Introduction
This guide is intended to assist public bodies
and their employees in understanding their privacy responsibilities under Part III (Protection of Privacy) of the
Freedom of Information and Protection of Privacy Act (FOIPP Act).
What is Personal Information?
Under the FOIPP Act, "personal information" is
recorded information about an identifiable
individual. This includes an individual's
name, address, blood type, educational history,
employment history, financial information, birth
date, eye colour, gender, race, and other such
information.
Personal information also includes seemingly
innocuous separate items of information that,
when put together, would allow someone to
accurately infer information about an
individual. This is called the accurate
inference or mosaic test.
The FOIPP Act specifically excludes business
"contact information" from the definition of
personal information. This is information
that enables an individual at a place of
business to be contacted, and includes the
individual's contact name, position name or
title, business address, business phone number,
business email, business fax number, and other
such information.
Individuals and their Privacy Rights
The FOIPP Act is based on the
principles that individuals own their personal
information and that they have a general right
to privacy.
These principles do not mean that
individuals have full control over records
containing their personal information, but they
do mean that public bodies should consider
individuals as stakeholders in the information’s
collection, use and disclosure.
Public bodies should be prepared, in most
circumstances, to inform individuals about what
personal information is in their custody or
control and how they manage it. There might be
exceptions to this, such as if the information
is subject to solicitor client privilege, its
disclosure would harm a law enforcement matter,
etc.
Public bodies should also be prepared to
demonstrate that their record-keeping practices
comply with the privacy requirements in the
FOIPP Act, other relevant legislation addressing
management of information, and records
management policy. They should also be prepared
to answer questions and address individuals’
privacy concerns.
Limitations on the Collection of Personal Information
Public bodies can collect personal
information only when it relates directly to and
is necessary for program delivery, for the
purposes of law enforcement, or if authorized by
an Act.
Public bodies should routinely review personal
information collection practices to determine
the minimum personal information essential for
their operational requirements, and should be
prepared to justify why particular information
is necessary. If the collection is not necessary,
personal information should not be collected.
Example:
The Social Insurance Number (SIN) is used by the
federal government for taxation and social security
purposes. The SIN is a unique personal identifier
and some public bodies have found it useful for
identification purposes even when it was not
necessary for program delivery. Where collection of
personal information is not necessary, it should not
occur. If you are uncertain about whether your
public body is appropriately collecting the SIN,
contact your
Director/Manager of Information and
Privacy (DMIP) or FOI Coordinator.
When collecting personal information directly
from individuals, public bodies must usually inform
them of the authority for collecting their
information and the purpose for collecting it, as
well as the identity of an officer or employee who
can answer questions about the collection. The FOIPP
Act does list some limited cases where notification
is not required, such as for law enforcement or for
collecting a debt or fine or making a payment.
If individuals object to the collection of their
personal information, public bodies should be
prepared to justify why it is necessary to collect
it.
Access and Correction
Individuals have a general right of
access to their own personal information and to
request correction of it.
Providing individuals with the right to
obtain access to their personal information
enhances transparency and accountability of
public bodies. It gives applicants the
opportunity to determine what information a
public body has about them, if it is accurate
and how it has been used.
Individuals also have the right to request the
correction of their personal information when
they believe there is an error or omission.
The ability of individuals to request access to,
and correction of, their personal information
helps to enhance the accuracy of the information
and thus reduces the probability of any
decisions being based on erroneous or incomplete
information.
Example:
Mary, who is due to receive a benefit from a public
body based on her age, notes that the public body
has incorrectly recorded her date of birth. She may
apply to the public body to have this personal
information corrected. Mary may have to provide
documentation to prove her claim that her birth date
information with the public body is incorrect.
Only factual information may be corrected. In
most instances, opinions, including evaluations
about the individual, cannot be "corrected", even if
the individual disagrees with them. A public body
must either correct a record containing personal
information that is the subject of a correction
request, or if the public body disagrees with the
correction request, it must place a note on the
record that the correction was requested but not
made.
