Date post: 19-Dec-2015
Privacy in a School Setting Angela Markel, Portfolio Officer Office of the Saskatchewan Information and Privacy Commissioner

Privacy in a School Setting

Angela Markel, Portfolio Officer
Office of the Saskatchewan Information and Privacy Commissioner


February 18, 2010 2

This slide left blank intentionally


What are the Laws?

• Federal Legislation:
  – Access to Information Act (ATIA)
  – Privacy Act
  – Personal Information Protection and Electronic Documents Act (PIPEDA)

• Provincial Legislation:
  – The Privacy Act
  – The Freedom of Information and Protection of Privacy Act (FOIP)
  – The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP)
  – The Health Information Protection Act (HIPA)


Saskatchewan Information and Privacy Commissioner

Oversees 3 statutes:
• The Freedom of Information and Protection of Privacy Act (FOIP)
• The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP)
• The Health Information Protection Act (HIPA)

• Appointed by Legislative Assembly
• 5 year term
• Right of appeal to Q.B.


OIPC Mandate

• Comment on privacy implications of proposed legislation/programs

• Recommend changes in collection, use and disclosure practices

• Recommend destruction of improperly collected personal information

• Authorize indirect collection

• Carry out investigations to ensure compliance

• Review decisions of public bodies

• Undertake public education on access and privacy matters

• Submit Annual Report to Legislative Assembly


OIPC Activities

– Reports (investigations and reviews)
– FOIP FOLIO (e-newsletter)
– Resource Materials
  • Video surveillance guidelines
  • Faxing Guidelines
  • Best Practices – Mobile Device Security
  • Privacy Breach Guidelines
  • Pamphlets
– “Helpful Tips”
– Annual Reports


Public information must be accessible;

Personal information must be protected.


The Health Information Protection Act

• In force since Sept. 1, 2003
• HIPA applies to trustees:
  – Government institutions (includes Crown Corporations)
  – Regional health authorities
  – Health professionals
  – Ambulance operators
  – Pharmacies
  – Medical laboratories
  with custody or control of personal health information

• Sets out rules for the collection, use and disclosure of personal health information


What is ‘Personal Health Information’?

• Personal health information includes:
  – Physical or mental health of individual
  – Any health service provided to the individual
  – Registration information
  – Information collected in the course of, or incidentally to, the provision of health services


HIPA does not apply to:

• Statistical / De-identified health information

• PHI of a person who has been deceased for more than 30 years

• Records that are more than 120 years old


HIPA Basics

• Facilitates information sharing within the ‘circle of care’

• Limits sharing outside that ‘circle of care’

• “Need to Know” Principle

• Three forms of consent
  • Express, implied, deemed

• Right of complaint to the OIPC


The Freedom of Information and Protection of Privacy Act

• In force since 1992

• Applies to government institutions:
  – Government ministries, agencies, boards, commissions, Crown Corporations

• Entities under contract to a government institution may have records under the control of a government institution


The Local Authority Freedom of Information and Protection of Privacy Act

• In force since 1993
• Applies to local authorities:
  – Universities and Colleges
  – Regional health authorities
  – School and library boards
  – Municipalities, cities and towns
• Also, a local authority’s contractors


FOIP & LA FOIP

• Parts II & III deal with access
  – Sets out the rules for access to records in the possession or under the control of a public body; exceptions are limited and specific; provides right to request correction / amendment

• Part IV deals with privacy
  • Governs the collection, use and disclosure of personal information in the possession or control of a public body

• Provides a right to complain to the Commissioner


Other Relevant Laws

• The Education Act
• The Child and Family Services Act
• The Children’s Law Act
• The Emergency Protection for Victims of Child Sexual Abuse and Exploitation Act
• The Public Health Act
• The Mental Health Service Act
• Youth Criminal Justice Act (federal)
• Divorce Act (federal)


Surrogates

• Clarifies who may act on your behalf:
  – Personal representative of deceased estate
  – Legal guardian
  – Attorney under power of attorney
  – Legal custodian - where the individual is under 18 and the exercise of the right under the legislation would not constitute an unreasonable invasion of privacy of that individual
  – By anyone with written authorization from the individual


Custody & Access Issues

• The Children’s Law Act provides that:

9(2) Unless otherwise ordered by the court, a parent who is granted access to a child has the same right as the custodial parent to make inquiries and be given information concerning the health, education and welfare of the child.

• However, having the right to “make inquiries and be given information” does not necessarily equate to the non-custodial parent being allowed to act on behalf of the child, as a surrogate does under FOIP/LA FOIP. Thus, need to consider what information is being sought and what actions are purported to be taken on the child’s behalf. Surrogacy provisions cannot be used to obtain records to further the parent’s own personal objectives.


PROTECTION OF PRIVACY


What is ‘privacy’?

