Access and Privacy in British Columbia

					              Access and Privacy
              in British Columbia
B.C.’s Freedom of Information and Protection of Privacy Act

            Kash Basi, A/Manager, Strategic Privacy Initiatives
         Joanne Gardiner, Senior Legislative and Policy Analyst

                Knowledge and Information Services Branch
    Office of the Chief Information Officer, Ministry of Citizens’ Services

                             February 8 2010
                          Today’s Agenda
    • Introductions
    • Coffee break
    • An overview of the Freedom of Information and Protection of
      Privacy Act (FOIPP Act) including:
          an examination of requirements governing the right of access (FOI
          request process, exceptions to disclosure and severing)
          an examination of requirements related to the protection of personal
          information (collection, use, disclosure, retention and security)
          the underlying principles of transparency and privacy; how to balance
          these fundamental concepts; and tools to aid public bodies
          time permitting, issues in the Information Age & Social Media
    • Session intended to be interactive, flexible and informative
    • PowerPoint will be made available
        Knowledge and Information Services Branch
    •   Information Services
            Governance with regard to: privacy, legislation, information sharing,
            Responsible for the Freedom of Information and Protection of Privacy
            Act (FOIPP Act), Personal Information Protection Act (PIPA), Document
            Disposal Act (DDA), and Electronic Transactions Act (ETA) and all
            policy, standards and directives that flow from them.
            Leadership support and services to government and other public
            bodies to assist them in complying with their privacy and access
    •   Knowledge Services
           OCIO Policy
           Research Services provided across government
           Evaluation Support
           Accompanying education and training

    Information and Privacy Commissioner
• Information and Privacy Commissioner is an independent Officer of
the Legislature
• Paul Fraser is B.C.’s interim Information and Privacy Commissioner
• The Office of the Information and Privacy Commissioner (OIPC):
     conducts reviews and investigations to ensure compliance with
   the FOIPP Act
      mediates FOI disputes
     comments on FOI and privacy implications of proposed legislative
   schemes or public body programs

                 Federal Commissioners
    Privacy Commissioner (Jennifer Stoddart):
       An Officer of Parliament who reports directly to the House of
       Commons and the Senate oversees compliance with federal
       privacy legislation

    Information Commissioner (Suzanne Legault - interim)
       An independent Officer of Parliament who investigates
       complaints from people who believe they have been denied
       access to information from federal institutions

 Introducing the ‘Automated Response System’

Voting Tool Technology brought to us by the BC Government’s
              Workplace Technology Services
    Are there privacy implications to a tool like this?
         1. Yes

         2. No

         3. Unsure

    There is no tracking of the hand held devices.
    No information that may be linked to an
     identifiable individual will be collected.
    Like entering your PIN # at a bank machine
      feel free to shield what you enter to ensure
      your responses remain private.

Can you feel secure that our votes are anonymous?

    1. Yes

    2. No

    3. Unsure

              Where are you from?

     1.   Victoria
     2.   Vancouver
     3.   Other place in BC
     4.   Other province in Canada
     5.   Outside Canada

 What do you personally work on much of the day?

     A.   Access
     B.   Privacy
     C.   Both equally
     D.   Neither/not applicable

 How long have you worked
 in Access/Privacy?
     1. 1 year or less
     2. >1 – 6 years
     3. More than 6
     4. Not working in

                   FOIPP Act is distinct from
           B.C. private sector and federal legislation
Freedom of Information and Protection of Privacy Act (FOIPP Act)
public sector access and privacy legislation; applies to “public bodies” in B.C.
Personal Information Protection Act (PIPA)
private sector privacy legislation; applies to “organizations” (more than just
businesses) in B.C.
Personal Information Protection and Electronic Documents Act (PIPEDA)
applies to federal works, undertakings or businesses (banks, airlines, and
telecommunications companies) applies to the collection, use and disclosure of
personal information in the course of a commercial activity and across borders.
Canada’s Access to Information Act and also the Privacy Act
are the federal equivalents to the BC FOIPP Act (access and privacy
obligations for federal government institutions and the federally regulated)
         Purposes of the FOIPP Act (s. 2)
      “make public bodies more accountable to the public and to
       protect personal privacy by”
     1. giving the public a right of access to records
     2. giving individuals a right of access to, and a right to request
         correction of personal information about themselves
     3. specifying limited exceptions to the rights of access
     4. preventing the unauthorized collection, use or disclosure of
         personal information by public bodies and
     5. providing for an independent review of decisions made
         under this Act.

