Understanding FIPPA: Fundamentals of Access to Information and Protection of Privacy
This presentation covers the essentials of Ontario's Freedom of Information and Protection of Privacy Act (FIPPA), highlighting the regulations, obligations, and categorizations related to recorded information. It clarifies the distinctions between personal and non-personal information, emphasizing identifiability as a key factor. The overview underscores the importance of complying with laws and guidelines when handling information within institutional settings.
Presentation Transcript
Fundamentals of Access to Information and Protection of Privacy
Office of Risk Management & Access to Information
September 14, 2022
Disclaimer: All content in this presentation is intended for general information only, and should not be construed as legal advice. Remember that, generally, there are exceptions to every rule regarding information access and privacy. Before making a decision on any access/privacy issue, check the current law, including statutes, court decisions, and Orders published by the Information & Privacy Commissioner of Ontario (see https://www.ipc.on.ca/decisions/).
I. Overview of FIPPA
Ontario's Freedom of Information and Protection of Privacy Act ("FIPPA", at https://www.ontario.ca/laws/statute/90f31), plus the two regulations, 459 and 460, which provide details on the application of parts of FIPPA, are concerned with recorded information in all media in the custody or control of an institution which is listed in the Schedule to Ontario Regulation 460, which includes Lakehead University.
FIPPA has virtually NO application to unrecorded information, and imposes NO obligation on the University to create a record where one doesn't exist.
Exception: In light of FIPPA's reference to machine readable records in section 2, an access request may oblige the University to extract digital data from its databases and re-organize it in essentially new records.
FIPPA divides recorded information into two subcategories:
1) records of non-personal, often called "general", information, and
2) records of personal information
Personal Information (section 2(1)): its distinguishing feature is IDENTIFIABILITY.
FIPPA considers information personal if it makes a person identifiable either
1) Directly (by, e.g., use of personal names, addresses, etc.), or
2) Indirectly (by provision of contextual information that could make the individual identifiable, even without naming him or her, to some person or group).
Includes photographic/digital/audio recordings.
It follows that, to the extent that identification is stripped out of personal information, that information ceases to be personal under FIPPA.
FIPPA has 3 MAIN PURPOSES in regulating institutions' treatment of information:
1) To grant to all members of the public (including non-citizens) a right of access to ALL non-personal (general) information in the institution's records (section 10);
This right is limited only by the specific (a) exclusions from jurisdiction and (b) exemptions from disclosure (which have been referred to as carve-outs from the right of total access) declared in the Act.
This mandate of FIPPA is reflected in the "Freedom of Information" half of the Act's title.
FIPPA's 3 MAIN PURPOSES (cont.):
2) To protect privacy (Part III of the Act) by restricting as much as possible the institution's collection, use, disclosure, retention, and disposal of personal information;
The restriction is NOT absolute: certain "carve-outs", i.e. jurisdictional exclusions and exemptions, apply;
This mandate is reflected in the "Protection of Privacy" half of the Act's title.
FIPPA's 3 MAIN PURPOSES (cont.):
3) To provide everyone with a right of access to their own personal information (section 47) in the institution's records;
Including the right to request correction of errors or omissions that an individual believes exist in his or her information;
There are carve-outs from this right as well.
II. University Policy
Lakehead University's Freedom of Information and Protection of Individual Privacy Policy (at https://www.lakeheadu.ca/faculty-and-staff/policies/general/freedom-of-information-and_protection-of-individual-privacy) presents practical application of FIPPA's principles to the University's circumstances.
III. Practice Guidelines: Access to Information
Anyone, even a non-citizen, may request access to any records bearing non-personal, general information in the University's custody or control that does not fall into one of FIPPA's jurisdictional exclusions or exemptions.
There are two ways to access records:
1) Informally: directly from the department having custody of the record(s); or, alternatively,
2) Formally: through an official FIPPA request submitted to the Director of Risk Management and Access to Information.
Every department should have a protocol to determine how to respond to access requests, whether by the informal or formal route. If access is sought to large amounts of information or sensitive information, senior administration should be consulted.
If the informal process is chosen, the usual response is to give the requester copies of the records sought; occasionally it may suffice simply to allow the requester to examine the record in situ.
If you already have a process in place for such access, follow that.
If you have standard fees for the access, you may charge them.
If you don't have standard fees, but want to charge for the search and reproduction service, follow the fee schedule in section 6 of Ontario Regulation 460 at https://www.ontario.ca/laws/regulation/900460.
You do NOT have to provide records bearing non-personal, general information:
1) If that information is already publicly accessible on the University's web-site or elsewhere.
You do NOT have to provide general information:
2) If the record sought is not in the custody or control of the University.
