Getting Ready for PIPA

A Workshop for Organizations

on the Personal Information Protection Act

Alberta Government Services (Information Management, Access and Privacy Division)

and

Office of the Information and Privacy Commissioner of Alberta

With the assistance of Alberta Chambers of Commerce

March 2004


What we will cover today

  • What is the Personal Information Protection Act (PIPA)?

  • Who/what does PIPA apply to?

  • Overview of PIPA’s requirements

  • What to do to comply

  • Resources for organizations

  • Questions


What is Privacy?

“…the right to be let alone – the most comprehensive of rights and the right most valued by civilized men.”

U.S. Supreme Court Justice Louis Brandeis in Olmstead v. U.S., 1928


Threats to privacy

  • Modern threats to privacy chiefly arise in the collection and use of information about us

  • Privacy used to be protected by default – the nature of paper records

  • Electronic records diminish the barriers of time, distance and cost that once guarded privacy


Personal Information

Includes:

  • Name

  • Birth date

  • Gender

  • Address

  • Education

  • Employment

  • Income

  • Medical history

  • S.I.N.

Held by:

  • Credit unions

  • Insurance companies

  • Retailers

  • Landlords

  • Employers

  • Fundraisers

  • Credit bureaus

  • Sports clubs


What is PIPA?

  • The Personal Information Protection Act balances:

    • the right of an individual to have his or her personal information protected, and

    • the need of organizations to collect, use or disclose personal information for purposes that are reasonable

  • Provides “common sense” rules for collection, use and disclosure of personal information by private-sector (non-government) organizations

  • The Act also provides a right of access to one’s own personal information


PIPA/PIPEDA

  • Both focus on protecting personal information in the private sector

  • “Substantially similar”, but not necessarily the same

  • Federal and Provincial Commissioners are working to harmonize practices and protocols


PIPA applies to…

“Organizations”, including:

  • Corporations

  • Unincorporated associations

  • Trade unions (Labour Relations Code)

  • Partnerships (Partnership Act)

  • Individuals acting in a commercial capacity


PIPA does not apply to…

  • Personal information for personal or domestic purposes

  • Personal information for journalistic, artistic, literary purposes

  • A public body or personal information protected under FOIP Act

  • In a record that is at least 100 years old, or about an individual dead for at least 20 years

  • Health information (as defined in HIA) collected, used or disclosed for health care purposes, but not personal employee information


Special provisions for…

  • Specified non-profit organizations carrying out commercial activities

  • Professional regulatory organizations


“Personal Information”

  • Defined as “information about an identifiable individual”

  • PIPA has broad coverage

    • Applies to personal information regardless of whether it is used for commercial purposes (except for specified non-profits)

  • Includes “personal employee information”


“Business Contact Information”

  • Information you would find on a business card or company letterhead

    • Includes name, position or title, business telephone number, address, e-mail and fax number

  • PIPA does not apply to business contact information when it is collected, used or disclosed for sole purpose of contacting individual in capacity as an employee or official


PIPA requires reasonableness

  • When “reasonable” is used in the Act, it means:

    • What a reasonable person would consider appropriate in the circumstances


Be accountable

  • An organization is responsible for personal information in its custody or control

  • Must designate individual(s) to be responsible for compliance with the Act

  • Develop policies, practices and procedures and make information about them available to public on request

  • In meeting responsibilities under the Act, organizations must act in a reasonable manner


Obtain consent

  • Unless Act allows otherwise, organizations need consent:

    • to collect, use or disclose personal information

    • to collect personal information from anyone other than the individual

  • Consent can be express, implied, or opt-out, depending on circumstances

  • Consent invalid if obtained by deception or misleading means


Withdraw or vary consent

  • An individual may withdraw or vary consent, subject to legal obligations

  • Individual must give reasonable notice to organization

  • Organization must advise individual of likely consequences, unless obvious


Grandfathering

  • Personal information collected before January 1, 2004 is deemed to have been collected with consent

  • It may be used and disclosed by the organization for the purpose for which it was collected

  • The general rules in the Act regarding safeguards, access, correction, etc. still apply to this information


How to collect personal information

  • Identify purposes for collection

    • Is purpose reasonable?

  • Notify individual of purposes and get consent

  • Except where inappropriate, collect personal information directly from the individual concerned

  • Limit type and amount of personal information collected

    • Is information reasonable to fulfill purpose?


