Privacy in a School Setting Angela Markel, Portfolio Officer Office of the Saskatchewan Information and Privacy Commissioner
What are the Laws? • Federal Legislation: • Access to Information Act (ATIA) • Privacy Act • Personal Information Protection and Electronic Documents Act (PIPEDA) • Provincial Legislation: • The Privacy Act • The Freedom of Information and Protection of Privacy Act (FOIP) • The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) • The Health Information Protection Act (HIPA)
Saskatchewan Information and Privacy Commissioner • Oversees 3 statutes: • The Freedom of Information and Protection of Privacy Act (FOIP) • The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) • The Health Information Protection Act (HIPA) • Appointed by Legislative Assembly • 5 year term • Right of appeal to Q.B.
OIPC Mandate • Comment on privacy implications of proposed legislation/programs • Recommend changes in collection, use and disclosure practices • Recommend destruction of improperly collected personal information • Authorize indirect collection • Carry out investigations to ensure compliance • Review decisions of public bodies • Undertake public education on access and privacy matters • Submit Annual Report to Legislative Assembly
OIPC Activities • Reports (investigations and reviews) • FOIP FOLIO (e-newsletter) • Resource Materials • Video surveillance guidelines • Faxing Guidelines • Best Practices – Mobile Device Security • Privacy Breach Guidelines • Pamphlets • “Helpful Tips” • Annual Reports
Public information must be accessible; Personal information must be protected.
The Health Information Protection Act • In force since Sept. 1, 2003 • HIPA applies to trustees: • Government institutions (includes Crown Corporations) • Regional health authorities • Health professionals • Ambulance operators • Pharmacies • Medical laboratories With custody or control of Personal health information • Sets out rules for the collection, use and disclosure of personal health information
What is ‘Personal Health Information’? • Personal health information includes: • Physical or mental health of individual • Any health service provided to the individual • Registration information • Information collected in the course of, or incidentally to, the provision of health services
HIPA does not apply to: • Statistical / De-identified health information • PHI of a person who has been deceased for more than 30 years • Records that are more than 120 years old
HIPA Basics • Facilitates information sharing within the ‘circle of care’ • Limits sharing outside that ‘circle of care’ • “Need to Know” Principle • Three forms of consent • Express, implied, deemed • Right of complaint to the OIPC
The Freedom of Information and Protection of Privacy Act • In force since 1992 • Applies to government institutions: • Government ministries, agencies, boards, commissions, Crown Corporations • Entities under contract to a government institution may have records under the control of a government institution
The Local Authority Freedom of Information and Protection of Privacy Act • In force since 1993 • Applies to local authorities: • Universities and Colleges • Regional health authorities • School and library boards • Municipalities, cities and towns • Also, a local authority’s contractors
FOIP & LA FOIP • Parts II & III deal with access • Sets out the rules for access to records in the possession or under the control of a public body; exceptions are limited and specific; provides right to request correction / amendment • Part IV deals with privacy • Governs the collection, use and disclosure of personal information in the possession or control of a public body • Provides a right to complain to the Commissioner
Other Relevant Laws • The Education Act • The Child and Family Services Act • The Children’s Law Act • The Emergency Protection for Victims of Child Sexual Abuse and Exploitation Act • The Public Health Act • The Mental Health Service Act • Youth Criminal Justice Act (federal) • Divorce Act (federal)
Surrogates • Clarifies who may act on your behalf: • Personal representative of deceased estate • Legal guardian • Attorney under power of attorney • Legal custodian - where the individual is under 18 and the exercise of the right under the legislation would not constitute an unreasonable invasion of privacy of that individual • By anyone with written authorization from the individual
Custody & Access Issues • The Children’s Law Act provides that: 9(2) Unless otherwise ordered by the court, a parent who is granted access to a child has the same right as the custodial parent to make inquiries and be given information concerning the health, education and welfare of the child. • However, having the right to “make inquiries and be given information” does not necessarily equate to the non-custodial parent being allowed to act on behalf of the child, as a surrogate does under FOIP/LA FOIP. Thus, need to consider what information is being sought and what actions are purported to be taken on the child’s behalf. Surrogacy provisions cannot be used to obtain records to further the parent’s own personal objectives.