The FOIPP Act does not necessarily apply to:
     1. Ministry of Finance
     2. Office of the Premier
     3. Vancouver Island Health
     4. Canadian Bar Association
     5. City of Victoria
     6. College of Physicians and
        Surgeons of BC

                Coverage of the FOIPP Act
                  all records
                  in the custody or under the control
                  of a public body
     There are numerous B.C. public bodies covered including
     government ministries, colleges, universities, school boards,
     hospitals, health boards, governing bodies of professions,
     municipalities, regional districts and police boards.

         Coverage of the Act - Public Bodies
     Applies to the public sector in BC:
     Ministries of the Province, Crown Corporations,
     Agencies, Boards, Commissions
     Local public bodies (local government bodies, health
     care bodies, municipal police and educational
     Governing bodies of professional organizations
     (e.g., teachers, doctors, nurses, lawyers, engineers)

       Coverage of the FOIPP Act – Records
     A public school videotapes its campus 24 hours a
     day, seven days a week
     • There was an incident on the grounds and the local media
     applies for a copy of the tape at the time of the incident

     Is the FOIPP Act applicable?

Which of the following is not a “record” under
               the FOIPP Act?

     A.   Photograph
     B.   Map
     C.   Voicemail message
     D.   Videotape
     E.   All are records

                   What is a “Record”?
     A “record” is any information recorded or stored by any means
     whether in hard copy or in electronic format

     This includes books, documents, maps, drawings, photographs,
     letters, e-mails, telephone records, black books, vouchers,
     papers, etc...

         What Does “Custody” Mean?
     Physical possession of the record
     May not be responsible for the actual content of
     the record
     Responsible for providing access to and security
     of the record
     Responsible for managing, maintaining,
     preserving and disposing of the record

     What if the Public Body Doesn’t Have Custody?
 • Municipal Council hires a private consultant to prepare a
   report to analyze use of vending machines in the city
 • Council implements changes based on the report
 • General request is received under the FOIPP Act for a copy
   of the report but a copy cannot be found in the Municipality’s
 • Can the Municipality argue it doesn’t have a copy of the
   record, only the consultant has custody (and the consultant
   is not covered by the FOIPP Act)?
            What Does “Control” Mean?
• Control means:
     Authority to manage, restrict, regulate or administer the use
     or disclosure of a record
• Indicators of control are that the record:
     was created by an employee of a public body,
     was created by a consultant for the public body,
     is specified in a contract,
     is subject to inspection, review or copying by the public
     body under contract.

   Access to Information
Freedom of Information
               Overarching Purpose
     “the overarching purpose of access to information
     legislation, then, is to facilitate democracy. It does so in
     two related ways. It helps to ensure first, that citizens
     have the information required to participate meaningfully
     in the democratic process, and secondly, that politicians
     and bureaucrats remain accountable to the citizenry.”
                    Justice Laforest, in a landmark Supreme Court of Canada
                                               decision in Dagg vs. Canada

               A Change of Culture
     A Culture of Openness
     Increased transparency
     Alters how public bodies handle information
     Common sense (What if it were my information?)
     Not to replace other existing methods of access
     (except for personal information)
     Avenue of last resort

                Right of Access
 The public has a right to request access to any record
   in the custody or control of a public body (s.4)
        Includes the right to seek access to personal
      information whether in case file, or elsewhere
      (e.g. email and memos)
 BUT right of access limited by exceptions to disclosure
      (s.12 – 22.1)

