500 likes | 526 Views
Privacy in a School Setting. Angela Markel, Portfolio Officer Office of the Saskatchewan Information and Privacy Commissioner. This slide left blank intentionally. What are the Laws?. Federal Legislation: Access to Information Act (ATIA) Privacy Act
E N D
Privacy in a School Setting Angela Markel, Portfolio Officer Office of the Saskatchewan Information and Privacy Commissioner
What are the Laws? • Federal Legislation: • Access to Information Act (ATIA) • Privacy Act • Personal Information Protection and Electronic Documents Act (PIPEDA) • Provincial Legislation: • The Privacy Act • The Freedom of Information and Protection of Privacy Act (FOIP) • The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) • The Health Information Protection Act (HIPA)
Saskatchewan Information and Privacy Commissioner • Oversees 3 statutes: • The Freedom of Information and Protection of Privacy Act (FOIP) • The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) • The Health Information Protection Act (HIPA) • Appointed by Legislative Assembly • 5 year term • Right of appeal to Q.B.
OIPC Mandate • Comment on privacy implications of proposed legislation/programs • Recommend changes in collection, use and disclosure practices • Recommend destruction of improperly collected personal information • Authorize indirect collection • Carry out investigations to ensure compliance • Review decisions of public bodies • Undertake public education on access and privacy matters • Submit Annual Report to Legislative Assembly
OIPC Activities • Reports (investigations and reviews) • FOIP FOLIO (e-newsletter) • Resource Materials • Video surveillance guidelines • Faxing Guidelines • Best Practices – Mobile Device Security • Privacy Breach Guidelines • Pamphlets • “Helpful Tips” • Annual Reports
Public information must be accessible; Personal information must be protected.
The Health Information Protection Act • In force since Sept. 1, 2003 • HIPA applies to trustees: • Government institutions (includes Crown Corporations) • Regional health authorities • Health professionals • Ambulance operators • Pharmacies • Medical laboratories With custody or control of Personal health information • Sets out rules for the collection, use and disclosure of personal health information
What is ‘Personal Health Information’? • Personal health information includes: • Physical or mental health of individual • Any health service provided to the individual • Registration information • Information collected in the course of, or incidentally to, the provision of health services
HIPA does not apply to: • Statistical / De-identified health information • PHI of a person who has been deceased for more than 30 years • Records that are more than 120 years old
HIPA Basics • Facilitates information sharing within the ‘circle of care’ • Limits sharing outside that ‘circle of care’ • “Need to Know” Principle • Three forms of consent • Express, implied, deemed • Right of complaint to the OIPC
The Freedom of Information and Protection of Privacy Act • In force since 1992 • Applies to government institutions: • Government ministries, agencies, boards, commissions, Crown Corporations • Entities under contract to a government institution may have records under the control of a government institution
The Local Authority Freedom of Information and Protection of Privacy Act • In force since 1993 • Applies to local authorities: • Universities and Colleges • Regional health authorities • School and library boards • Municipalities, cities and towns • Also, a local authority’s contractors
FOIP & LA FOIP • Parts II & III deal with access • Sets out the rules for access to records in the possession or under the control of a public body; exceptions are limited and specific; provides right to request correction / amendment • Part IV deals with privacy • Governs the collection, use and disclosure of personal information in the possession or control of a public body • Provides a right to complain to the Commissioner
Other Relevant Laws • The Education Act • The Child and Family Services Act • The Children’s Law Act • The Emergency Protection for Victims of Child Sexual Abuse and Exploitation Act • The Public Health Act • The Mental Health Service Act • Youth Criminal Justice Act (federal) • Divorce Act (federal)
Surrogates • Clarifies who may act on your behalf: • Personal representative of deceased estate • Legal guardian • Attorney under power of attorney • Legal custodian - where the individual is under 18 and the exercise of the right under the legislation would not constitute an unreasonable invasion of privacy of that individual • By anyone with written authorization from the individual
Custody & Access Issues • The Children’s Law Act provides that: 9(2) Unless otherwise ordered by the court, a parent who is granted access to a child has the same right as the custodial parent to make inquiries and be given information concerning the health, education and welfare of the child. • However, having the right to “make inquiries and be given information” does not necessarily equate to the non-custodial parent being allowed to act on behalf of the child, as a surrogate does under FOIP/LA FOIP. Thus, need to consider what information is being sought and what actions are purported to be taken on the child’s behalf. Surrogacy provisions cannot be used to obtain records to further the parent’s own personal objectives.