How do you determine if a record is in the University's custody or control?
a) Any records, including email, relating to University employees' duties or to employees' activities on behalf of Lakehead are deemed, as far as the Ontario Government is concerned, to be in the custody or control of the University, whether or not they're kept on University premises or in University email accounts. However,
b) materials kept on University premises or computers and in Lakehead University email accounts - which do not relate to University business - are NOT considered in the custody or control of the University and, so, are inaccessible to access requests unless the holder of the information consents to such access.
How do you determine if a record is in the University's custody or control (continued)?
c) Faculty Members and Academic Freedom: Paragraph 181 in the Order PO-3009-F of the Information & Privacy Commissioner's Office provides the following guidelines for determining whether records in the possession of a university faculty member are in the custody or control of the university (at https://decisions.ipc.on.ca/ipc-cipvp/orders/en/item/133734/index.do):
1. "records or portions of records in the possession of a ... member that relate to personal matters or activities that are wholly unrelated to the university's mandate, are not in the university's custody or control;
2. records relating to teaching or research are likely to be impacted by academic freedom, and would only be in the university's custody and/or control if they would be accessible to it by custom or practice, taking academic freedom into account;
3. administrative records are prima facie in the university's custody and control, but would not be if they are unavailable to the university by custom or practice, taking academic freedom into account."
You do NOT have to provide general information:
3) If the record concerns labour relations, negotiations, or employment related matters (section 65(6)), EXCEPT: a labour/employment agreement/settlement; expense accounts submitted for reimbursement of employment related expenses.
You do NOT have to provide general information:
4) If the record concerns research, whether already conducted or proposed (section 65(8.1)(a)), EXCEPT: the subject-matter and amount of funding being received with respect to a research project (section 65(9)).
You do NOT have to provide general information:
5) If the record consists of teaching materials (section 65(8.1)(b)).
You do NOT have to provide general information:
6) Which consists of plans relating to the management of personnel or the administration of the University that have not yet been put into operation or made public (section 18(1)(f));
You do NOT have to provide general information:
7) Which is subject to solicitor-client privilege (section 19(a));
If you decide not to respond to an access request via the informal route, you should let the requester know that he or she has the right to make a formal Freedom of Information request under FIPPA in accordance with the procedures specified on the web page of the University's Office of Risk Management and Access to Information at: https://www.lakeheadu.ca/faculty-and-staff/procedures/access-to-information/access-requests (involves paying a fee of $5.00 required by FIPPA).
IV. Practice Guidelines: Protection of Privacy
FIPPA regulates the University's treatment of personal information at all points from start to finish, including collection, use, disclosure, management and retention, and disposal.
V. Practice Guidelines: Collection of PI
1) Collection: FIPPA imposes the following constraints upon the University's collection of personal information ("PI"):
a) PI can be collected only if it is expressly authorized by statute, used for the purposes of law enforcement or necessary to the proper administration of a lawfully authorized activity (section 38(2))
1) Collection Constraints (cont.):
b) PI must normally be collected directly from the person to whom it relates (section 39(1))
1) Collection Constraints (cont.):
c) Whenever the University collects PI it must ensure that the collection is covered by a collection notice which informs the person to whom the PI relates of
i. the legal authority for the collection;
ii. the principal purpose or purposes for which the PI is intended to be used; and
iii. the title, business address and business telephone number of a public official who can answer the individual's questions about the collection (section 39(2)).
1) Collection Constraints (cont.):
Example of a Collection Notice (from the Faculty of Engineering Graduate Attributes Survey):
Through the Graduate Attributes Survey, the Faculty of Engineering of Lakehead University seeks to collect information required by the Canadian Engineering Accreditation Board (CEAB) for the evaluation and accreditation of the University's Engineering programs. All personal information collected through this Survey will be used only for these purposes and will be kept otherwise strictly confidential. This information is collected under the authority of sections 12 and 14 of The Lakehead University Act, 1965. Any questions about this collection may be directed to the Engineering Projects Assistant, Faculty of Engineering, Lakehead University, 955 Oliver Road, Thunder Bay, Ontario P7B 5E1. Telephone: (807) 343-8010 ext. 6643.
VI. Practice Guidelines: Use and Disclosure of PI
2) Use and Disclosure: The general rule is that, under FIPPA, all PI (that is, information that makes a person identifiable) in the University's custody or control is protected from access by anyone other than the person to whom it relates. There are, however, exceptions to (carve-outs from) this rule, chief of which are:
Exceptions to Absolute Privacy:
1) If the person consents to the use, disclosure or disposal of his or her PI, but only to the extent expressly granted by the consent.
Exceptions to Absolute Privacy (cont.):
2) Public Records: Section 37 of FIPPA excludes from protection personal information that is maintained for the purpose of creating a record that is available to the general public.
Examples: Employee names, job titles, qualifications, office numbers, University email addresses (of employees NOT students), and University telephone numbers in Lakehead's public directories;
Exceptions to Absolute Privacy (cont.):
2) Public Records (cont.): ONLY IN RELATION TO GRADUATION AND CONVOCATION: the limited PI about the University's students traditionally included in the public record (e.g. convocation program) at convocation.