Which is not a FOIPP Act provision?
     1. A request must be in writing
     2. Applicant can ask to
        examine a record instead of
        getting a copy
     3. Applicant’s request must be
        narrow enough that public
        body can process it without
        unduly interfering with
     4. Applicant must provide
        proof of authority if making
        a request for another
     What form
     of written
     request is

What form does a written FOI request need to take?
     • Applicant handwrites a letter to the public body providing
       his name and address, and stating the following:
     “Give me a copy of John Smith’s Report dated June 1, 2007”
     • Applicant fails to use the public body’s FOI request form or
       even cite the FOIPP Act?
     • What are the public body’s obligations?

 The Request Process (s.5)
 The applicant:
     Must make a written request
     Must provide sufficient detail to identify record sought
     May ask for a copy or to examine record
     Must provide proof of authority if acting for another person*
        persons under 19 years of age
        persons who have committees
        deceased persons
                             * See also s. 3 of the FOIPP Regulation
          Parents, Children and FOI
• School Counsellor interviews an 18 year old girl

• Her mother (separated from her spouse) makes an
FOI request for the interview notes
• Mother produces a Court Order saying she has
     Are the daughter’s age and capabilities relevant?
      Duty to Assist (s.6)
• Positive duty in law to ensure that requests are responded
         to “openly, accurately and without delay”
• The requirement to create records
• If there are no records, advise applicant:
       other sources for the records
       other available records that are similar to what the
       applicant has requested.
Transfers – sometimes the public body can transfer a
request to another public body (see s.11)

     Which is NOT true RE: FOIPP Act timelines:
     A. Public body can unilaterally
        take some time extensions
     B. Public body generally has 30
        calendar days to respond
     C. The Commissioner can grant
        extension for any reason if fair
        and reasonable
     D. Issuing a fee will stop the clock

                  Timeline for Responding
•A public body has 30 business days to respond to a request (s. 7)

•A public body may extend the timeline for responding by 30 days if (s. 10):

      1. a large number of records has been requested or must be searched;

      2. there is not enough detail to enable the public body to identify the
         record; OR

      3. more time is needed to consult with a third party or other public body

•Further extensions may be granted to the public body
 for one of the above 3 reasons, by the OIPC

     Other ‘Fair and Reasonable’ Extensions
Although a request is simple (no volume, detail or
consultation concerns), the public body is struggling to meet
FOI timelines because of some unexpected circumstances:

                 s.10(2)(b) of the FOIPP Act
              “fair and reasonable” extensions
                                    …consider the following...

      Which likely doesn’t warrant a ‘fair and
      reasonable’ extension from the OIPC?
     1. Fire damage closes a building housing
        responsive records
     2. Shortage of FOI staff because of national
     3. A labour strike including FOI staff
     4. An earthquake prevents access to records in
        storage areas

Recognize an FOI request
immediately and forward it to the
person designated to handle it
          Disregarding Requests (s. 43)
     The Commissioner may authorize a public body to
               disregard requests that:

     • Would unreasonably interfere with the operations
       of the public body because of their repetitious or
       systematic nature


     • Are frivolous or vexatious
     Creative FOI
                                                Manchester rockers
                                                performed a song in front
                                                of dozens of the CCTV
                                                cameras in Britain, then
                                                made FOI requests for
                                                the tapes thereby saving
                                                the cost of video
                                                They then cut the tapes
                                                into their video (not all of
                                                the footage is from
                                                surveillance cameras, but
                                                most is)
                   ‘Third Party’ Notices
What is a ‘third party’?:
person or organization other than the FOI applicant or the public body

A public body:
  must give notice if it intends to give access and harm to either business
interests or personal privacy (section 21 or 22)
“might” apply
  may give notice if it does not intend to give access

     Notice goes to third party and applicant
     Timelines set out in Act (sections 23 and 24)
     OIPC assists in resolution of access disputes

     • Fees may be charged for locating, preparing,
     handling, and copying records
     • Cannot charge fees for:
          Applicant’s own personal information
          First 3 hours of search for records
          Time spent severing a record
     • Written estimates must be provided
     • Applicants may request a fee waiver
     • Fees prescribed by regulation

     Fees: how
     much is too

     fees versus

        (At right:
      $372,799 fee
     issued in U.S.)

