Title: Access to information and Protection of Privacy: Putting the Pieces Together
1 Access to information and Protection of Privacy
Putting the Pieces Together
- Chris Graves
- University Records Management Coordinator
- University Access and Privacy Website
- http://www.uoguelph.ca/secretariat/privacy.shtml
[Slide graphic labels: PIPEDA, FIPPA, PHIPA, Notice, Policies, Collecting, Consent, Fair Practice, Use]
2 Learning Objectives
- Awareness of different types of legislation/policies and their impact on access, privacy and recordkeeping at the University
- What must I do to comply with the new privacy legislation?
- When can I share information?
- Should I even be creating a record?
3 Access & Privacy Context
- University Policies (e.g. RM)
- Employee Agreements (e.g. HR)
- FIPPA (Public sector)
- PHIPA (Health sector)
- PIPEDA (Private sector)
- MTCU (Universities)
- Other
4 University Access and Privacy Policy
http://www.uoguelph.ca/secretariat/privacy.shtml
- Accountable
- Disseminate operational information
- Protect personal privacy
- Maintain accurate personal information
- Use information for consistent purposes
- Integrity
5 UG Records Management Policy
http://www.uoguelph.ca/secretariat/records.shtml
- Develop retention and disposition schedules
- Manage records according to this RM policy
- Involve Records Coordinator in RM developmental processes
6 Principles
- PRIVACY
  - Individual has right to control collection, use, disclosure of their own personal information
  - University must protect private information from third parties
versus
- ACCESS
  - Individuals can request access to their own personal information at the University
  - Individuals can request access to records at the University (under FIPPA, not PIPEDA)
  - Exemptions should be limited and specific
7 FIPPA Legislation is to Access and Privacy What
- Occupational health and safety legislation is to safety in the workplace
- Environmental legislation is to stewardship of the environment
- School board legislation is to learning
- Rule of thumb
  - FIPPA is just a piece of legislation; access and privacy is the culture
8 Access to what?
- All recorded information, however recorded, including
  - Drafts, Post-it notes, hard drive files, BlackBerry, email, voice mail, agendas, address books
  - Expense accounts and receipts
  - E-mails
  - Briefing notes & briefing binders
  - Correspondence
  - Amount of money spent on various programs
  - Tenders/Bids
  - Consultants (e.g. names, amount spent, work done, selection process)
9 What is personally identifiable information?
- Key term
- Identifiable
- Name
- Photo
- Student ID
- Rule of thumb
- Context is everything!
10 Means of Access
- INFORMAL ACCESS
  - Active Dissemination (AD)
    - Website, reports, etc.
  - Routine Disclosure (RD)
    - Release of general records on request
    - E.g. request to see one's own health record
- FORMAL ACCESS
  - FIPPA Request
    - E.g. formal PHIPA request to see one's own health record
- Rule of thumb
  - No automatic requirement to invoke FIPPA
11 FIPPA Request Process
- Requester must
  - Submit written request
  - Indicate request is made under FIPPA
  - Pay $5.00 fee
- University must
  - Process FIPPA request within 30 calendar days
12 FIPPA Exclusions
- Archival records of University s.65(1)
  - Only private donations are excluded
- Labour relations & employment related information s.65(6)
  - Therefore personnel files function under Employee Agreements and/or HR policies, not FIPPA
  - Exception: Expense claims and agreements s.65(7)
- Research & teaching materials s.65(8.1)
  - Exception: Subject matter/amount of funding for research s.65(9)
  - Exception: Evaluative/opinion/eligibility qualifications for teaching materials s.65(10)
- Health information is also not under FIPPA, other than formal request process
13 FIPPA Exemptions
- Mandatory
  - Third-party Information s.17(1)
  - Personal Privacy s.21
- Discretionary
  - Advice/Recommendations s.13(1)
  - Law Enforcement s.14(1)
  - Economic and Other Interests s.18
  - Educational tests s.18(1h)
  - Solicitor-Client Privilege s.19
  - Danger to Safety or Health s.20
  - Information to be published s.22
14 Case 1: External
- Access to
- Invoices?
- Expense Reports?
- Minutes?
- Reference Letters?
15 Case 2: Internal
- Access to
- Student Information?
- Employee Information?
- The University Circle
- (video clip)
- See also Privacy Impact Checklist
16 Summary: Records Creation Awareness
- Today's memo could be tomorrow's headline
- Good records management is vital
- Create records with access in mind
- Consider possible future release of information at time the records are created; protect personal information as appropriate
- Better than email/fax disclaimers!
17 Easy Steps to Privacy Protection
- Restrict access to client information to those that need to know.
- Ensure client information is not visible or accessible to others.
- Do not discuss client information in places where others may overhear
- Do not share existing passwords with anyone or give old passwords to new employees when contractor leaves.
- Discard old or used client information appropriately
- Collection
- Use
- Disclosure
- Retention
- Disposition
18 Why Privacy?
- Privacy is
  - The right to be let alone.
  - The right to control one's personal information.
- One purpose of privacy regulations is to help protect people against the unwanted sharing of personal information.
