Guide to Good Privacy Practices


Introduction

This guide is intended to assist public bodies and their employees in understanding their privacy responsibilities under Part III (Protection of Privacy) of the Freedom of Information and Protection of Privacy Act (FOIPP Act).


What is Personal Information?

Under the FOIPP Act, "personal information" is recorded information about an identifiable individual. This includes an individual's name, address, blood type, educational history, employment history, financial information, birth date, eye colour, gender, race, and other such information.

Personal information also includes seemingly innocuous separate items of information that, when put together, would allow someone to accurately infer information about an individual. This is called the accurate inference or mosaic test.

The FOIPP Act specifically excludes business "contact information" from the definition of personal information. This is information that enables an individual at a place of business to be contacted, and includes the individual's contact name, position name or title, business address, business phone number, business email, business fax number, and other such information.


Individuals and their Privacy Rights

The FOIPP Act is based on the principles that individuals own their personal information and that they have a general right to privacy.

These principles do not mean that individuals have full control over records containing their personal information, but they do mean that public bodies should consider individuals as stakeholders in the information's collection, use and disclosure.

Public bodies should be prepared, in most circumstances, to inform individuals about what personal information is in their custody or control and how they manage it. There might be exceptions to this, such as where the information is subject to solicitor-client privilege or where its disclosure would harm a law enforcement matter.

Public bodies should also be prepared to demonstrate that their record-keeping practices comply with the privacy requirements in the FOIPP Act, other relevant legislation addressing management of information, and records management policy. They should also be prepared to answer questions and address individuals’ privacy concerns.


Limitations on the Collection of Personal Information

Public bodies can collect personal information only when it relates directly to and is necessary for program delivery, for the purposes of law enforcement, or if authorized by an Act.

Public bodies should routinely review personal information collection practices to determine the minimum personal information essential for their operational requirements, and should be prepared to justify why particular information is necessary. If the collection is not necessary, personal information should not be collected.

Example:
The Social Insurance Number (SIN) is used by the federal government for taxation and social security purposes. The SIN is a unique personal identifier and some public bodies have found it useful for identification purposes even when it was not necessary for program delivery. Where collection of personal information is not necessary, it should not occur. If you are uncertain about whether your public body is appropriately collecting the SIN, contact your Director/Manager of Information and Privacy (DMIP) or FOI Coordinator.

When collecting personal information directly from individuals, public bodies must usually inform them of the authority for collecting their information and the purpose for collecting it, as well as the identity of an officer or employee who can answer questions about the collection. The FOIPP Act does list some limited cases where notification is not required, such as for law enforcement or for collecting a debt or fine or making a payment.

If individuals object to the collection of their personal information, public bodies should be prepared to justify why it is necessary to collect it.


Access and Correction

Individuals have a general right of access to their own personal information and to request correction of it.

Providing individuals with the right to obtain access to their personal information enhances the transparency and accountability of public bodies. It gives applicants the opportunity to determine what information a public body has about them, whether it is accurate and how it has been used.

Individuals also have the right to request the correction of their personal information when they believe there is an error or omission.

The ability of individuals to request access to, and correction of, their personal information helps to enhance the accuracy of the information and thus reduces the probability of any decisions being based on erroneous or incomplete information.

Example:
Mary, who is due to receive a benefit from a public body based on her age, notes that the public body has incorrectly recorded her date of birth. She may apply to the public body to have this personal information corrected. Mary may have to provide documentation to prove her claim that her birth date information with the public body is incorrect.

Only factual information may be corrected. In most instances, opinions, including evaluations about the individual, cannot be "corrected", even if the individual disagrees with them. A public body must either correct a record containing personal information that is the subject of a correction request, or if the public body disagrees with the correction request, it must place a note on the record that the correction was requested but not made.


Limitations on the Use of Personal Information

Public bodies can use personal information only for the purpose for which it was collected; for a consistent purpose; if the individual consents in writing; or in other limited circumstances.

In most cases public bodies can use personal information only for the purpose for which it was collected. Decision makers should contact their DMIP or FOI Coordinator if they are unsure if a use of personal information complies with the FOIPP Act.

Example:
A public body collects personal information to administer a program and uses the personal information for that purpose. Unless allowed by the FOIPP Act, the public body could not use the information to send the individual unrelated promotional material.


Limitations on the Disclosure of Personal Information

Public bodies can disclose personal information in the circumstances stipulated by the FOIPP Act.

Disclosure of personal information under the FOIPP Act involves the release of, or access to, personal information either externally or internally to the public body. The FOIPP Act permits the disclosure of personal information under stipulated conditions, which will differ depending on whether the disclosure is international or solely within Canada.

In making a decision to disclose personal information, a public body should balance the benefit of the disclosure with potential harms resulting from the information’s release. Decision-makers should obtain advice from their DMIP or FOI Coordinator if they are uncertain about disclosure.

Within public bodies, personal information may only be disclosed on a "need to know" basis. Public body employees should access personal information only when they require it to perform their duties.

Example:
A public body receives an access to information request under the FOIPP Act. The name of the applicant who submitted the request should not be disclosed within the public body except as necessary to process the request. For example, such disclosure would most likely occur when applicants are seeking their own files and their identity has to be shared with specific employees of the public body to retrieve the requested files.

When a public body receives requests for personal information from other public bodies, private organizations, or elsewhere, the onus is on the public body receiving the request to verify the authority for the disclosure. For example, if the authority is an enactment, the receiving public body should require the requester to identify that authority by direct reference to the enactment.