     Applying Exceptions to Disclosure
     Must release unless an exception applies
     (there are limited exceptions to disclosure)

     Two types of exceptions:

               Mandatory and Discretionary

     Mandatory Exceptions
The head must not release requested information:

     • Section 12: Cabinet confidences

     • Section 21: Third party business information

     • Section 22: Unreasonable invasion of
                   another person’s personal privacy

     • Section 22.1: Related to abortion services

 Which can’t be your personal
        information?
     A. A photograph of you
     B. Your name
     C. Your opinion of someone else
     D. Your blood-type
     E. Your address

         What is “Personal Information”?
     “Personal information” means recorded information about an identifiable
                    individual other than contact information”
        (Schedule 1 definition in the FOIPP Act)
 Examples of your personal information:
 • Your race, national/ethnic origin, skin colour
 • Your religious or political beliefs or associations
 • Your age, sex, sexual orientation, marital status
 • Your fingerprints, blood type, DNA information, biometrics
 • Your health care, educational, financial, criminal, employment history
 • Your opinion unless it is your opinion about someone else

     Applying s. 22 (personal privacy)
 Three-part test:

 1. Is it personal information?
 2. Whose personal information is it?
 3. Would disclosure be an unreasonable invasion
    of a third party’s personal privacy?

              Would Disclosure be an
         Unreasonable Invasion of Privacy?
1. Covered by 22(4) - Not unreasonable – RELEASE
2. Covered by 22 (3) – Presumed unreasonable but…
3. Must consider 22 (2) factors:
      if weigh in favour of disclosure – RELEASE
      if weigh in favour of protection – DENY
4. Sections 22(3) and 22(2) not exhaustive – consider relevant circumstances.
5. If denying access to applicant’s own personal information, can a summary
   be provided? – see 22 (5)
                 s.22 (3)(b) of the FOIPP Act
 Hospital employee makes a complaint about a Doctor.
 Hospital Management investigates and an investigation report
    is prepared
 A meeting takes place with the Doctor and notes and minutes
    are prepared.
 Employee makes an FOI request for all these records.
     Does s.22(3)(b) apply?
     What, if anything, can be released?
         Discretionary Exceptions
The head of a public body may refuse to disclose
 requested information
Two parts to applying a discretionary exception:
   Does the exception apply?
   Exercise discretion

Which is not a factor in exercising discretion?
 1. Age of the record
 2. Cooperation of the
 3. Historical practice
 4. Whether disclosure
    would increase public
 5. Nature of record

             Exercising Discretion
     •The purpose of the Legislation
     •Balance of interests (what is purpose of exception)
     •Historical practice
     •Nature of the record
     •Will disclosure increase public confidence?
     •Age of the record
     •Sympathetic or compelling need
     •Previous orders

              Discretionary Exceptions
     local public body confidences (section 12)
     policy advice or recommendations (section 13)
     legal advice (section 14)
     law enforcement (section 15)
     disclosure harmful to intergovernmental relations
          (section 16)
     disclosure harmful to financial or economic interests of the public body
     (section 17)
     disclosure harmful to conservation of heritage sites (section 18)
     disclosure harmful to individual or public safety
     (section 19)
     information to be released in 60 days (section 20)

     Embarrassment is not an exception to disclosure

       Tips in Processing FOI Requests
     Maintain good communication with the
     applicant, your program areas and those
     involved in the ‘signing off’ of releases

     Consider a ‘staged’ release of records

     Raise awareness of legislated timelines and
     other requirements in the FOIPP Act

      Public Interest Paramount – s. 25
Overrides any other provision of the Act:
       Whether or not request for access made
       Must release information, without delay
       To the public, affected group or applicant
       Information about a risk of significant harm to
     environment or health or safety of the public or a
     group of people; or other disclosure which is, for any
     other reason, clearly in the public interest.
     Which of the following does
     the FOIPP Act not do?
     1. Define “public body”
     2. Establish the powers of the
        Office of the Information &
        Privacy Commissioner
     3. Ensure private organizations
        protect the privacy of
     4. Govern access and privacy

Protection of Privacy
To protect personal privacy by
preventing the unauthorized
collection, use, or disclosure of
personal information by public bodies.
                  What is ‘privacy’?
 •It is not defined in the Freedom of Information and Protection
 of Privacy Act (FOIPP Act), the Personal Information
 Protection Act (PIPA), or any legislation in Canada
 •Different types of privacy:
      physical, spatial, informational
 •None of the statutes define “privacy” but they aim to
 achieve it with rules on how personal information may be
 collected, used and disclosed

     Pizza Delivery in the 21st Century
        Created by the American Civil Liberties Union

     benefits of

         “right information to the right person
        at the right time for the right purpose in
                       the right way”

     The foundation of privacy laws
•‘Informational self-determination’
     Individuals’ personal information is their own
     to the extent possible, individuals control
     how their personal information is collected,
     used and disclosed
•This is reflected in a Code of Fair Information

The Code of Fair Information Practices includes:
     A. Personal information shall be accurate,
        complete and up-to-date
     B. Personal information shall be protected by
        security safeguards
     C. Retain personal information only as long as
        is necessary
     D. All of the above
FAIR INFORMATION
     • Understands purpose of Program and use of their information
     • Knows who to contact for queries re: collection/use
     • Directly provides personal information
     • Has access to own personal file
     • Can request corrections and up-dates to own information
     • Authorises indirect collection of personal information
     • Understands and consents to record linkages
     • Is protected from un-authorised access/disclosure of personal information
     • Information is only retained for as long as is necessary
     • Only provides information that is necessary to the program

Collection of Personal Information (s.26)
1. Public body wants to introduce fingerprint-readers at
   all building access points
2. Public body wants to collect personal information
   which might be handy in the future. It ensures it only
   collects information from those who have signed
   informed consents
Which of the following does NOT authorize a public body
            to collect personal information?
           A. The collection is expressly
              authorized under the Act
           B. The individual has consented
              to the collection
           C. The information is collected for
              law enforcement purposes
           D. The information relates directly
              to and is necessary for an
              operating program or activity

Collection of Personal Information (s.26)
     • Key to protecting privacy
     • Personal information can only be collected if:
          Authorized under an Act
          For law enforcement
          If related directly to and necessary for an operating program or activity
     • Consent is not an authority for collection
How Personal Information is Collected (s.27)
  • Information must be collected directly from the individual, except in
    limited circumstances.
  • Must notify the individual of the purpose, the legal authority, and who to
    contact with questions, except in limited circumstances.

     Use of Personal Information (s. 32)
 Public body has already collected employee home addresses
 for tax purposes and now wants to use the information to send
 employees birthday cards.
 Public body wants to use student email addresses to canvass
 students for suggestions to improve registration services.

Which of the following does NOT necessarily authorize a
       public body to use personal information?

         1.   For a use which can reasonably be
              expected to protect the public body’s
              financial interests
         2.   For a use consented to by an individual
         3.   For a use different from but consistent with
              original purpose of collection
         4.   For a purpose for which that information
              may be disclosed to that public body

      Use of Personal Information (s.32)
A public body may only use personal information:
     • For the purpose for which it was obtained or compiled, or for a
       consistent purpose.
           A consistent purpose (s.34):
               has a reasonable connection to the original purpose, and
               is necessary to perform the duties of, or for operating a
               legally authorized program, of the public body;
     • If the individual has consented to another use; OR
     • For purpose for which the personal information has been disclosed to
       it under the Act.

