1

Access to information and Access to information and Protection of Privacy: Protection of Privacy: Putting the Pieces TogetherPutting the Pieces Together

Chris Graves University Records Management Coordinator

University Access and Privacy Website:http://www.uoguelph.ca/secretariat/privacy.shtml

Policies

Use

Consent

NoticeCollecting

FairPractice

PHIPA

PIPEDAFIPPA

2

Learning ObjectivesLearning Objectives Awareness of different types of legislation/

policies and their impact on access, privacy and recordkeeping at the University

1. What must I do to comply with the new privacy legislation?

2. When can I share information? 3. Should I even be creating a record?

3

Access & Privacy ContextAccess & Privacy Context

University Policies (e.g. RM)

Employee Agreements (e.g. HR)

FIPPA (Public sector) PHIPA (Health sector) PIPEDA (Private sector) MTCU (Universities) Other

4

University Access and Privacy PolicyUniversity Access and Privacy Policy http://www.uoguelph.ca/secretariat/privacy.shtmlhttp://www.uoguelph.ca/secretariat/privacy.shtml

AccountableDisseminate operational informationProtect personal privacy Maintain accurate personal informationUse information for consistent purposes Integrity

5

UG Records Management PolicyUG Records Management Policy http://www.uoguelph.ca/secretariat/records.shtmlhttp://www.uoguelph.ca/secretariat/records.shtml

Develop retention and disposition schedules

Manage records according to this RM policy

Involve Records Coordinator in RM developmental processes

6

PrinciplesPrinciples

PRIVACY

Individual has right to “control” collection, use, disclosure of their own personal information

University must protect private information from third-parties

ACCESS

Individuals can request access to their own personal information at the University

Individuals can request access to records at the University (under FIPPA, not PIPEDA)

Exemptions should be limited and specific

versus

7

FIPPA Legislation is to Access and FIPPA Legislation is to Access and Privacy What…Privacy What…Occupational health and safety legislation

is to safety in the workplace Environmental legislation is to

stewardship of the environmentSchool board legislation is to learning

Rule of thumb: FIPPA is just a piece of legislation; access and privacy is the

culture

8

Access to what?Access to what? All recorded information, however

recorded, including:– Drafts, postit notes, hard drive files,

blackberry, email, voice mail, agendas, address books

Expense accounts and receipts E-mails Briefing notes – briefing binders Correspondence Amount of money spent on various

programs Tenders/Bids Consultants (e.g. names, amount

spent, work done, selection process)

9

What is personally identifiable What is personally identifiable information?information? Key term:

– Identifiable

– Name

– Photo

– Student ID #

Rule of thumb: Context is everything!

10

Means of AccessMeans of Access

INFORMAL ACCESS Active Dissemination (AD)

– Website, reports, etc. Routine Disclosure (RD)

– Release of general records on request

– E.g. request to see one’s own health record

FORMAL ACCESS FIPPA Request

– E.g. formal PHIPA request to see one’s own health record

Rule of thumb: No automatic requirement

to invoke FIPPA

11

FIPPA Request ProcessFIPPA Request Process

Requester must:

– Submit written request

– Indicate request is made under FIPPA

– Pay $5.00 fee

University must:

– Process FIPPA request within 30 calendar days

12

FIPPA ExclusionsFIPPA Exclusions Archival records of University—s.65(1)

– Only private donations are excluded Labour relations & employment related information—s.65(6)

– Therefore personnel files function under Employee Agreements and/or HR policies, not FIPPA

– Exception: Expense claims and agreements—s.65(7) Research & teaching materials—s.65(8.1)

– Exception: Subject matter/amount of funding for research—s.65(9)

– Exception: Evaluative/opinion/eligibility qualifications for teaching materials—s.65(10)

Health information is also not under FIPPA—other than formal request process

13

FIPPA ExemptionsFIPPA Exemptions

Mandatory Third-party

Information —s.17(1)

Personal Privacy—s.21

Discretionary Advice/ Recommendations—

s.13(1) Law Enforcement—s.14(1) Economic and Other Interests

—s.18 Educational tests—s.18(1h) Solicitor-Client Privilege—s.19 Danger to Safety or Health—

s.20 Information to be published—

s.22

14

Case 1: ExternalCase 1: ExternalAccess to:

Invoices?Expense Reports?Minutes?Reference Letters?

