2010-111 - General

Information practices
2018-24
4.2(1) The following definitions apply in this section.
“privacy breach” means any incident of unauthorized access, use, disclosure or disposal of personal information in the custody of or under the control of a public body. (atteinte à la vie privée)
“significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property. (préjudice grave)
4.2(2) A public body shall make the following security arrangements with respect to personal information in its custody or under its control:
(a) identify
    (i) the names or categories of its officers, directors, employees or agents who are authorized to access the personal information,
    (ii) the categories of personal information to which those persons or any category of those persons have access, and
    (iii) the types of access permitted to the personal information by those persons or any category of those persons;
(b) only allow access to the personal information to persons or categories of persons authorized under paragraph (a);
(c) when responding to requests for disclosure of personal information under the Act, ensure that the request contains sufficient detail to uniquely identify the individual to whom the information relates;
(d) provide for the following procedures, appropriate in each case for the level of risk of unauthorized access, use, disclosure or disposal of the personal information and to the degree of harm that might arise from any unauthorized access, use, disclosure or disposal of the personal information:
    (i) with respect to a person seeking access to personal information, verifying the identity of the person seeking access, the categories of personal information to which the person has access and the type of access permitted under paragraph (a);
    (ii) recording and monitoring access to the personal information; and
    (iii) protecting the personal information while the information is stored or being transferred.
4.2(3) With respect to the security arrangements made by a public body under subsection (2) of this Regulation or subsection 48.1(1) of the Act, the public body shall
(a) require that its officers, directors, employees and agents comply with the security arrangements, and
(b) periodically test and evaluate the effectiveness of the security arrangements.
4.2(4) With respect to a privacy breach, a public body shall take the following measures:
(a) investigate every reported privacy breach, actual or suspected;
(b) maintain a registry of every actual privacy breach reported and any corrective measure taken in relation to the privacy breach to diminish the likelihood of a similar occurrence;
(c) notify a person as soon as possible of any privacy breach involving the person’s personal information if it is reasonable in the circumstances to believe that the privacy breach creates a risk of significant harm to that person; and
(d) notify the Commissioner as soon as possible of any privacy breach under paragraph (c).
4.2(5) The factors that are relevant to determining whether a privacy breach creates a risk of significant harm to the person include
(a) the sensitivity of the personal information involved in the breach, and
(b) the probability that the personal information has been, is being, or will be misused.
4.2(6) For greater certainty, a public body shall retain and dispose of personal information in its custody in accordance with the record schedules established by the Provincial Archivist under the Archives Act, except the following educational bodies:
(a) The University of New Brunswick;
(b) Université de Moncton;
(c) St. Thomas University; and
(d) Mount Allison University.