       Disclosure of Personal Information
               (ss. 33, 33.1, 33.2)

     An individual calls your office claiming that he is a
     police officer and wants to know the home address
     of one of your employees?
                    What do you do?

Which of the following is NOT an authority for a
public body to disclose personal information?
     A.   In accordance with an enactment of BC or
          Canada that authorizes or requires the
     B.   For purposes of collecting amounts owing to the
          govt of BC
     C.   To a government outside Canada for the
          preservation of intergovernmental relations
     D.   For research or statistical purposes
        Disclosure of Personal Information
                       (ss. 33, 33.1, 33.2)
 •   Disclosure only permitted in limited circumstances, for example:
        For the purpose for which was obtained or compiled or a consistent
        If an enactment authorizes disclosure
        To comply with a subpoena, warrant, or order
 •   Inside versus outside Canada
 •   Disclose based on the principles of ‘need to know’
        limit distribution (who needs to know)
        limit content (what do they need to see)

                             Disclosure for
                             Research Purposes
                             (s. 35)

     Disclosure for
     Archival or Historical Purposes
     (s. 36)

     What if there were no individual privacy rights?
         Joe applies to a public body for entrance into a highly competitive
         Joe provides certain educational information and personal references
         in support of the application
         Acceptance to the program is denied and Joe has no idea why
         Two weeks later, Joe contacts the public body to follow up and wants
         to see the information written down about him in the application
         process (because he thinks an error may have been made)
         The public body tells Joe it based its decision on the information it
         had in its file, but has since destroyed the file – and by the way, “feel
         free to apply next year”.

FOIPP Act does not require a public body to:

     1. Retain Joe’s personal information for at least 1 year
     2. Make efforts to ensure Joe’s personal information
        is used in a “fair and reasonable” way
     3. Allow Joe to seek “correction” of his personal
     4. Make “every reasonable effort” to ensure Joe’s
        personal information is accurate

        Accuracy & Completeness (s.28)
 If:
       personal information is in the custody and under the
       control of a public body, and
       will be used by or on behalf of the public body to make
       a decision that directly affects the individual,
 then the public body must make every reasonable effort to
 ensure that the personal information is accurate and complete.

 Individual has right to request correction of
         personal information (s.29)
     If correction not made, annotation is required
     Assume what you write will be viewed by the individual
     Ensure language is clear and understandable
     Avoid jargon and labels – be objective
     Section 29 applies to factual errors or omissions in personal
        information, not to expressions of judgement
     Section 29 does not function as an avenue for appeal

                    Retention (s.31)
     • Must retain personal information for at least 1
       year if it was used to make a decision that
       directly affects the individual; so the individual
       has a reasonable opportunity to access it
     • This is a minimum requirement:
       ensure that you also meet any other applicable
       legal and policy requirements

         Management of Personal Information
  Ensure you have authorities for collection, use and disclosure of personal
information before you implement an initiative, and consider all the potential
impacts on privacy
     Limit use to original purpose or consistent purpose
       (beware of “scope creep”/ “function creep”)
  Limit disclosure and data-sharing with
the need-to-know principle

  Set strict policies for security, retention
and destruction of personal information
from the outset, not as an afterthought …

Privacy and Security
Which is not a FOIPP Act provision ?
      1. Security arrangements must be proportional to the
         sensitivity of the personal information
      2. Security arrangements must include physical,
         technological and organizational measures
      3. Security arrangements must protect personal
         information throughout its lifecycle
      4. Security arrangements must include a “security
         access matrix”
      5. None of the above are FOIPP Act provisions.