PROTECTION OF PRIVACY
What is ‘privacy’? • Not defined by privacy laws • Privacy definitions: • Right to be free from intrusion or interference • Right to be left or let alone • Different dimensions: • Physical or bodily privacy • Territorial privacy • Privacy of communications • Information or data privacy
It’s all about me • Information privacy is defined as: • Right of an individual to determine for him/herself when, how and to what extent he/she will share his/her ‘personal information’ • ‘Personal information’ is: • Generally, it is information about an identifiable individual • Defined by the applicable privacy law
It’s all about me • What is not personal information • No concern if de-identified, provided as statistics only, or as aggregate data • Employment specific information (i.e. business card information, job duties, salary, etc) • However, employment history is personal information
Personal Information • About an identifiable individual that is recorded in any form and includes: • Name, if it appears with other personal info or if the name itself would reveal personal information about the individual • Race, creed, religion, colour, sex, sexual orientation, family status, marital status, disability, age, nationality, ancestry or place of origin • Education, criminal, employment or financial history • Health history or health care received • Identifying number, symbol
Personal Information • About an identifiable individual that is recorded in any form and includes: • Contact information (home or business address, phone #), fingerprints, blood type • Confidential correspondence to a local authority (except if your views or opinions about another) • Opinions of another about you • Your personal opinions (unless about another person) • Information on a tax return • Information describing someone’s finances, assets, liabilities or credit worthiness
NOT Personal Information • Classification, salary of officer or employee (past or present) • Personal opinions in the course of work (other than about another person) • Details of contract for personal services • Details of a license, permit or discretionary benefit/financial benefit granted by a local authority to an individual • Traveling expenses of individual paid by a local authority • Academic ranks or departmental designations of members of faculties of U of S and U of R • Degrees, certificates, or diplomas received from SIAST, U of R and U of S • Discretionary benefits
Diagram (scale from “Public Information” to “Potentially Damaging”): My name & work address • I am HIV positive • My opinion of you • My SIN number • Age
Collection • For a purpose that relates to an existing or proposed program or activity of the local authority • Collect directly where reasonably practicable unless… • it would result in inaccurate information; or • defeat the purpose; or • prejudice the use • inform the individual why the information was collected • If you collect it, you must keep it accurate and complete
Use • Sharing of information within a public body is a use • Use with consent unless: • For purposes of collection for which it was obtained or a consistent purpose • For purposes permitted as specified • This is discussed under disclosures • ‘Need to know’ principle • Restrict to least amount of identifying information necessary for the purpose
Disclosure • “To give out, release or make available” • Sharing of information outside of the public body is a disclosure • Disclose only with consent unless… • One of 20 different circumstances apply (plus more in the Regulations) • Examples: for providing an employment reference, where necessary to protect the mental or physical health or safety of an individual, where disclosure may reasonably be expected to assist in the provisions of services for the benefit of the individual.
Disclosure Request by Police or Social Services • As with any request for disclosure by external parties without consent, the onus is on the requestor to provide authority for the disclosure • FOIP/LA FOIP/HIPA have provisions for disclosure without consent to occur for purposes of law enforcement and health or safety matters • In addition, disclosure is allowed if authorized by another piece of legislation • However, as the public body responsible for the personal information you must be satisfied that the requirements of the legislation have been met in the circumstances
Did privacy laws prevent disclosure? • February 2004, 18-year-old UBC student commits suicide in her Vancouver dormitory. • Girl was suffering from severe depression. One month earlier, she attempted suicide and was hospitalized. • The university and hospital both had knowledge but did not inform the girl’s family. • University and hospital staff claimed privacy laws prevented them from informing the girl’s parents.
Criteria for making assessment • Criteria used in other provinces to make this decision include: • must be a reasonable expectation of probable harm; • harm must constitute damage or detriment and not mere inconvenience; and • must be a causal connection between disclosure and the anticipated harm. • An assessment of the risk must be made and a determination of whether there are reasonable grounds for concluding there is a danger to the health or safety of any person. That assessment must be specific to the circumstances of the case under consideration. *See Alta OIPC Orders 96-003 and 96-004 and British Columbia OIPC Order PO6-02
Privacy laws contemplate potential harm • Risks to health (mental or physical) or safety to self or others • Uses and Disclosures without consent • FOIP section 29(2)(m) and LA FOIP section 28(2)(l): • “where necessary to protect the mental or physical health or safety of any individual” • HIPA section 27(4)(a): • where the trustee believes, on reasonable grounds, that the disclosure will avoid or minimize a danger to the health or safety of any person
Criteria to Examine • “Physical health” refers to the well-being of an individual’s physical body - relative to injury, illness or disease. • “Mental health” refers to the functioning of a person’s mind – may involve distress, suffering, or functional impairment. • “Inconvenience, upset or unpleasantness of dealing with a difficult or unreasonable person” is not sufficient • "Safety" generally means the condition of being safe; freedom from danger or risks. • Generally there is little or no discernable difference between endangering someone’s “physical and mental health” or endangering their “safety”.
