1 / 40

Protecting & Managing Personal Information: Custody, Freedom of Information Requests, and Bill 168

Understand the concept of personal information, how MFIPPA works, retention of personal information, and the rights and obligations associated with access to information. Learn best practices for handling FOI requests.

cwhorton
Download Presentation

Protecting & Managing Personal Information: Custody, Freedom of Information Requests, and Bill 168

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Protecting and Managing Personal Information: Custody, Freedom of Information Requests, and Bill 168 Andrew N. Zabrovsky Hicks Morley Hamilton Stewart Storie LLP416-864-7536 andrew-zabrovsky@hicksmorley.com

  2. What is “personal information?” • Information aboutan “identifiable individual” • MFIPPA, section 2(1): • Personal Characteristics (race, sex, nationality, etc.) • Education • Medical, psychiatric, psychological • Criminal background • Employment history

  3. What is “personal information” • MFIPPA, section 2(1) (continued): • Identifying numbers attached to an individual (SIN) • Address, telephone • Private correspondence • Opinions of or about an individual • Not business contact info • Not public records or records of individuals acting in a business or professional capacity

  4. How MFIPPA Works • Two central MFIPPAprinciples • Privacy/Protection of personal information • Access to information (FOI Requests)

  5. How MFIPPA Works • What does MFIPPA do? • Administrative obligations • Right of access • Collection, use and disclosure of information • Information security

  6. How MFIPPA Works • What does MFIPPA do? • Minimum retention • Accuracy of records • Personal information banks • Enforcement

  7. How MFIPPA Works • The Act regulates… • Collection, use and disclosure • Retention • Security • Accuracy

  8. How MFIPPA Works • Disclosure (sections 31-33) • To the individual him/herself • Consent • Purpose obtained or consistent purpose • Within institution on need to know basis and in discharging institution’s function • To comply with statute

  9. How MFIPPA Works • Disclosure • Officer/employee/consultant/agent who needs information and “necessary and proper” • Between law enforcement institutions • To aid a law enforcement investigation • Health and safety (“compelling circumstances”) • Contact with next of kin

  10. How MFIPPA Works • Disclosure • To member of Legislature • To responsible minister • To Commissioner • To federal government for shared cost program • To bargaining agent authorized by employee

  11. Retention of Personal Information • Retention under MFIPPA • Minimum one-year period from use unless consent to shorter period or by resolution • No legislated maximum (unlike other statutes)

  12. Retention of Personal Information • Retention beyond the legislated minimums • The realm of “discretion” • Guided by potential use as evidence in litigation • The most likely claims • How long do you hold onto the employment file of a terminated employee? • You will never be able to get this 100% perfect

  13. Retention of Personal Information • Records and Information as evidence • How closely will a court scrutinize your retention rules? • Is there a positive duty at law to retain “litigation-related” records absent pending litigation? • See Lewy v. Remington • Compare Broccoli v. Echostar

  14. Retention of Personal Information • Litigation Holds • “Spoliation” – failing to preserve records likely to be relevant to reasonably anticipated litigation • Intentional destruction is bad • Negligent destruction is bad too, but sanctions may depend on the resulting prejudice

  15. Retention of Personal Information • Records Destruction • What are the proper means? • Are the proper means accessible? • Have the reasonable steps been taken to utilize the proper means?

  16. Retention of Personal Information • Proper means for destruction of paper • Locked bins for holding paper • Cross-cut shredding or better • Outsourcing? Enlist a certified agent and have a proper “agent’s” contract • Certificate of disposal

  17. Retention of Personal Information • Proper means for destruction of electronics • Methods • Delete or reformat? – No • Encryption (if you keep the private key) – No • Physical destruction – Yes • Overwriting – Yes • Get a periodic expert opinion on your processes if you handle destruction in house

  18. Access to Information • Freedom of Information right is broad • Presumptive right of access • All “records” – recorded information only • Records in “custody and control” • Disclose unless exemption applies

  19. Handling a FOI Request • A proper request is generally… • In writing and properly paid-up • For information in “custody or control” • For information in a “record” • For non-excluded records • Not “frivolous” or “vexatious”

  20. Scope and clarity issues • You can try to alter the request • Duty to clarify before unilaterally narrowing • Can you reach agreement to exclude what the requester already has? • Can you reach agreement to exclude what might be costly to provide?

