Freedom of Information and Protection of Privacy:
Privacy Incident Report Form
Part 1: General Information and Incident Description
(i) Contact Information of unit manager in charge of assessment and investigation
Name: UofG Email:
Department: Title:
(ii) Contact information of person filing privacy incident report form Same as above
Name: UofG Email:
(iii) Information about incident
Date of incident: Location:
When and how the incident was discovered:
Brief description of the incident:
Part 2: Containment
(i) Immediate action
Have the records concerned been retrieved or access to them stopped? Yes No
If a system was breached, has the system been shut down? Yes No
Date shut down:
Have computer access codes or authorizations been changed or revoked? Yes No
Date changed or revoked:
(ii) Follow-up action
Can you confirm that no copies have been made or retained by the individual(s) concerned who were not authorized to retrieve the information? Yes No
Provide the contact information for individual receiving unauthorized access to information (if more than one
individual, attach details on a separate sheet):
Name: Email:
Phone: Address:
(iii) Preventative action
Identify and describe any weaknesses in physical and electronic security:
Corrective actions recommended:
Part 3: Evaluation of Risks
(i) Personal information involved
What type of personal information was involved? (e.g. addresses, ID numbers, health records, etc.)
Sensitivity of information:
High (e.g. health, financial, student or employment information)
Medium (e.g. opinion material)
Low (e.g. name and address only)
Format of records:
Was the information encrypted, anonymized or otherwise not easily accessible?
Yes No
(ii) Cause and extent of incident
Is this incident: An isolated incident The result of a systemic problem
Risk of ongoing or further exposure of the information: High Medium Low
Describe possible ongoing risk/exposure:
(iii) Individuals affected by the incident
Number of individuals whose personal information is affected by the incident:
Affected individuals or groups: Students Employees External Other
(iv) Foreseeable harm
Is there foreseeable harm that could result from the incident? Yes No I don't know
If yes, what harm could result from the incident? Check one or more below.
Harm to individuals: Risk to physical security; Financial loss; Identity theft; Damage to reputation or relationships; Other
Harm to the University of Guelph: Loss of trust in institution; Damage to reputation; Financial loss or expenditure; Legal proceedings; Other
Harm to public: Risk to public health; Risk to public safety; Other
Part 4: Notification
(i) Notify University of Guelph Privacy Officer
Has the University’s Privacy Officer been notified of the incident? Yes No
Date of notification:
(ii) Notify authorities
Have the police or other authorities been notified of the incident (if necessary)? Yes No
Date of notification:
(iii) Notify Information Security
Has the Information Security Office been notified of the incident (if necessary)? Yes No
Date of notification:
(iv) Notify affected individuals
Have all affected individuals been notified of:
Description of the incident: Yes No
The specifics of the information inappropriately accessed, collected, used or disclosed: Yes No
Steps taken so far to address the incident: Yes No
Future steps planned to prevent further privacy incidents: Yes No
Additional information, if required, about how the individuals can protect themselves: Yes No
Contact information for individual within the University to answer questions or provide further information: Yes No
Date(s) of notification:
Form of notification: Email Telephone In person Other
Report completed by: Date:
Part 5: Investigation and Prevention of Future Privacy Risks (to be completed by Privacy Officer)
(i) Summary and analysis of incident
(ii) Privacy incident report completed and sent to Department Chair/Director for review
Sent to: Date: