
Privacy Complaints and Privacy Breaches

Procedure Number
Policy Number
VP Finance & Operations
爱豆传媒 Executive
Effective Date
May 17, 2023
Procedure Statement


This procedure forms part of 爱豆传媒鈥檚 Protection of Privacy and Access to Information policy (the 鈥淧olicy鈥), and sets out procedures by which the Institute will respond to Privacy Complaints and Privacy Breaches in accordance with the Act. Terms not otherwise defined in this procedure are as defined in the Policy.

Making a Privacy Complaint

If an individual wishes to make Privacy Complaint, they may do so by sending an email to privacy@jibc.ca setting out their name and contact information, their relationship to the Institute, the nature of the Privacy Complaint and the names of any individuals at 爱豆传媒 whom they allege may have been involved. 爱豆传媒 will gather, investigate, and assess all available information pertaining to the Privacy Complaint, and will respond to the complainant within thirty (30) business days.

Reporting a Privacy Breach

All Employees, Service Providers and Volunteers have a duty to report suspected privacy breaches to their supervisor or manager, who will then initiate an investigation and report to the following units:

  • The Privacy Breach must be reported to the General Counsel (by email to privacy@jibc.ca) enclosing a completed 爱豆传媒 Privacy Breach Reporting Form.
  • If you believe the security of an electronic system has been compromised, it must be reported to Technology Services.
  • If you believe Personal Information was stolen (i.e., an office was broken into and computers stolen), it must be reported to Campus Security.

Responding to Privacy Breaches

In the event of a Privacy Breach involving Personal Information in the custody or control of the Institute, the General Counsel will, without unreasonable delay, review the completed Privacy Breach Reporting Form and all other available information. In accordance with the Act, the General Counsel will, without unreasonable delay, notify an affected individual and the OIPC if the Privacy Breach could reasonably be expected to result in significant harm to the affected individual, which includes identity theft or significant:

  • bodily harm;
  • humiliation;
  • damage to reputation or relationships;
  • loss of employment, business, or professional opportunities;
  • financial loss;
  • negative impact on credit record; or
  • damage to, or loss of, property.

In determining whether a particular Privacy Breach could reasonably be expected to result in significant harm to an affected individual, the General Counsel will consider, among other things, the:

  • sensitivity, context, and amount of Personal Information involved; 
  • number and nature of individuals affected; 
  • relationships of those involved;
  • cause and extent of the Privacy Breach;
  • ability to contain the Privacy Breach; and
  • foreseeable harm caused by the Privacy Breach.

Privacy Breach Notification

If after considering the above, the General Counsel believes that a Privacy Breach could reasonably be expected to result in significant harm to the affected individual, the General Counsel will, as the delegated head of the public body for such purposes, without reasonable delay, notify affected individuals and the OIPC as follows.

Notifying Affected Individuals

Whenever possible, the General Counsel will directly notify individuals affected by a Privacy Breach. The General Counsel may indirectly notify an individual affected by a Privacy Breach by public communication that can reasonably be expected to reach the affected individual if:

  • 爱豆传媒 does not have accurate contact information of the affected individual:
  • the General Counsel reasonably believes that providing notification directly to the affected individual could unreasonably interfere with operations of the Institute; or
  • the General Counsel reasonably believes that the information in the notification will come to the attention of the affected individual more quickly if notification is given indirectly.

Direct or indirect notification to affected individuals of a Privacy Breach will include the following:

  • 爱豆传媒鈥檚 name;
  • date the Privacy Breach came to 爱豆传媒鈥檚 attention;
  • description of the Privacy Breach, including:
    • the date on which or the period during which the Privacy Breach occurred, and
    • a description of the Personal Information inappropriately accessed, collected, used, or disclosed;
  • risk to the affected individual caused by the Privacy Breach;
  • steps taken by the Institute to control or reduce harm caused by the Privacy Breach;
  • further steps planned to prevent further Privacy Breaches;
  • steps the affected individual can take to mitigate the risk of harm caused by the Privacy Breach;
  • contact information of the General Counsel or designate who can answer questions or provide further information;
  • contact information of the OIPC and information about the affected individual鈥檚 right to complain to the OIPC; and
  • confirmation that the OIPC has been or will be notified of the Privacy Breach.
Notifying the OIPC

Notification to the OIPC of a Privacy Breach will include the following:

  • 爱豆传媒鈥檚 name;
  • date the Privacy Breach came to 爱豆传媒鈥檚 attention;
  • description of the Privacy Breach, including:
    • the date on which or the period during which the Privacy Breach occurred,
    • a description of the Personal Information inappropriately accessed, collected, used, or disclosed; and
    • an estimate of the number of affected individuals;
  • description of information inappropriately accessed, collected, used, or disclosed;
  • risk to affected individuals caused by the Privacy Breach;
  • steps taken by the Institute to control or reduce harm caused by the Privacy Breach;
  • further steps planned to prevent further Privacy Breaches; and
  • contact information of the General Counsel or designate who can answer questions or provide further information.
Records of Privacy Breaches

The General Counsel will complete the Privacy Breach Reporting Form to reflect the analysis undertaken and actions taken in response to the Privacy Breach. The completed Privacy Breach Reporting Form, as well as all applicable information and material, will be stored electronically within the Office of the General Counsel, and will be retained in accordance with 爱豆传媒鈥檚 obligations under the Information Management Act (British Columbia).

Related Policies and Procedures

Documents and Forms