Collection from another organization with consent

  • An individual can consent to an organization collecting his or her personal information from another organization

  • The collecting organization must demonstrate that it has obtained consent

  • The disclosing organization must be satisfied that the consent complies with the Act


Collection without consent

  • The Act permits personal information to be collected without consent in limited circumstances, including:

    • when clearly in the interests of the individual

    • when another Act or regulation authorizes it

    • for investigations or legal proceedings

    • to collect a debt or repay monies owed

    • to create a credit report

    • to determine suitability for honour or award

    • for archival or research purposes


Collection without consent

  • Information is “publicly available”:

    • name, address, telephone number in public telephone directory, if subscriber can refuse to be included

    • name, title, address, telephone number in professional or business directory available to public where collection, use or disclosure relates directly to purpose for which information appears in the directory

    • personal information in government registry or registry operated under a statute

      • to which public has access

      • collection, use or disclosure relates directly to purpose for which information appears in the registry


Collection without consent

  • Information is “publicly available”:

    • personal information in record of administrative tribunal, if

      • available to public

      • collection, use, or disclosure relates directly to purpose for which information appears in the record

    • personal information in publication, including magazine, book or newspaper, in printed or electronic form, if

      • available to public

      • reasonable to assume that individual provided the information


Investigations

  • Organizations do not need consent if the collection, use or disclosure of personal information is reasonable for an investigation or legal proceeding

  • “Investigation” means an investigation related to:

    • a breach of agreement

    • a contravention of an enactment

    • circumstances or conduct that may result in a remedy or relief being available in law

      if the breach, contravention, circumstances or conduct has or may have occurred or is likely to occur, and

      it is reasonable to conduct an investigation


Use of personal information

  • Use personal information only with consent, unless otherwise permitted by the Act

  • Use personal information only for purposes that are reasonable

  • Use only the personal information reasonably needed to fulfill the purposes


Use without consent

  • The Act permits the use of personal information without consent for purposes including those listed under collection without consent, plus:

    • to respond to an emergency threatening the life, health or security of individual or public


Disclosure of personal information

  • Disclose personal information only with consent, unless otherwise permitted by the Act

  • Disclose personal information only for purposes that are reasonable

  • Disclose only the personal information reasonably needed to fulfill the purposes


Disclosure without consent

  • The Act permits disclosure of personal information without consent for purposes including those listed under collection and use without consent, plus:

    • in accordance with a treaty

    • to comply with a subpoena or court order

    • to a public body or law enforcement agency to assist in an investigation

    • to contact next of kin of injured or deceased person

    • to a surviving spouse or relative of a deceased individual, if reasonable

    • to protect against fraud or market manipulation, to any agency empowered by legislation


Personal employee information

“Personal employee information” means:

  • personal information of

  • employees or prospective employees

  • reasonably required for the purposes of establishing, managing or terminating the employment or volunteer work relationship


Personal employee information

  • “Employee” includes an individual who performs a service for the organization, including as an:

    • apprentice

    • volunteer

    • participant

    • student

    • individual under a contract or agency relationship


Treatment of personal employee information

  • PIPA recognizes true nature of employment – not consent-based

  • Act allows “personal employee information” to be collected/used/disclosed without consent when

    • reasonably required for establishing, managing or terminating an employment or volunteer work relationship

  • Does not include personal information unrelated to the employment or volunteer relationship

  • Must give notice in case of current employees - transparency

  • Subject to review by Commissioner


Sale of Business

  • Special recognition for purchase, sale, lease, merger, etc., of a business

  • Act provides for the collection, use and disclosure of personal information (including employee information) between parties involved if:

    • the information is necessary to decide whether to proceed and complete the transaction, and

    • the parties agree to use the information only for that purpose

  • Provision does not apply where primary purpose of transaction is sale, etc. of personal information


Providing access

  • Individuals can request access to:

    • own personal information contained in a record

    • information about the purposes for which personal information has been and is being used, and

    • information about to whom the information is disclosed and under what circumstances

  • Organization has a duty to assist

  • Organization must respond within 45 calendar days


Providing access

  • Organization may designate office to receive requests

  • Organization may charge a reasonable fee

  • Any right under the Act may be exercised by another person on an individual’s behalf (s. 61)


Refusing access

  • Access must be refused if disclosure would

    • threaten the life or security of another individual

    • reveal personal information about another individual

    • reveal the identity of an individual who has provided in confidence an opinion about another individual (may disclose with consent)

  • An organization must provide access to remaining information if able to sever

  • Access may be refused if, for example:

    • information is protected by legal privilege

    • disclosure would reveal confidential commercial information (sever)

    • information was collected for an investigation or legal proceeding

    • disclosure might result in that type of information no longer being provided


Making corrections

  • Individuals can ask that their personal information be corrected

    • If it is wrong - correct it promptly

  • Notify those to whom the information has been disclosed

  • If you cannot agree that it is wrong, annotate that the information is disputed

