By Lloyd Mason
Lloyd Mason holds a Paralegal Diploma from the province of Ontario and is a Database Administrator at the Calgary Homeless Foundation.
As I am currently enrolled in the Information Access and Protection of Privacy (IAPP) program at the University of Alberta, I have recently completed my first course: Information Access and Protection of Privacy Foundations. Throughout this program, I will be learning about the different IAPP legislation that has been enacted both federally and provincially across Canada, as well as the roles of the Chief Privacy Officer and the duties and responsibilities of public bodies and organizations with regards to privacy and access to information. In the present blog post, I intend to pass along information that I am currently learning and my understanding of those learnings.
In the non-profit sector, organizations are often working with vulnerable populations; establishing and maintaining trust with clients can therefore be challenging. Demonstrating to a client that you are concerned about their safety, confidentiality and privacy is therefore crucial.
Here are 10 things to know:
- Privacy legislation in Alberta seeks to balance the right to privacy, on the one hand, with access to information, on the other. It is important to explain at the outset that there are two types of “access to information”. The first relates to general information that is held by government institutions (public bodies) and can only be accessed by a request under the Freedom of Information and Protection of Privacy Act (FOIP). The second relates to an individual’s personal information: where it is held by a government institution, it can be accessed by a FOIP request; where it is held by a private sector organization, it can be accessed through a request under the Personal Information Protection Act (PIPA), or under the Health Information Act (HIA) if the information is health information. That said, Information Access and Protection of Privacy (IAPP) legislation is designed to promote an individual’s right to access personal information that has been collected about them; it is also in place to restrict any situations where disclosure of personal information could constitute an unreasonable invasion of privacy. It provides public bodies with the authority to refuse disclosure in situations where a release of information could jeopardize investigations (or, from a federal perspective, national security). Often referred to as a “balancing act”, IAPP legislation must be broad enough to cover most access to information situations, but specific enough to reduce the number of situations where public bodies have the ability to exempt information from disclosure. This is to ensure that exemptions are only used in situations where they are absolutely necessary. It must address and respond to the public’s right of access to information, while ensuring that its openness does not infringe on the privacy rights of government officials and third parties who may be included as subjects of access to information requests.
- It’s important to understand legislation, regulations and oversight bodies. It’s also important to know and understand which legislation applies to your organization. In Alberta, there are three access and privacy acts: the Personal Information Protection Act (PIPA), the Health Information Act (HIA) and the Freedom of Information and Protection of Privacy Act (FOIP). FOIP applies to public bodies, PIPA applies to private sector organizations, and the HIA applies specifically to the collection, use and disclosure of health information. Each Act sets out its own provisions regarding the collection, use and disclosure of information. Each Act also outlines the powers of Alberta’s oversight body, the Office of the Information and Privacy Commissioner of Alberta (OIPC).
- Alberta’s Freedom of Information and Protection of Privacy Act is commonly referred to as ‘FOIP.’ FOIP legislation governs all information that is held by government institutions – not just an individual’s personal information. This legislation provides an individual with the right to request information from the Government of Alberta, as well as from any public body that may be collecting personal information about that individual. It also provides guidelines to public bodies as to how personal information may be collected, used or disclosed. It further sets out guidelines around when personal information may be exempt from disclosure and when, if necessary, a third party should be notified about an impending disclosure of information. The FOIP Act also provides information as to time-frames within which public body heads should respond to information requests, as well as the redress avenues available to an individual if they are not satisfied with the outcome of an access to information request.
- In 2004, Alberta became one of the first provinces to enact legislation that is deemed to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Alberta’s Personal Information Protection Act (PIPA) allows certain organizations in Alberta to be exempt from the application of Part 1 of PIPEDA with regards to the collection, use and disclosure of personal information. PIPEDA is one of Canada’s overarching pieces of privacy legislation. To be deemed “substantially similar,” provincially enacted legislation must incorporate the 10 principles of PIPEDA: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance. It must also restrict collection, use or disclosure to appropriate and legitimate purposes, as well as provide an independent oversight and redress body that has powers of investigation. As of February 2017, seven provinces have legislation that has been deemed to be substantially similar.
