Privacy and Confidentiality at Mohawk College

FOI, PIPEDA, FIPPA, IPC, MFIPPA, PIA, PHIPA, TRA

Definition of Privacy

“The right to be let alone”
Judge Thomas Cooley

“The right to exercise control over your personal information.”
Ann Cavoukian, IPC Commissioner

Definition of Confidentiality

Ensuring that information is accessible only to those authorized to have access

How well do you know our rights to privacy?

A quiz …

Question 1

My name, job title and work phone number are personal information.

TRUE?
FALSE?

False

Personal information (PI) is:

- Factual or subjective
- Recorded or not
- …about an identifiable individual

Personal information includes:

- Home address
- Home phone number
- Home email
- Photo ID
- SIN
- Income
- Marital status
- Employment history
- Employee number
- Performance appraisals
- Financial information
- Educational credentials
- Medical records
- Fund raising records
- Opinions or views on the person

…and of course, the “A” word

“… they even know my age!”
Pat Macdonald
Associate Dean, Continuing Education

Question 2

A man phones you asking if his wife is attending your class. You are allowed to tell him.

TRUE?
FALSE?

Question 3

A police officer conducting an investigation phones you asking if a graduate was registered in a C.E. course. You are allowed to tell her.

TRUE?
FALSE?

Question 4

A student about to write an exam does not have an ID card, so the instructor asks for his SIN card as ID. This is illegal.

TRUE?
FALSE?

Question 5

A new student does not yet have her student ID number, or a driver’s licence, and so you note her health card number as proof of identity. You just broke the law.

TRUE?
FALSE?

Question 6

Someone hit your car in the parking lot and you ask Security if you can view the recording to see the incident. Security tells you that is illegal.

TRUE?
FALSE?

Question 7

A family member arrives at the Front Desk saying that there has been a death in the family. They want to know what classroom their father is in so that they can inform him. The receptionist cannot give them that information.

TRUE?
FALSE?

Question 8

Sears Security department phones the Associate Dean of your department and says that they suspect that one of your students has been stalking an employee. They ask if the college can provide a photo to confirm this. The Associate Dean could email an ID photo to help in the investigation.

TRUE?
FALSE?

Question 9

An employer sponsoring one of your students asks if the student passed the course, so that they can reimburse him. It’s OK to confirm.

TRUE?
FALSE?

How did you do?

Our privacy is protected by Federal and Provincial legislation

The Acts …

Legislation              Sector               Date   Fed/Prov
Fed Access to Privacy    Gov. Institutions    1980   Fed
FIPPA                    Provincial           1987   Prov
MFIPPA                   Municipal            1991   Prov
PIPEDA                   Commerce             1999   Fed
PHIPA                    Health               2004   Prov

Freedom of Information and Protection of Privacy Act (FIPPA)

- Safety & Corrections
- WSIB
- Community & Social Services
- District Health Councils
- Consumer & Business Affairs
- Ontario Human Rights
- Colleges and universities

Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)

- Municipalities
- Boards of Education
- Boards of Health
- Police Services
- Public utilities
- (2,500 in total)

The College gathers personal information from…

- Students
- Staff
- Donors
- and clients

and is committed to protecting that information

Information is collected by …

- Human Resources
- Payroll
- Financial Services
- OH&S
- Health Services
- Registrar
- Continuing Education

So, what is a record?

Any record of information, however recorded, whether in printed form, on film, by electronic means or otherwise.

Records include …

- Application forms
- Registration forms
- OSAP forms
- Section lists
- Class lists
- Exams
- Address books
- Memos
- Draft memos
- Agendas

Plus …

- files on your hard drive
- files on your iPhone
- files on your Blackberry
- your email
- your voice mail

and even …

Privacy Laws & College policies dictate how information is:

- Collected
- Used
- Disclosed
- Retained
- Destroyed

Collection: We must

- have legal authority to collect
- collect it directly from the person
- provide a notice of collection, stating the above and provide the title, business address and telephone number of a college official.

So what do we have to do?

- Safeguard our User Name and Passwords
- Access records only relevant to our duties
- Do not disclose personal information to any unauthorized person
- Protect personal information of staff and students

Specifically: Do

Protect students’ (and employees’) information

- Phone numbers
- Addresses
- SIN numbers
- Employee number
- Student number
- Grades and marks

Specifically: email/voice mail

- Don’t leave PI on voice mail - call back
- Email should be called epostcard!
- Assume additional copies exist
- Assume it will be forwarded

There was a privacy breach… What do I do?

What is a privacy breach?

A privacy breach occurs when personal information (PI) is:

- Collected
- Retained
- Used
- Disclosed

in ways that are not in accordance with FIPPA.

Most common breaches:

Unauthorized disclosure of personal information, contrary to Sect. 42, for example:

- a file is misplaced
- a USB flash drive is lost
- a form is mailed to the wrong person
- a document is left in the photocopier
- a fax is sent to the wrong number
- an email is sent to the wrong address
- a document is not disposed of correctly
- a laptop is stolen

Privacy breach protocol

1. Prevention
2. Scope
3. Containment
4. Notification
5. Investigation
6. Remediation

Prevention 1

Know your department’s procedures on:

- Collection
- Retention
- Use
- Disclosure
- Security
- Disposal

Prevention 2

- Know that you are accountable for the PI in your custody
- Do not discuss PI in public places
- Do not leave documents where they can be seen by the public
- Do not disclose PI to those who do not need to know it
- Turn your monitor away from the public

Prevention 3

- Get written consents before disclosing PI
- Know the consequences of a privacy breach
- Ensure that documents are shredded when no longer in use
- Password protect and/or encrypt data on your laptop, PDA, Flash drive

Notification

Immediately inform

Your boss

Consequences …

- Compliance orders from IPC
- Penal offences
- Fines ($250K)
- Possible personal liability ($50K!)
- Civil liability
- Loss of Trust

In summary …

As a new College employee, you are expected to protect the privacy of individuals and the confidentiality of Personal Information under your control!

Q&A

Have you any questions, additional examples, comments?

John Guilfoyle
Director, Corporate Services
Ext. 2174