Presentation by Mark Grady, Vancouver Island University, June 13, 2012

The purposes of this Act are to make public bodies more accountable to the public and to protect personal privacy by
(a) giving the public a right of access to records,
(b) giving individuals a right of access to, and a right to request correction of, personal information about themselves,
(c) specifying limited exceptions to the rights of access,
(d) preventing the unauthorized collection, use or disclosure of personal information by public bodies, and
(e) providing for an independent review of decisions made under this Act.

FIPPA does not apply to:
- Teaching materials or research information of faculty members, teaching assistants, research assistants or other persons teaching or carrying out research at a post-secondary educational body**
- A record of a question that is to be used on an examination or test
- Material placed in the archives of a public body

Responding to FIPPA access requests

- Duty to assist applicants and to respond openly, accurately and completely
- 30 business days to respond to the request
- Must provide a written response confirming the reasons for refusing access to all or part of the records and the exception(s) to disclosure on which the refusal is based

Mandatory exceptions to disclosure

- Third party personal information where disclosure would be an unreasonable invasion of a third party’s personal privacy
- Confidential third party business information where its disclosure would significantly harm a third party’s business interests

Discretionary exceptions to disclosure

- Disclosure of information that would reveal advice or recommendations developed by or for the university
- Disclosure of information that could reasonably be expected to harm the university’s financial or economic interests
- Disclosure of information that is subject to solicitor-client privilege

Common access requests received by universities

- Media requests for employees’ salary and travel expense information
- Unsuccessful job applicants or service providers
- Disciplined or dismissed employees seeking investigation and decision information
- Employees who disagree with decisions about other employees or students
- Students disciplined or expelled from the university
- Contracts with service providers/companies to provide services

Lessons learned from FIPPA access requests:

- Record information in an objective, professional manner
- Avoid adding information about your personal life in business emails
- Retain records for appropriate time periods
- Destroy records at the end of established retention periods, and outdated drafts as soon as possible
- Conduct a reasonable search for responsive records

FIPPA privacy protection obligations and requirements

“A pernicious yet enduring myth is that privacy matters only to those who have something illegal or wrong to hide. Most of us have nothing to hide, yet still attach great value to our individual privacy. Privacy matters because we all have the right to maintain a private life, separate and apart from our public life. We negotiate our identity in the world and choose to share pieces of ourselves with those we trust.”
David Loukidelis, former B.C. Information and Privacy Commissioner, March 2008

Under FIPPA, all VIU staff members, service providers or contractors, and volunteers have an obligation to protect personal information contained in records in the university’s custody or under its control. A best practice is to treat other people’s personal information as if it were your own.

The privacy (data or personal information) protection minimum standards or requirements in BC’s FIPPA are based on ten internationally accepted fair information practices.
Collection

A key principle: if you don’t need it, don’t collect it. Reduce the risk of unauthorized access, use or disclosure by minimizing the type and amount of personal information you collect.

What authority do you need for collection? The most relevant authorities are:
- Authority under an Act (the University Act): necessary to provide educational programs and related services
- Relates directly to and is necessary for a VIU program or activity
- With the individual’s informed consent**
- Reducing the risk that an individual will be a victim of domestic violence**

Method of Collection

You must collect personal information directly from the individual the information is about unless:
- the individual authorizes another method or source of collection
- collection is necessary for medical treatment of the affected individual, who is incapable of providing consent
- collection is for the purpose of determining suitability for an honorary degree, scholarship, prize, bursary or similar honours or awards
- collection is for collecting a debt or fine
- the information is about an employee and the collection is necessary for managing or terminating the employment relationship**

Notification

What information must be included in the notification?
- the purpose of collecting it;
- the legal authority for collecting it; and
- the name and contact information of a VIU employee who can answer the individual’s questions about the collection

When is notification not required?
- when the information is about a law enforcement matter;
- when the information is collected by observation at a public event at which the individual voluntarily appears**;
- where it is reasonable to expect that notification to an employee would compromise the availability or accuracy of the information, or an investigation or a proceeding related to the individual’s employment**

Accuracy and Completeness

If an individual’s personal information will be used by or on behalf of the public body to make a decision that directly affects the individual, the public body must make every reasonable effort to ensure that the personal information is accurate and complete.

Right to request correction

An applicant who believes there is an error or omission in his or her personal information may request that the head of the public body that has the information in its custody or under its control correct the information.

Retention

Personal information must be retained for at least one year if the information has been used to make a decision that directly affects the individual.

Security

FIPPA requires public bodies to protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.

“Reasonable security arrangements” are those that a fair, rational person would think were appropriate to the sensitivity of the information and to the medium in which it is stored, transmitted, handled or transferred.
January 2012: University of Victoria break-in and privacy breach

Prohibition on storage of personal information outside Canada, or access to it from outside Canada

Use of Personal Information

A public body may use personal information for:
- the purpose for which that information was obtained or compiled (and the purpose should have been confirmed in the collection notification);
- a use consistent with that purpose (the new use has a reasonable and direct connection to the original purpose and is necessary for performing the university’s statutory duties or for operating a university program or activity);
- a different use where the individual has provided written consent to that use for specific information.

Disclosure of Personal Information

FIPPA authorities that allow universities to disclose personal information:
- where the individual consents to the disclosure of specific information
- where its disclosure is not considered an unreasonable invasion of privacy
- in response to a FIPPA access request
- under an enactment of BC or Canada that authorizes or requires disclosure
- to contact the next of kin or a friend of an injured, ill or deceased individual
- for research purposes where there is a FIPPA research agreement between the university and the researcher
- to a “law enforcement” agency or body (policing, or investigations or proceedings that lead or could lead to a penalty or sanction being imposed)

Procedure for Resolving Privacy Complaints

- Attempt to resolve at the university: address concerns, investigate complaints, provide a written decision
- If unsuccessful, notify the individual of the Information and Privacy Commissioner’s role to independently review university privacy decisions or practices

Privacy Impact Assessment

Until last fall, only provincial government ministries were required to conduct a privacy impact assessment to determine if a current or proposed enactment, system, project or program meets FOIPOP’s privacy requirements.
With the November 2011 amendments, the university now has the same obligation to conduct a privacy impact assessment and to notify the Commissioner where the proposed systems, projects, programs or activities concern a “common or integrated program or activity” or a “data-linking initiative”**