Overview of the
Freedom of Information and
Protection of Privacy Act
What do I need to know?
Office of the Chief
Information Officer
Overview
An overview of the Freedom of Information
and Protection of Privacy Act (FOIPPA)
including:
Purpose and Scope of the legislation
Exceptions to Disclosure
Privacy Requirements
Freedom of Information and
Protection of Privacy Act of
BC
Legislation was proclaimed on
Oct 4, 1993.
Intended Effect of the Act
According to the Supreme Court of Canada:
The overarching purpose of access to information
legislation…is to facilitate democracy. It does so in
two related ways. It helps to ensure first, that citizens
have the information required to participate
meaningfully in the democratic process and secondly,
that politicians and bureaucrats remain accountable
to the citizenry...
Access and Privacy Legislation
• Freedom of Information and Protection of Privacy Act (FOIPP Act)
• Personal Information Protection Acts (PIPA)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Canada’s Access to Information Act
• Canada’s Privacy Act
British Columbia’s
Health Information Legislation
Pharmacists, Pharmacy Operations and
Drug Scheduling Act – (PPODS)
Pharmacy Operations and Drug Scheduling
Act – (PODSA)
Medicare Protection Act
E-Health (Health Information Protection and
Privacy) Act
Public Health Act (currently the Health Act)
British Columbia’s
E-Health Legislation
• Foundation legislation to support the
electronic health record
• Enables the designation of Health
Information Banks
• Enables individuals to put Disclosure
Directives on personal information in a
Health Information Bank
British Columbia’s
E-Health Legislation
• Establishes the Data Stewardship
Committee
• Data Stewardship Committee is the
vehicle for disclosure of personal health
information from a HIB
FOIPPA
The Act is divided into 6 parts
Part One
Introductory Provisions
Part Two
Information Rights and How to Exercise Them
Exceptions to the Act
Notice to 3rd Parties
Public Interest Paramount
Part Three
Protection of Privacy
Collection, Protection and Retention,
Use and Disclosure
Part Four
Office and Powers of the IP Commissioner
Part Five
Reviews and Complaints
Part Six
General Provisions
Fees, Delegations, etc...
Purpose
• Not intended to replace other procedures for
access to information
• Accountability to the public
• Protection of Privacy
• Provides an individual with an independent
review of decisions of Public Bodies
regarding release of information
Office of the Information & Privacy Commissioner
• Established in 1993
• Independent review of access to information decisions made by public bodies under the Freedom of Information and Protection of Privacy Act
• OIPC investigates complaints that public bodies have failed to comply with privacy protection provisions of the legislation, which also restricts the collection, use and disclosure of personal information
• The Information and Privacy Commissioner is also responsible for overseeing compliance by private sector organizations with the Personal Information Protection Act (PIPA).
Who is Covered by the Act?
• All provincial ministries, provincial agencies, boards,
commissions, crown corporations and smaller
agencies
• Local public bodies
– school districts
– colleges and universities
• Regional health boards & community health councils
• Governing bodies of Professions
Act applies to:
All records in the custody or control of
the public body
– Books, documents, maps, drawings,
photographs, letters, vouchers, papers,
etc.
– anything on which information is recorded
or stored by graphic, electronic or other
means
What if the Public Body Doesn’t Have Custody?
Example
• Hospital hires a private consultant to prepare a report on the use of MRI machines
• Hospital reads and then disposes of the report as required by record retention schedule
• General request is received under the FOIPP Act for a copy of the report
• Can the hospital argue it doesn’t have a copy of the record, only the consultant has custody (and the consultant is not covered by the FOIPP Act)?
Making a request
Tips on making an
information
request
Must make a written request
Provide sufficient detail to allow public body to
identify the records sought
Submit to the public body who you believe has
custody and control of the records
Remain in contact with the FOI Analyst
May ask for a copy or to examine record
Must provide proof of authority if acting for
another person
Common situation
Information or Records?
• Do you want answers to
questions or do they
want records?
• Remember - The
legislation refers to
records.
Question
• Applicant handwrites a letter to the public body, providing his name and address, and stating the following:
“I would like a copy of John Smith’s Report dated June 1, 2007”
• Applicant fails to use the formal FOI request form or even cite the FOIPP Act
What are the public body’s obligations?
What form of request is needed
Would the following be acceptable?
• Request submitted on the FOI form
• Letter to the public body
• Email to the public body
• Fax to the public body
• Phone call to the public body
• A crumpled napkin
• Dirty Sock with request written
Table exercise one
• School counsellor interviews a 17 year old girl
• Her mother (separated from her spouse) makes
an FOI request for the interview notes
• She produces a Court Order saying she has
custody
1. Are the daughter’s age and capabilities
relevant?
