1 / 47

Access to information and Protection of Privacy: Putting the Pieces Together

Access to information and Protection of Privacy: Putting the Pieces Together. Chris Graves University Records Management Coordinator University Access and Privacy Website: http://www.uoguelph.ca/secretariat/privacy.shtml. PIPEDA. FIPPA. PHIPA. Notice. Policies. Collecting. Consent.

harper
Download Presentation

Access to information and Protection of Privacy: Putting the Pieces Together

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access to information and Protection of Privacy: Putting the Pieces Together Chris Graves University Records Management Coordinator University Access and Privacy Website: http://www.uoguelph.ca/secretariat/privacy.shtml PIPEDA FIPPA PHIPA Notice Policies Collecting Consent Fair Practice Use

  2. Awareness of different types of legislation/ policies and their impact on access, privacy and recordkeeping at the University What must I do to comply with the new privacy legislation? When can I share information? Should I even be creating a record? Learning Objectives

  3. University Policies (e.g. RM) Employee Agreements (e.g. HR) FIPPA (Public sector) PHIPA (Health sector) PIPEDA (Private sector) MTCU (Universities) Other Access & Privacy Context

  4. University Access and Privacy Policyhttp://www.uoguelph.ca/secretariat/privacy.shtml • Accountable • Disseminate operational information • Protect personal privacy • Maintain accurate personal information • Use information for consistent purposes • Integrity

  5. UG Records Management Policy http://www.uoguelph.ca/secretariat/records.shtml • Develop retention and disposition schedules • Manage records according to this RM policy • Involve Records Coordinator in RM developmental processes

  6. PRIVACY Individual has right to “control” collection, use, disclosure of their own personal information University must protect private information from third-parties ACCESS Individuals can request access to their own personal information at the University Individuals can request access to records at the University (under FIPPA, not PIPEDA) Exemptions should be limited and specific Principles versus

  7. FIPPA Legislation is to Access and Privacy What… • Occupational health and safety legislation is to safety in the workplace • Environmental legislation is to stewardship of the environment • School board legislation is to learning Rule of thumb: • FIPPA is just a piece of legislation; access and privacy is the culture

  8. Access to what? • All recorded information, however recorded, including: • Drafts, postit notes, hard drive files, blackberry, email, voice mail, agendas, address books • Expense accounts and receipts • E-mails • Briefing notes – briefing binders • Correspondence • Amount of money spent on various programs • Tenders/Bids • Consultants (e.g. names, amount spent, work done, selection process)

  9. What is personally identifiable information? • Key term: • Identifiable • Name • Photo • Student ID # Rule of thumb: • Context is everything!

  10. INFORMAL ACCESS Active Dissemination (AD) Website, reports, etc. Routine Disclosure (RD) Release of general records on request E.g. request to see one’s own health record FORMAL ACCESS FIPPA Request E.g. formal PHIPA request to see one’s own health record Rule of thumb: No automatic requirement to invoke FIPPA Means of Access

  11. Requester must: Submit written request Indicate request is made under FIPPA Pay $5.00 fee University must: Process FIPPA request within 30 calendar days FIPPA Request Process

  12. FIPPA Exclusions • Archival records of University—s.65(1) • Only private donations are excluded • Labour relations & employment related information—s.65(6) • Therefore personnel files function under Employee Agreements and/or HR policies, not FIPPA • Exception: Expense claims and agreements—s.65(7) • Research & teaching materials—s.65(8.1) • Exception: Subject matter/amount of funding for research—s.65(9) • Exception: Evaluative/opinion/eligibility qualifications for teaching materials—s.65(10) Health information is also not under FIPPA—other than formal request process

  13. Mandatory Third-party Information —s.17(1) Personal Privacy—s.21 Discretionary Advice/ Recommendations—s.13(1) Law Enforcement—s.14(1) Economic and Other Interests—s.18 Educational tests—s.18(1h) Solicitor-Client Privilege—s.19 Danger to Safety or Health—s.20 Information to be published—s.22 FIPPA Exemptions

  14. Case 1: External Access to: Invoices? Expense Reports? Minutes? Reference Letters?

  15. Case 2: Internal Access to: Student Information? Employee Information? The “University Circle” (video clip) • See also: Privacy Impact Checklist

  16. Summary: Records Creation Awareness • Today’s memo could be tomorrow’s headline • Good records management is vital • Create records with access in mind: • Consider possible future release of information at time the records are created—protect personal information as appropriate • Better than email/fax disclaimers!

  17. Easy Steps to Privacy Protection • Restrict access to client information to those that need to know. • Ensure client information is not visible or accessible to others. • Do not discuss client information in places where others may overhear • Do not share existing passwords with anyone or give old passwords to new employees when contractor leaves. • Discard old or used client information appropriately • Collection • Use • Disclosure • Retention • Disposition versus

  18. Privacy is: The right to be let alone. The right to control one’s personal information. One purpose of privacy regulations is to help protect people against the unwanted sharing of personal information. Why Privacy?

