1 access to information and protection of privacy: putting the pieces together chris graves...
Post on 26-Dec-2015
1
Access to Information and Protection of Privacy: Putting the Pieces Together
Chris Graves University Records Management Coordinator
University Access and Privacy Website: http://www.uoguelph.ca/secretariat/privacy.shtml
Policies, Use, Consent, Notice, Collecting, Fair Practice, PHIPA, PIPEDA, FIPPA
2
Learning Objectives
Awareness of different types of legislation/policies and their impact on access, privacy and recordkeeping at the University
1. What must I do to comply with the new privacy legislation?
2. When can I share information?
3. Should I even be creating a record?
3
Access & Privacy Context
University Policies (e.g. RM)
Employee Agreements (e.g. HR)
FIPPA (Public sector)
PHIPA (Health sector)
PIPEDA (Private sector)
MTCU (Universities)
Other
4
University Access and Privacy Policy
http://www.uoguelph.ca/secretariat/privacy.shtml
Accountable
Disseminate operational information
Protect personal privacy
Maintain accurate personal information
Use information for consistent purposes
Integrity
5
UG Records Management Policy
http://www.uoguelph.ca/secretariat/records.shtml
Develop retention and disposition schedules
Manage records according to this RM policy
Involve Records Coordinator in RM developmental processes
6
Principles
PRIVACY
Individual has right to “control” collection, use, disclosure of their own personal information
University must protect private information from third-parties
ACCESS
Individuals can request access to their own personal information at the University
Individuals can request access to records at the University (under FIPPA, not PIPEDA)
Exemptions should be limited and specific
versus
7
FIPPA Legislation is to Access and Privacy What…
Occupational health and safety legislation is to safety in the workplace
Environmental legislation is to stewardship of the environment
School board legislation is to learning
Rule of thumb: FIPPA is just a piece of legislation; access and privacy is the culture
8
Access to what?
All recorded information, however recorded, including:
– Drafts, post-it notes, hard drive files, BlackBerry, email, voice mail, agendas, address books
Expense accounts and receipts
E-mails
Briefing notes – briefing binders
Correspondence
Amount of money spent on various programs
Tenders/Bids
Consultants (e.g. names, amount spent, work done, selection process)
9
What is personally identifiable information?
Key term:
– Identifiable
– Name
– Photo
– Student ID #
Rule of thumb: Context is everything!
10
Means of Access
INFORMAL ACCESS
Active Dissemination (AD)
– Website, reports, etc.
Routine Disclosure (RD)
– Release of general records on request
– E.g. request to see one’s own health record
FORMAL ACCESS
FIPPA Request
– E.g. formal PHIPA request to see one’s own health record
Rule of thumb: No automatic requirement to invoke FIPPA
11
FIPPA Request Process
Requester must:
– Submit written request
– Indicate request is made under FIPPA
– Pay $5.00 fee
University must:
– Process FIPPA request within 30 calendar days
12
FIPPA Exclusions
Archival records of University—s.65(1)
– Only private donations are excluded
Labour relations & employment related information—s.65(6)
– Therefore personnel files function under Employee Agreements and/or HR policies, not FIPPA
– Exception: Expense claims and agreements—s.65(7)
Research & teaching materials—s.65(8.1)
– Exception: Subject matter/amount of funding for research—s.65(9)
– Exception: Evaluative/opinion/eligibility qualifications for teaching materials—s.65(10)
Health information is also not under FIPPA—other than formal request process
13
FIPPA Exemptions
Mandatory
– Third-party Information—s.17(1)
– Personal Privacy—s.21
Discretionary
– Advice/Recommendations—s.13(1)
– Law Enforcement—s.14(1)
– Economic and Other Interests—s.18
– Educational tests—s.18(1h)
– Solicitor-Client Privilege—s.19
– Danger to Safety or Health—s.20
– Information to be published—s.22
14
Case 1: External
Access to:
– Invoices?
– Expense Reports?
– Minutes?
– Reference Letters?
15
Case 2: Internal
Access to:
– Student Information?
– Employee Information?
The “University Circle” (video clip)
See also: Privacy Impact Checklist
16
Summary: Records Creation Awareness
Today’s memo could be tomorrow’s headline
Good records management is vital
Create records with access in mind:
– Consider possible future release of information at time the records are created—protect personal information as appropriate
– Better than email/fax disclaimers!
17
Easy Steps to Privacy Protection
1. Restrict access to client information to those that need to know.
2. Ensure client information is not visible or accessible to others.
3. Do not discuss client information in places where others may overhear
4. Do not share existing passwords with anyone or give old passwords to new employees when contractor leaves.
5. Discard old or used client information appropriately
1. Collection
2. Use
3. Disclosure
4. Retention
5. Disposition
versus
18
Why Privacy?
Privacy is:
1. The right to be let alone.
2. The right to control one’s personal information.
One purpose of privacy regulations is to help protect people against the unwanted sharing of personal information.
