Presentation Transcript

1. The Challenges of FOIP

   For Post-Secondary Institutions Veronica Chodak Portfolio Officer, FOIP Office of the Information and Privacy Commissioner (OIPC) PACRAO Conference – Nov 8, 2010
2. Outline The Office of the Information and Privacy Commissioner The FOIP Act Identifying challenges Facing challenges
3. Office of the Information and Privacy Commissioner (OIPC) The Information and Privacy Commissioner is an officer of the Alberta Legislature. Independent of government. Has a broad range of regulatory responsibilities and powers under FOIP, HIA, and PIPA.
4. OIPC Freedom of Information and Protection of Privacy Act (“FOIP” or the “FOIP Act”). Health Information Act (“HIA”). Personal Information Protection Act (“PIPA”).
5. OIPC – Independent Reviews May review any decision, act or failure to act relating to an access request under FOIP, HIA, or PIPA. May investigate a complaint that personal/health information has been collected, used or disclosed in contravention of FOIP, HIA, or PIPA. For matters not settled during mediation - may conduct an inquiry and issue an order.
6. The FOIP Act The FOIP Act (FOIP) was passed by the Alberta Legislature in 1995. FOIP applies to “public bodies” in Alberta. “Public bodies” include Alberta’s public post-secondary institutions (PSIs).
7. The FOIP Act Provides the right to access records in the custody or control of a public body subject to limited and specific exceptions. Controls the manner in which a public body may collect, use or disclose personal information. Provides for independent reviews by the Commissioner.
8. Identifying Challenges The desire to collect more information from a variety of sources. The desire to use information for secondary purposes. Requests for information from inside and outside (parents, government, other institutions, employers...). Cloud computing, social networking sites, employees working off-site, contractors…
9. Is this a FOIP challenge? Is the PSI subject to the FOIP Act? Is there a collection, use or disclosure of personal information by (or for) the PSI? If so, there is a challenge to ensure compliance with Part 2 of the FOIP Act – Protection of Privacy.
10. Is there a collection, use or disclosure of “personal information”… For the purposes of the FOIP Act, “personal information” means recorded information about an identifiable individual.
11. …by or for the PSI? Public bodies are held accountable under the FOIP Act for the actions of their employees (Order 99-032 [51] and Investigation Report F2007-IR-005 [8-9]).
12. Who is the employee? For the purposes of FOIP, “Employee”, in relation to a public body includes a person who performs a service for the public body as an appointee, volunteer or student or under a contract or agency relationship with the public body.
13. Facing the Challenges If there is a collection, use or disclosure of personal information by or for the public body (PSI), take steps to ensure compliance with Part 2 of FOIP - Protection of Privacy.
14. Is the collection authorized? No personal information may be collected by or for a public body unless: The collection is expressly authorized by an enactment, or It is for the purposes of law enforcement, or It relates directly to and is necessary for an operating program or activity of the public body.
15. Is the manner of collection permitted? FOIP requires a public body to collect personal information directly from the individual it is about except in certain limited circumstances. So, if there is a desire to collect the information from a source other than the individual, is there authority in FOIP for the collection?
16. Is adequate notification provided? When you collect personal information directly from the individual you must inform the individual of: The purpose for which the information is collected, The specific legal authority for the collection, and Specific contact information.
17. Is the use permitted by FOIP? A public body may use personal information only: For the intended purpose, If the individual has identified the information and consented in the prescribed format,or For a purpose for which that information may be disclosed to that public body under other sections of the FOIP Act.
18. Is the disclosure permitted by the FOIP? A public body may only disclose personal information for the specific purposes described in the FOIP Act. The disclosure may only be to the extent necessary to fulfill the permitted purpose in a reasonable manner.
19. Some Disclosure Purposes For the purpose for which it was collected, or for a use consistent with that purpose. If the individual has identified the information and consented in the prescribed manner. To an employee of a public body, if the information is necessary for the performance of their duties as an employee.
20. More disclosure purposes To comply with an enactment. To determine or verify an individual’s suitability or eligibility for a program or benefit. To collect a fine or debt owing by an individual. If the head of the public body believes, on reasonable grounds, that the disclosure will avert or minimize an immediate danger to the health or safety of any person.
21. Protect Personal Information Has the public body made reasonable security arrangements to protect the personal information against such risks as unauthorized access, collection, use, disclosure or destruction? Consider what risks exist, and make security arrangements that are reasonable to address those risks.
22. Resources Your FOIP Coordinator, supervisors & management team Alberta Government’s FOIP website http://www.servicealberta.ca/foip FAQ’s for Post-Secondary Institutions Office of the Information and Privacy Commissioner’s website http://www.oipc.ab.ca
23. Questions?
24. Office of the Information and Privacy Commissioner 410, 9925 – 109 Street Edmonton, Alberta T5K 2J8 (780) 422-6860 Promoting a society where personal information is respected & public bodies are open and accountable.