     FOIPP Act: security requirements
 • A public body must make “reasonable security arrangements” to
 protect personal information (s.30)
 • Should be appropriate and proportional to the sensitivity of the
 personal information
 • Safeguards should include:
       Physical measures (e.g. locked file cabinets, restricted access to
       Technological measures (e.g. user IDs, passwords, encryption)
       Policy measures (e.g. ‘clean desk’ policy)

Privacy Breaches
A privacy breach can affect any
organization, even if it has good
privacy and security practices.
Are you ready for a privacy breach and
do you know what to do when one
•Government’s ‘Policy and Procedure for Public Bodies Responding to
Privacy Breaches’
http://www.cio.gov.bc.ca/services/privacy/default.asp

     Ministries must follow; other public bodies are advised to follow
     Most directly deals with loss or theft but applicable to all privacy breaches

•OIPC’s resources on how public bodies should respond to privacy

       It’s better to prevent a privacy breach
                   in the first place!
     Prevent breaches through compliance with the FOIPP Act, for example:

       Reasonable security arrangements (including physical, technical and
     policy measures)
       Awareness of the disclosure authorities and other provisions of the
     FOIPP Act
       Reasonable policy and procedures for disposition of personal information
     (not selling old hard-drives; etc) ...

     Protect personal information throughout its lifecycle
     (e.g. storing inactive records, destroying records –
                   certificate of destruction)

                   When things go wrong!
•Inadvertently fax medical records to a newspaper which just so happens to be on the
doctor’s fax machine speed dial.

•Store your law firm’s files, awaiting pick up for shredding, in an unlocked storage bin in
a back alley, where they are captured on videotape blowing down the alleyway.

•Put a national bank’s un-wiped hard drives, containing detailed financial information
on clients, up for sale on the web.

•Permit janitor to dispose of old hospital records by lighting a bonfire on a public beach,
at the same time a ferry passes by, sending waves onto the beach that put out the fire
and wash the half-burned records down the shoreline of B.C.

•Accidentally email an AIDS patient list, including their addresses, to more than 800
unauthorized recipients.

 Privacy and the administration of personal
                information
     • new initiatives involving personal information may be
     regularly considered by public bodies
     •public bodies have millions of documents of personal
     information, on paper, in databases, on laptops, etc.
     •Information may be regularly provided to other public
     bodies or organizations
     What tools are available to keep track of this information
     and ensure it is administered appropriately?
     Privacy Tools

Which is not a commonly used privacy tool?

       1. Privacy Impact Assessment (PIA)

       2. Privacy Review Order (PRO)

       3. Information Sharing Agreement (ISA)

       4. Privacy Protection Schedule (PPS)

             When to do a PIA?

     •any time personal information will be
     collected, used, disclosed (shared),
     retained or stored
     •for any new or significantly amended
     program, project, system, legislation,
     technology, or other initiative

 PIA Process and Template:


                       Benefits of PIA
     •If used as part of normal business processes, the PIA can
     ensure that privacy requirements are identified and satisfied in
     a timely and cost efficient manner.
     •PIA process is also designed as an educational tool –
     participating in privacy impact assessments promotes privacy
     •The PIA can make the difference between a privacy invasive
     and a privacy enhancing initiative, without compromising
     business objectives or adding significant costs.

        Information Sharing Agreement (ISA)
     ISA documents the terms and conditions of the exchange of personal
          information in compliance with the provisions of the FOIPP Act and
          any other applicable legislation.
     ISA is normally used where there is a regular and systematic exchange
          between public bodies; and between public bodies and external
          organizations
        Information Sharing Agreements
     ISA Best Practices / Guidelines:
     http://www cio gov bc ca/legislation/best practices/privacy/guidelines isa pdf

     ISA template:

         Privacy Protection Schedule (PPS)
     •   PPS attached to contracts with service providers (contractors)
     •   PPS ensures high privacy standards are maintained for personal
         information held by those performing services for public bodies
     •   Mandatory for ministries; recommended for other public bodies
                        Privacy Protection Schedule (PPS)
     PPS Information, including separate forms for ministries and other public
       bodies, at:

Privacy in the Information Age
            The Information Age is...
      “…the global economy's shift in focus away from
      the production of physical goods (as exemplified
      by the industrial age) and towards the
      manipulation of information.”
                             (‘Information Age’ – Wikipedia)
      “... noted for the abundant publication,
      consumption, and manipulation of information,
      especially by computers and computer networks.”
                                            (Answers.com)
      The Internet is Central to the Information Age
      Personal Information Can Be Distributed Like Never Before
                                           In 2002, classmates found Quebecois
                                           high school student’s video of himself
                                           wielding a golf ball retriever like a Star
                                           Wars light-saber.