NB: all of this information is protected prior to the final graduation degree audit!
Exceptions to Absolute Privacy (cont.):
3) Business Identity Information: Section 2(3) says: Personal information does not include the name, title, contact information or designation of an individual that identifies the individual in a business, professional or official capacity.
Exceptions to Absolute Privacy (cont.):
4) Section 2(2) says: Personal information does not include information about an individual who has been dead for more than thirty years.
Exceptions to Absolute Privacy (cont.):
5) Where the PI is used or disclosed for the purpose for which it was obtained or compiled OR for a consistent purpose.
Exceptions to Absolute Privacy (cont.):
6) The Internal Disclosure Rule (section 42(1)(d)): PI may be disclosed to an officer, employee, consultant, or agent of the University who needs the record in the performance of his or her duties and where disclosure is necessary and proper in the discharge of the university's functions.
NB: "Agent" includes representatives and employees of companies or associations who have contracted with the University to provide services (e.g. food services, debt collection), and includes as well the teaching, administrative, and clerical staff of other institutions engaged in collaborative programs with Lakehead University.
Exceptions to Absolute Privacy (cont.):
7) Disclosure to the federal or Ontario governments or their agencies for the purpose of complying with statutes or associated treaties, agreements or arrangements (section 42(1)(e)).
Example: disclosure of data whose submission is mandated by the Ontario and federal governments for enrolment and statistical analysis.
Exceptions to Absolute Privacy (cont.):
8) Disclosure for law enforcement purposes (section 42(1)(g)): Disclosure of PI to an institution or a law enforcement agency in Canada if,
(i) the disclosure is to aid in an investigation undertaken by the institution or the agency with a view to a law enforcement proceeding, or
(ii) there is a reasonable basis to believe that an offence may have been committed and the disclosure is to enable the institution or the agency to determine whether to conduct such an investigation. (section 42(1)(g)).
In such a case, the agency representative must produce written confirmation, with supporting contact information of an official authority within the agency, that such an investigation is underway, or that such a proceeding is likely to occur.
Exceptions to Absolute Privacy (cont.):
9) Disclosure of PI in compelling circumstances affecting the health or safety of an individual if upon disclosure notification thereof is mailed to the last known address of the individual to whom the information relates (section 42(1)(h)).
General Rule: SAFETY ALWAYS TRUMPS PRIVACY!
Exceptions to Absolute Privacy (cont.):
10) Disclosure of PI in compassionate circumstances, to facilitate contact with the spouse, a close relative or a friend of an individual who is injured, ill or deceased (section 42(1)(i)).
VII. Practice Guidelines: Use and Disclosure of PI
Exceptions to Absolute Privacy (cont.):
11) If a person is under 16 years of age, whoever has lawful custody of the child has full access to their PI (section 66(c)) (so, if the child is 16 or older, his/her parents can have access only with, and to the extent of, the child's written consent).
VIII. Practice Guidelines: Security of PI
FIPPA requires everyone responsible for records of personal information to keep them reasonably secure from intrusion and/or damage. So:
a) Ensure that records with sensitive information are not visible to visitors to your office or to anyone else who should not have access to them, whether the records are piled on your desk or apparent on your computer screen;
b) Keep your sensitive hard copy documents in a filing cabinet that can be locked when you are absent;
c) If you have sensitive records in your computer, make sure that you have adequate virus, spyware, and spam protection, and that you back up your records.
d) You should password protect your computer so that only you (and the officer to whom you report) can access it.
e) Make sure that you log out of your computer, or at least out of your applications giving access to sensitive information, if you will be leaving it unattended for any significant period of time, and that you lock the door to your office when you leave.
f) Follow your office protocol for disclosing PI over the telephone. Don't give out PI about an individual unless you are sure
i. The person to whom you are speaking really is who they say they are, and then
ii. That that individual has a right to access the PI they're seeking.
g) Transporting records with PI: Try to avoid taking records bearing personal information out of their secure campus locations, but if you have to, make sure that you keep them secure both in their transportation and in their destination:
g) Transporting records with PI (cont.): There are horror stories about laptop computers full of personal information stolen from cars or hotel rooms (an egregious example: a physician's laptop which was carrying the personal health information of some 2900 patients from the Hospital for Sick Children in Toronto; see http://decisions.ipc.on.ca/ipc-cipvp/phipa/en/item/135025/index.do).
The best practice when transporting sensitive records in such portable data storage devices is to encrypt them; passwords don't offer sufficient protection. Contact TSC for further information.
g) Transporting records with PI (cont.): Both your hard copy documents and portable data storage devices should be locked in your car trunk, not left in the cabin, which can be easily broken into. No records of personal information should be left in a vehicle overnight.