15

Case 2: InternalCase 2: InternalAccess to:

Student Information?Employee Information?

The “University Circle” (video clip)

See also: Privacy Impact Checklist

16

Summary: Summary: Records Creation AwarenessRecords Creation Awareness Today’s memo could be tomorrow’s headline Good records management is vital Create records with access in mind:

– Consider possible future release of information at time the records are created—protect personal information as appropriate

– Better than email/fax disclaimers!

17

1. Restrict access to client information to those that need to know.

2. Ensure client information is not visible or accessible to others.

3. Do not discuss client information in places where others may overhear

4. Do not share existing passwords with anyone or give old passwords to new employees when contractor leaves.

5. Discard old or used client information appropriately

Easy Steps to Privacy ProtectionEasy Steps to Privacy Protection

1. Collection2. Use3. Disclosure4. Retention5. Disposition

versus

18

Why Privacy?

Privacy is:

1. The right to be let alone.2. The right to control one’s

personal information.

One purpose of privacy regulations is to help protect people against the unwanted sharing of personal information.

19

PrinciplesPrinciples

PRIVACY

Individual has right to “control” collection, use, disclosure of their own personal information

University must protect private information from third-parties

Security does not equal privacy

ACCESS

Individuals can request access to their own personal information at the University

Individuals can request access to records at the University (under FIPPA, not PIPEDA)

Exemptions should be limited and specific

versus

Balance

20

Strong Privacy Strong Privacy Compromises Compromises Security Security

e.g. Terrorist anonymity

Privacy

Security

21

Strong Security Limits Privacy Strong Security Limits Privacy

e.g. Digital Trail

Privacy

Security

22

Privacy & SecurityPrivacy & Security

Privacy and security rely on trust:– Trust in policy (to provide rules and guidance)– Trust in process (to ensure compliance)– Trust in technology (to deliver anticipated results)– Trust in people (to act responsibly)

23

If You Wanted to Know…If You Wanted to Know…What must I do to comply with the new policies/legislation?

24

Notices—s.39(2); Notices—s.39(2); 41(1)41(1) (PHIPA or PIPEDA = obtain direct consent not notice)(PHIPA or PIPEDA = obtain direct consent not notice)

Must provide notice to individual indicating: Legal authority for the collection of information

– What gives the University the right to collect this? Purpose for which it is intended

– How will the University use this information? Business contact info for questions

– Who do I contact if I have questions about how my information is being used?

25

AND…

26

Retention & DispositionRetention & Disposition

Must maintain personal info at least 1 year after last use—s.40(1); Reg.460, s.5

Must maintain record of information destroyed (without revealing personal info)—s.40(4); Reg.459,s.6

See also: sample disposal record

27

If You Wanted to Know…If You Wanted to Know…When can I share information?

28

Look to Your Notice!Look to Your Notice!

“Consistent purpose” requires that individual might reasonably have expected the use or disclosure at time info was collected

Consistent purpose therefore depends on the collection notice and what (reasonable) expectations it creates

See also: Privacy Impact Checklist University Circle

29

Above All:Above All:Consistent Purpose—s.41(1.b)Consistent Purpose—s.41(1.b)

Requires that individual might reasonably have expected the use or disclosure at time info was collected

Consistent purpose therefore depends on the collection notice and what (reasonable) expectations it creates

30

Case 3: “Necessary and Case 3: “Necessary and Appropriate”Appropriate”

Too much information (video clip)

31

Fair Information PracticesFair Information Practices Accountability

Consent

Limiting use, disclosure,

and retention

Safeguards

Individual access

Identifying purposes

Limiting collection

Accuracy

Openness

Challenging compliance

32

The Importance of AccuracyThe Importance of Accuracy

33

Privacy Breaches Do HappenPrivacy Breaches Do Happen

34

Be prepared to answer questionsBe prepared to answer questions

such as…

35

Five Key QuestionsFive Key Questions

Why are you asking for this information?How will my information be used?Who will be able to see my information?Will there be any secondary uses?How can I control my data?