• Not defined by privacy laws

• Privacy definitions:
  – Right to be free from intrusion or interference
  – Right to be left or let alone

• Different dimensions:
  – Physical or bodily privacy
  – Territorial privacy
  – Privacy of communications
  – Information or data privacy


It’s all about me

• Information privacy is defined as:
  – Right of an individual to determine for him/herself when, how and to what extent he/she will share his/her ‘personal information’

• ‘Personal information’ is:
  – Generally, it is information about an identifiable individual
  – Defined by the applicable privacy law


It’s all about me

• What is not personal information
  – No concern if de-identified, provided as statistics only, or as aggregate data
  – Employment specific information (i.e. business card information, job duties, salary, etc)
  – However, employment history is personal information


Personal Information

• About an identifiable individual that is recorded in any form and includes:
  – Name, if appears with other personal info or if the name itself would reveal personal information about the individual
  – Race, creed, religion, colour, sex, sexual orientation, family status, marital status, disability, age, nationality, ancestry or place of origin
  – Education, criminal, employment or financial history
  – Health history or health care received
  – Identifying number, symbol


Personal Information

• About an identifiable individual that is recorded in any form and includes:
  – Contact information (home or business address, phone #), fingerprints, blood type
  – Confidential correspondence to a local authority (except if your views or opinions about another)
  – Opinions of another about you
  – Your personal opinions (unless about another person)
  – Information on a tax return
  – Information describing someone’s finances, assets, liabilities or credit worthiness


NOT Personal Information

• Classification, salary of officer or employee (past or present)

• Personal opinions in the course of work (other than about another person)

• Details of contract for personal services

• Details of a license, permit or discretionary benefit/financial benefit granted by a local authority to an individual

• Traveling expenses of individual paid by a local authority

• Academic ranks or departmental designations of members of faculties of U of S and U of R

• Degrees, certificates, or diplomas received from SIAST, U of R and U of S

• Discretionary benefits


[Figure: diagram labelled “Public Information” and “Potentially Damaging”, with example items: My name & work address; Age; My SIN number; I am HIV positive; My opinion of you]


What does CUD have to do with it?


Collection

• For a purpose that relates to an existing or proposed program or activity of the local authority

• Collect directly where reasonably practicable unless…
  • it would result in inaccurate information; or
  • defeat the purpose; or
  • prejudice the use
  – inform the individual why the information was collected

• If you collect it, you must keep it accurate and complete


Use

• Sharing of information within a public body is a use

• Use with consent unless:
  – For purposes of collection for which it was obtained or a consistent purpose
  – For purposes permitted as specified
    • This is discussed under disclosures

• ‘Need to know’ principle

• Restrict to least amount of identifying information necessary for the purpose


Disclosure

• “To give out, release or make available”

• Sharing of information outside of the public body is a disclosure

• Disclose only with consent unless…
  – One of 20 different circumstances applies (plus more in the Regulations)
    • Examples: for providing an employment reference, where necessary to protect the mental or physical health or safety of an individual, where disclosure may reasonably be expected to assist in the provision of services for the benefit of the individual.


Disclosure Request by Police or Social Services

• As with any request for disclosure by external parties without consent, the onus is on the requestor to provide authority for the disclosure

• FOIP/LA FOIP/HIPA has provisions for disclosure without consent to occur for purposes of law enforcement and health or safety matters

• In addition, disclosure is allowed if authorized by another piece of legislation

• However, as the public body responsible for the personal information you must be satisfied that the requirements of the legislation have been met in the circumstances


Did privacy laws prevent disclosure?

• February 2004, 18 year old UBC student commits suicide in her Vancouver dormitory.

• Girl was suffering from severe depression. One month earlier, she attempted suicide and was hospitalized.

• The university and hospital both had knowledge but did not inform the girl’s family.

• University and hospital staff claimed privacy laws prevented them from informing the girl’s parents.


Criteria for making assessment

• Criteria used in other provinces to make this decision include:
  • must be a reasonable expectation of probable harm;
  • harm must constitute damage or detriment and not mere inconvenience; and
  • must be a causal connection between disclosure and the anticipated harm.

• An assessment of the risk must be made and a determination of whether there are reasonable grounds for concluding there is a danger to the health or safety of any person. That assessment must be specific to the circumstances of the case under consideration.

*See Alta OIPC Orders 96-003 and 96-004 and British Columbia OIPC Order PO6-02


Privacy laws contemplate potential harm

• Risks to health (mental or physical) or safety to self or others
  – Uses and Disclosures without consent
    • FOIP section 29(2)(m) and LA FOIP section 28(2)(l):
      – “where necessary to protect the mental or physical health or safety of any individual”
    • HIPA section 27(4)(a):
      – where the trustee believes, on reasonable grounds, that the disclosure will avoid or minimize a danger to the health or safety of any person


Criteria to Examine

• “Physical health” refers to the well-being of an individual’s physical body - relative to injury, illness or disease.

