Canadian Baptists of Western Canada

If Personal Information is Wrongly Disclosed

Sometimes, privacy is breached accidentally (or intentionally). It can happen through lost
notebooks, uncontrolled access to computer records, inappropriately shared prayer concerns,
theft or in many other ways. In a complex organization like a church with many people who
have access to information for different reasons, it is almost inevitable. Here is what you can
do if it happens:


Understand What Happened and Why

  • Designate the Privacy Officer or team to investigate how the breach happened
  • Find out what personal information was involved
  • Find out how many people were impacted and whether other organizations were affected, such as other churches, employees, contractors, volunteers, service providers etc.
  • Find out what form the information was in (electronic database, notebook, paper records, tax receipts, verbal information)
  • When was privacy violated and how?
  • How did the breach become known?
  • Is it possible to determine who breached an individual’s privacy?

Act Quickly to Minimize the Impact of the Privacy Breach

  • Empower the Privacy Officer to contain the breach and minimize its impact.
  • Contain the breach by recovering lost notebooks, changing locks, shutting down computers, changing passwords – depending on how access to information was gained
  • Determine who needs to know about the breach, including the person(s) whose information was shared, and possibly police, lawyers, accountants etc.
  • If the breach involves criminal activity, notify the police
  • Ensure that evidence about the security breach is not destroyed

Evaluate the Risks Associated with the Breach

  • Based on the information that was disclosed, determine the possible harmful outcomes that could result, such as threats to personal safety, physical harm, damage to reputation, humiliation, identity theft, financial losses etc.
  • Determine the risk of future disclosure caused by the people who received or obtained the information
  • Determine what harm there might be to your church because of the disclosure of information, such as loss of trust, financial losses, legal action etc.
  • Determine whether the disclosure of information might harm the public in any way.
  • Determine what physical or technical security measures were in place at the time of the breach (passwords, padlocks, alarms, data encryption etc.)
  • Determine if there is a risk of further breaches
  • Was the information lost or was it stolen? If stolen, was the information the intended target of the theft or an unintended outcome of the theft?
  • Has the personal information been recovered?
  • Is this a routine problem or an isolated incident?

Notify the People Affected by the Security Breach

  • Determine who has been affected and should be notified
  • Determine who else, apart from those affected, should be informed, such as credit card companies, financial institutions, insurance agencies, police, the CBWC, employees, volunteers etc.
  • Determine who (i.e. Privacy Officer, Pastor, Moderator/Chair of church, lawyer) should communicate with the person(s) whose privacy was breached
  • Determine what information will be communicated to those affected
    • when, how, why, what, who
    • what the church will do to help individuals to reduce the risk of harm to themselves
    • what steps the church has taken or is taking to remedy this situation and prevent future privacy lapses
    • contact information for future updates
  • Ensure that notification is done as quickly as feasible, apart from delays necessary to avoid compromising criminal investigations
  • Notify the individuals whose privacy has been violated
  • If you feel there is no need to notify the individuals in the case of a very minor breach, note your reasons in a permanent record
  • Understand your church’s legal and contractual obligations

Prevent Future Breaches of Privacy

  • Take steps to minimize the chances of accidental disclosure or theft of private information by responding to the root causes of the incident, including:

    • Updating privacy policies and procedures
    • Training staff and volunteers about privacy and confidentiality
    • Obtaining the physical or electronic security systems needed to safeguard
      records