Andrew N. Zabrovsky Hicks Morley Hamilton Stewart Storie LLP 416-864-7536

1

Protecting and Managing Personal Information: Custody, Freedom of Information Requests, and Bill 168

Andrew N. ZabrovskyHicks Morley Hamilton Stewart Storie [email protected]

London Region MISA PIM Training WorkshopFebruary 10, 2011

What is “personal information?”

• Information about an “identifiable individual”• MFIPPA, section 2(1):

• Personal Characteristics (race, sex, nationality, etc.)• Education• Medical, psychiatric, psychological• Criminal background• Employment history


What is “personal information”

• MFIPPA, section 2(1) (continued):• Identifying numbers attached to an individual (SIN)• Address, telephone• Private correspondence• Opinions of or about an individual

• Not business contact info• Not public records or records of individuals acting

in a business or professional capacity


4

How MFIPPA Works

• Two central MFIPPA principles• Privacy/Protection of personal information • Access to information (FOI Requests)


5

How MFIPPA Works

• What does MFIPPA do?• Administrative obligations• Right of access• Collection, use and disclosure of information• Information security


6

How MFIPPA Works

• What does MFIPPA do?• Minimum retention• Accuracy of records• Personal information banks• Enforcement


7

How MFIPPA Works

• The Act regulates…• Collection, use and disclosure• Retention• Security• Accuracy


8

How MFIPPA Works

• Disclosure (sections 31-33)• To the individual him/herself• Consent• Purpose obtained or consistent purpose• Within institution on need to know basis and in

discharging institution’s function• To comply with statute


9

How MFIPPA Works

• Disclosure• Officer/employee/consultant/agent who needs

information and “necessary and proper”• Between law enforcement institutions• To aid a law enforcement investigation• Health and safety (“compelling circumstances”)• Contact with next of kin


10

How MFIPPA Works

• Disclosure• To member of Legislature• To responsible minister• To Commissioner• To federal government for shared cost program• To bargaining agent authorized by employee


11

Retention of Personal Information

• Retention under MFIPPA• Minimum one-year period from use unless consent

to shorter period or by resolution• No legislated maximum (unlike other statutes)



• Retention beyond the legislated minimums• The realm of “discretion”• Guided by potential use as evidence in litigation• The most likely claims• How long do you hold onto the employment file of a

terminated employee?• You will never be able to get this 100% perfect



• Records and Information as evidence• How closely will a court scrutinize your retention

rules?• Is there a positive duty at law to retain “litigation-

related” records absent pending litigation?• See Lewy v. Remington• Compare Broccoli v. Echostar



• Litigation Holds• “Spoliation” – failing to preserve records likely to be

relevant to reasonably anticipated litigation• Intentional destruction is bad • Negligent destruction is bad too, but sanctions may

depend on the resulting prejudice


15


• Records Destruction• What are the proper means?• Are the proper means accessible?• Have the reasonable steps been taken to utilize the

proper means?



• Proper means for destruction of paper• Locked bins for holding paper• Cross-cut shredding or better• Outsourcing? Enlist a certified agent and have a

proper “agent’s” contract• Certificate of disposal



• Proper means for destruction of electronics• Methods

• Delete or reformat? – No• Encryption (if you keep the private key) – No• Physical destruction – Yes• Overwriting – Yes

• Get a periodic expert opinion on your processes if you handle destruction in house


18

Access to Information

• Freedom of Information right is broad• Presumptive right of access• All “records” – recorded information only• Records in “custody and control”• Disclose unless exemption applies


Handling a FOI Request

• A proper request is generally…• In writing and properly paid-up• For information in “custody or control”• For information in a “record”• For non-excluded records• Not “frivolous” or “vexatious”


Scope and clarity issues

• You can try to alter the request• Duty to clarify before unilaterally narrowing• Can you reach agreement to exclude what the

requester already has?• Can you reach agreement to exclude what might be

costly to provide?


