Getting Ready for PIPA - PowerPoint PPT Presentation

1 / 49
About This Presentation
Title:

Getting Ready for PIPA

Description:

Office of the Information and Privacy Commissioner of Alberta ... Birth date. Gender. Address. Education. Employment. Income. Medical history. S.I.N.. Held by: ... – PowerPoint PPT presentation

Number of Views:104
Avg rating:3.0/5.0
Slides: 50
Provided by: albertagov
Category:

less

Transcript and Presenter's Notes

Title: Getting Ready for PIPA


1
Getting Ready for PIPA
  • A Workshop for Organizations
  • on the Personal Information Protection Act
  • Alberta Government Services (Information
    Management, Access and Privacy Division)
  • and
  • Office of the Information and Privacy
    Commissioner of Alberta
  • With the assistance of Alberta Chambers of
    Commerce
  • March 2004

2
What we will cover today
  • What is the Personal Information Protection Act
    (PIPA)?
  • Who/what does PIPA apply to?
  • Overview of PIPAs requirements
  • What to do to comply
  • Resources for organizations
  • Questions

3
What is Privacy?
  • the right to be let alone the most
    comprehensive of rights and the right most valued
    by civilized men.
  • U.S. Supreme Court Justice Louis Brandeis in
    Olmstead v. U.S., 1928

4
Threats to privacy
  • Modern threats to privacy chiefly arise in the
    collection and use of information about us
  • Privacy used to be protected by default the
    nature of paper records
  • Electronic records diminish the barriers of time,
    distance and cost that once guarded privacy

5
Personal Information
  • Includes
  • Name
  • Birth date
  • Gender
  • Address
  • Education
  • Employment
  • Income
  • Medical history
  • S.I.N.
  • Held by
  • Credit unions
  • Insurance companies
  • Retailers
  • Landlords
  • Employers
  • Fundraisers
  • Credit bureaus
  • Sports clubs

6
What is PIPA?
  • The Personal Information Protection Act
    balances
  • the right of an individual to have his or her
    personal information protected, and
  • the need of organizations to collect, use or
    disclose personal information for purposes that
    are reasonable
  • Provides common sense rules for collection,
    use and disclosure of personal information by
    private-sector (non-government) organizations
  • The Act also provides a right of access to ones
    own personal information

7
PIPA/PIPEDA
  • Both focus on protecting personal information in
    the private sector
  • Substantially similar, but not necessarily the
    same
  • Federal and Provincial Commissioners are working
    to harmonize practices and protocols

8
PIPA applies to
  • Organizations, including
  • Corporations
  • Unincorporated associations
  • Trade unions (Labour Relations Code)
  • Partnerships (Partnership Act)
  • Individuals acting in a commercial capacity

9
PIPA does not apply to
  • Personal information for personal or domestic
    purposes
  • Personal information for journalistic, artistic,
    literary purposes
  • A public body or personal information protected
    under FOIP Act
  • In a record that is at least 100 years old, or
    about an individual dead for at least 20 years
  • Health information (as defined in HIA) collected,
    used or disclosed for health care purposes, but
    not personal employee information

10
Special provisions for
  • Specified non-profit organizations carrying out
    commercial activities
  • Professional regulatory organizations

11
Personal Information
  • Defined as information about an identifiable
    individual
  • PIPA has broad coverage
  • Applies to personal information regardless of
    whether it is used for commercial purposes
    (except for specified non-profits)
  • Includes personal employee information

12
Business Contact Information
  • Information you would find on a business card or
    company letterhead
  • Includes name, position or title, business
    telephone number, address, e-mail and fax number
  • PIPA does not apply to business contact
    information when it is collected, used or
    disclosed for sole purpose of contacting
    individual in capacity as an employee or official

13
PIPA requires reasonableness
  • When reasonable is used in the Act, it means
  • What a reasonable person would consider
    appropriate in the circumstances