Limitations on the Use of Personal Information
Public bodies can use personal information only
for the purpose for which it was collected; for
a consistent purpose; if the individual consents
in writing; or in other limited circumstances.
In most cases public bodies can use personal
information only for the purpose for which it
was collected. Decision makers should contact
their DMIP or FOI Coordinator if they are unsure
if a use of personal information complies with
the FOIPP Act.
Example:
A public body collects personal information to
administer a program and uses the personal
information for that purpose. Unless allowed by the
FOIPP Act, the public body could not use the
information to send the individual unrelated
promotional material.
Limitations on the Disclosure of Personal Information
Public bodies can disclose personal information
in the circumstances stipulated by the
FOIPP Act.
Disclosure of personal information under the
FOIPP Act involves the release of, or access to,
personal information either externally or
internally to the public body. The FOIPP Act
permits the disclosure of personal information
under stipulated conditions, which will differ
depending on whether the disclosure is
international or solely within Canada.
In making a decision to disclose personal
information, a public body should balance the
benefit of the disclosure with potential harms
resulting from the information’s release.
Decision-makers should obtain advice from their
DMIP or FOI Coordinator if they are uncertain
about disclosure.
Within public bodies, personal information may
only be disclosed on a “need to know” basis.
Public body employees should access personal
information only when they require it to perform
their duties.
Example:
A public body receives an access to information
request under the FOIPP Act. The name of the
applicant who submitted the request should not be
disclosed within the public body except as necessary
to process the request. For example, such disclosure
would most likely occur when applicants are seeking
their own files and their identity had to be shared
with specific employees of the public body to
retrieve the requested files.
When a public body receives requests for personal
information from other public bodies, private
organizations, or elsewhere, the onus is on the
public body receiving the request to verify the
authority for the disclosure. For example, if the
authority is an enactment, the receiving public body
should require the requester to identify that
authority by direct reference to the enactment.
Sometimes a public body will receive a request from
a foreign agency, court, state or another authority
outside Canada, for the disclosure of personal
information that is not authorized by the FOIPP Act.
In these circumstances, the public body is required
immediately to notify the Minister responsible for
the FOIPP Act via the Ministry of Citizens' Services,
Knowledge and Information Services Branch.
Decision-makers should obtain advice from their DMIP
or FOI Coordinator if they do not have sufficient
knowledge or experience to make the determination
that a disclosure of personal information would be
unauthorized.
Storage and Access in Canada
Personal information must be stored and accessed
only in Canada, except in limited circumstances.
As many countries do not have privacy protection
standards equivalent to our own, the FOIPP Act
requires public bodies to ensure that personal
information is stored and accessed only in
Canada.
A public body may, however, store or access
personal information in another jurisdiction
with the individual’s consent (in the manner
prescribed by the FOIPP Act), or in other
limited circumstances outlined by the FOIPP Act.
Retention of Personal Information
Public bodies must retain personal information
for one year if it is used to make a decision
directly affecting the individual.
This minimum retention requirement gives
individuals a reasonable opportunity to obtain
access to the personal information when it has
been used to make a decision affecting them.
Other legislative and policy requirements might
also apply for the retention of personal
information beyond what is required in the FOIPP
Act. For example, tax legislation might require
a public body to retain financial records for a
specified period, or a public body’s records
retention schedules might indicate that records
are to be retained for a specific time for
operational reasons.
Maintaining personal information that is no
longer useful is a security liability. When all
relevant retention requirements have been met
and the personal information is no longer
relevant for business or legal reasons, a public
body should destroy the information in a manner
that will not compromise security or the privacy
of the information.
Security
Public bodies must make reasonable security
arrangements to prevent unauthorized access,
collection, use, disclosure or disposal of
personal information.
Public bodies are required to ensure that
personal information is protected by adequate
physical, technical and procedural measures.
While all personal information requires some
degree of protection, the type of security
measure taken should be consistent with the
level of the sensitivity of the information. For
example, health personal information will be
more sensitive and will require greater
protection than a list of adult registrants for
a swimming course.