Time limits

• 30 days to answer• Extension that is “reasonable in circumstances”

based on specified grounds• Must give notice of extension with reasons• A special time line is engaged when an “affected

party” must be given notice (section 21(4))


Fees

• Privacy Officer of organization can require person who makes request to pay fees as set out in the regulations for costs relating to:•Hours spent on manual search

• Cost of preparing record• Computer/printing costs• Shipping

• Must provide estimate where costs to exceed $25


Affected persons

• No notice required if access will be denied• Two types of “affected persons”

• Third-party information (section 10)• Personal information (section 14)

• Right to notice before access is granted if record “might contain” information


Decision letters

• Letter to contain• The fact that a record does not exist (if applicable)• The specific provision relied upon to deny access (if

applicable)• The reason the provision applies to the record• The name and position responsible for the decision• The right of appeal of the decision to the IPC


How to provide access

• Must provide a copy unless not “reasonably practicable” because of length or nature

• Copies are the norm• Must maintain security in giving access to original

records• But examination is an alternative right, also

subject to the “reasonable practicable” standard


26


• FOI Exemptions are narrow• Three mandatory exemptions• Nine discretionary exemptions• To be construed narrowly – “limited and specific”• Duty to disclose as much as possible subject to

reasonable severance • Exemptions may be overridden by “compelling

public interest”


27


• Personal Information (mandatory)• Protects against disclosure of personal information

to any person other than the person to whom the information relates

• However, for exemption to hold, request for personal information must amount to an “unjustified invasion of personal privacy” (section 14(1)(f), (2))


28

Access to Information• Unjustified invasion of personal privacy

• Must consider the relevant circumstances surrounding the request (balancing interests)

• Public health and safety interest?• Sensitivity of information?• Potential harm or damage to reputation of individual

to whom information relates?• Affect of information on rights of person making

request?


29


• Presumed unjustified invasion where:• Medical, psychiatric, psychological• Compiled in investigation into violation of law

(except where release is necessary for that purpose)

• Employment or education history• Describes finances, income, creditworthiness, etc.• Indicates race, religion, ethnic origin, etc.


30


• Not presumed an unjustified invasion where:• Discloses salary range, benefits, etc. of

officer/employee of the organization

• Discloses financial details of contract for personal services between individual and the organization

• Discloses personal information to spouse or close relative of a deceased individual (discretion for compassionate reasons)


31


• Other Mandatory Exemptions:• Third-Party Exemption – trade secrets, technical,

commercial information supplied in confidence, the release of which is reasonably expected to cause harm

• Intergovernmental Relations – information received in confidence from Federal/ Provincial/ foreign government or government agency


32


• Public interest override• Only applies to certain exemptions• Where the compelling public interest in disclosing

the record outweighs the purpose of the exemption


33


• Employment and labour exclusion (section 52)• Excludes records…in relation to…• …employment/labour proceedings• …employment/labour negotiations• …meetings about employment/labour in which the

institution has an interest


34


• Frivolous and vexatious requests• Must give notice to person making request stating

basis for denying request, and inform individual of their right to appeal decision to Privacy Commissioner

• Pattern of conduct amounting to abuse of right• Bad faith or purposes other than obtaining access


Disclosure of Information and Bill 168

• Bill 168 – Amendments to the Occupational Health and Safety Act for Workplace Violence and Workplace Harassment

• Came into effect on June 15, 2010



• Requirements of Bill 168:• Develop and maintain policies and procedures for

workplace violence and workplace harassment• Conduct “risk assessments” of workplace• Develop violence prevention program


37


• Person with a “history of violence”• Required to provide information to

employees/workers about such a person if:

a) the worker can be expected to encounter that person in the course of his or her work; and,

b) the risk of workplace violence is likely to expose the worker to physical injury



• “History of Violence” – not defined• How much to disclose?

• Only amount reasonably necessary to protect worker

• “Person” – other workers, independent contractors, service people, students, parents?



• Create a policy with criteria for when a person is to be deemed a person having a “history of violence”

• Create a threat assessment team – ensure consistency

40

Protecting and Managing Personal Information: Custody, Freedom of Information Requests, and Bill 168

Andrew N. ZabrovskyHicks Morley Hamilton Stewart Storie [email protected]

Documents

Andrew N. Zabrovsky Hicks Morley Hamilton Stewart Storie LLP 416-864-7536