                                           By 2007, video viewed an estimated
                                           900 million times, making it then the
                                           most popular “viral video”.

                                           It resulted in a harassment law suit and
                                           out-of-Court settlement.

                                           It spawned many spoofs on television,
                                           including episodes of Arrested
                                           Development, Cory on the House,
                                           South Park and American Dad.

                    Privacy & the Internet
   Many public bodies are now trying to follow the lead of the private sector in
 using Web 2.0 (e.g. sites such as Facebook and You Tube) for business
 purposes (e.g. for awareness building, other messaging, recruitment)

    Public bodies need to be sure they have appropriate legislative authority
 to use these sites, and that they consider all the privacy implications of doing

    In addition, a public body needs to develop sound and fair policies on how
 to deal with those who use sites set up outside of the public body

      Privacy & the Internet

                           be clear
                           and fair

      Privacy & the Internet

        Social networking and Privacy
•Make informed choices:

       Think about what you put on a social networking site
       Be careful about who you let see the information
       Make informed choices about the social networking site you choose and
       the privacy settings
       Read the site’s privacy policies

•Organizations and public bodies also need to be sure they have appropriate
authority under their legislation, if they use these websites

founder Mark Zuckerberg[‘s] … statement may not be a surprise, particularly since
it helps to justify the company's recent – and controversial – decision to change
the privacy settings of its 350 million users”

Aug 2009 – “Facebook to comply with privacy recommendations: Commissioner”
After a year-long investigation followed by 30 days of negotiations, [Federal] Privacy
commissioner Jennifer Stoddart… announced Facebook will add "significant new privacy
safeguards" to bring the California company into compliance with Canada's private-sector
privacy law.

August 2007 – Google Inc. – In 2007, Canada’s Privacy Commissioner, Jennifer
Stoddart, raised concerns over Google's Street View web photo application. The
federal Commissioner felt many of the street-level images Google is making available on
the internet could break Canada's privacy laws.

September 2007 – Google Inc.’s top voice on privacy said the company is working on
a version of its controversial Street View application that will adhere to Canada's privacy
laws, a move that could pave the way for a new, albeit blurry, way of navigating through
Canadian cities.

                    Privacy & the Internet
“Swiss government expressed its displeasure with how “numerous faces and vehicle
number plates are not made sufficiently unrecognisable from the point of view of data
protection especially where the persons concerned are shown in sensitive locations,
e.g. outside hospitals, prisons or schools.”… Switzerland isn’t alone. Germany, Greece,
Japan and the U.K. have all made their concerns clear”

“Identity theft occurs when a person’s actual identity is stolen and used for a
number of

Short Video on the Basics of:

             The Freedom of
             Information and
             Protection of Privacy Act

               (going back to when the Act
                first came into force: 1993!)

                Useful Links and Resources
•   OCIO:
    - for public bodies, see ‘Freedom of Information and Protection of Privacy -
    Public Sector’ (includes Information Access Operations contacts; Policy &
    Procedures Manual; PIA Process with Template; Contracting link to PPS; etc)

•   The Freedom of Information and Protection of Privacy Act:

•   On-line Training:

       Other Useful links and Contact Information
      •BC Office of the Information and Privacy Commissioner:
      •Federal – Office of the Privacy Commissioner of Canada:
      •BC Provincial Legislation:
              ~ up-to-date and no charge for access ~
      Additional Resource:
            BC Privacy Helpline: (250) 356-1851

         Kash Basi: (250) 952-0747 or email to:

      Joanne Gardiner: (250) 387-8628 or email to:

        Privacy Helpline: (250) 356-1851