1. Freedom of Information & Protection of Privacy (FOIP)
November 2006
3. What is FOIP?
Alberta law which:
Grants people a right of access to records under the custody or control of a public body (subject to limited and specific exceptions)
Governs the way personal information is collected, used and shared by public bodies
Provides for an independent review by the Information and Privacy Commissioner
4. Part I - Access to Records
General Inquiries
Active dissemination of information
FOIP Requests
Founded on three principles:
government information should be available to the public
the necessary exceptions to the right of access should be limited and specific
decisions on disclosure of government information should be reviewed independently of government
5. Application of the FOIP Act
The FOIP Act applies to all records in the custody or under the control of AU, created both before and after the FOIP Act came into force (subject to specific and limited exceptions)
Record: information recorded in any form (e.g., notes, images, audiovisual recordings, books, documents, maps, drawings, photographs, letters, vouchers and papers)
Custody:
Physical possession
Legal ownership irrelevant
Control:
Not in possession, but still have authority to manage the record
Exclusions (of interest to AU):
Question to be used on an examination
Teaching materials
Research information
Material that is published or available for purchase
6. Right of Access
Anyone can request any record
30 days to respond (extension possible)
Fees (personal vs. general)
Consultations with affected parties
Severing
Release records unless
Mandatory exception applies
Discretionary exception applies AND “harms test” satisfied
7. Mandatory Exceptions
Confidential Third Party Business Interests
Trade secrets
Commercial, financial, labour relations, scientific or technical information of a third party
BUT only if disclosure would present harm (e.g., harm the competitive position of the third party)
Third Party Personal Privacy
Must be an unreasonable invasion
8. Discretionary Exceptions
Any disclosure that could reasonably be expected to harm:
Individual or public safety
Law enforcement activities
Advice, proposals, recommendations or policy options developed by or for a public body
Economic interest of a public body
Testing/auditing procedures or techniques
Confidential evaluations
Privileged information
In-camera deliberations of a governing body (AUGC and AUAC)
9. Access – Other Issues
Disclosure in the Public Interest
Risk of significant harm to environment or to health and safety
Personal Information Banks (PIBs)
Collection of information that is organized or retrievable by the name of the individual or by an identifying number or other particular assigned to the individual
Public bodies must publish a directory of PIBs that contains the following information:
Title and location of the PIB
Description of the type of personal information
Authority for collecting the personal information
Must be kept as current as practicable (annual review)
10. Part II – Protecting Privacy
What is privacy?
Often equated with confidentiality
Has been characterized as the right to be left alone, to be secure in one’s home and free from unwanted interference
In the context of the privacy laws, privacy means having control over one’s personal information
Choice of whether to disclose information at all
Control over with whom it is shared
Control over how it is used
Don’t lose control once you’ve released your information
11. Part II – Protecting Privacy
What is personal information?
Information about an identifiable individual that is recorded in any form
Age, sex, birth date, marital status, educational history, race, political beliefs, fingerprints, health and health care history, criminal history
Identifiers (SIN, Student ID #)
Home contact information
Individual’s personal opinions and others’ opinions about the individual
12. Survey Results
90% of respondents willing to disclose name
78% willing to disclose email address
61% willing to disclose street address
14% willing to disclose weight
13% willing to disclose income
12% willing to disclose job title
11% willing to disclose employer
8% willing to disclose net worth
NRF Foundation/Adjoined Consulting Research; Retail Demand Insights 2006
13. How to Protect Personal Information
4 Golden Rules
Collect only information that is necessary to carry out operations
Collect information directly from the individual
Only use information for the purpose for which it was collected
Disclose information only to the individual it is about or to other University employees who need to know
14. Collection of Personal Information
Direct from the individual on a need-to-know basis
Legal authority
Accurate and complete
Correction
Protection
Minimum retention of one year if used to make a decision about the individual
15. Use of Personal Information
Intended purpose or consistent purpose
With the individual’s consent
Alumni records for fundraising purposes
16. Disclosure of Personal Information
To the individual
Individual consents
Pursuant to laws of Alberta or Canada
Where the disclosure would not be an unreasonable invasion of privacy
Enrollment in a program
Attendance at convocation
Receipt of award
Within AU on a need-to-know basis
Law enforcement
28 other specific situations
17. Roles & Responsibilities
FOIP Office
Process Access to Information and Privacy requests
Apply applicable exemptions and exclusions
Apply relevant case law
Interpret law and policy
Advise internally on application of FOIP legislation and policy
Respond to complaint investigations by Office of Information and Privacy Commissioner
Advice and guidance on collection and use of personal information
Privacy Impact Assessments
Faculty/Staff
Maintain records in an easily retrievable fashion
Locate, retrieve and provide relevant records to FOIP Officer within 10 calendar days
Formulate appropriate recommendations to FOIP Office by conducting preliminary review of records
Advise FOIP Office of new or revised requirements to collect or use personal information (Privacy Impact Assessment)
18. Best Practices – Contracting Out
Contracting out does not absolve AU from its privacy obligations for the personal information under its custody/control
Conduct a Privacy Impact Assessment, if warranted, at an early stage prior to contracting out a program or service involving personal information
Include proper privacy protection clauses in contracts to safeguard against unauthorized collection, use, disclosure or disposal of personal information
19. Best Practices – FOIP Requests
Work closely with the FOIP Office to:
Resolve issues as they arise
Ensure the request is clearly understood
Advise if search/programming/CPU time is required
Prepare disclosure recommendations
Retrieve all relevant records and DO NOT remove or delete information from those records
Do not destroy transitory records or records scheduled for destruction
20. Best Practices – Creating Records
Do Not:
write inappropriate personal comments/notes
assume all information will be confidential
release sensitive information:
information subject to FOIP Act exemptions and exclusions should be reviewed by the Privacy Advisor
misfile records
destroy documents if you are not sure of their retention status
21. Best Practices – Privacy Breach
Contact individuals affected
Contact Office of the Information and Privacy Commissioner
Review Security Measures