
PIPA PRESENTATION


Presentation Transcript


  1. PIPA PRESENTATION: PERSONAL INFORMATION PROTECTION ACT

  2. WHAT IS PIPA?
  • Protection for personal information held by the private sector
  • “Common sense” rules for the collection, use, disclosure, retention and security of personal information
  • A response to national and international developments

  3. WHAT IS PERSONAL INFORMATION?
  • Defined as “Information about an Identifiable Individual”
  • Broad coverage
  • Applies to personal information in general, not just when it is used for commercial purposes
  • Includes employee and volunteer information
  • Does not include:
    • Contact information
    • Work product information

  4. What are the Rules?
  • Identify Purpose
    • Purpose must be reasonable
    • Define the purpose as clearly and as narrowly as possible so individuals can reasonably understand how personal information will be used or disclosed.
    • Examples: opening an account, program enrollment, sending out association membership information, identifying customer preferences

  5. What are the Rules? (cont’d)
  • Limit Collection
    • Information must be necessary to fulfill the identified purposes

  6. What are the Rules? (cont’d)
  • Disclose Purposes and Get Consent
    • Consent may be explicit or implicit
    • Explicit consent (can be obtained in person, by phone, by mail, via the internet, etc.)
      • Reasonable expectations of the individual
      • Circumstances surrounding the collection
      • Sensitivity of the information involved
    • Implicit (or deemed) consent
      • Purpose must be obvious; information voluntarily provided
      • Individual is given the opportunity to opt out and does not
    • Some circumstances where no consent is required: medical emergency, debt owing, legal investigation, publicly available information, required by law

  7. Opt-out Consent
  • Consent is implied if:
    • You provide notice (in a form that is understandable) of the purpose;
    • You give a reasonable amount of time and opportunity to decline;
    • The individual does not decline; and
    • The collection, use or disclosure is reasonable given the sensitivity of the personal information

  8. Obtaining Consent
  • Record the consent received (e.g., note to file, copy of e-mail, copy of check-off box).
  • Do not obtain consent by deceptive means.
  • Do not make consent a condition of supplying a product or service beyond what is minimally necessary to provide the product or service.
  • Explain to individuals the implications of withdrawing their consent, but do not prohibit the withdrawal unless it would frustrate the performance of a legal obligation.

  9. GRANDFATHER CLAUSE
  • The Act does NOT apply to the collection of personal information that was collected on or before the Act comes into force
  • Practical effect: organizations do not have to “re-collect” personal information they already hold, as long as they only use and disclose it for purposes that are reasonable and fulfill the original purposes for which it was collected
  • All other protections will apply (e.g., security, new uses, right of access)

  10. What are the Rules? (cont’d)
  • Limit Use, Disclosure and Retention to Identified Purposes
    • aka: “For new uses, get consent.”

  11. What are the Rules? (cont’d)
  • Reasonable Security
    • Should be appropriate and proportional to the sensitivity of the personal information
    • Safeguards should include:
      • Physical measures (locked file cabinets, restricted access to offices)
      • Technological measures (user IDs, passwords, encryption)
      • Organizational measures (security clearances, “need to know” policy)

  12. SECURITY TIPS
  • Security is only as good as its weakest link.
  • Consider internal security threats. Most data leaks come from the inside, not from external “hackers”.
  • Protect personal information throughout its lifecycle (e.g., storing inactive records, destroying records with a certificate of destruction)

  13. What are the Rules? (cont’d)
  • Be Accountable (privacy officer, contractors)
  • Be Open and Transparent (policies, notices)
  • Ensure Accuracy
  • Right of Access
  • Provide Recourse

  14. 10 Steps to Compliance
  • Assign responsibility
  • Become familiar with the ten privacy principles
  • Conduct a privacy audit
  • Put your practices to the test
  • Implement changes
  • Develop a privacy policy
  • Train staff
  • Develop or revise forms and communications materials
  • Review and revise service contracts
  • Develop an effective complaints handling process

  15. Ministry of Management PIPA Website http://www.mser.gov.bc.ca/FOI_POP/