  19. PRIVACY Individual has right to “control” collection, use, disclosure of their own personal information University must protect private information from third-parties Security does not equal privacy ACCESS Individuals can request access to their own personal information at the University Individuals can request access to records at the University (under FIPPA, not PIPEDA) Exemptions should be limited and specific Balance Principles versus

  20. Strong Privacy Compromises Security Security e.g. Terrorist anonymity Privacy

  21. Strong Security Limits Privacy Privacy e.g. Digital Trail Security

  22. Privacy & Security • Privacy and security rely on trust: • Trust in policy (to provide rules and guidance) • Trust in process (to ensure compliance) • Trust in technology (to deliver anticipated results) • Trust in people (to act responsibly)

  23. If You Wanted to Know… What must I do to comply with the new policies/legislation?

  24. Notices—s.39(2); 41(1)(PHIPA or PIPEDA = obtain direct consent not notice) Must provide notice to individual indicating: • Legal authority for the collection of information • What gives the University the right to collect this? • Purpose for which it is intended • How will the University use this information? • Business contact info for questions • Who do I contact if I have questions about how my information is being used?

  25. AND…

  26. Retention & Disposition • Must maintain personal info at least 1 year after last use—s.40(1); Reg.460, s.5 • Must maintain record of information destroyed (without revealing personal info)—s.40(4); Reg.459,s.6 • See also: sample disposal record

  27. If You Wanted to Know… When can I share information?

  28. Look to Your Notice! • “Consistent purpose” requires that individual might reasonably have expected the use or disclosure at time info was collected • Consistent purpose therefore depends on the collection notice and what (reasonable) expectations it creates • See also: Privacy Impact Checklist • University Circle

  29. Above All: Consistent Purpose—s.41(1.b) • Requires that individual might reasonably have expected the use or disclosure at time info was collected • Consistent purpose therefore depends on the collection notice and what (reasonable) expectations it creates

  30. Case 3: “Necessary and Appropriate” Too much information (video clip)

  31. Accountability Consent Limiting use, disclosure, and retention Safeguards Individual access Identifying purposes Limiting collection Accuracy Openness Challenging compliance Fair Information Practices

  32. The Importance of Accuracy

  33. Privacy Breaches Do Happen

  34. Be prepared to answer questions such as…

  35. Five Key Questions • Why are you asking for this information? • How will my information be used? • Who will be able to see my information? • Will there be any secondary uses? • How can I control my data?

  36. Case 4: “Breach” Theft (video clip) Audio space (video clip)

  37. If a Privacy Breach Occurs • Notify the University Secretariat of a privacy breach involving personal information • An investigation will most likely result

  38. Managing Breach: Protocol • Inform your manager • Manager will notify University Secretariat and/or University Legal counsel • Identify the scope • What personal information was involved? • Who had unauthorized access to personal information? • Contain the breach • Suspend the process/activity that caused breach • Retrieve records • Notify • Individuals whose privacy was breached • University Secretariat will notify IPC if required

  39. Preventing Future Breaches • Educate staff about the privacy rules and privacy regulations • Ensure staff is aware of the consequences of a privacy breach • Each person is accountable for personal information in their custody • Staff should err on the side of protecting privacy • Or should they? E.g. Virginia Tech. • Staff should contact the program manager and/or University Secretariat for advice

  40. Risk-based Prioritization • Privacy planning is more effective if approached from a risk management perspective than a legal compliance perspective • Risk management permits the efficient allocation of resources • In contrast, legal compliance requires the allocation of resources to all compliance issues regardless of risk • Contact the Secretariat about available assessment options

  41. Risk Map 1 3 Action not yet started No progress reported Moderate progress reported Evidential progress reported Action successfully completed 2 4 DefaultRisk Tolerance Line

  42. Summary • Periodically review/audit and ensure appropriate processes and practices are in place re: collection, use, disclosure, retention and disposal of personal information • E.g. Do we really need SINs? How long do we really need to retain resumes? • Build in privacy • Design collection processes to limit and protect personal information • Put system in place to update Secretariat when new information is being collected or shared so we can advise on making it FIPPA compliant Rule of thumb: • Data minimization!

  43. Lessons Learned cont’d • Know where your personal information is • Conduct personal info inventory, including portable computing & storage devices and paper records • Say what you do with personal information • Post clear notices of privacy practices on Web sites, in offices, and whenever collecting personal info • Do what you say in managing personal information • Monitor compliance with laws and policies, including content monitoring of Web sites and e-mail • Consider implementing Clean Desk / Clean Drive policy

  44. Case 5 Should I create a record?

  45. Ask: • Is there an operational need to create a record? • What does the record need to say/contain? • What does the record NOT need to say/contain? • Who should create / hold / access the record? • How are drafts / copies tracked and final version identified? • How are retention and destruction addressed? • See also: Note-taking tip sheets

  46. Things To Take Away • Secretariat is coordinating FIPPA-related processes • Secretariat is contact-point for specific concerns • Secretariat will share information through Liaison Network

  47. Questions? Chris Graves University Records Management Coordinator Phone: 519-824-4120 Ext. 56103 Fax: 519-767-1350 Email:c.graves@exec.uoguelph.ca

More Related