Upload
bevis
View
29
Download
1
Tags:
Embed Size (px)
DESCRIPTION
Protecting and Managing Personal Information: Custody, Freedom of Information Requests, and Bill 168. Andrew N. Zabrovsky Hicks Morley Hamilton Stewart Storie LLP 416-864-7536 [email protected]. What is “personal information?”. Information about an “identifiable individual” - PowerPoint PPT Presentation
Citation preview
1
Protecting and Managing Personal Information: Custody, Freedom of Information Requests, and Bill 168
Andrew N. ZabrovskyHicks Morley Hamilton Stewart Storie [email protected]
London Region MISA PIM Training WorkshopFebruary 10, 2011
What is “personal information?”
• Information about an “identifiable individual”• MFIPPA, section 2(1):
• Personal Characteristics (race, sex, nationality, etc.)• Education• Medical, psychiatric, psychological• Criminal background• Employment history
London Region MISA PIM Training WorkshopFebruary 10, 2011
What is “personal information”
• MFIPPA, section 2(1) (continued):• Identifying numbers attached to an individual (SIN)• Address, telephone• Private correspondence• Opinions of or about an individual
• Not business contact info• Not public records or records of individuals acting
in a business or professional capacity
London Region MISA PIM Training WorkshopFebruary 10, 2011
4
How MFIPPA Works
• Two central MFIPPA principles• Privacy/Protection of personal information • Access to information (FOI Requests)
London Region MISA PIM Training WorkshopFebruary 10, 2011
5
How MFIPPA Works
• What does MFIPPA do?• Administrative obligations• Right of access• Collection, use and disclosure of information• Information security
London Region MISA PIM Training WorkshopFebruary 10, 2011
6
How MFIPPA Works
• What does MFIPPA do?• Minimum retention• Accuracy of records• Personal information banks• Enforcement
London Region MISA PIM Training WorkshopFebruary 10, 2011
7
How MFIPPA Works
• The Act regulates…• Collection, use and disclosure• Retention• Security• Accuracy
London Region MISA PIM Training WorkshopFebruary 10, 2011
8
How MFIPPA Works
• Disclosure (sections 31-33)• To the individual him/herself• Consent• Purpose obtained or consistent purpose• Within institution on need to know basis and in
discharging institution’s function• To comply with statute
London Region MISA PIM Training WorkshopFebruary 10, 2011
9
How MFIPPA Works
• Disclosure• Officer/employee/consultant/agent who needs
information and “necessary and proper”• Between law enforcement institutions• To aid a law enforcement investigation• Health and safety (“compelling circumstances”)• Contact with next of kin
London Region MISA PIM Training WorkshopFebruary 10, 2011
10
How MFIPPA Works
• Disclosure• To member of Legislature• To responsible minister• To Commissioner• To federal government for shared cost program• To bargaining agent authorized by employee
London Region MISA PIM Training WorkshopFebruary 10, 2011
11
Retention of Personal Information
• Retention under MFIPPA• Minimum one-year period from use unless consent
to shorter period or by resolution• No legislated maximum (unlike other statutes)
London Region MISA PIM Training WorkshopFebruary 10, 2011
Retention of Personal Information
• Retention beyond the legislated minimums• The realm of “discretion”• Guided by potential use as evidence in litigation• The most likely claims• How long do you hold onto the employment file of a
terminated employee?• You will never be able to get this 100% perfect
London Region MISA PIM Training WorkshopFebruary 10, 2011
Retention of Personal Information
• Records and Information as evidence• How closely will a court scrutinize your retention
rules?• Is there a positive duty at law to retain “litigation-
related” records absent pending litigation?• See Lewy v. Remington• Compare Broccoli v. Echostar
London Region MISA PIM Training WorkshopFebruary 10, 2011
Retention of Personal Information
• Litigation Holds• “Spoliation” – failing to preserve records likely to be
relevant to reasonably anticipated litigation• Intentional destruction is bad • Negligent destruction is bad too, but sanctions may
depend on the resulting prejudice
London Region MISA PIM Training WorkshopFebruary 10, 2011
15
Retention of Personal Information
• Records Destruction• What are the proper means?• Are the proper means accessible?• Have the reasonable steps been taken to utilize the
proper means?
London Region MISA PIM Training WorkshopFebruary 10, 2011
Retention of Personal Information
• Proper means for destruction of paper• Locked bins for holding paper• Cross-cut shredding or better• Outsourcing? Enlist a certified agent and have a
proper “agent’s” contract• Certificate of disposal
London Region MISA PIM Training WorkshopFebruary 10, 2011
Retention of Personal Information
• Proper means for destruction of electronics• Methods
• Delete or reformat? – No• Encryption (if you keep the private key) – No• Physical destruction – Yes• Overwriting – Yes
• Get a periodic expert opinion on your processes if you handle destruction in house
London Region MISA PIM Training WorkshopFebruary 10, 2011
18
Access to Information
• Freedom of Information right is broad• Presumptive right of access• All “records” – recorded information only• Records in “custody and control”• Disclose unless exemption applies
London Region MISA PIM Training WorkshopFebruary 10, 2011
Handling a FOI Request
• A proper request is generally…• In writing and properly paid-up• For information in “custody or control”• For information in a “record”• For non-excluded records• Not “frivolous” or “vexatious”
London Region MISA PIM Training WorkshopFebruary 10, 2011
Scope and clarity issues
• You can try to alter the request• Duty to clarify before unilaterally narrowing• Can you reach agreement to exclude what the
requester already has?• Can you reach agreement to exclude what might be
costly to provide?