PROTECTION OF PRIVACY
What is ‘privacy’? • Not defined by privacy laws • Privacy definitions: • Right to be free from intrusion or interference • Right to be left or let alone • Different dimensions: • Physical or bodily privacy • Territorial privacy • Privacy of communications • Information or data privacy
It’s all about me • Information privacy isdefined as: • Right of an individual to determine for him/herself when, how and to what extent he/she will share his/her ‘personal information’ • ‘Personal information’ is: • Generally, it is information about an identifiable individual • Defined by the applicable privacy law
It’s all about me • What is not personal information • No concern if de-identified, provided as statistics only, or as aggregate data • Employment specific information (i.e. business card information, job duties, salary, etc) • However, employment history is personal information
Personal Information • About an identifiable individual that is recorded in any form and includes: • Name, if appears with other personal info or if the name itself would reveal personal information about the individual • Race, creed, religion, colour, sex, sexual orientation, family status, marital status, disability, age, nationality, ancestry or place or origin • Education, criminal, employment or financial history • Health history or health care received • Identifying number, symbol
Personal Information • About an identifiable individual that is recorded in any form and includes: • Contact information (home or business address, phone #), fingerprints, blood type • Confidential correspondence to a local authority (except if your views or opinions about another) • Opinions of another about you • Your personal opinions (unless about another person) • Information on a tax return • Information describing someone’s finances, assets, liabilities or credit worthiness
NOT Personal Information • Classification, salary of officer or employee (past or present) • Personal opinions in the course of work (other than about another person) • Details of contract for personal services • Details of a license, permit or discretionary benefit/financial benefit granted by a local authority to an individual • Traveling expenses of individual paid by a local authority • Academic ranks or departmental designations of members of faculties of U of S and U of R • Degrees, certificates, or diplomas received from SIAST, U of R and U of S • Discretionary benefits
My name & work address I am HIV positive My opinion of you My SIN number Age Public Information Potentially Damaging
Collection • For a purpose that relates to an existing or proposed program or activity of the local authority • Collect directly where reasonably practicable unless… • it would result in inaccurate information; or • defeat the purpose; or • prejudice the use • inform the individual why the information was collected • If you collect it, you must keep it accurate and complete
Use • Sharing of information within a public body is a use • Use with consent unless: • For purposes of collection for which it was obtained or a consistent purpose • For purposes permitted as specified • This is discussed under disclosures • ‘Need to know’ principle • Restrict to least amount of identifying information necessary for the purpose
Disclosure • “To give out, release or make available” • Sharing of information outside of the public body is a disclosure • Disclose only with consent unless… • One of 20 different circumstances apply (plus more in the Regulations) • Examples: for providing an employment reference, where necessary to protect the mental or physical health or safety of an individual, where disclosure may reasonably be expected to assist in the provisions of services for the benefit of the individual.
Disclosure Request byPolice or Social Services • As with any request for disclosure by external parties without consent, the onus is on the requestor to provide authority for the disclosure • FOIP/LA FOIP/HIPA has provisions for disclosure without consent to occur for purposes of law enforcement and health or safety matters • In addition, disclosure is allowed if authorized by another piece of legislation • However, as the public body responsible for the personal information you must be satisfied that the requirements of the legislation have been met in the circumstances
Did privacy laws prevent disclosure? • February 2004, 18 year old UBC student commits suicide in her Vancouver dormitory. • Girl was suffering from sever depression. One month earlier, she attempted suicide and was hospitalized. • The university and hospital both had knowledge but did not inform the girl’s family. • University and hospital staff claimed privacy laws prevented them from informing the girl’s parents.
Criteria for making assessment • Criteria used in other provinces to make this decision include: • must be a reasonable expectation of probable harm; • harm must constitute damage or detriment and not more inconvenience; and • must be a causal connection between disclosure and the anticipated harm. • An assessment of the risk must be made and a determination of whether there are reasonable grounds for concluding there is a danger to the health or safety of any person. That assessment must be specific to the circumstances of the case under consideration. *See Alta OIPC Orders 96-003 and 96-004 and British Columbia OIPC Order PO6-02
Privacy laws contemplatepotential harm • Risks to health (mental or physical) or safety to self or others • Uses and Disclosures without consent • FOIP section 29(2)(m) and LA FOIP section 28(2)(l): • “where necessary to protect the mental or physical health or safety of any individual” • HIPA section 27(4)(a): • where the trustee believes, on reasonable grounds, that the disclosure will avoid or minimize a danger to the health or safety of any person
Criteria to Examine • “Physical health” refers to the well-being of an individual’s physical body - relative to injury, illness or disease. • “Mental health” refers to the functioning of a person’s mind – may involve distress, suffering, or functional impairment. • “Inconvenience, upset or unpleasantness of dealing with a difficult or unreasonable person” is not sufficient • "Safety" generally means the condition of being safe; freedom from danger or risks. • Generally there is little or no discernable difference between endangering someone’s “physical and mental health” or endangering their “safety”.
