
Privacy and Confidentiality at Mohawk College FOI FIPPA MFIPPA PHIPA PIPEDA IPC PIA TRA


Privacy and Confidentiality at Mohawk College


FOI, FIPPA, MFIPPA, PHIPA, PIPEDA, IPC, PIA, TRA


Definition of Privacy

“The right to be let alone”
Judge Thomas Cooley

“The right to exercise control over your personal information.”
Ann Cavoukian, IPC Commissioner


Definition of Confidentiality

Ensuring that information is accessible only to those authorized to have access


How well do you know our rights to privacy? A quiz …


Question 1

My name, job title and work phone number are personal information.

TRUE? FALSE?


False

Personal information (PI) is:
Factual or subjective
Recorded or not
…about an identifiable individual


Personal information includes:

Home address
Home phone number
Home email
Photo ID
SIN
Income
Marital status
Employment history
Employee number
Performance appraisals
Financial information
Educational credentials
Medical records
Fund raising records
Opinions or views on the person


…and of course, the “A” word

“… they even know my age!”

Pat Macdonald, Associate Dean, Continuing Education


Question 2

A man phones you asking if his wife is attending your class. You are allowed to tell him.

TRUE? FALSE?


Question 3

A police officer conducting an investigation phones you asking if a graduate was registered in a C.E. course. You are allowed to tell her.

TRUE? FALSE?


Question 4

A student about to write an exam does not have an ID card, so the instructor asks for his SIN card as ID. This is illegal.

TRUE? FALSE?


Question 5

A new student does not yet have her student ID number, or a driver’s licence, and so you note her health card number as proof of identity. You just broke the law.

TRUE? FALSE?


Question 6

Someone hit your car in the parking lot and you ask Security if you can view the recording to see the incident. Security tells you that is illegal.

TRUE? FALSE?


Question 7

A family member arrives at the Front Desk saying that there has been a death in the family. They want to know what classroom their father is in so that they can inform him. The receptionist cannot give them that information.

TRUE? FALSE?


Question 8

Sears Security department phones the Associate Dean of your department and says that they suspect that one of your students has been stalking an employee. They ask if the college can provide a photo to confirm this. The Associate Dean could email an ID photo to help in the investigation.

TRUE? FALSE?


Question 9

An employer sponsoring one of your students asks if the student passed the course, so that they can reimburse him. It’s OK to confirm.

TRUE? FALSE?


How did you do?


Our privacy is protected by Federal and Provincial legislation


The Acts …

Legislation             Sector              Date   Fed/Prov
Fed Access to Privacy   Gov. Institutions   1980   Fed
FIPPA                   Provincial          1987   Prov
MFIPPA                  Municipal           1991   Prov
PIPEDA                  Commerce            1999   Fed
PHIPA                   Health              2004   Prov


Freedom of Information and Protection of Privacy Act (FIPPA)

Safety & Corrections
WSIB
Community & Social Services
District Health Councils
Consumer & Business Affairs
Ontario Human Rights
Colleges and universities


Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)

Municipalities
Boards of Education
Boards of Health
Police Services
Public utilities
(2,500 in total)


The College gathers personal information from…

Students
Staff
Donors and clients

and is committed to protecting that information


Information is collected by …

Human Resources
Payroll
Financial Services
OH&S
Health Services
Registrar
Continuing Education


So, what is a record?

Any record of information, however recorded, whether in printed form, on film, by electronic means or otherwise.


Records include …

Application forms
Registration forms
OSAP forms
Section lists
Class lists
Exams
Address books
Memos
Draft memos
Agendas


Plus …

files on your hard drive
files on your iPhone
files on your Blackberry
your email
your voice mail


and even …


Privacy Laws & College policies dictate how information is:

Collected
Used
Disclosed
Retained
Destroyed


Collection:

We must
have legal authority to collect
collect it directly from the person
provide a notice of collection, stating the above and provide the title, business address and telephone number of a college official.


So what do we have to do?

Safeguard our User Name and Passwords
Access records only relevant to our duties
Do not disclose personal information to any unauthorized person
Protect personal information of staff and students


Specifically: Do

Protect students’ (and employees’) information:
Phone numbers
Addresses
SIN numbers
Employee number
Student number
Grades and marks


Specifically: email/voice mail

Don’t leave PI on voice mail - call back
Email should be called epostcard!
Assume additional copies exist
Assume it will be forwarded


There was a privacy breach…

What do I do?


What is a privacy breach?

A privacy breach occurs when personal information (PI) is:
Collected
Retained
Used
Disclosed
in ways that are not in accordance with FIPPA.


Most common breaches:

Unauthorized disclosure of personal information, contrary to Sect. 42, for example:
a file is misplaced
a USB flash drive is lost
a form is mailed to the wrong person
a document is left in the photocopier
a fax is sent to the wrong number
an email is sent to the wrong address
a document is not disposed of correctly
a laptop is stolen


Privacy breach protocol

1. Prevention

2. Scope

3. Containment

4. Notification

5. Investigation

6. Remediation


Prevention 1

Know your department’s procedures on:
Collection
Retention
Use
Disclosure
Security
Disposal


Prevention 2

Know that you are accountable for the PI in your custody
Do not discuss PI in public places
Do not leave documents where they can be seen by the public
Do not disclose PI to those who do not need to know it
Turn your monitor away from the public


Prevention 3

Get written consents before disclosing PI
Know the consequences of a privacy breach
Ensure that documents are shredded when no longer in use
Password protect and/or encrypt data on your laptop, PDA, Flash drive


Notification

Immediately inform your boss


Consequences …

Compliance orders from IPC
Penal offences
Fines ($250K)
Possible personal liability ($50K!)
Civil liability
Loss of Trust


In summary …

As a new College employee, you are expected to protect the privacy of individuals and the confidentiality of Personal Information under your control!


Q & A

Have you any questions, additional examples, comments?


John Guilfoyle

Director, Corporate Services

Ext. 2174