2. If you were the analyst how would you process
this request, and what considerations would
you make?
Table exercise 2
• A 16 year old boy commits suicide
• The school finds a suicide note and gives it
to the investigating coroner’s office
• The boy’s father (who has custody) makes an
FOI request for the note.
Should he get a copy of the suicide note so
he can put his mind at ease?
What were some of the items to consider in
making this decision?
Table exercise 3
• School counsellor interviews a 7 year old girl
• The girl’s father (separated from his wife) wants
copies of the interview notes
• Although the father doesn’t have custody, he
points out to the school that the Divorce Act
gives him the right to make inquiries and to be
given information about his child’s education
and health.
Should the school give him a copy of the notes?
Timelines and Fees
Timeline for Responding
• 30 business days to respond to a request
• Public body may extend the timeline
• Further extensions may be granted
Fees may be charged
Fees
Cannot charge fees for:
Applicant’s own personal information
First 3 hours of search for records
Time spent severing a record
Written estimates must be provided
Applicants may request a fee waiver
Fees prescribed by regulation
You receive your requested
records but portions of the
documents have been removed
WHY?
Two types of exceptions:
mandatory and
discretionary
Section 12: Cabinet Confidences
Section 13: Policy Advice or Recommendations
Section 14: Solicitor Client Privilege
Section 15: Disclosure Harmful to Law Enforcement
Section 16: Harmful to Intergovernmental Relations or Negotiations
Section 17: Disclosure Harmful to Financial Interests of the Public Body
Section 18: Disclosure Harmful to the Conservation of Heritage Sites
Section 19: Disclosure Harmful to Individual or Public Safety
Section 20: Information that will be published or released within 60 days
Section 21: Disclosure Harmful to the Business Interests of a Third Party
Section 22: Disclosure Harmful to Personal Privacy
WHAT IS PERSONAL INFORMATION?
Section 25: Public Interest Paramount
Overrides any other provision of the Act
Information
• Trade secrets—specifications for a piece of specialized lab equipment developed by a private company’s research
• Information related to an individual’s eligibility for income assistance or social assistance
• An incident form completed by staff in unusual detail because an injured client was threatening to go to Court for compensation
• A Treasury Board submission
• Transcripts of a confidential meeting between western province premiers
• Government publications available at university bookstores or other retail sources
• A prehistoric village or similar archaeological site could be damaged through vandalism or looting if its whereabouts are revealed
• Recommendations provided to a public body on how to deal with a financial surplus
• Information on the government’s investment strategies which affects the government’s interests or future position in the financial market
• An emergency radio broadcast advising the public of the presence of the polio virus in the public drinking water
• Information about the location of a transition house
• An audit report setting out weaknesses in the security of the public body’s office building
Different Sections
• s. 12: Cabinet and local public body confidences
• s. 13: Advice or Recommendations
• s. 14: Legal advice
• s. 15: Disclosure harmful to law enforcement
• s. 16: Disclosure harmful to Intergovernmental relations or negotiations
• s. 17: Disclosure harmful to financial or economic interests of a public body
• s. 18: Disclosure harmful to the conservation of heritage sites, etc.
• s. 19: Disclosure harmful to individual or public safety
• s. 20: Information that will be published or released within 60 days
• s. 21: Disclosure harmful to business interests of a third party
• s. 22: Disclosure harmful to personal privacy
• s. 25: Information must be disclosed if in the public interest
Information (with matching section)
• Trade secrets—specifications for a piece of specialized lab equipment developed by a private company’s research: S21
• Information related to an individual’s eligibility for income assistance or social assistance: S22
• An incident form completed by staff in unusual detail because an injured client was threatening to go to Court for compensation: S14
• A Treasury Board submission: S12
• Transcripts of a confidential meeting between western province premiers: S16
• Government publications available at university bookstores or other retail sources: S20
• A prehistoric village or similar archaeological site could be damaged through vandalism or looting if its whereabouts are revealed: S18
• Recommendations provided to a public body on how to deal with a financial surplus: S13
• Information on the government’s investment strategies which affects the government’s interests or future position in the financial market: S17
• An emergency radio broadcast advising the public of the presence of the polio virus in the public drinking water: S25
• Information about the location of a transition house: S19
• An audit report setting out weaknesses in the security of the public body’s office building: S15
Protection of Privacy
What is privacy?
None of the statutes define
“privacy” but aim to achieve it
with rules for how personal
information is to be collected,
used and disclosed.