  21. Time limits • 30 days to answer • Extension that is “reasonable in circumstances” based on specified grounds • Must give notice of extension with reasons • A special time line is engaged when an “affected party” must be given notice (section 21(4))

  22. Fees • Privacy Officer of organization can require person who makes request to pay fees as set out in the regulations for costs relating to: • Hours spent on manual search • Cost of preparing record • Computer/printing costs • Shipping • Must provide estimate where costs to exceed $25

  23. Affected persons • No notice required if access will be denied • Two types of “affected persons” • Third-party information (section 10) • Personal information (section 14) • Right to notice before access is granted if record “might contain” information

  24. Decision letters • Letter to contain • The fact that a record does not exist (if applicable) • The specific provision relied upon to deny access (if applicable) • The reason the provision applies to the record • The name and position responsible for the decision • The right of appeal of the decision to the IPC

  25. How to provide access • Must provide a copy unless not “reasonably practicable” because of length or nature • Copies are the norm • Must maintain security in giving access to original records • But examination is an alternative right, also subject to the “reasonable practicable” standard

  26. Access to Information • FOI Exemptions are narrow • Three mandatory exemptions • Nine discretionary exemptions • To be construed narrowly – “limited and specific” • Duty to disclose as much as possible subject to reasonable severance • Exemptions may be overridden by “compelling public interest”

  27. Access to Information • Personal Information (mandatory) • Protects against disclosure of personal information to any person other than the person to whom the information relates • However, for exemption to hold, request for personal information must amount to an “unjustified invasion of personal privacy” (section 14(1)(f), (2))

  28. Access to Information • Unjustified invasion of personal privacy • Must consider the relevant circumstances surrounding the request (balancing interests) • Public health and safety interest? • Sensitivity of information? • Potential harm or damage to reputation of individual to whom information relates? • Affect of information on rights of person making request?

  29. Access to Information • Presumed unjustified invasion where: • Medical, psychiatric, psychological • Compiled in investigation into violation of law (except where release is necessary for that purpose) • Employment or education history • Describes finances, income, creditworthiness, etc. • Indicates race, religion, ethnic origin, etc.

  30. Access to Information • Not presumed an unjustified invasion where: • Discloses salary range, benefits, etc. of officer/employee of the organization • Discloses financial details of contract for personal services between individual and the organization • Discloses personal information to spouse or close relative of a deceased individual (discretion for compassionate reasons)

  31. Access to Information • Other Mandatory Exemptions: • Third-Party Exemption – trade secrets, technical, commercial information supplied in confidence, the release of which is reasonably expected to cause harm • Intergovernmental Relations – information received in confidence from Federal/ Provincial/ foreign government or government agency

  32. Access to Information • Public interest override • Only applies to certain exemptions • Where the compelling public interest in disclosing the record outweighs the purpose of the exemption

  33. Access to Information • Employment and labour exclusion (section 52) • Excludes records…in relation to… • …employment/labour proceedings • …employment/labour negotiations • …meetings about employment/labour in which the institution has an interest

  34. Access to Information • Frivolous and vexatious requests • Must give notice to person making request stating basis for denying request, and inform individual of their right to appeal decision to Privacy Commissioner • Pattern of conduct amounting to abuse of right • Bad faith or purposes other than obtaining access

  35. Disclosure of Information and Bill 168 • Bill 168 – Amendments to the Occupational Health and Safety Act for Workplace Violence and Workplace Harassment • Came into effect on June 15, 2010

  36. Disclosure of Information and Bill 168 • Requirements of Bill 168: • Develop and maintain policies and procedures for workplace violence and workplace harassment • Conduct “risk assessments” of workplace • Develop violence prevention program

  37. Disclosure of Information and Bill 168 • Person with a “history of violence” • Required to provide information to employees/workers about such a person if: • the worker can be expected to encounter that person in the course of his or her work; and, • the risk of workplace violence is likely to expose the worker to physical injury

  38. Disclosure of Information and Bill 168 • “History of Violence” – not defined • How much to disclose? • Only amount reasonably necessary to protect worker • “Person” – other workers, independent contractors, service people, students, parents?

  39. Disclosure of Information and Bill 168 • Create a policy with criteria for when a person is to be deemed a person having a “history of violence” • Create a threat assessment team – ensure consistency

  40. Protecting and Managing Personal Information: Custody, Freedom of Information Requests, and Bill 168 Andrew N. Zabrovsky Hicks Morley Hamilton Stewart Storie LLP416-864-7536 andrew-zabrovsky@hicksmorley.com

More Related