Information breach policy
Policy Owner: Legal Services
Approval: Executive Leadership Team
First Approved: November 1, 2021
Effective Date: N/A
Toronto Community Housing Corporation (Toronto Community Housing) collects and retains Confidential Information that must be properly managed to protect the privacy and security of the party whose information has been collected, including, but not limited to, tenants, employees and the corporation itself. If Confidential or Internal Information is lost, corrupted, accessed or disclosed without proper authorization, it can pose a high level of legal, reputational, financial and safety risks to Toronto Community Housing.
This Policy provides a framework within which employees of Toronto Community Housing are required to respond to an Information Breach, and sets out responsibilities within Toronto Community Housing and its employees for the reporting and handling of an attempted, actual or suspected Information Breach, in order to minimize its impact.
This Policy applies to any improper or unauthorized use, release, disclosure or disposal of Confidential or Internal Information in Toronto Community Housing’s custody and control, such as tenant, employee, third party or corporate information. It covers both Information Breaches and Information Technology System Breaches.
Information Breaches can arise from cybersecurity attacks, as well as from the theft, loss, abuse, damage or unauthorized access to or disclosure of Toronto Community Housing information, whether the breach was intentional or inadvertent.
This Policy is applicable to all employees of Toronto Community Housing that have access to information in the custody or under the control of Toronto Community Housing and its Information Technology Systems. Toronto Community Housing will enter into agreements to ensure that contract management companies, vendors and third parties meet the relevant requirements of this Policy.
Toronto Community Housing supports a climate and culture that protects both Confidential and Internal Information. Toronto Community Housing will implement this Policy in accordance with the following values:
Respect: All Toronto Community Housing employees will adhere to this Policy and will take appropriate measures to protect both Confidential and Internal Information to which they have access from an Information Breach in accordance with this Policy.
Accountability: Toronto Community Housing will designate Incident Response Leads within the Legal Services and Information Technology Services Divisions who will lead its response to an Information Breach.
Integrity: Toronto Community Housing employees will alert the organization of an Information Breach.
Confidential Information: Information that is in the custody or control of Toronto Community Housing that is highly sensitive, protected from public disclosure and intended for use by a specified group of authorized users, such as Personal Information, and information related, generally, to Toronto Community Housing’s tenants, residents, contractors, employees, and members of the public that, if disclosed, may give rise to a significant risk of harm to both Toronto Community Housing and others.
Incident Response Lead: The employee within Toronto Community Housing’s Information Technology Services or Legal Services Division who is (depending on the nature of the breach) responsible for leading its response to an Information Breach.
Information Breach: The improper or unauthorized use, disclosure, release or disposal of either Confidential or Internal Information, resulting in the information being accessed by or disclosed to unauthorized parties. Examples of an Information Breach include, but are not limited to:
an employee sending an email containing either Confidential or Internal Information to an unintended recipient in error;
an individual (such as a tenant, vendor or other stakeholder) being mistakenly provided with or accessing either Confidential or Internal Information that they are not authorized to view;
the removal of a tenant file from a Toronto Community Housing office resulting in the unauthorized disclosure of the tenant’s Personal Information; or
an Information Technology System Breach.
Information Technology System Breach: An Information Breach that occurs as a result of:
unauthorized activity by parties internal and external to Toronto Community Housing;
a technical vulnerability; or
a combination of those or other causes;
impacting Toronto Community Housing’s Information Technology Systems that results in the use, disclosure, release or disposal of either Confidential or Internal Information, resulting in the information being accessed by or disclosed to unauthorized parties of information systems or networks.
Internal Information: Information other than Confidential Information that is generally only available and intended for use by Toronto Community Housing employees and authorized third parties such as consultants and vendors (e.g. corporate policies, standards, and procedures unless they are intended for publication, general corporate internal announcements to staff, etc.), including but not limited to information related to Toronto Community Housing’s financial affairs, marketing plans, resources, proposed initiatives, and strategies, etc.
Personal Information: Has the same meaning as defined in the Municipal Freedom of Information and Protection of Privacy Act, RSO 1990, c M.56, as amended, and includes recorded information about an identifiable individual which is collected, used, or disclosed by Toronto Community Housing. For the application of this Policy, Personal Information may include but is not limited to:
the personal address, telephone number or email address of an individual;
any identifying number, symbol or other particular assigned to an individual which can lead to their identification (e.g., Social Insurance Number or Tenant ID);
information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual;
financial information about an individual for the purposes of establishing Rent-Geared-to-Income assistance;
information about rent payment history; credit and rental history reports; and
employee information, including resumes, salary and benefits, tenant or client complaints about the individual and personnel issues.