14
Be accountable
  • An organization is responsible for personal
    information in its custody or control
  • Must designate individual(s) to be responsible
    for compliance with the Act
  • Develop policies, practices and procedures and
    make information about them available to public
    on request
  • In meeting responsibilities under the Act,
    organizations must act in a reasonable manner

15
Obtain consent
  • Unless Act allows otherwise, organizations need
    consent
  • to collect, use or disclose personal information
  • to collect personal information from anyone other
    than the individual
  • Consent can be express, implied, or opt-out,
    depending on circumstances
  • Consent invalid if obtained by deception or
    misleading means

16
Withdraw or vary consent
  • An individual may withdraw or vary consent,
    subject to legal obligations
  • Individual must give reasonable notice to
    organization
  • Organization must advise individual of likely
    consequences, unless obvious

17
Grandfathering
  • Personal information collected before January 1,
    2004 is deemed to have been collected with
    consent
  • It may be used and disclosed by the organization
    for the purpose for which it was collected
  • The general rules in the Act regarding
    safeguards, access, correction, etc. still apply
    to this information

18
How to collect personal information
  • Identify purposes for collection
  • Is purpose reasonable?
  • Notify individual of purposes and get consent
  • Except where inappropriate, collect personal
    information directly from the individual
    concerned
  • Limit type and amount of personal information
    collected
  • Is information reasonable to fulfill purpose?

19
Collection from another organization with consent
  • An individual can consent to an organization
    collecting his or her personal information from
    another organization
  • The collecting organization must demonstrate that
    it has obtained consent
  • The disclosing organization must be satisfied
    that the consent complies with the Act

20
Collection without consent
  • The Act permits personal information to be
    collected without consent in limited
    circumstances, including
  • when clearly in the interests of the individual
  • when another Act or regulation authorizes it
  • for investigations or legal proceedings
  • to collect a debt or repay monies owed
  • to create a credit report
  • to determine suitability for honour or award
  • for archival or research purposes

21
Collection without consent
  • Information is publicly available
  • name, address, telephone number in public
    telephone directory, if subscriber can refuse to
    be included
  • name, title, address, telephone number in
    professional or business directory available to
    public where collection, use or disclosure
    relates directly to purpose for which information
    appears in the directory
  • personal information in government registry or
    registry operated under a statute
  • to which public has access
  • collection, use or disclosure relates directly to
    purpose for which information appears in the
    registry

22
Collection without consent
  • Information is publicly available
  • personal information in record of administrative
    tribunal, if
  • available to public
  • collection, use, or disclosure relates directly
    to purpose for which information appears in the
    record
  • personal information in publication, including
    magazine, book or newspaper, in printed or
    electronic form, if
  • available to public
  • reasonable to assume that individual provided the
    information

23
Investigations
  • Organizations do not need consent if the
    collection, use or disclosure of personal
    information is reasonable for an investigation or
    legal proceeding
  • Investigation means an investigation related
    to
  • a breach of agreement
  • a contravention of an enactment
  • circumstances or conduct that may result in a
    remedy or relief being available in law
  • if the breach, contravention, circumstances or
    conduct has or may have occurred or is likely to
    occur, and
  • it is reasonable to conduct an investigation

24
Use of personal information
  • Use personal information only with consent,
    unless otherwise permitted by the Act
  • Use personal information only for purposes that
    are reasonable
  • Use only the personal information reasonably
    needed to fulfill the purposes

25
Use without consent
  • The Act permits the use of personal information
    without consent for purposes including those
    listed under collection without consent, plus
  • to respond to an emergency threatening the life,
    health or security of individual or public

26
Disclosure of personal information
  • Disclose personal information only with consent,
    unless otherwise permitted by the Act
  • Disclose personal information only for purposes
    that are reasonable
  • Disclose only the personal information reasonably
    needed to fulfill the purposes

