Access to information and Protection of Privacy: Putting the Pieces Together Chris Graves University Records Management Coordinator University Access and Privacy Website: http://www.uoguelph.ca/secretariat/privacy.shtml PIPEDA FIPPA PHIPA Notice Policies Collecting Consent Fair Practice Use
Learning Objectives • Awareness of different types of legislation/policies and their impact on access, privacy and recordkeeping at the University • What must I do to comply with the new privacy legislation? • When can I share information? • Should I even be creating a record?
Access & Privacy Context • University Policies (e.g. RM) • Employee Agreements (e.g. HR) • FIPPA (Public sector) • PHIPA (Health sector) • PIPEDA (Private sector) • MTCU (Universities) • Other
University Access and Privacy Policy http://www.uoguelph.ca/secretariat/privacy.shtml • Accountable • Disseminate operational information • Protect personal privacy • Maintain accurate personal information • Use information for consistent purposes • Integrity
UG Records Management Policy http://www.uoguelph.ca/secretariat/records.shtml • Develop retention and disposition schedules • Manage records according to this RM policy • Involve Records Coordinator in RM developmental processes
Principles: PRIVACY versus ACCESS • PRIVACY: Individual has right to “control” collection, use, disclosure of their own personal information; University must protect private information from third parties • ACCESS: Individuals can request access to their own personal information at the University; Individuals can request access to records at the University (under FIPPA, not PIPEDA); Exemptions should be limited and specific
FIPPA Legislation is to Access and Privacy What… • Occupational health and safety legislation is to safety in the workplace • Environmental legislation is to stewardship of the environment • School board legislation is to learning Rule of thumb: • FIPPA is just a piece of legislation; access and privacy is the culture
Access to what? • All recorded information, however recorded, including: • Drafts, Post-it notes, hard drive files, BlackBerry, email, voice mail, agendas, address books • Expense accounts and receipts • E-mails • Briefing notes – briefing binders • Correspondence • Amount of money spent on various programs • Tenders/Bids • Consultants (e.g. names, amount spent, work done, selection process)
What is personally identifiable information? • Key term: • Identifiable • Name • Photo • Student ID # Rule of thumb: • Context is everything!
Means of Access • INFORMAL ACCESS: Active Dissemination (AD): website, reports, etc.; Routine Disclosure (RD): release of general records on request, e.g. request to see one’s own health record • FORMAL ACCESS: FIPPA Request, e.g. formal PHIPA request to see one’s own health record • Rule of thumb: No automatic requirement to invoke FIPPA
FIPPA Request Process • Requester must: submit written request; indicate request is made under FIPPA; pay $5.00 fee • University must: process FIPPA request within 30 calendar days
FIPPA Exclusions • Archival records of University—s.65(1) • Only private donations are excluded • Labour relations & employment related information—s.65(6) • Therefore personnel files function under Employee Agreements and/or HR policies, not FIPPA • Exception: Expense claims and agreements—s.65(7) • Research & teaching materials—s.65(8.1) • Exception: Subject matter/amount of funding for research—s.65(9) • Exception: Evaluative/opinion/eligibility qualifications for teaching materials—s.65(10) Health information is also not under FIPPA—other than formal request process
FIPPA Exemptions • Mandatory: Third-party Information—s.17(1); Personal Privacy—s.21 • Discretionary: Advice/Recommendations—s.13(1); Law Enforcement—s.14(1); Economic and Other Interests—s.18; Educational tests—s.18(1h); Solicitor-Client Privilege—s.19; Danger to Safety or Health—s.20; Information to be published—s.22
Case 1: External Access to: Invoices? Expense Reports? Minutes? Reference Letters?
Case 2: Internal Access to: Student Information? Employee Information? The “University Circle” (video clip) • See also: Privacy Impact Checklist
Summary: Records Creation Awareness • Today’s memo could be tomorrow’s headline • Good records management is vital • Create records with access in mind: • Consider possible future release of information at time the records are created—protect personal information as appropriate • Better than email/fax disclaimers!
Easy Steps to Privacy Protection • Restrict access to client information to those that need to know. • Ensure client information is not visible or accessible to others. • Do not discuss client information in places where others may overhear • Do not share existing passwords with anyone or give old passwords to new employees when contractor leaves. • Discard old or used client information appropriately • Collection • Use • Disclosure • Retention • Disposition versus
Why Privacy? • Privacy is: The right to be let alone. The right to control one’s personal information. • One purpose of privacy regulations is to help protect people against the unwanted sharing of personal information.
