Access to information and Protection of Privacy: Putting the Pieces Together

1
Access to information and Protection of Privacy
Putting the Pieces Together
PIPEDA
FIPPA
PHIPA
Notice
Policies
Collecting

• Chris Graves
• University Records
• Management Coordinator
• University Access and Privacy Website
• http//www.uoguelph.ca/secretariat/privacy.shtml

Consent
Fair Practice
Use
2
Learning Objectives

• Awareness of different types of legislation/
  policies and their impact on access, privacy and
  recordkeeping at the University
• What must I do to comply with the new privacy
  legislation?
• When can I share information?
• Should I even be creating a record?

3
Access Privacy Context

• University Policies (e.g. RM)
• Employee Agreements (e.g. HR)
• FIPPA (Public sector)
• PHIPA (Health sector)
• PIPEDA (Private sector)
• MTCU (Universities)
• Other

4
University Access and Privacy Policy
http//www.uoguelph.ca/secretariat/pr
ivacy.shtml

• Accountable
• Disseminate operational information
• Protect personal privacy
• Maintain accurate personal information
• Use information for consistent purposes
• Integrity

5
UG Records Management Policy
http//www.uoguelph.ca/secretariat/records.shtml

• Develop retention and disposition schedules
• Manage records according to this RM policy
• Involve Records Coordinator in RM developmental
  processes

6
Principles

• PRIVACY
• Individual has right to control collection,
  use, disclosure of their own personal information
• University must protect private information from
  third-parties

• ACCESS
• Individuals can request access to their own
  personal information at the University
• Individuals can request access to records at the
  University (under FIPPA, not PIPEDA)
• Exemptions should be limited and specific

versus
7
FIPPA Legislation is to Access and Privacy What

• Occupational health and safety legislation is to
  safety in the workplace
• Environmental legislation is to stewardship of
  the environment
• School board legislation is to learning
• Rule of thumb
• FIPPA is just a piece of legislation access and
  privacy is the culture

8
Access to what?

• All recorded information, however recorded,
  including
• Drafts, postit notes, hard drive files,
  blackberry, email, voice mail, agendas, address
  books
• Expense accounts and receipts
• E-mails
• Briefing notes briefing binders
• Correspondence
• Amount of money spent on various programs
• Tenders/Bids
• Consultants (e.g. names, amount spent, work done,
  selection process)

9
What is personally identifiable information?

• Key term
• Identifiable
• Name
• Photo
• Student ID
• Rule of thumb
• Context is everything!

10
Means of Access

• INFORMAL ACCESS
• Active Dissemination (AD)
• Website, reports, etc.
• Routine Disclosure (RD)
• Release of general records on request
• E.g. request to see ones own health record

• FORMAL ACCESS
• FIPPA Request
• E.g. formal PHIPA request to see ones own health
  record
• Rule of thumb
• No automatic requirement to invoke FIPPA

11
FIPPA Request Process

• Requester must
• Submit written request
• Indicate request is made under FIPPA
• Pay 5.00 fee

• University must
• Process FIPPA request within 30 calendar days

12
FIPPA Exclusions

• Archival records of Universitys.65(1)
• Only private donations are excluded
• Labour relations employment related
  informations.65(6)
• Therefore personnel files function under Employee
  Agreements and/or HR policies, not FIPPA
• Exception Expense claims and agreementss.65(7)
• Research teaching materialss.65(8.1)
• Exception Subject matter/amount of funding for
  researchs.65(9)
• Exception Evaluative/opinion/eligibility
  qualifications for teaching materialss.65(10)
• Health information is also not under FIPPAother
  than formal request process

13
FIPPA Exemptions

• Mandatory
• Third-party Information s.17(1)
• Personal Privacys.21

• Discretionary
• Advice/ Recommendationss.13(1)
• Law Enforcements.14(1)
• Economic and Other Interestss.18
• Educational testss.18(1h)
• Solicitor-Client Privileges.19
• Danger to Safety or Healths.20
• Information to be publisheds.22

14
Case 1 External

• Access to
• Invoices?
• Expense Reports?
• Minutes?
• Reference Letters?

15
Case 2 Internal

• Access to
• Student Information?
• Employee Information?
• The University Circle
• (video clip)

• See also Privacy Impact Checklist

16
Summary Records Creation Awareness

• Todays memo could be tomorrows headline
• Good records management is vital
• Create records with access in mind
• Consider possible future release of information
  at time the records are createdprotect personal
  information as appropriate
• Better than email/fax disclaimers!

17
Easy Steps to Privacy Protection

• Restrict access to client information to those
  that need to know.
• Ensure client information is not visible or
  accessible to others.
• Do not discuss client information in places where
  others may overhear
• Do not share existing passwords with anyone or
  give old passwords to new employees when
  contractor leaves.
• Discard old or used client information
  appropriately

• Collection
• Use
• Disclosure
• Retention
• Disposition

versus
18
Why Privacy?

• Privacy is
• The right to be let alone.
• The right to control ones personal information.
• One purpose of privacy regulations is to help
  protect people against the unwanted sharing of
  personal information.