With regards to applicants and tenants, Personal Information may include income, credit history, subsidy, arrears, utility consumption, personal circumstances, health information, information regarding conflicts between tenants, requests for transfers for personal reasons and any requests from tenants that are personal in nature. With regards to employees, Personal Information may include hiring, termination, disciplinary record, salary negotiations, tenant complaints and information regarding conflicts between employees or between employees and tenants.
Public Information: Information that is generally available to the public, with no special protection from disclosure required (e.g. a press release, a public request for proposals, external TCHC website content, and published reports).
Toronto Community Housing responsibilities
Toronto Community Housing will:
Promote a culture and implement business practices that support information security, cybersecurity and the prevention of Information Breaches.
Provide education on information security to Incident Response Leads and employees who have access to or are responsible for either Confidential or Internal Information.
Maintain appropriate administrative, physical and technical security safeguards to prevent the unauthorized access, use or disclosure of either Confidential or Internal Information.
Maintain procedures and protocols to identify, contain, and recover from any Information Breaches that ensure there is a consistent and effective approach to the management of Information Breaches.
The General Counsel and Corporate Secretary will oversee Toronto Community Housing’s response to an Information Breach and will work with the Vice President, Information Technology Services and the Incident Response Leads to mitigate its impact.
In performing their duties and fulfilling their responsibilities, employees will learn information about Toronto Community Housing and its operations. This includes information that is shared with the employee verbally and in writing, through formal documents, corporate files, e-mails, computer files, data records, etc. In most cases, this information is not generally known to the public. Examples include information related to our financial affairs, marketing plans, tenants, residents, resources, contractors, proposed initiatives, strategy, members of the public, employees, etc. This information is confidential and is Toronto Community Housing’s property.
Employees are required to take all reasonable steps to protect both Confidential and Internal Information from unauthorized use or disclosure. This includes safeguarding physical and electronic documents, laptops, and cell phones that have been entrusted to their care, as well as taking necessary steps to protect information when using computer systems and sending e-mail pursuant to the requirements of related policies, procedures or directives that have been issued by TCHC.
If an employee becomes aware of an Information Breach, he or she must immediately notify their manager, Division Head and the General Counsel and Corporate Secretary in accordance with the procedure set out in the Information Breach Procedure.
If an employee suspects that an Information Technology System Breach may have occurred, he or she must immediately notify their manager, Division Head and the Information Technology Service Desk. The Service Desk team will report the breach to the Incident Response Leads in accordance with the procedure set out in the Information Technology Security Incident Management Procedure.
Information breach standards
In the event of an actual or suspected Information Breach, Toronto Community Housing will, to the extent necessary in order to mitigate the impact of the Information Breach, undertake the following actions:
Determine if an actual breach occurred and identify the type of information that was disclosed (i.e., Confidential Information, Internal Information or Public Information).
Contain the incident to minimize impact (e.g. retrieving the information if possible, disconnecting devices affected or implicated by the Information Breach from the network, suspending access rights, quarantining any discovered malware).
Investigate the cause of the Information Breach and depending on its nature, conduct any additional forensic analysis required to support any criminal or legal investigation as may be required.
Conduct an assessment with relevant employees to determine the impact of the Information Breach and review the recovery actions required.
Notify the affected stakeholders (e.g. employees, tenants, vendors) and if Personal Information may have been disclosed, notify the Information and Privacy Commissioner as necessary.
Notify Toronto Community Housing employees and Directors, as appropriate.
Conduct a post-incident analysis of the cause of the Information Breach, and identify lessons learned, preventative actions, and how to further improve Toronto Community Housing’s overall information security protocols.
Compliance and monitoring
Compliance with this Policy will be assessed through various methods, including internal and external audits. Legal Services and Information Technology Services will monitor the volume and severity of Information Breaches and prepare an annual report of incidents to the Executive Leadership Team highlighting any actions that need to be taken to mitigate risk. At the direction of the President and CEO, the content of this annual report will be shared with the Toronto Community Housing Board of Directors through the Building Investment, Finance and Audit Committee.
Toronto Community Housing will take appropriate steps to ensure vendors, contractors and third parties comply with this Policy.
Governing and applicable legislation
Municipal Freedom of Information and Protection of Privacy Act
Personal Information Protection and Electronic Documents Act, 2000