19 Principles
Balance
- PRIVACY
  - Individual has right to control collection, use, disclosure of their own personal information
  - University must protect private information from third parties
  - Security does not equal privacy
versus
- ACCESS
  - Individuals can request access to their own personal information at the University
  - Individuals can request access to records at the University (under FIPPA, not PIPEDA)
  - Exemptions should be limited and specific
20 Strong Privacy Compromises Security
Security
e.g. Terrorist anonymity
Privacy
21 Strong Security Limits Privacy
Privacy
e.g. Digital Trail
Security
22 Privacy & Security
- Privacy and security rely on trust
  - Trust in policy (to provide rules and guidance)
  - Trust in process (to ensure compliance)
  - Trust in technology (to deliver anticipated results)
  - Trust in people (to act responsibly)
23 If You Wanted to Know
- What must I do to comply with the new policies/legislation?
24 Notices s.39(2) & 41(1) (PHIPA or PIPEDA: obtain direct consent, not notice)
- Must provide notice to individual indicating
  - Legal authority for the collection of information
    - What gives the University the right to collect this?
  - Purpose for which it is intended
    - How will the University use this information?
  - Business contact info for questions
    - Who do I contact if I have questions about how my information is being used?
25
26 Retention & Disposition
- Must maintain personal info at least 1 year after last use s.40(1); Reg.460, s.5
- Must maintain record of information destroyed (without revealing personal info) s.40(4); Reg.459, s.6
- See also sample disposal record
27 If You Wanted to Know
- When can I share information?
28 Look to Your Notice!
- Consistent purpose requires that individual might reasonably have expected the use or disclosure at time info was collected
- Consistent purpose therefore depends on the collection notice and what (reasonable) expectations it creates
- See also Privacy Impact Checklist
- University Circle
29 Above All: Consistent Purpose s.41(1.b)
- Requires that individual might reasonably have expected the use or disclosure at time info was collected
- Consistent purpose therefore depends on the collection notice and what (reasonable) expectations it creates
30 Case 3: Necessary and Appropriate
- Too much information
- (video clip)
31 Fair Information Practices
- Accountability
- Consent
- Limiting use, disclosure, and retention
- Safeguards
- Individual access
- Identifying purposes
- Limiting collection
- Accuracy
- Openness
- Challenging compliance
32 The Importance of Accuracy
33 Privacy Breaches Do Happen
34 Be prepared to answer questions such as
35 Five Key Questions
- Why are you asking for this information?
- How will my information be used?
- Who will be able to see my information?
- Will there be any secondary uses?
- How can I control my data?
36 Case 4: Breach
- Theft
- (video clip)
- Audio space
- (video clip)
37 If a Privacy Breach Occurs
- Notify the University Secretariat of a privacy breach involving personal information
- An investigation will most likely result
38 Managing Breach Protocol
- Inform your manager
  - Manager will notify University Secretariat and/or University Legal counsel
- Identify the scope
  - What personal information was involved?
  - Who had unauthorized access to personal information?
- Contain the breach
  - Suspend the process/activity that caused breach
  - Retrieve records
- Notify
  - Individuals whose privacy was breached
  - University Secretariat will notify IPC if required
39 Preventing Future Breaches
- Educate staff about the privacy rules and privacy regulations
- Ensure staff is aware of the consequences of a privacy breach
- Each person is accountable for personal information in their custody
- Staff should err on the side of protecting privacy
  - Or should they? E.g. Virginia Tech.
- Staff should contact the program manager and/or University Secretariat for advice
40 Risk-based Prioritization
- Privacy planning is more effective if approached from a risk management perspective than a legal compliance perspective
- Risk management permits the efficient allocation of resources
- In contrast, legal compliance requires the allocation of resources to all compliance issues regardless of risk
- Contact the Secretariat about available assessment options
41 Risk Map
[Figure: risk map. Labels: 1, 2, 3, 4; Default Risk Tolerance Line. Legend: Action not yet started; No progress reported; Moderate progress reported; Evidential progress reported; Action successfully completed]
42 Summary
- Periodically review/audit and ensure appropriate processes and practices are in place re collection, use, disclosure, retention and disposal of personal information
  - E.g. Do we really need SINs? How long do we really need to retain resumes?
- Build in privacy
  - Design collection processes to limit and protect personal information
  - Put system in place to update Secretariat when new information is being collected or shared so we can advise on making it FIPPA compliant
- Rule of thumb
  - Data minimization!
43 Lessons Learned cont'd
- Know where your personal information is
  - Conduct personal info inventory, including portable computing storage devices and paper records
- Say what you do with personal information
  - Post clear notices of privacy practices on Web sites, in offices, and whenever collecting personal info
- Do what you say in managing personal information
  - Monitor compliance with laws and policies, including content monitoring of Web sites and e-mail
  - Consider implementing Clean Desk / Clean Drive policy
44 Case 5
- Should I create a record?
45 Ask
- Is there an operational need to create a record?
- What does the record need to say/contain?
- What does the record NOT need to say/contain?
- Who should create / hold / access the record?
- How are drafts / copies tracked and final version identified?
- How are retention and destruction addressed?
- See also Note-taking tip sheets
46 Things To Take Away
- Secretariat is coordinating FIPPA-related processes
- Secretariat is contact-point for specific concerns
- Secretariat will share information through Liaison Network
47 Questions?
- Chris Graves
- University Records Management Coordinator
- Phone: 519-824-4120 Ext. 56103
- Fax: 519-767-1350
- Email: c.graves_at_exec.uoguelph.ca