  • You cannot correct expert opinions

  • No fees for correction


Safeguarding & Ensuring Accuracy

Organization must:

  • Protect personal information in its custody or control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction

  • Make reasonable efforts to ensure that any personal information collected, used or disclosed by or on behalf of an organization is accurate and complete


Records management implications

  • Privacy compliance requires sound records management practices

  • Need to locate records quickly in order to process requests within time limit

  • In deciding how long to keep a record, an organization should be guided by legal and business purposes


Oversight – by Commissioner

  • PIPA enforced by the Information and Privacy Commissioner of Alberta

    • same Commissioner for the FOIP Act and the Health Information Act

    • independent Officer of the Legislature

  • The Commissioner can:

    • investigate complaints

    • initiate own investigations & issue Orders

    • authorize an organization to disregard access requests from individuals

    • extend time limit to respond to access request

    • provide non-binding advice and advance rulings


Complaints

  • Once an individual has brought a case to the OIPC, the Commissioner can:

    • refer an individual to another grievance, complaint or review process before handling the case

    • attempt mediation

    • conduct an inquiry

    • issue binding orders

    • publish those orders (including the name of the organization)


Whistleblower protection

  • An organization cannot take adverse employment action against an employee who, acting in good faith and on reasonable belief, informs the Commissioner of a possible breach of the Act


What to do to comply

  • Put someone in charge of privacy

  • Become familiar with the Act

  • Review how your organization handles personal information

  • Put your practices to the test

  • Develop privacy policies and practices


What to do to comply

  • Develop an access and complaints handling process

  • Review and revise forms, and create notice statements

  • Review and revise contracts

  • Consider employees’ personal information

  • Train staff


What you might have to change

  • Forms

    • Add collection, use and disclosure notification

    • Use appropriate form of consent

    • Is all the personal information you ask for directly connected to its stated use, and is the amount collected reasonable?

  • Systems

    • Add database fields to indicate the uses/disclosures individuals consented to

    • Rethink access controls

  • Records management practices

    • New security

    • New retention schedule


What happens if organizations don’t comply with PIPA?

  • Commissioner may make an Order if:

    • complaint or request for review is made

  • Orders will name the organization & will be public

    • Damaging to reputation of organization

  • It is an offence to fail to comply with an order, to wilfully contravene PIPA or to obstruct the Commissioner

  • If convicted of an offence, fines are

    • up to $10,000 for individuals

    • up to $100,000 for businesses

  • An individual can pursue damages in court for loss or injury suffered as a result of breach of privacy


Non-profit organizations

  • “Non-profit organizations” are defined as organizations incorporated under the:

    • Societies Act

    • Agricultural Societies Act

    • Part 9 of the Companies Act

  • PIPA applies only to a non-profit organization’s collection, use or disclosure of personal information in connection with a commercial activity

  • All other not-for-profit organizations must comply with PIPA for all their activities


Commercial activity of non-profit organizations

  • “Commercial activity” means any transaction, act or conduct, or any regular course of conduct, that is of a commercial character, and includes:

    • the selling, bartering or leasing of membership lists or donor or other fund-raising lists

    • operation of a private school or early childhood services program (School Act)

    • operation of a private college (Post-secondary Learning Act)

  • PIPA does not apply to personal employee information of non-profit organizations unless part of a commercial activity


Professional regulatory organizations

  • Are considered “organizations” under PIPA

  • Have the option of creating a “personal information code” to govern the collection, use and disclosure of personal information

  • An individual would still be able to complain to the Commissioner

  • Details are in the Regulation


PIPA Resources for Organizations

  • PIPA Websites (including links)

    • OIPC - http://www.oipc.ab.ca/pipa/

    • Access and Privacy Branch - http://www.psp.gov.ab.ca/

  • Access and Privacy Branch Information Line: (780) 644-PIPA (7472)

  • OIPC: (403) 297-2728

  • Consultants List

  • Jointly developed by Access and Privacy Branch & OIPC

    • Workshops in key centres throughout Province

    • Guides and other publications


PIPA Publications for Organizations

  • PIPA on a Page

  • Summary for Organizations – 4-page summary of organizations’ key obligations

  • Getting Ready for PIPA – outlines steps organizations should consider to prepare for PIPA

  • Guide for Organizations and Business on PIPA – Detailed guide to help organizations understand the Act and their obligations

  • Information Sheet on Non-profit Organizations

  • Guidelines for Developing a Personal Information Code for Professional Regulatory Organizations