Access to Personal Information • Right of access to personal information • May be refused if provided in confidence and information to measure the suitability for employment, or if evaluative or opinion • Application for personal information on behalf of another person exists • Right to request correction • Rights of a third party to receive written notice of an intent to disclose personal information about him/herself
Case StudyFogal v. Regina School Division No. 4 • Appeal from decision of Information and Privacy Commissioner to Court of Queen’s Bench • Background: • Teacher with 20+ years experience was told, “you will be placed on extensive performance evaluation process commencing February 5, 2001 due to parental concerns”. • On behalf of Fogal the STF applied for access to records (parent’s comments) from the Board of Education • The Board denied the request as it contained, “personal information that is of an evaluative or opinion material compiled solely for the purpose of determining the individual’s suitability, eligibility or qualifications for employment” – section 30 (2) of LA FOIP • Was the board right to deny the request?
Case StudyFogal v. Regina School Division No. 4 • At issue – Was it her personal information? • Yes - the views or opinions of another person about a teacher • section 23(1)(h) of LA FOIP • Is the Board of Education entitled to rely on the exemption contained in section 30(2) of LA FOIP? • Yes. This section does not just apply to information compiled at the time of hiring. The court ruled that the board was entitled to withhold the documents.
Consent • Consent cures all • Must be in writing unless it is not “reasonably practicable” to obtain written consent • Informed consent: • Requires that the person consenting: • understands the exact nature of the information for which consent is sought; • understands the potential consequences of signing the consent; and • be given the right to revoke consent at any time.
Other Key Terms • Confidentiality • Obligation to protect the information entrusted to an organization • Security • Assessing threats & risks to information and taking steps to protect
Adequate Safeguards • To prevent privacy breaches • Physical safeguards: • locked doors/filing cabinets • Proper Disposal Methods • Administrative safeguards • Orientation & Training • Policies and Procedures • Technical safeguards • User IDs and passwords • Firewalls and encryption of data
“All the security in the world will not help if the employees keep their passwords in an unlocked desk drawer”
When does aPrivacy Breach occur? • When there is an unauthorized collection, use or disclosure of information about an identifiable individual • May be a verbal breach or involve recorded personal information • May be accidental or intentional • May be one time occurrence or due to systemic inadequacies • Often predictable
How to respond prior to involvement of OIPC • Take immediate action to stop breach and secure the affected records, systems or websites. • Ensure appropriate officials are notified including the Privacy Officer, the head and/or designate, and police if necessary. • Conduct an internal investigation (informal or formal) • Document details of the privacy breach • Evaluate the risks (immediate and ongoing) • Inventory and review safeguards in place prior to incident • Findings and recommendations • Write report or summary, as appropriate/warranted
How to respond • Try to resolve affected individuals complaints informally at the onset of the complaint if individual is already aware of incident • Consider whether to: • Notify the Commissioner • The individual whose personal information has been wrongly disclosed, stolen or lost (if unaware). • Prevention and follow-up: implementation of plan and ongoing monitoring
Role of the OIPC • Not an advocate for either the complainant or public body • Role is to investigate and determine if a public body’s actions were in contravention of FOIP/LA FOIP and/or HIPA • Will provide analysis, findings and recommendations to public body which may result in an informal resolution
OIPC Investigation • During the inquiry, OIPC may request the following: • A copy of the public body’s internal investigation report, if one prepared • The public body’s position in writing • Additional documentation of steps/actions taken and safeguards in place at time of incident • Copies of any relevant contracts, PIAs, information sharing agreements, MOUs, etc. • To interview witnesses • To attend on site for various purposes (i.e. observe work processes, capabilities of technology, etc.)
Current Issues • Video Surveillance • Safety vs. privacy • School Web-sites • Sharing of general school information • Personal information of students and staff • Data Mining • Identity Theft • Child Protection issues
Contact Information Office of the Saskatchewan Information and Privacy Commissioner 503-1801 Hamilton Street REGINA, SK S4P 4B4 Phone: (306) 787-8350 Fax: (306) 798-1603 Email: amarkel@oipc.sk.ca Website: www.oipc.sk.ca