Principles: PRIVACY versus ACCESS (Balance) • PRIVACY: Individual has right to “control” collection, use, disclosure of their own personal information; University must protect private information from third parties; Security does not equal privacy • ACCESS: Individuals can request access to their own personal information at the University; Individuals can request access to records at the University (under FIPPA, not PIPEDA); Exemptions should be limited and specific
Strong Privacy Compromises Security • E.g. terrorist anonymity
Strong Security Limits Privacy • E.g. digital trail
Privacy & Security • Privacy and security rely on trust: • Trust in policy (to provide rules and guidance) • Trust in process (to ensure compliance) • Trust in technology (to deliver anticipated results) • Trust in people (to act responsibly)
If You Wanted to Know… What must I do to comply with the new policies/legislation?
Notices—s.39(2); 41(1) (PHIPA or PIPEDA = obtain direct consent, not notice) Must provide notice to individual indicating: • Legal authority for the collection of information • What gives the University the right to collect this? • Purpose for which it is intended • How will the University use this information? • Business contact info for questions • Who do I contact if I have questions about how my information is being used?
Retention & Disposition • Must maintain personal info at least 1 year after last use—s.40(1); Reg.460, s.5 • Must maintain record of information destroyed (without revealing personal info)—s.40(4); Reg.459, s.6 • See also: sample disposal record
If You Wanted to Know… When can I share information?
Look to Your Notice! • “Consistent purpose” requires that individual might reasonably have expected the use or disclosure at time info was collected • Consistent purpose therefore depends on the collection notice and what (reasonable) expectations it creates • See also: Privacy Impact Checklist • University Circle
Above All: Consistent Purpose—s.41(1.b) • Requires that individual might reasonably have expected the use or disclosure at time info was collected • Consistent purpose therefore depends on the collection notice and what (reasonable) expectations it creates
Case 3: “Necessary and Appropriate” Too much information (video clip)
Fair Information Practices • Accountability • Consent • Limiting use, disclosure, and retention • Safeguards • Individual access • Identifying purposes • Limiting collection • Accuracy • Openness • Challenging compliance
Be prepared to answer questions such as…
Five Key Questions • Why are you asking for this information? • How will my information be used? • Who will be able to see my information? • Will there be any secondary uses? • How can I control my data?
Case 4: “Breach” Theft (video clip) Audio space (video clip)
If a Privacy Breach Occurs • Notify the University Secretariat of a privacy breach involving personal information • An investigation will most likely result
Managing Breach: Protocol • Inform your manager • Manager will notify University Secretariat and/or University Legal counsel • Identify the scope • What personal information was involved? • Who had unauthorized access to personal information? • Contain the breach • Suspend the process/activity that caused breach • Retrieve records • Notify • Individuals whose privacy was breached • University Secretariat will notify IPC if required
Preventing Future Breaches • Educate staff about the privacy rules and privacy regulations • Ensure staff is aware of the consequences of a privacy breach • Each person is accountable for personal information in their custody • Staff should err on the side of protecting privacy • Or should they? E.g. Virginia Tech. • Staff should contact the program manager and/or University Secretariat for advice
Risk-based Prioritization • Privacy planning is more effective if approached from a risk management perspective than a legal compliance perspective • Risk management permits the efficient allocation of resources • In contrast, legal compliance requires the allocation of resources to all compliance issues regardless of risk • Contact the Secretariat about available assessment options
Risk Map (figure): quadrants 1 to 4 • Legend: Action not yet started; No progress reported; Moderate progress reported; Evidential progress reported; Action successfully completed • Default Risk Tolerance Line
Summary • Periodically review/audit and ensure appropriate processes and practices are in place re: collection, use, disclosure, retention and disposal of personal information • E.g. Do we really need SINs? How long do we really need to retain resumes? • Build in privacy • Design collection processes to limit and protect personal information • Put system in place to update Secretariat when new information is being collected or shared so we can advise on making it FIPPA compliant Rule of thumb: • Data minimization!
Lessons Learned cont’d • Know where your personal information is • Conduct personal info inventory, including portable computing & storage devices and paper records • Say what you do with personal information • Post clear notices of privacy practices on Web sites, in offices, and whenever collecting personal info • Do what you say in managing personal information • Monitor compliance with laws and policies, including content monitoring of Web sites and e-mail • Consider implementing Clean Desk / Clean Drive policy
Case 5 Should I create a record?
Ask: • Is there an operational need to create a record? • What does the record need to say/contain? • What does the record NOT need to say/contain? • Who should create / hold / access the record? • How are drafts / copies tracked and final version identified? • How are retention and destruction addressed? • See also: Note-taking tip sheets
Things To Take Away • Secretariat is coordinating FIPPA-related processes • Secretariat is contact-point for specific concerns • Secretariat will share information through Liaison Network
Questions? Chris Graves, University Records Management Coordinator • Phone: 519-824-4120 Ext. 56103 • Fax: 519-767-1350 • Email: c.graves@exec.uoguelph.ca