36

Case 4: “Breach”Case 4: “Breach”Theft (video clip)

Audio space (video clip)

37

If a Privacy Breach OccursIf a Privacy Breach Occurs

Notify the University Secretariat of a privacy breach involving personal information

An investigation will most likely result

38

Managing Breach: ProtocolManaging Breach: Protocol

1. Inform your manager– Manager will notify University Secretariat and/or University Legal

counsel

2. Identify the scope– What personal information was involved?– Who had unauthorized access to personal information?

3. Contain the breach– Suspend the process/activity that caused breach– Retrieve records

4. Notify– Individuals whose privacy was breached– University Secretariat will notify IPC if required

39

Preventing Future BreachesPreventing Future Breaches

Educate staff about the privacy rules and privacy regulations

Ensure staff is aware of the consequences of a privacy breach

Each person is accountable for personal information in their custody

Staff should err on the side of protecting privacy– Or should they? E.g. Virginia Tech.

Staff should contact the program manager and/or University Secretariat for advice

40

Risk-based PrioritizationRisk-based Prioritization

Privacy planning is more effective if approached from a risk management perspective than a legal compliance perspective

Risk management permits the efficient allocation of resources

In contrast, legal compliance requires the allocation of resources to all compliance issues regardless of risk

Contact the Secretariat about available assessment options

41

DefaultRisk Tolerance Line

Action not yet startedNo progress reportedModerate progress reportedEvidential progress reportedAction successfully completed

Risk Map with Risk Mitigation Status1. Prevention of Medication Errors2. Resource Issues3. Disaster Preparedness4. Adequacy of Security PracticesImpact

Very High

High

Medium

Low

Very Low

Very Low

Low Medium

High Very High

Likelihood

3

4

1

2

Risk MapRisk Map

42

SummarySummary Periodically review/audit and ensure appropriate processes and

practices are in place re: collection, use, disclosure, retention and disposal of personal information– E.g. Do we really need SINs? How long do we really need to

retain resumes? Build in privacy

– Design collection processes to limit and protect personal information

– Put system in place to update Secretariat when new information is being collected or shared so we can advise on making it FIPPA compliant

Rule of thumb: Data minimization!

43

Lessons Learned cont’dLessons Learned cont’d

Know where your personal information is

– Conduct personal info inventory, including portable computing & storage devices and paper records

Say what you do with personal information

– Post clear notices of privacy practices on Web sites, in offices, and whenever collecting personal info

Do what you say in managing personal information

– Monitor compliance with laws and policies, including content monitoring of Web sites and e-mail

Consider implementing Clean Desk / Clean Drive policy

44

Case 5Case 5Should I create a record?

45

Ask:Ask:

Is there an operational need to create a record? What does the record need to say/contain? What does the record NOT need to say/contain? Who should create / hold / access the record? How are drafts / copies tracked and final version

identified? How are retention and destruction addressed?

See also: Note-taking tip sheets

46

Things To Take AwayThings To Take Away

Secretariat is coordinating FIPPA-related processes

Secretariat is contact-point for specific concerns

Secretariat will share information through Liaison Network

47

Questions?Questions?

Chris GravesUniversity Records Management CoordinatorPhone: 519-824-4120 Ext. 56103 Fax: 519-767-1350

Email:c.graves@exec.uoguelph.ca