Sometimes a public body will receive a request from a foreign agency, court, state or another authority outside Canada for the disclosure of personal information that is not authorized by the FOIPP Act. In these circumstances, the public body is required to immediately notify the Minister responsible for the FOIPP Act via the Ministry of Citizens' Services Knowledge and Information Services Branch. Decision-makers should obtain advice from their DMIP or FOI Coordinator if they do not have sufficient knowledge or experience to determine that a disclosure of personal information would be unauthorized.


Storage and Access in Canada

Personal information must be stored and accessed only in Canada, except in limited circumstances.

As many countries do not have privacy protection standards equivalent to our own, the FOIPP Act requires public bodies to ensure that personal information is stored and accessed only in Canada.

A public body may, however, store or access personal information in another jurisdiction with the individual’s consent (in the manner prescribed by the FOIPP Act), or in other limited circumstances outlined by the FOIPP Act.


Retention of Personal Information

Public bodies must retain personal information for one year if it is used to make a decision directly affecting the individual.

This minimum retention requirement gives individuals a reasonable opportunity to obtain access to the personal information when it has been used to make a decision affecting them.

Other legislative and policy requirements might also apply for the retention of personal information beyond what is required in the FOIPP Act. For example, tax legislation might require a public body to retain financial records for a specified period, or a public body’s records retention schedules might indicate that records are to be retained for a specific time for operational reasons.

Maintaining personal information that is no longer useful is a security liability. When all relevant retention requirements have been met and the personal information is no longer relevant for business or legal reasons, a public body should destroy the information in a manner that will not compromise security or the privacy of the information.


Security

Public bodies must make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure or disposal of personal information.

Public bodies are required to ensure that personal information is protected by adequate physical, technical and procedural measures. While all personal information requires some degree of protection, the type of security measure taken should be consistent with the level of the sensitivity of the information. For example, health personal information will be more sensitive and will require greater protection than a list of adult registrants for a swimming course.

Breaches in the security of personal information can cause harm to individuals and damage the credibility of, and trust in, the public body. Once information has been disclosed, it is far more difficult to control its further dissemination, so it is important at the outset to put appropriate security measures in place. The following are just a few examples of security measures that public bodies should consider adopting to avoid privacy breaches:

  • Developing, implementing, and complying with the public body’s policies and procedures regarding the protection, use and disposal of information and technology containing information assets;
  • Implementing scheduled security, privacy and records management awareness and training sessions;
  • Documenting, employing and monitoring sound privacy and security business processes; for example, ensuring that files containing personal information are not left open on desks or in places where unauthorized people will see them, and storing files in a secure location with restricted access, such as a locked room or a locked filing cabinet;
  • Using individual user IDs, complex passwords, timed screen savers and other technical protections to ensure authorized access to electronic systems; and
  • Ensuring adequate protections for sending and receiving personal information by fax and courier.

Privacy-enhancing and data protection technologies are key tools for protecting personal information and play an important role in enhancing privacy protection. Public bodies are encouraged to incorporate privacy-enhancing and data protection solutions, such as encryption, into their policies and practices to ensure secure transactions involving personal information and to prevent the unauthorized collection, use or disclosure of personal information in or from electronic databases.

Provincial ministries are required to comply with the security requirements in the Information Security Policy; other public bodies will have their own security policies.


Service Providers

Personal information generated by a service provider under contract to a public body is likely subject to the requirements of the FOIPP Act.

Under the FOIPP Act, a service provider is defined as a person retained under contract to perform services for a public body. In some places the FOIPP Act refers to service providers directly and in others indirectly. For example, in terms of how personal information is protected, the FOIPP Act states, "A public body must collect personal information or cause personal information to be collected directly". The phrase "cause personal information to be collected" covers service providers.

Public bodies must take care to ensure that all service providers are aware of their responsibilities and obligations under the FOIPP Act. This Act’s requirements extend to employees and associates of the service provider who have access to or custody or control of personal information as a result of the service provider’s contracts with the public body.

Where a public body has entered into a contract for services with a service provider, it is good practice for the language of the contract to indicate who has control of any personal information that will be created or received as a result of the contract. In most cases it will be appropriate for the public body to have control of the personal information (although the service provider may have custody of the information) and it will only be the exception for the public body not to have control.

For ministries, a Privacy Protection Schedule (PPS) must be attached to all contracts involving personal information. A PPS lays out the security, storage, use, retention and disclosure requirements and limitations required by the FOIPP Act, as well as a clause for termination for non-compliance. If the PPS is to be altered in any way, approval must be obtained from the Office of the Chief Information Officer, Knowledge and Information Services Branch.


Powers of the Commissioner of Information and Privacy

The Information and Privacy Commissioner is an independent Officer of the Legislature and has broad powers with respect to the FOIPP Act including:

  • Monitoring how the FOIPP Act is administered to ensure its purposes are achieved;
  • Conducting investigations and audits to ensure compliance with privacy requirements;
  • Investigating and attempting to resolve complaints that a duty imposed by the FOIPP Act or the regulations has not been performed, or that personal information has been collected, used or disclosed in contravention of the Act’s privacy provisions;
  • Commenting on the implications for protection of privacy of proposed legislative schemes or programs of public bodies;
  • Commenting on the implications for protection of privacy of automated systems for collection, storage, analysis or transfer of information; and
  • Commenting on the implications for protection of privacy of using or disclosing personal information for record linkage.

This document was prepared by the Office of the Government Chief Information Officer in cooperation with provincial ministry and Crown corporation Directors and Managers of Information and Privacy in September 1996.

This document may be printed and distributed.

Last update on July 17, 2009