Privacy or Information Security Breaches

A University employee who is aware that a privacy or information security breach may have occurred must take immediate action to stop and contain the breach, and contact the appropriate people within the University.

A privacy or information security breach has occurred when there is unauthorized access to, or unauthorized collection, use, disclosure, or disposal of:

  • personal information,
  • health information, or
  • confidential information

that is handled in the course of the University’s operations, or in the course of a research project by a University researcher.

Examples might be:

  • Stolen or lost files, laptops, data drives or disks, or USB sticks
  • Accidental disclosure of personal information to the incorrect individual in a misdirected email, fax, or other communication;
  • Disclosure of personal information in any manner to an individual who is not authorized to have access to the personal information; or
  • A cyberattack (e.g. a database has been affected by ransomware or otherwise “hacked”).

This list is, of course, not exhaustive.

Who to contact

If the potential breach involves information technology resources, such as a cyberattack or a misdirected email, then the incident should be reported immediately to: .

As well, University policy requires that the Information & Privacy Office and the Chief Information Security Officer be notified within 24 hours of detecting a possible breach.  To do so, University employees must fill out this form and send it to the contact information provided on the form.

Finally, if the potential breach involves theft of University property, please also contact University of Alberta Protective Services at 780-492-5050.

Loss or Breach of Information Reporting Form

Report a Breach