19
Principles
PRIVACY
Individual has right to “control” collection, use, disclosure of their own personal information
University must protect private information from third-parties
Security does not equal privacy
ACCESS
Individuals can request access to their own personal information at the University
Individuals can request access to records at the University (under FIPPA, not PIPEDA)
Exemptions should be limited and specific
versus
Balance
20
Strong Privacy Compromises Security
e.g. Terrorist anonymity
Privacy
Security
21
Strong Security Limits Privacy
e.g. Digital Trail
Privacy
Security
22
Privacy & Security
Privacy and security rely on trust:
– Trust in policy (to provide rules and guidance)
– Trust in process (to ensure compliance)
– Trust in technology (to deliver anticipated results)
– Trust in people (to act responsibly)
23
If You Wanted to Know…
What must I do to comply with the new policies/legislation?
24
Notices—s.39(2); 41(1)
(PHIPA or PIPEDA = obtain direct consent not notice)
Must provide notice to individual indicating:
Legal authority for the collection of information
– What gives the University the right to collect this?
Purpose for which it is intended
– How will the University use this information?
Business contact info for questions
– Who do I contact if I have questions about how my information is being used?
25
AND…
26
Retention & Disposition
Must maintain personal info at least 1 year after last use—s.40(1); Reg.460, s.5
Must maintain record of information destroyed (without revealing personal info)—s.40(4); Reg.459,s.6
See also: sample disposal record
27
If You Wanted to Know…
When can I share information?
28
Look to Your Notice!
“Consistent purpose” requires that individual might reasonably have expected the use or disclosure at time info was collected
Consistent purpose therefore depends on the collection notice and what (reasonable) expectations it creates
See also: Privacy Impact Checklist University Circle
29
Above All: Consistent Purpose—s.41(1.b)
Requires that individual might reasonably have expected the use or disclosure at time info was collected
Consistent purpose therefore depends on the collection notice and what (reasonable) expectations it creates
30
Case 3: “Necessary and Appropriate”
Too much information (video clip)
31
Fair Information Practices
Accountability
Consent
Limiting use, disclosure, and retention
Safeguards
Individual access
Identifying purposes
Limiting collection
Accuracy
Openness
Challenging compliance
32
The Importance of Accuracy
33
Privacy Breaches Do Happen
34
Be prepared to answer questions such as…
35
Five Key Questions
Why are you asking for this information?
How will my information be used?
Who will be able to see my information?
Will there be any secondary uses?
How can I control my data?
36
Case 4: “Breach”
Theft (video clip)
Audio space (video clip)
37
If a Privacy Breach Occurs
Notify the University Secretariat of a privacy breach involving personal information
An investigation will most likely result
38
Managing Breach: Protocol
1. Inform your manager
– Manager will notify University Secretariat and/or University Legal counsel
2. Identify the scope
– What personal information was involved?
– Who had unauthorized access to personal information?
3. Contain the breach
– Suspend the process/activity that caused breach
– Retrieve records
4. Notify
– Individuals whose privacy was breached
– University Secretariat will notify IPC if required
39
Preventing Future Breaches
Educate staff about the privacy rules and privacy regulations
Ensure staff is aware of the consequences of a privacy breach
Each person is accountable for personal information in their custody
Staff should err on the side of protecting privacy
– Or should they? E.g. Virginia Tech.
Staff should contact the program manager and/or University Secretariat for advice
40
Risk-based Prioritization
Privacy planning is more effective if approached from a risk management perspective than a legal compliance perspective
Risk management permits the efficient allocation of resources
In contrast, legal compliance requires the allocation of resources to all compliance issues regardless of risk
Contact the Secretariat about available assessment options
41
Risk Map
[Figure: Risk Map with Risk Mitigation Status. Axes: Impact and Likelihood, each from Very Low to Very High, with a Default Risk Tolerance Line. Plotted risks: 1. Prevention of Medication Errors; 2. Resource Issues; 3. Disaster Preparedness; 4. Adequacy of Security Practices. Status legend: Action not yet started; No progress reported; Moderate progress reported; Evidential progress reported; Action successfully completed.]
42
Summary
Periodically review/audit and ensure appropriate processes and practices are in place re: collection, use, disclosure, retention and disposal of personal information
– E.g. Do we really need SINs? How long do we really need to retain resumes?
Build in privacy
– Design collection processes to limit and protect personal information
– Put system in place to update Secretariat when new information is being collected or shared so we can advise on making it FIPPA compliant
Rule of thumb: Data minimization!
43
Lessons Learned cont’d
Know where your personal information is
– Conduct personal info inventory, including portable computing & storage devices and paper records
Say what you do with personal information
– Post clear notices of privacy practices on Web sites, in offices, and whenever collecting personal info
Do what you say in managing personal information
– Monitor compliance with laws and policies, including content monitoring of Web sites and e-mail
Consider implementing Clean Desk / Clean Drive policy
44
Case 5
Should I create a record?
45
Ask:
Is there an operational need to create a record?
What does the record need to say/contain?
What does the record NOT need to say/contain?
Who should create / hold / access the record?
How are drafts / copies tracked and final version identified?
How are retention and destruction addressed?
See also: Note-taking tip sheets
46
Things To Take Away
Secretariat is coordinating FIPPA-related processes
Secretariat is contact-point for specific concerns
Secretariat will share information through Liaison Network
47
Questions?
Chris Graves
University Records Management Coordinator
Phone: 519-824-4120 Ext. 56103
Fax: 519-767-1350
Email: c.graves@exec.uoguelph.ca