27
Disclosure without consent
  • The Act permits disclosure of personal
    information without consent for purposes
    including those listed under collection and use
    without consent, plus
  • in accordance with a treaty
  • to comply with a subpoena or court order
  • to a public body or law enforcement agency to
    assist in an investigation
  • to contact next of kin of injured or deceased
    person
  • to a surviving spouse or relative of a deceased
    individual, if reasonable
  • to protect against fraud or market manipulation,
    to any agency empowered by legislation

28
Personal employee information
  • Personal employee information means
  • personal information of
  • employees or prospective employees
  • reasonably required for the purposes of
    establishing, managing or terminating the
    employment or volunteer work relationship

29
Personal employee information
  • Employee includes an individual employed by the
    organization who performs a service for an
    organization, including as an
  • apprentice
  • volunteer
  • participant
  • student
  • an individual under a contract or agency
    relationship

30
Treatment of personal employee information
  • PIPA recognizes true nature of employment not
    consent-based
  • Act allows personal employee information to be
    collected/used/disclosed without consent when
  • reasonably required for establishing, managing or
    terminating an employment or volunteer work
    relationship
  • Does not include personal information unrelated
    to the employment or volunteer relationship
  • Must give notice in case of current employees -
    transparency
  • Subject to review by Commissioner

31
Sale of Business
  • Special recognition for purchase, sale, lease,
    merger, etc., of a business
  • Act provides for the collection, use and
    disclosure of personal information (including
    employee information) between parties involved
    if
  • the information is necessary to decide whether to
    proceed and complete the transaction, and
  • the parties agree to use the information only
    for that purpose
  • Provision does not apply where primary purpose of
    transaction is sale, etc. of personal information

32
Providing access
  • Individuals can request access to
  • own personal information contained in a record
  • information about the purposes for which personal
    information has been and is being used, and
  • Information about to whom the information is
    disclosed and under what circumstances
  • Organization has a duty to assist
  • Organization must respond within 45 calendar days

33
Providing access
  • Organization may designate office to receive
    requests
  • Organization may charge a reasonable fee
  • Any right under the Act may be exercised by
    another person on an individuals behalf (s. 61)

34
Refusing access
  • Access must be refused if disclosure would
  • threaten the life or security of another
    individual
  • reveal personal information about another
    individual
  • reveal the identity of an individual who has
    provided in confidence an opinion about another
    individual (may disclose with consent)
  • An organization must provide access to remaining
    information if able to sever
  • Access may be refused if, for example
  • information is protected by legal privilege
  • disclosure would reveal confidential commercial
    information (sever)
  • information was collected for an investigation or
    legal proceeding
  • disclosure might result in that type of
    information no longer being provided

35
Making corrections
  • Individuals can ask that their personal
    information be corrected
  • If it is wrong - correct it promptly
  • Notify those to whom the information has been
    disclosed
  • If you cannot agree that it is wrong, annotate
    that the information is disputed
  • You cannot correct expert opinions
  • No fees for correction

36
Safeguarding Ensuring Accuracy
  • Organization must
  • Protect personal information in its custody or
    control by making reasonable security
    arrangements against such risks as unauthorized
    access, collection, use, disclosure, copying,
    modification, disposal or destruction
  • Make reasonable efforts to ensure that any
    personal information collected, used or disclosed
    by or on behalf of an organization is accurate
    and complete

37
Records management implications
  • Privacy compliance requires sound records
    management practices
  • Need to locate records quickly in order to
    process requests within time limit
  • In deciding how long to keep a record, an
    organization should be guided by legal and
    business purposes

38
Oversight by Commissioner
  • PIPA enforced by the Information and Privacy
    Commissioner of Alberta
  • same Commissioner for the FOIP Act and the Health
    Information Act
  • independent Officer of the Legislature
  • The Commissioner can
  • investigate complaints
  • initiate own investigations issue Orders
  • authorize an organization to disregard access
    requests from individuals
  • extend time limit to respond to access request
  • provide non-binding advice and advance rulings