London Region MISA PIM Training WorkshopFebruary 10, 2011
Time limits
• 30 days to answer• Extension that is “reasonable in circumstances”
based on specified grounds• Must give notice of extension with reasons• A special time line is engaged when an “affected
party” must be given notice (section 21(4))
London Region MISA PIM Training WorkshopFebruary 10, 2011
Fees
• Privacy Officer of organization can require person who makes request to pay fees as set out in the regulations for costs relating to:•Hours spent on manual search
• Cost of preparing record• Computer/printing costs• Shipping
• Must provide estimate where costs to exceed $25
London Region MISA PIM Training WorkshopFebruary 10, 2011
Affected persons
• No notice required if access will be denied• Two types of “affected persons”
• Third-party information (section 10)• Personal information (section 14)
• Right to notice before access is granted if record “might contain” information
London Region MISA PIM Training WorkshopFebruary 10, 2011
Decision letters
• Letter to contain• The fact that a record does not exist (if applicable)• The specific provision relied upon to deny access (if
applicable)• The reason the provision applies to the record• The name and position responsible for the decision• The right of appeal of the decision to the IPC
London Region MISA PIM Training WorkshopFebruary 10, 2011
How to provide access
• Must provide a copy unless not “reasonably practicable” because of length or nature
• Copies are the norm• Must maintain security in giving access to original
records• But examination is an alternative right, also
subject to the “reasonable practicable” standard
London Region MISA PIM Training WorkshopFebruary 10, 2011
26
Access to Information
• FOI Exemptions are narrow• Three mandatory exemptions• Nine discretionary exemptions• To be construed narrowly – “limited and specific”• Duty to disclose as much as possible subject to
reasonable severance • Exemptions may be overridden by “compelling
public interest”
London Region MISA PIM Training WorkshopFebruary 10, 2011
27
Access to Information
• Personal Information (mandatory)• Protects against disclosure of personal information
to any person other than the person to whom the information relates
• However, for exemption to hold, request for personal information must amount to an “unjustified invasion of personal privacy” (section 14(1)(f), (2))
London Region MISA PIM Training WorkshopFebruary 10, 2011
28
Access to Information• Unjustified invasion of personal privacy
• Must consider the relevant circumstances surrounding the request (balancing interests)
• Public health and safety interest?• Sensitivity of information?• Potential harm or damage to reputation of individual
to whom information relates?• Affect of information on rights of person making
request?
London Region MISA PIM Training WorkshopFebruary 10, 2011
29
Access to Information
• Presumed unjustified invasion where:• Medical, psychiatric, psychological• Compiled in investigation into violation of law
(except where release is necessary for that purpose)
• Employment or education history• Describes finances, income, creditworthiness, etc.• Indicates race, religion, ethnic origin, etc.
London Region MISA PIM Training WorkshopFebruary 10, 2011
30
Access to Information
• Not presumed an unjustified invasion where:• Discloses salary range, benefits, etc. of
officer/employee of the organization
• Discloses financial details of contract for personal services between individual and the organization
• Discloses personal information to spouse or close relative of a deceased individual (discretion for compassionate reasons)
London Region MISA PIM Training WorkshopFebruary 10, 2011
31
Access to Information
• Other Mandatory Exemptions:• Third-Party Exemption – trade secrets, technical,
commercial information supplied in confidence, the release of which is reasonably expected to cause harm
• Intergovernmental Relations – information received in confidence from Federal/ Provincial/ foreign government or government agency
London Region MISA PIM Training WorkshopFebruary 10, 2011
32
Access to Information
• Public interest override• Only applies to certain exemptions• Where the compelling public interest in disclosing
the record outweighs the purpose of the exemption
London Region MISA PIM Training WorkshopFebruary 10, 2011
33
Access to Information
• Employment and labour exclusion (section 52)• Excludes records…in relation to…• …employment/labour proceedings• …employment/labour negotiations• …meetings about employment/labour in which the
institution has an interest
London Region MISA PIM Training WorkshopFebruary 10, 2011
34
Access to Information
• Frivolous and vexatious requests• Must give notice to person making request stating
basis for denying request, and inform individual of their right to appeal decision to Privacy Commissioner
• Pattern of conduct amounting to abuse of right• Bad faith or purposes other than obtaining access
London Region MISA PIM Training WorkshopFebruary 10, 2011
Disclosure of Information and Bill 168
• Bill 168 – Amendments to the Occupational Health and Safety Act for Workplace Violence and Workplace Harassment
• Came into effect on June 15, 2010
London Region MISA PIM Training WorkshopFebruary 10, 2011
Disclosure of Information and Bill 168
• Requirements of Bill 168:• Develop and maintain policies and procedures for
workplace violence and workplace harassment• Conduct “risk assessments” of workplace• Develop violence prevention program
London Region MISA PIM Training WorkshopFebruary 10, 2011
37
Disclosure of Information and Bill 168
• Person with a “history of violence”• Required to provide information to
employees/workers about such a person if:
a) the worker can be expected to encounter that person in the course of his or her work; and,
b) the risk of workplace violence is likely to expose the worker to physical injury
London Region MISA PIM Training WorkshopFebruary 10, 2011
Disclosure of Information and Bill 168
• “History of Violence” – not defined• How much to disclose?
• Only amount reasonably necessary to protect worker
• “Person” – other workers, independent contractors, service people, students, parents?
London Region MISA PIM Training WorkshopFebruary 10, 2011
Disclosure of Information and Bill 168
• Create a policy with criteria for when a person is to be deemed a person having a “history of violence”
• Create a threat assessment team – ensure consistency
40
Protecting and Managing Personal Information: Custody, Freedom of Information Requests, and Bill 168
Andrew N. ZabrovskyHicks Morley Hamilton Stewart Storie [email protected]