy Breach Protocol internally. It would be advisable not to inform employees that it is occurring where possible, or at the very least when it is occurring, in order to get the most realistic response.

Doing a trial run with an external evaluator or conducting one internally will help you identify which areas of our proctol could use improvement, where a useful step may have been left out, or if areas of responsibility could be adjusted to improve your response.

Training and educating employees

Some organizations include basic privacy training when you are onboarded. This training is usually given to people depending on their role in the organization. The problem with limiting this type of training is that a privacy breach can occur anywhere and potentially involve any employee. All employees should be prepared to deal with a breach, at least in a preliminary fashion.

The first step for training and education should be focused on helping employees understand what private information and records are, how they are interacting with private information in their role and how private information is stored and protected by the organization.

The second step would be to train employees on your own Privacy Breach Protocol. It defeats the purpose of taking the valuable step of developing a protocol if employees do not understand it or how to use it.

​​About the Author:

Maria Rizzetto has over 13 years' of communications experience working within the private, non-profit and public sectors and is currently pursuing a law degree. Maria knows and values the importance of business communicators and continues to foster involvements and connections that tie her to the industry. She is the current VP, Membership of IABC Maritime Canada.