39
Complaints
  • Once an individual has brought a case to the
    OIPC, the Commissioner can
  • refer an individual to another grievance,
    complaint or review process before handling the
    case
  • attempt mediation
  • conduct an inquiry
  • issue binding orders
  • publish those orders (including the name of the
    organization)

40
Whistleblower protection
  • An organization cannot take adverse employment
    action against an employee who, acting in good
    faith and on reasonable belief, informs the
    Commissioner of a possible breach of the Act

41
What to do to comply
  • Put someone in charge of privacy
  • Become familiar with the Act
  • Review how your organization handles personal
    information
  • Put your practices to the test
  • Develop privacy policies and practices

42
What to do to comply
  • Develop an access and complaints handling process
  • Review and revise forms, and create notice
    statements
  • Review and revise contracts
  • Consider employees personal information
  • Train staff

43
What you might have to change
  • Forms
  • Add collection, use and disclosure notification
  • Use appropriate form of consent
  • Is all the personal information you ask for
    directly connected to its use and is reasonable?
  • Systems
  • Add database fields to indicate the
    uses/disclosures individuals consented to
  • Rethink access controls
  • Records management practices
  • New security
  • New retention schedule

44
What happens if organizations dont comply with
PIPA?
  • Commissioner may make an Order if
  • complaint or request for review is made
  • Orders will name the organization will be
    public
  • Damaging to reputation of organization
  • Commit an offence if dont comply with order,
    wilfully contravene PIPA or obstruct Commissioner
  • If convicted of an offence, fines are
  • up to 10,000 for individuals
  • up to 100,000 for businesses
  • An individual can pursue damages in court for
    loss or injury suffered as a result of breach of
    privacy

45
Non-profit organizations
  • Non-profit organizations are defined as
    organizations incorporated under the
  • Societies Act
  • Agricultural Societies Act
  • Part 9 of the Companies Act
  • PIPA only applies to non-profit organizations
    collection, use or disclosure personal
    information in connection with a commercial
    activity
  • All other not-for-profit organizations must
    comply with PIPA for all their activities

46
Commercial activity of non-profit organizations
  • Commercial activity means any transaction, act
    or conduct, or any regular course of conduct,
    that is of a commercial character, and includes
  • the selling, bartering or leasing of membership
    lists or donor or other fund-raising lists
  • operation of a private school or early childhood
    services program (School Act)
  • operation of a private college (Post-secondary
    Learning Act)
  • PIPA does not apply to personal employee
    information of non-profit organizations unless
    part of a commercial activity

47
Professional regulatory organizations
  • Are considered organizations under PIPA
  • Have the option of creating a personal
    information code to govern the collection, use
    and disclosure of personal information
  • An individual would still be able to complain to
    the Commissioner
  • Details are in the Regulation

48
PIPA Resources for Organizations
  • PIPA Websites (including links)
  • OIPC - http//www.oipc.ab.ca/pipa/
  • Access and Privacy Branch - http//www.psp.gov.ab.
    ca/
  • Access and Privacy Branch Information Line (780)
    644-PIPA (7472)
  • OIPC (403) 297-2728
  • Consultants List
  • Jointly developed by Access and Privacy Branch
    OIPC
  • Workshops in key centres throughout Province
  • Guides and other publications

49
PIPA Publications for Organizations
  • PIPA on a Page
  • Summary for Organizations 4-page summary of
    organizations key obligations
  • Getting Ready for PIPA outlines steps
    organizations should consider to prepare for PIPA
  • Guide for Organizations and Business on PIPA
    Detailed guide to help organizations understand
    the Act and their obligations
  • Information Sheet on Non-profit Organizations
  • Guidelines for Developing a Personal Information
    Code for Professional Regulatory Organizations
Write a Comment
User Comments (0)
About PowerShow.com