Section 30 - Protection of personal information

Overview

Section 30 requires a public body to provide appropriate physical and procedural security measures to protect personal information in its custody or under its control.

Section Reference

Section 30 of the Freedom of Information and Protection of Privacy Act

A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.

Summary

Section 30 imposes a duty upon the public body to prevent unauthorized access to personal information in its custody or control both from within and outside the public body. This section also requires the public body to ensure that access by members within the public body is governed by the principle of need to know. Appropriate physical and procedural arrangements are discussed below.

Policy

  Public bodies must:

  • ensure their employees are trained to follow proper security procedures;
  • monitor their employees' compliance with security standards;
  • ensure physical and procedural security precautions are established and maintained at appropriate levels; and,
  • comply with the Core Policy and Procedures Manual.

  1. Public bodies shall analyze the types and level of sensitivity of the personal information in their custody and control. Public bodies shall follow the directions on security of information, provided in the Core Policy and Procedures Manual's (CCPM) Chapter 12, and take the necessary steps, over time and within available resources, to implement those physical and procedural safeguards.

  2. A Privacy Protection Schedule (PPS) for use by ministries must be completed and attached as a schedule to any contract between ministries and a contractor under which the contractor will be collecting, creating, using, disclosing or storing "personal information" (as defined by the FOIPP Act) unless it is not intended that the ministry will own or control the personal information. The CCPM reference is Contract Award Administration Policy 11, which can be found at CCPM 6.3.3(e) (11).

  3. The PPS for use by other public bodies may be completed and attached as a schedule to any contract between a public body and service provider under which the service provider will be collecting, creating, using, disclosing or storing "personal information" (as defined in the FOIPP Act) unless it is not intended that the public body will own or control the personal information.

  4. Public bodies should develop policy governing the use of and access to non-written formats of recorded personal information (e.g. audio tapes, video tapes, photographs, and discs) to supplement the policies governing the use of and access to written information.

  5. Public bodies must ensure that the disposal of personal information has been approved by the designated authority and meets all the requirements of any governing legislation. For Ministries, this means disposal in accordance with the Document Disposal Act and ARCS/ORCS On-line. Public bodies not covered by the Document Disposal Act are encouraged to use procedures outlined in Procedure 5 below.

  6. Notwithstanding any other authorities that any public body may be subject to, a public body must retain personal information that has been used to make a decision affecting an individual for a minimum of one year.

Procedure

  1. Review all records containing personal information to determine which category of the Core Policy and Procedures Manual's (CCPM) Chapter 12 applies to those particular records. The CCPM's Chapter 12 defines the security arrangements for all forms of government documents.

  2. Those public bodies not governed by the CCPM should consider using a sliding scale of security as defined under Interpretation Note 1 in this section.

  3. To ensure the security and retention of audio tapes, video tapes or discs, public bodies should follow the guidelines as stated in the Records and Information Management Manual (RIM).

  4. Establish procedures to minimize the risk of unauthorized access. Permit access to personal information only by personnel who require it in order to perform their duties. Log all access, including who accessed the information, their purpose for access and the time of access. Establish a Security Access Matrix that describes which job functions are permitted access to specific types or groups of personal information. These access charts should be available to all staff. Access to personal information should only be permitted to those who demonstrate their right of access on the security access chart.
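The access controls described in Procedure 4 (a Security Access Matrix keyed by job function, a need-to-know check against it, and a log of who accessed what, for what purpose and when) can be modelled directly. The following is an added illustration, not code from the policy manual; the job functions and information categories in the matrix are constructed examples. It also adds a review pass that finds log entries granted outside the matrix, which is how "unauthorized access" as defined in the Interpretation section would be detected after the fact.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed Security Access Matrix (hypothetical job functions and
# information categories, not taken from the policy manual): each job
# function maps to the categories it needs in order to perform its duties.
ACCESS_MATRIX = {
    "payroll_clerk": {"contact_details", "payroll"},
    "hr_advisor": {"contact_details", "personnel_file"},
    "clinic_nurse": {"contact_details", "medical_record"},
}

@dataclass
class AccessEvent:
    who: str            # employee making the request
    job_function: str   # role used for the need-to-know check
    category: str       # type of personal information requested
    purpose: str        # stated reason for access
    at: str             # ISO 8601 UTC timestamp of the request
    granted: bool       # outcome of the check

def is_permitted(matrix, job_function, category):
    """Need-to-know check: the matrix must list the category for the role."""
    return category in matrix.get(job_function, set())

def request_access(log, who, job_function, category, purpose, now=None, matrix=ACCESS_MATRIX):
    """Decide the request from the matrix and record it (who, purpose, time)
    whether or not it was granted, so that denials can be reviewed too."""
    granted = is_permitted(matrix, job_function, category)
    at = (now or datetime.now(timezone.utc)).isoformat()
    log.append(AccessEvent(who, job_function, category, purpose, at, granted))
    return granted

def find_unauthorized(log, matrix=ACCESS_MATRIX):
    """Review pass: events where access was granted although the role is not
    on the matrix for that category (for example because the matrix was
    changed after the grant, or a system granted access without consulting it)."""
    return [e for e in log
            if e.granted and not is_permitted(matrix, e.job_function, e.category)]

def find_denied(log):
    """Denied attempts, worth reviewing for repeated requests against sensitive categories."""
    return [e for e in log if not e.granted]
```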

  5. The public body is responsible for ensuring that the disposal of personal information has been approved by the designated authority. This responsibility may be exercised in several ways:

    • For public bodies who are subject to the Document Disposal Act: disposal of records must be authorized by a records retention and disposition authority.

    • For public bodies not subject to the Document Disposal Act, no disposal of personal information should occur without the authorization of the head of that public body. The head may delegate this responsibility.

    • Authorized disposal of information may be either:

      • transfer of the record to the legal custody of the archives of the government of British Columbia or the archives of a public body; or

      • physical destruction of the record containing the personal information in such a way that it cannot be retrieved or reconstructed (e.g. paper records should be shredded, burned or pulped; magnetic media should be erased or physically destroyed).

    • Standards for the destruction of records are available from the archives of the government of British Columbia.

    • Public bodies should keep a record of the personal (and non-personal) information they destroy, transfer to the archives of the government of British Columbia, or transfer to the archives of a public body.

    • If the final disposition of records containing personal information is to the legal custody of the archives of the government of British Columbia or to the archives of a public body, the public body must ensure that the security and confidentiality of personal information is protected during storage and transfer.

  6. A review of security arrangements should be undertaken as part of any Privacy Impact Assessment conducted by completing the Privacy Impact Assessment Process. Additionally, a more in-depth evaluation of security standards can be undertaken by completing a Security Threat and Risk Assessment.

Interpretation

Interpretation Note 1:

For public bodies covered by the Core Policy and Procedures Manual (Core), "reasonable security arrangements" are those as provided for in the Core Policy and Procedures Manual.

For public bodies not covered by the Core Policy and Procedures Manual, "reasonable security arrangements" are those that a fair, rational person would think were appropriate to the sensitivity of the information and to the medium in which it is stored, transmitted, handled, or transferred. A sliding scale of security arrangements is appropriate, depending on the sensitivity of the personal information that a public body handles.

Stringent security measures (e.g., locked filing cabinets, computer access codes and a physically secure room to which access is controlled by a guard, receptionist, locked door or electronic access control device) are appropriate for particularly sensitive information such as medical records, personnel files or inmate files.

Less rigorous methods (e.g., unlocked filing cabinets; computers kept behind a counter or other barrier to the public; office doors locked at night) are adequate for less sensitive information, such as names and addresses.

Examples of physical security arrangements

  • Storing records containing personal information in locked storage rooms or locked filing cabinets, with controls over distribution of keys or lock combinations.

  • Use of numbers or other methods to label file drawers, records storage boxes and other storage containers so as not to reveal the fact that they contain personal information.

Examples of procedural security arrangements

  • Access controls on computer systems (i.e., passwords that allow different levels of access to various screens and differing capabilities to read, extract or change data).

  • Where contracted services are used for storage, transportation or destruction of records, including security provisions in the service contract, public bodies should require the contractors to provide a certificate of destruction.

"Unauthorized access"

Access to personal information is unauthorized if an employee of a public body does not have approved access according to the security access chart (i.e., if the employee has access to personal information which they do not need to see or handle in the course of their job duties).

"Unauthorized collection"

"Collection" of personal information is unauthorized if it is not done in accordance with sections 26 (Purpose for which information may be collected) and section 27 (How personal information is collected) of the Act.

"Unauthorized use"

"Use" of personal information is unauthorized if it is not in accordance with section 32 (Use of personal information) of the Act.

"Unauthorized disclosure"

An unauthorized disclosure is revealing, exposing, showing, providing copies of, selling, giving or telling personal information in a way that is not in accordance with section 33 (Disclosure of personal information) of the Act. The public body ensures that disclosures of personal information are authorized under section 33.1 or section 33.2 of the Act.

"Unauthorized disposal" of personal information means destruction or removal of records containing personal information from the custody and/or control of a public body without the approval of the designated authority or in ways which do not adhere to approved methods and standards. Public bodies must not dispose of personal information within a year of that information being used to make a decision about an individual. See section 31 (Retention of personal information) and section 31.1 (Application to employees and others).

"Authorized Disposal" means disposing of records containing personal information in accordance with approved legislated government records standards and procedures. For public bodies which are covered by the Document Disposal Act: disposal of records must be authorized by a records retention and disposition authority. Such retention and disposition schedules may require a public body to retain the records well past the 1-year period required under section 31 of this Act.

A public body ensures that the disposal of personal information is approved by the designated authority. For public bodies which are subject to the Document Disposal Act, disposal of records must be authorized by a records retention and disposition authority approved either by the Executive Council or the Legislative Assembly, depending on the age of the records.

If the public body is not subject to the Document Disposal Act, no disposal of personal information occurs without the authorization of the head of the public body. The head may delegate this responsibility.

Authorized disposal of information may be either:

  • Transfer of the record to the legal custody of the archives of the government of British Columbia or the archives of a public body; or,

  • Physical destruction of the record containing the personal information in such a way that it cannot be retrieved or reconstructed (e.g., paper records should be shredded, burned or pulped; magnetic media should be erased or physically destroyed).

Standards for the destruction of records are available from the archives of the government of British Columbia for public bodies subject to the Document Disposal Act.

Examples of unauthorized disposal

  • Destroying sensitive medical records by throwing them into an ordinary garbage can, instead of using approved methods of destruction such as shredding or incineration.

  • Destroying employment competition files immediately after the competition when the approved retention and disposition schedule requires that they be kept for the current year plus three additional years before destruction.

Public bodies should keep a record of the personal (and non-personal) information they destroy or transfer to the archives of the government of British Columbia or to the archives of a public body.

If the final disposition of records containing personal information is their transfer to the legal custody of the archives of the government of British Columbia or to the archives of a public body, the public body must ensure that the security and confidentiality of personal information is protected during storage and transfer.


Last updated: July 19, 2007