19
Principles
Balance

• PRIVACY
• Individual has right to control collection,
  use, disclosure of their own personal information
• University must protect private information from
  third-parties
• Security does not equal privacy

• ACCESS
• Individuals can request access to their own
  personal information at the University
• Individuals can request access to records at the
  University (under FIPPA, not PIPEDA)
• Exemptions should be limited and specific

versus
20
Strong Privacy Compromises Security
Security
e.g. Terrorist anonymity
Privacy
21
Strong Security Limits Privacy
Privacy
e.g. Digital Trail
Security
22
Privacy Security

• Privacy and security rely on trust
• Trust in policy (to provide rules and guidance)
• Trust in process (to ensure compliance)
• Trust in technology (to deliver anticipated
  results)
• Trust in people (to act responsibly)

23
If You Wanted to Know

• What must I do to comply with the new
  policies/legislation?

24
Noticess.39(2) 41(1) (PHIPA or PIPEDA
obtain direct consent not notice)

• Must provide notice to individual indicating
• Legal authority for the collection of information
• What gives the University the right to collect
  this?
• Purpose for which it is intended
• How will the University use this information?
• Business contact info for questions
• Who do I contact if I have questions about how my
  information is being used?

25

• AND

26
Retention Disposition

• Must maintain personal info at least 1 year after
  last uses.40(1) Reg.460, s.5
• Must maintain record of information destroyed
  (without revealing personal info)s.40(4)
  Reg.459,s.6
• See also sample disposal record

27
If You Wanted to Know

• When can I share information?

28
Look to Your Notice!

• Consistent purpose requires that individual
  might reasonably have expected the use or
  disclosure at time info was collected
• Consistent purpose therefore depends on the
  collection notice and what (reasonable)
  expectations it creates
• See also Privacy Impact Checklist
• University Circle

29
Above All Consistent Purposes.41(1.b)

• Requires that individual might reasonably have
  expected the use or disclosure at time info was
  collected
• Consistent purpose therefore depends on the
  collection notice and what (reasonable)
  expectations it creates

30
Case 3 Necessary and Appropriate

• Too much information
• (video clip)

31
Fair Information Practices

• Accountability
• Consent
• Limiting use, disclosure,
• and retention
• Safeguards
• Individual access
• Identifying purposes
• Limiting collection

• Accuracy
• Openness
• Challenging compliance

32
The Importance of Accuracy
33
Privacy Breaches Do Happen
34
Be prepared to answer questions
such as
35
Five Key Questions

• Why are you asking for this information?
• How will my information be used?
• Who will be able to see my information?
• Will there be any secondary uses?
• How can I control my data?

36
Case 4 Breach

• Theft
• (video clip)
• Audio space
• (video clip)

37
If a Privacy Breach Occurs

• Notify the University Secretariat of a privacy
  breach involving personal information
• An investigation will most likely result

38
Managing Breach Protocol

• Inform your manager
• Manager will notify University Secretariat and/or
  University Legal counsel
• Identify the scope
• What personal information was involved?
• Who had unauthorized access to personal
  information?
• Contain the breach
• Suspend the process/activity that caused breach
• Retrieve records
• Notify
• Individuals whose privacy was breached
• University Secretariat will notify IPC if required

39
Preventing Future Breaches

• Educate staff about the privacy rules and privacy
  regulations
• Ensure staff is aware of the consequences of a
  privacy breach
• Each person is accountable for personal
  information in their custody
• Staff should err on the side of protecting
  privacy
• Or should they? E.g. Virginia Tech.
• Staff should contact the program manager and/or
  University Secretariat for advice

40
Risk-based Prioritization

• Privacy planning is more effective if approached
  from a risk management perspective than a legal
  compliance perspective
• Risk management permits the efficient allocation
  of resources
• In contrast, legal compliance requires the
  allocation of resources to all compliance issues
  regardless of risk
• Contact the Secretariat about available
  assessment options

41
Risk Map
1
3
Action not yet started No progress
reported Moderate progress reported Evidential
progress reported Action successfully completed
2
4
DefaultRisk Tolerance Line
42
Summary

• Periodically review/audit and ensure appropriate
  processes and practices are in place re
  collection, use, disclosure, retention and
  disposal of personal information
• E.g. Do we really need SINs? How long do we
  really need to retain resumes?
• Build in privacy
• Design collection processes to limit and protect
  personal information
• Put system in place to update Secretariat when
  new information is being collected or shared so
  we can advise on making it FIPPA compliant
• Rule of thumb
• Data minimization!

43
Lessons Learned contd

• Know where your personal information is
• Conduct personal info inventory, including
  portable computing storage devices and paper
  records
• Say what you do with personal information
• Post clear notices of privacy practices on Web
  sites, in offices, and whenever collecting
  personal info
• Do what you say in managing personal information
• Monitor compliance with laws and policies,
  including content monitoring of Web sites and
  e-mail
• Consider implementing Clean Desk / Clean Drive
  policy

44
Case 5

• Should I create a record?

45
Ask

• Is there an operational need to create a record?
• What does the record need to say/contain?
• What does the record NOT need to say/contain?
• Who should create / hold / access the record?
• How are drafts / copies tracked and final version
  identified?
• How are retention and destruction addressed?
• See also Note-taking tip sheets

46
Things To Take Away

• Secretariat is coordinating FIPPA-related
  processes
• Secretariat is contact-point for specific
  concerns
• Secretariat will share information through
  Liaison Network

47
Questions?

• Chris Graves
• University Records Management Coordinator
• Phone 519-824-4120 Ext. 56103
• Fax 519-767-1350
• Emailc.graves_at_exec.uoguelph.ca