- Privacy legislation in Alberta gives individuals the right to review information collected about them. An individual has the right under any of the three access and privacy acts to request a review of the information that a public body or organization has collected about them. Each Act sets out the process for requesting this information as well as the duties and responsibilities of the public body or organization with regards to responding to those requests. Each Act also sets out the process that an individual should follow to request a review of any information request that they feel was mishandled, or any response with which they are otherwise unhappy. And any complaints are handled by Alberta’s information and privacy oversight body, which brings us to the next point.
- The Office of the Information and Privacy Commissioner (OIPC) of Alberta is the oversight body that enforces Alberta’s privacy legislation. Reporting to the Legislative Assembly of Alberta, the OIPC is responsible for oversight of Alberta’s three access and privacy acts (FOIP, PIPA, and the HIA). The OIPC advocates for the access and privacy rights of Albertans, reviews complaints brought to its attention, and provides many educational resources for Albertans, public bodies and public and private sector organizations. In Alberta, the OIPC operates under the “Adjudicative” or “Order-Making” model. This means that the OIPC has the power to make orders that are binding on those bodies that process and respond to access to information requests. More information on the OIPC can be found here.
- Alberta has implemented “mandatory breach reporting”. Section 34.1(1) of the Personal Information Protection Act (PIPA) sets out the expectation that any organization falling under this legislation has the duty to advise the Office of the Information and Privacy Commissioner of Alberta (OIPC) of any incident where there has been unauthorized access, disclosure or loss of personal information that may pose significant harm to an individual as a result of the incident. Alberta is currently the only province in Canada that has this reporting requirement for all private sector organizations. When a suspected breach is discovered within an organization, that organization has the duty to notify the OIPC, at which point the OIPC will conduct an investigation to determine if there is a real risk of significant harm to an individual, as a result of the breach. If that risk has been identified, the OIPC can order the organization to notify those individuals affected by the breach and post the decision on their website.
- Non-Profit Organizations (NPOs) in Alberta should care about privacy legislation. In February of 2016, the Office of the Information and Privacy Commissioner of Alberta released a Personal Information Protection Act review which renewed previously made recommendations by the 2007 Special PIPA Review Committee to have PIPA apply to all NPOs. Currently, PIPA only applies to an NPO when its activities fall under the definition of “commercial activity” in section 53 of PIPA. This means that NPOs not falling into this category currently have no requirement to advise the individual of the reason or purpose of the collection; nor does the NPO have to make reasonable efforts to ensure that any personal information collected is secure or accurate. The NPO is also not required to notify the OIPC of any data breach that may occur with regards to personal information in its custody. I would argue that, should this recommendation be implemented in the future, it is better for NPOs to already be in compliance, rather than have to find new resources to become compliant.
- Privacy is important for Calgary’s Homeless-Serving System of Care for several reasons. Calgary’s Homeless-Serving System of Care should pay special attention to the privacy and security of the personal information of the clients that it serves. As discussed above, this is important because of the vulnerability of these clients. Whereas most everyday consumers have safeguards in place to protect their personal information, such as automated email alerts for bank accounts, the clients served by these agencies will not always have such notifications in place. If the personal information of persons experiencing homelessness were to be released into public view, the possibility exists that the client could become a victim of identity theft and, as such, suffer the setbacks of this crime.
- Privacy is important to Calgary’s Homelessness Management Information System (HMIS). In my position at the Calgary Homeless Foundation, I support Calgary’s Homeless Management Information System (HMIS), which is used to collect information regarding the individuals that are served by the homeless-serving agencies in our Homeless-Serving System of Care. Although important to any organization or public body, understanding our ability to collect, use and disclose information under the authority of the governing privacy laws is of particular importance to us due to the vulnerable nature of the individuals we serve. Although we are an NPO, we adhere to the provisions set forth under the FOIP legislation and mandate that any agency using the HMIS system do the same. We take great strides to ensure that the information we collect is protected and secure.
The author wishes to thank Dr. Nick Falvo and Laurence Kearley, whose invaluable feedback and guidance have helped shape this post. Any errors or discrepancies are solely those of the author.