• “Mental health” refers to the functioning of a person’s mind – may involve distress, suffering, or functional impairment.
  – “Inconvenience, upset or unpleasantness of dealing with a difficult or unreasonable person” is not sufficient

• "Safety" generally means the condition of being safe; freedom from danger or risks.

• Generally there is little or no discernible difference between endangering someone’s “physical and mental health” or endangering their “safety”.


Access to Personal Information

• Right of access to personal information

• May be refused if provided in confidence and information to measure the suitability for employment, or if evaluative or opinion

• Application for personal information on behalf of another person exists

• Right to request correction

• Rights of a third party to receive written notice of an intent to disclose personal information about him/herself


Case Study
Fogal v. Regina School Division No. 4

• Appeal from decision of Information and Privacy Commissioner to Court of Queen’s Bench

• Background:
  – Teacher with 20+ years experience was told, “you will be placed on extensive performance evaluation process commencing February 5, 2001 due to parental concerns”.
  – On behalf of Fogal the STF applied for access to records (parent’s comments) from the Board of Education
  – The Board denied the request as it contained, “personal information that is of an evaluative or opinion material compiled solely for the purpose of determining the individual’s suitability, eligibility or qualifications for employment” – section 30(2) of LA FOIP

• Was the board right to deny the request?


Case Study
Fogal v. Regina School Division No. 4

• At issue – Was it her personal information?
  – Yes - the views or opinions of another person about a teacher
    • section 23(1)(h) of LA FOIP

• Is the Board of Education entitled to rely on the exemption contained in section 30(2) of LA FOIP?
  – Yes. This section does not just apply to information compiled at the time of hiring. The court ruled that the board was entitled to withhold the documents.


Consent

• Consent cures all
• Must be in writing unless it is not “reasonably practicable” to obtain written consent
• Informed consent:
  – Requires that the person consenting:
    • understands the exact nature of the information for which consent is sought;
    • understands the potential consequences of signing the consent; and
    • is given the right to revoke consent at any time.


Other Key Terms

• Confidentiality
  • Obligation to protect the information entrusted to an organization

• Security
  • Assessing threats & risks to information and taking steps to protect


Adequate Safeguards

• To prevent privacy breaches
  – Physical safeguards:
    • locked doors/filing cabinets
    • Proper Disposal Methods
  – Administrative safeguards
    • Orientation & Training
    • Policies and Procedures
  – Technical safeguards
    • User IDs and passwords
    • Firewalls and encryption of data


“All the security in the world will not help if the employees keep their passwords in an unlocked desk drawer”


When does a Privacy Breach occur?

• When there is an unauthorized collection, use or disclosure of information about an identifiable individual

• May be a verbal breach or involve recorded personal information

• May be accidental or intentional

• May be one time occurrence or due to systemic inadequacies

• Often predictable


How to respond prior to involvement of OIPC

1. Take immediate action to stop breach and secure the affected records, systems or websites.

2. Ensure appropriate officials are notified including the Privacy Officer, the head and/or designate, and police if necessary.

3. Conduct an internal investigation (informal or formal)
   a. Document details of the privacy breach
   b. Evaluate the risks (immediate and ongoing)
   c. Inventory and review safeguards in place prior to incident
   d. Findings and recommendations
   e. Write report or summary, as appropriate/warranted


How to respond

4. Try to resolve affected individual’s complaints informally at the onset of the complaint if individual is already aware of incident

5. Consider whether to:
   • Notify the Commissioner
   • The individual whose personal information has been wrongly disclosed, stolen or lost (if unaware).

6. Prevention and follow-up: implementation of plan and ongoing monitoring


Role of the OIPC

• Not an advocate for either the complainant or public body

• Role is to investigate and determine if a public body’s actions were in contravention of FOIP/LA FOIP and/or HIPA

• Will provide analysis, findings and recommendations to public body which may result in an informal resolution


OIPC Investigation

• During the inquiry, OIPC may request the following:
  – A copy of the public body’s internal investigation report, if one prepared
  – The public body’s position in writing
  – Additional documentation of steps/actions taken and safeguards in place at time of incident
  – Copies of any relevant contracts, PIAs, information sharing agreements, MOUs, etc.
  – To interview witnesses
  – To attend on site for various purposes (i.e. observe work processes, capabilities of technology, etc.)


Current Issues

• Video Surveillance
  – Safety vs. privacy

• School Web-sites
  – Sharing of general school information
  – Personal information of students and staff

• Data Mining
  – Identity Theft
  – Child Protection issues


Questions ??


Contact Information

Office of the Saskatchewan Information and Privacy Commissioner

503-1801 Hamilton Street
REGINA, SK S4P 4B4

Phone: (306) 787-8350
Fax: (306) 798-1603

Email: [email protected]
www.oipc.sk.ca
