The workshop was very informative and I learned a lot. A couple of things that surprised me in the workshop:
- Parents should not be giving out their children's Health Services Number to schools, sports groups, and other after school activities.
- In the past I have asked parents and teachers if I could take photos of the group. I won't be doing that again without the written consent of parents.
- Individual salaries are public information (person and position); paid by public dollars
- There is no ‘reasonable person’ status in FOIP
- Photographs are covered as well, even an anonymous photo (due to face matching technology)
- Any request is without qualification
- Responsibility for privacy can be delegated to another position; this should be formalized
- Requesting information about yourself is Access to Information
- SK has FOIP 1992, LA FOIP 1993, and the Health Information Protection Act (HIPA)
- Non-health care practitioners are not covered under HIPA
- Food banks can collect health numbers
- The information is only verified, not collected
- Driver’s License, health number etc. are only for verification, not for collection
- No reason for schools, sports organizations, or clubs to be collecting health numbers
- For those who want to verify location, they can use “I Swear” rather than health numbers
- Question collectors on whether they are authorized to collect personal information such as Health Number and Driver’s License
- New guides are now available on the Commissioner’s website
- Regarding cameras:
  - Is it being used for its original intent?
  - How is it stored?
  - Erased or written over?
  - Have to be signed?
  - Need appropriate SOPs and policies
- Personal information from HR can be given if there are no other documents identifying persons filing grievances etc.?
- People want to know how their money is being spent
- Council should have a ‘work through device’, stored on the Town server
- Record: information in any form in the possession or under the control of a local authority that is created and received by your organization as part of its functions and activities
- Record of business value, decision, financial, source of ‘truth’
- Retain notebooks for a year if transitory
- Need policies regarding keeping information
- Ministry of Justice administers the Act
- The Commissioner doesn’t have authority to enforce compliance; we can do our own ‘right’ thing, but the Commissioner can go to Court seeking compliance, which may result in fines, sanctions and other penalties
- Individuals have right of access to all information unless personal or exceptions apply:
  - Third party persons can’t be identified
  - Third party business information (proprietary, competitive)
  - Personal
- Routine and general information without any sensitivities does not need a formal FOIP
- You can provide the ownership name of a property but no other information
- When a lawyer or bank seeks personal information of a client, they need verification
- Taxes owing on a property is public information
- The more information provided informally, the better
- Keep routinely released information separate from unique requests
- FOIP forms are available on the Commissioner’s website
- The form is fairly comprehensive, to enable the requester to access the information they desire
- FOIP indicates that all requests must be acted upon within 30 calendar days, with a unilateral extension of another 30 days
- Emails are considered written requests
- Frivolous and vexatious requests can be refused
- Business proposals may be released if there is no proprietary information, but the business is given notice
- A business has 20 days to appeal
- Business must be reasonably located
- Requests are considered abandoned if not replied to within 30 days
- Document everything; develop a spreadsheet
- Third party identity must be protected
- We can withhold drafts of plans and budget (publication may be detrimental) during the process
- Health and safety: example is of a woman fleeing an abusive relationship; she may inquire if someone has been looking for her – this third party information may be released
- Personal information is:
  - Race, religion, sexual orientation, family status, age, nationality etc.
  - Financial transactions and status
  - Educational, criminal, employment, health history
  - Identifying numbers or symbols except HSN
  - Home or business address, phone numbers, fingerprints
  - Personal opinions
  - Tax information
  - Name associated with other information
- Everything in an HR personnel file is private and confidential
- If someone calls over the phone, ask for verification
- We are obligated to protect private information from Police, CRA, and Stats Canada; they need written verification and designated authority (have them quote the act in the letter)
- Only give the information they need
- Personal opinions such as advice are considered ‘work product’; an opinion about someone is subject to the Act
- Written notes should be very professional
- Record facts, describe behaviour, but leave judgements out of it
- Not personal information is:
  - About ‘you’
  - Work product opinion
  - Salary, benefits
  - Contract fees and details of services
  - Details of a license, permit or discretionary benefit granted by a government
  - Details of financial benefit granted an individual by government
  - Post-secondary degrees granted and faculty ranks or designations
- Personal information can only be collected for the purpose of an existing program/activity of the organization
- Purpose must be communicated when personal information is collected
- The least amount of information is to be collected that is non-identifying
- “Why are you photocopying/copying my Driver’s License, Health Services Number (life threatening allergies), Birth Certificate?”
- Service can’t be denied if a parent refuses to provide information
- 18 is not a standard for privacy but a gray area of “mature minors”
- Collect information from people if they are incapable (drunk, unconscious, incentive to lie, etc.)
- If you don’t want a photo, please indicate
- If an organization is taking pictures of an event then notice (on a variety of platforms) must be given for people to have an opportunity to refuse
- No photos of children should be posted without written permission
- I will no longer be using photos of children on my blog
- Privacy Objectives:
  - Control personal information flow
  - Accurate and complete records
  - Right of access (to my own)
- With disclosures you need verification that they are who they say they are and have the authority, referring back to the Act; only give what they need
- Three security categories:
  - Physical
  - Administrative: governance, policy, and training
  - Technical: computer timeouts should be 5 minutes, 7 at the most; change passwords frequently
- Privacy breach is unauthorized access to, loss, or modification of personal information
- If there is a breach then:
  - Contain the breach
  - Evaluate the risk
  - Notify affected parties and authorities
  - Investigate
  - Implement sanctions and new preventive measures