Breaches in the security of personal information
can cause harm to individuals and damage the
credibility and trust relationship of the public
body. Once information has been disclosed, it is
far more difficult to control further
dissemination, so it is important at the outset
to put in place appropriate security measures.
The following are just a few examples of
security measures that public bodies should
consider adopting to avoid privacy breaches:
- Developing, implementing, and complying with
the public body’s policies and procedures
regarding the protection, use and disposal of
information and technology containing
information assets;
- Implementing scheduled security, privacy and
records management awareness and training
sessions;
- Documenting, employing and monitoring sound
privacy and security business processes; for
example, ensuring that files containing personal
information are not left open on desks or in
places where unauthorized people will see them,
storing files in a secure location with
restricted access, such as a locked room or a
locked filing cabinet;
- Using individual user IDs, complex passwords,
timed screen savers and other technical
protections to ensure authorized access to
electronic systems; and
- Ensuring adequate protections for sending and
receiving personal information by fax and
courier.
Privacy enhancing and data protection
technologies are key tools for protecting
personal information and play an important role
in enhancing privacy protection. Public bodies
are encouraged to incorporate the use of
privacy-enhancing and data protection solutions,
such as encryption, into their policies and
practices to ensure secure data transactions of
personal information and to prevent the
unauthorized collection, use or disclosure of
personal information in or from electronic
databases.
Provincial ministries are required to comply
with the security requirements in the
Information Security Policy and other public
bodies will have their own security policies.
Service Providers
Personal information generated by a service provider
under contract to a public body is likely subject to
the requirements of the FOIPP Act.
Under the FOIPP Act, a service provider is defined
as a person retained under contract to perform
services for a public body. In some instances in the
FOIPP Act, service providers are referred to
directly and in other places indirectly. For
example, in terms of how personal information is
protected, the FOIPP Act states, “A public body must
collect personal information or cause personal
information to be collected directly”. The phrase “cause
personal information to be collected” incorporates
service providers.
Public bodies must take care to ensure that all
service providers are aware of their
responsibilities and obligations under the FOIPP
Act. This Act’s requirements extend to employees and
associates of the service provider who have access
to or custody or control of personal information as
a result of the service provider’s contracts with
the public body.
Where a public body has entered into a contract for
services with a service provider, it is good
practice for the language of the contract to
indicate who has control of any personal information
that will be created or received as a result of the
contract. In most cases it will be appropriate for
the public body to have control of the personal
information (although the service provider may have
custody of the information) and it will only be the
exception for the public body not to have control.
For ministries, a
Privacy Protection Schedule (PPS)
must be attached to all contracts involving personal
information. A PPS lays out the security, storage,
use, retention, disclosure requirements and
limitations required by the FOIPP Act, as well as a
clause for termination for non-compliance. If the
PPS is to be altered in any way, approval must be
obtained from the Office of the Chief Information
Officer,
Knowledge and Information Services Branch.
Powers of the Commissioner of Information and Privacy
The Information and Privacy Commissioner is an
independent Officer of the Legislature and has broad
powers with respect to the FOIPP Act including:
- Being generally responsible for monitoring how the FOIPP
Act is administered to ensure its purposes are
achieved;
- Conducting investigations and audits to ensure
compliance with privacy requirements;
- Investigating and attempting to resolve complaints
that a duty imposed by the FOIPP Act or the
regulations has not been performed, or that personal
information has been collected, used or disclosed in
contravention of the Act’s privacy provisions;
- Commenting on the implications for protection of
privacy of proposed legislative schemes or programs
of public bodies;
- Commenting on the implications for protection of
privacy of automated systems for collection,
storage, analysis or transfer of information; and
- Commenting on the implications for protection of
privacy of using or disclosing personal information
for record linkage.
This document was prepared by the Office
of the Government Chief Information Officer in cooperation with provincial ministry and Crown corporation
Directors and Managers of Information and Privacy
in September 1996.
This document may be printed and distributed.
Last update on July 17, 2009