June 13, 2012 - Vancouver Island University

Presentation by Mark Grady
Vancouver Island University
June 13, 2012
The purposes of this Act are to make public bodies more accountable to the public and
to protect personal privacy by
(a) giving the public a right of access to records,
(b) giving individuals a right of access to, and a right to request correction of, personal information
about themselves,
(c) specifying limited exceptions to the rights of access,
(d) preventing the unauthorized collection, use or disclosure of personal information by public bodies, and
(e) providing for an independent review of decisions made under this Act.
FIPPA does not apply to
Teaching materials or research information of faculty members, teaching assistants,
research assistants or other persons teaching or carrying out research at a postsecondary educational body**
A record of a question that is to be used on an examination or test
Material placed in the archives of a public body
Responding to FIPPA access requests
Duty to assist applicants and to respond openly, accurately and completely
30 business days to respond to the request
Must provide a written response confirming the reasons for refusing access to all
or part of the records and the exception(s) to disclosure on which the refusal is
based;
Mandatory exceptions to disclosure
Third party personal information where disclosure would be an unreasonable
invasion of a third party’s personal privacy.
Confidential third party business information where its disclosure would
significantly harm a third party’s business interests.
Discretionary exceptions to disclosure
Disclosure of information that would reveal advice or recommendations developed
by or for the university.
Disclosure of information that could reasonably be expected to harm the
university’s financial or economic interests.
Disclosure of information that is subject to solicitor client privilege
Common access requests received by universities
Media requests for employees’ salary and travel expenses information
Unsuccessful job applicants or service providers
Disciplined or dismissed employees seek investigation and decision information
Employees who disagree with decisions about other employees or students
Students disciplined or expelled from the university
Contracts with service providers/companies to provide services
Lessons learned from FIPPA access requests:
Record information in an objective, professional manner;
Avoid adding information about your personal life in business emails;
Retain records for appropriate time periods;
Destroy records at the end of established retention periods and outdated drafts as soon as
possible
Conduct a reasonable search for responsive records
FIPPA privacy protection obligations and requirements
A pernicious yet enduring myth is that privacy matters only to those who have something
illegal or wrong to hide. Most of us have nothing to hide, yet still attach great value to our
individual privacy. Privacy matters because we all have the right to maintain a private life,
separate and apart from our public life. We negotiate our identity in the world and choose
to share pieces of ourselves with those we trust.
David Loukidelis, former B.C. Information and Privacy Commissioner, March 2008
Under FIPPA, all VIU staff members, service providers or contractors and volunteers
have an obligation to protect personal information contained in records in the
university’s custody or under its control.
A best practice is to treat other people’s personal information as if it were your own
information.
The privacy (data or personal information) protection minimum standards or
requirements in BC’s FIPPA are based on ten internationally accepted fair information
practices.
Collection
A key principle – if you don’t need it, don’t collect it – reduce the risk of unauthorized
access, use or disclosure by minimizing the type and amount of personal information
you collect
What authority do you need for collection? The most relevant authorities are:
Authority under an Act - The University Act - necessary to provide educational
programs and related services
Relates directly to and is necessary for a VIU program or activity
With the individual’s informed consent**
Reducing the risk that an individual will be a victim of domestic violence**
Method of Collection
You must collect personal information directly from the individual the information is about unless
– the individual authorizes another method or source of collection
– necessary for medical treatment of the affected individual who is incapable of providing consent
– collection is for the purpose of determining suitability for an honorary degree, scholarship, prize, bursary or
similar honours or awards
– collecting a debt or fine
– information is about an employee and the collection is necessary for managing or terminating the
employment relationship**
Notification
What information must be included in the notification?
the purpose of collecting it;
the legal authority for collecting it, and;
the name and contact information for a VIU employee who can answer the individual’s
questions about the collection
When is notification not required?
when the information is about a law enforcement matter;
the information is collected by observation at a public event at which the individual
voluntarily appears**;
where it is reasonable to expect that the notification to an employee would
compromise the availability or accuracy of the information, or an investigation or a
proceeding related to the individual’s employment**
Accuracy and Completeness
If an individual's personal information
will be used by or on behalf of the public body to make a decision that directly affects the
individual,
the public body must make every reasonable effort to ensure that the personal information is
accurate and complete.
Right to request correction
An applicant who believes there is an error or omission in his or her personal information may
request the head of the public body that has the information in its custody or under its control
to correct the information.
Retention
Personal information must be retained for at least one year if the information has been used
to make a decision that directly affects the individual
Security
FIPPA requires public bodies to protect personal information by making reasonable security
arrangements against such risks as unauthorized access, collection, use, disclosure or disposal
“Reasonable security arrangements” are those that a fair, rational person would think were
appropriate to the sensitivity of the information and to the medium in which it is stored,
transmitted, handled, or transferred.
January, 2012 University of Victoria break-in and privacy breach
Prohibition on storage of personal information, or access to it from, outside Canada
Use of Personal Information
A public body may use personal information for:
the purpose for which that information was obtained or compiled (and the purpose should have
been confirmed in collection notification);
a use consistent with that purpose (the new use has a reasonable and direct connection to the
original purpose and is necessary for performing the university’s statutory duties or for
operating a university program or activity);
a different use where the individual has provided written consent to that use for specific
information,
Disclosure of Personal Information
FIPPA authorities that allow universities to disclose personal information
where the individual consents to the disclosure of specific information
where its disclosure is not considered an unreasonable invasion of privacy in response to
a FIPPA access request
under an enactment of BC or Canada that authorizes or requires disclosure
to contact the next of kin or a friend of an injured, ill or deceased individual
for research purposes where there is a FIPPA research agreement between the university
and the researcher
To a “law enforcement” agency or body (policing, or investigations or proceedings that
lead or could lead to a penalty or sanction being imposed)
Procedure for Resolving Privacy Complaints
Attempt to resolve at the university – address concerns, investigate complaints, provide
written decision
If unsuccessful, notify the individual of the Information and Privacy Commissioner’s
role to independently review university privacy decisions or practices
Privacy Impact Assessment
Until last fall, only provincial government ministries were required to conduct a privacy impact
assessment to determine if a current or proposed enactment, system, project or program meets
FOIPOP’s privacy requirements.
With the November 2011 amendments, the university now has the same obligation for
conducting a privacy impact assessment and notifying the Commissioner where the proposed
systems, projects, programs or activities concern a "common or integrated program or activity"
or a "data-linking initiative"**