Access to Personal Information • Right of access to personal information • May be refused if provided in confidence and information to measure the suitability for employment, or if evaluative or opinion • Application for personal information on behalf of another person exists • Right to request correction • Rights of a third party to receive written notice of an intent to disclose personal information about him/herself
Case Study: Fogal v. Regina School Division No. 4 • Appeal from decision of Information and Privacy Commissioner to Court of Queen’s Bench • Background: • Teacher with 20+ years experience was told, “you will be placed on extensive performance evaluation process commencing February 5, 2001 due to parental concerns”. • On behalf of Fogal the STF applied for access to records (parent’s comments) from the Board of Education • The Board denied the request as it contained, “personal information that is of an evaluative or opinion material compiled solely for the purpose of determining the individual’s suitability, eligibility or qualifications for employment” – section 30 (2) of LA FOIP • Was the board right to deny the request?
Case Study: Fogal v. Regina School Division No. 4 • At issue – Was it her personal information? • Yes - the views or opinions of another person about a teacher • section 23(1)(h) of LA FOIP • Is the Board of Education entitled to rely on the exemption contained in section 30(2) of LA FOIP? • Yes. This section does not just apply to information compiled at the time of hiring. The court ruled that the board was entitled to withhold the documents.
Consent • Consent cures all • Must be in writing unless it is not “reasonably practicable” to obtain written consent • Informed consent: • Requires that the person consenting: • understands the exact nature of the information for which consent is sought; • understands the potential consequences of signing the consent; and • be given the right to revoke consent at any time.
Other Key Terms • Confidentiality • Obligation to protect the information entrusted to an organization • Security • Assessing threats & risks to information and taking steps to protect
Adequate Safeguards • To prevent privacy breaches • Physical safeguards: • locked doors/filing cabinets • Proper Disposal Methods • Administrative safeguards • Orientation & Training • Policies and Procedures • Technical safeguards • User IDs and passwords • Firewalls and encryption of data
“All the security in the world will not help if the employees keep their passwords in an unlocked desk drawer”
When does a Privacy Breach occur? • When there is an unauthorized collection, use or disclosure of information about an identifiable individual • May be a verbal breach or involve recorded personal information • May be accidental or intentional • May be one time occurrence or due to systemic inadequacies • Often predictable
How to respond prior to involvement of OIPC • Take immediate action to stop breach and secure the affected records, systems or websites. • Ensure appropriate officials are notified including the Privacy Officer, the head and/or designate, and police if necessary. • Conduct an internal investigation (informal or formal) • Document details of the privacy breach • Evaluate the risks (immediate and ongoing) • Inventory and review safeguards in place prior to incident • Findings and recommendations • Write report or summary, as appropriate/warranted
How to respond • Try to resolve affected individuals’ complaints informally at the onset of the complaint if individual is already aware of incident • Consider whether to: • Notify the Commissioner • The individual whose personal information has been wrongly disclosed, stolen or lost (if unaware). • Prevention and follow-up: implementation of plan and ongoing monitoring
Role of the OIPC • Not an advocate for either the complainant or public body • Role is to investigate and determine if a public body’s actions were in contravention of FOIP/LA FOIP and/or HIPA • Will provide analysis, findings and recommendations to public body which may result in an informal resolution
OIPC Investigation • During the inquiry, OIPC may request the following: • A copy of the public body’s internal investigation report, if one prepared • The public body’s position in writing • Additional documentation of steps/actions taken and safeguards in place at time of incident • Copies of any relevant contracts, PIAs, information sharing agreements, MOUs, etc. • To interview witnesses • To attend on site for various purposes (i.e. observe work processes, capabilities of technology, etc.)
Current Issues • Video Surveillance • Safety vs. privacy • School Web-sites • Sharing of general school information • Personal information of students and staff • Data Mining • Identity Theft • Child Protection issues
Contact Information Office of the Saskatchewan Information and Privacy Commissioner 503-1801 Hamilton Street REGINA, SK S4P 4B4 Phone: (306) 787-8350 Fax: (306) 798-1603 Email: amarkel@oipc.sk.ca Website: www.oipc.sk.ca