Guide to Good Privacy Practices
The government of B.C. is responsible for protecting citizens’ privacy and personal information whenever citizens interact with us. This guide will help you understand the privacy responsibilities described in the Freedom of Information and Protection of Privacy Act (FOIPPA).
- Privacy Rights
- Storage and Access in Canada
- Access and Correction
- Service Providers
- Office of the Information and Privacy Commissioner
The purpose of FOIPPA is to promote public sector accountability and to protect personal privacy. To comply with FOIPPA, public sector organizations must prevent the unauthorized collection, use and disclosure of personal information.
When you have control or custody over someone’s personal information, be prepared to:
- Inform that person about what personal information is in your organization’s custody or control and how you manage it
- Ensure you have collected, used and disclosed the information in accordance with FOIPPA. Use a privacy impact assessment to ensure you are complying with legislation.
- Demonstrate that your record-keeping practices comply with the privacy requirements in FOIPPA and other relevant legislation addressing management of information and records management policy
- Answer questions and address any privacy concerns
FOIPPA sets clear limitations on how government handles personal information.
Specific limitations apply to:
Personal information can be collected only when permitted under FOIPPA. Once you have established your legal authority to collect personal information, limit any collection to what is relevant and necessary for your program delivery.
Routinely review your personal information collection practices to determine the minimum personal information needed for your operational requirements. Be prepared to justify why particular information is necessary, especially if someone objects to the collection of their information. Don’t collect personal information if it isn’t necessary.
Personal information must be collected directly from an individual, unless an exception applies. When collecting personal information directly, ensure that you inform the person of:
- The purpose for collecting their information
- The FOIPPA authority under which collection is taking place
- The contact information for an officer or employee who can answer questions about the collection
All of the above considerations are documented and reviewed in the privacy impact assessment process. There are limited cases where notification is not required, such as for law enforcement, collecting a debt or fine or making a payment.
In most cases, you can use personal information only for the purpose for which it was collected, or for a purpose the individual has consented to.
For example, if personal information was collected to administer a program, and it was used for that purpose, this information cannot be used to send that person unrelated promotional material unless they were asked to consent to this secondary purpose.
Disclosure of personal information involves providing access to, or the release of, personal information externally or internally to government. The law permits the disclosure of personal information only under certain conditions, which will differ depending on whether the disclosure is international or solely within Canada.
Personal information may only be disclosed on a need-to-know basis or when you need it to perform your duties. When you make a decision to disclose personal information, consider both the benefit and the potential harm that may result from its release. When you receive requests for personal information from other public bodies, private organizations or elsewhere, it is your responsibility to verify the authority for the disclosure.
If you receive a request from a foreign agency, court, state or other authority outside Canada for the disclosure of personal information that is not authorized by law, immediately notify the Privacy, Compliance and Training Branch.
Personal information must be stored and accessed only in Canada, except in limited circumstances.
As many countries do not have privacy protection standards equivalent to our own, FOIPPA requires us to ensure that personal information is stored and accessed only in Canada. However, you may store or access personal information in another jurisdiction with the person’s consent or in other limited circumstances as outlined in FOIPPA.
Reasonable security arrangements must be made to prevent information incidents, including unauthorized access, collection, use, disclosure or disposal of personal information.
Ensure that personal information is protected by adequate physical, technical and procedural measures. While all personal information requires some degree of protection, the type of security measure taken must be consistent with the sensitivity level of the information. For example, personal health information is more sensitive and requires greater protection than a list of adult registrants for a swimming course.
Breaches in the security of personal information can cause harm to people and damage the relationship they have with government. Once information has been disclosed, it is much more difficult to control further dissemination, so it is important to have appropriate security measures in place from the outset.
Avoid privacy breaches by:
- Developing, implementing, complying with and monitoring the use of privacy and security policies and procedures; for example, follow a “clean desk policy” and store files in a secure location with restricted access
- Implementing scheduled security, privacy and records management awareness and training sessions
- Using individual user IDs, complex passwords, timed screen savers and other technical protections to ensure authorized access to electronic systems
- Ensuring adequate protection for sending and receiving personal information by email, fax and courier
Privacy-enhancing and data protection technologies are key tools for protecting personal information and they play an important role in enhancing privacy protection. You’re encouraged to use these tools to ensure secure data transactions, and prevent the unauthorized collection, use or disclosure of personal information in or from electronic databases.
Ministries must comply with the security requirements in government’s Information Security Policy. Ministries may have additional policies while other public bodies may have their own security policies.
People have a general right to access their personal information and to request corrections to it. The right to obtain access to personal information enhances transparency and accountability within government. This gives people the opportunity to determine what information we have about them, if it is accurate and how it has been used.
They also have the right to request a correction to their personal information if they believe that there is an error or omission. This ensures accuracy and reduces the probability of decisions based on incorrect or incomplete information.
Only factual information may be corrected. Subjective instances such as individual evaluations cannot be corrected, even if the person disagrees with the result. If you reject a correction request, you must annotate the record and state that the correction was requested but not made.
For example, Mary is due to receive a benefit from the government based on her age. She notes that we have incorrectly recorded her date of birth. She can apply to have this personal information corrected, but she will need to provide the appropriate identification to prove her correct birth date.
Personal information must be retained for one year if it’s used to make a decision directly affecting a person. This minimum retention requirement gives people the opportunity to obtain access to their personal information when it has been used to make a decision affecting them.
Other legislative and policy requirements might also apply for the retention of personal information beyond what is required in the law. For example, tax legislation may require you to keep financial records for a specific period or a records retention schedule might indicate that records are to be kept for a specific period for operational reasons.
On the other hand, maintaining personal information that is no longer useful is a security liability. When all relevant retention requirements have been met and the personal information is no longer relevant for business or legal reasons, destroy the information in a manner that will not compromise security or the privacy of the information.
Government retention schedules beyond the FOIPPA requirements outlined above are defined in the Administrative Records Classification System (ARCS) and the Operational Records Classification Systems (ORCS).
A service provider is a person retained under contract to perform services for government. Personal information generated by a service provider under contract to the government is subject to the requirements of FOIPPA. You must ensure that all service providers are aware of their responsibilities and obligations under the law. This includes all employees and associates of the service provider who have access to, custody or control of the personal information.
If you have a contract with a service provider, the contract must indicate who has control of any personal information that will be created or received as a result of the contract. In most cases, it is appropriate for you to have control of the personal information (although the service provider may have custody of the information).
For ministries, a privacy protection schedule must be attached to all contracts involving personal information. The schedule lays out the security, storage, use, retention, disclosure requirements and limitations required by law, as well as a clause for termination for non-compliance.
Contractors or service providers who collect or create personal information are required to complete privacy training.
The Information and Privacy Commissioner for British Columbia is an independent Officer of the Legislature and has broad powers with respect to FOIPPA including:
- Monitoring how FOIPPA is administered to ensure its purposes are achieved
- Conducting investigations and audits to ensure compliance with privacy requirements
- Investigating and attempting to resolve:
  - Complaints that a duty imposed by FOIPPA or a regulation has not been performed
  - Instances where personal information has been collected, used or disclosed in contravention of the law
- Commenting on protection of privacy concerns as they relate to:
  - Proposed legislation or programs
  - Automated systems for collection, storage, analysis or transfer of information
  - Use or disclosure of personal information for record linkage