Information Security Incidents or Privacy Breaches

A University employee who is aware that an information security incident or privacy breach may have occurred must take immediate action to stop and contain it, and contact the appropriate people within the University.

An information security incident or privacy breach has occurred when there is unauthorized access to, or unauthorized collection, use, disclosure, or disposal of:

  • personal information,
  • health information, or
  • confidential information

that is handled in the course of the University’s operations, or in the course of a research project by a University researcher.

Examples might be:

  • Stolen or lost files, laptops, data drives or disks, or USB sticks
  • Accidental disclosure of personal information to the incorrect individual in a misdirected email, fax, or other communication;
  • Disclosure of personal information in any manner to an individual who is not authorized to have access to the personal information; or
  • A cyberattack (e.g. a database has been affected by ransomware or otherwise “hacked”).

This list is, of course, not exhaustive.

Who to contact

If the potential incident/breach involves information technology resources, such as a cyberattack or a misdirected email, then the incident should be reported immediately to: and

As well, University policy requires that the Information & Privacy Office and the Chief Information Security Officer be notified within 24 hours of detecting a possible information security incident or privacy breach.  To do so, University employees must fill out this form and send it to the contact information provided on the form.

Finally, if the potential breach involves theft of University property, please also contact University of Alberta Protective Services at 780-492-5050.

Information Security Incident or Privacy Breach Reporting Form

Report an Information Security
Incident or Privacy Breach