FAIR INFORMATION PRACTICES
• Understands purpose of Program and use of their information
• Has access to own personal file
• Knows who to contact for queries re: collection/use
• Directly provides personal information
• Can request corrections and updates to own information
• Understands and consents to record linkages
• Authorises indirect collection of personal information
• Is protected from unauthorised access/disclosure of personal information
• Information is only retained for as long as is necessary
• Only provides information that is necessary to the program
Collection of Personal Information
• Personal information can only be collected if:
– Authorized by or under an Act
– For law enforcement
– If necessary for an operating program or activity
• Consent is not an authority for collection
Collection
• Information must be collected directly from the
individual, except in limited circumstances
• Must notify the individual of the purpose, the legal
authority, and who to contact with questions, except
in limited circumstances.
Use of Personal Information (s.32)
• A public body may only use personal information:
– For the purpose for which it was obtained or compiled, or for a consistent purpose.
– If the individual has consented to another use
– For the purpose for which the personal information has been disclosed to it under the Act.
• A consistent purpose (s.34):
– has a reasonable connection to the original purpose, and
– is necessary to perform the duties of, or for operating a legally authorized program of, the public body
Disclosure of Personal Information (ss. 33, 33.1, 33.2)
• Disclosure only in limited circumstances. For example:
– Consent
– For the purpose for which it was obtained or compiled or a consistent purpose
– If an enactment authorizes disclosure
– To comply with a subpoena, warrant, or order
Section 35 - FOIPPA
Disclosure for research
or statistical purposes
Information Sharing
Agreements
Where there is systematic,
regular and ongoing disclosure
of personal information between
public bodies or between a
public body and an external
agency.
Privacy Protection
Schedules
Forms part of the contract
with service providers
Security measures
A public body must make reasonable
security arrangements to protect
personal information
Crossing the Border
The USA PATRIOT Act, signed into law on
October 26, 2001.
The acronym stands for Uniting and Strengthening
America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism Act
of 2001
Approaches to security
• Make sure electronic systems are encrypted, password protected, firewalls established, etc.
• The more sensitive the personal information, the greater the care that should be taken
Always need to consider –
Is this enough?
Privacy and the administration of
personal information
• Organizations and public bodies have millions of
pieces of personal information, on paper, in
databases, on laptops, etc.
• What tools are available to keep track of this
information and ensure it is administered
appropriately?
TABLE EXERCISE
At your tables discuss the scenario below and what some of your
suggestions would be for Sally when you see her on Monday morning.
It is late on a Friday afternoon and Sally is running a bit behind. Her impatient
teenaged daughter is sitting next to her in her office waiting for Sally to finish up.
She completes her online assessment of eligibility for a client and is about to
logout when her phone rings. She answers and has a brief discussion about the
psychological condition of another client. By now her daughter is quite impatient
and has started leafing through documents on the desk. Sally ends her call,
throws some duplicate medical reports into her recycling box under her desk and
heads for the door. She doesn’t bother locking her office door because she
knows the cleaner usually vacuums on Fridays. She is almost out of the office
when she realizes she forgot to give a co-worker a phone message from one of
his clients. She says hello to the cleaners and then yells to her co-worker, who is
just down the hallway, advising him to call the client who is suffering a recurrence
of his persistent lumbago.
What is your security diagnosis for Sally?
Privacy Impact Assessments
What are they?
Freedom of Information and Protection of Privacy Act
What is the purpose of the Act?
Review
The Act provides public access to "records". What is a record?
Who is covered by the Act?
What is the time limit for responding to a formal FOI request?
Does the information your supervisor provides about you in a
reference check belong to you or to your supervisor?
Embarrassing information can be excepted from disclosure under the
Act. True or False?
One public body cannot share personal information with another
public body. True or False?
What would you do?
• An applicant has requested a briefing note prepared for the
minister regarding a proposed new school under FOI. The
briefing note contains background information, analysis,
options as well as recommendations. What exceptions might
apply to which part of the briefing note?
• A ministry hires a contractor to deliver a program on its behalf.
Are the records that the contractor creates and the contract
subject to the Act?
• An individual calls your office claiming that he is a police
officer and wants to know the home address of one of your
employees. What do you do?
• A ministry client has behaved violently in the past when
dealing with members of your Branch. The individual’s file has
been annotated with a warning about this behaviour. Can this
information be shared with other staff members so that they
can take precautions when dealing with the individual?
Useful Links
• Knowledge and Information Services Branch, OCIO: http://www.cio.gov.bc.ca/services/privacy/default.asp
• The Freedom of Information and Protection of Privacy Act: www.qp.gov.bc.ca/statreg/stat/F/96165_00.htm
• Office of the Information and Privacy Commissioner for B.C.: www.oipc.bc.ca
• On-line Training: www.openschool.bc.ca/foippa/
• Privacy Impact Assessment Template: http://www.cio.gov.bc.ca/services/privacy/Public_Sector/PIA/default.asp
Thank you