Guide for Local Public Bodies: Protection of Privacy
Contents
Protection of Privacy
What is Personal Information?
Collection of Personal Information
Maintaining Accurate Personal Information
Right to Correct Personal Information
Retention of Personal Information
Protection of Personal Information
Use of Personal Information
Disclosure of Personal Information
Consistent Purpose
Privacy Assessment Review Process
Disclosure of Personal Information for Research Purposes
Protection of Privacy
Part 3 of FIPPA protects an important aspect of privacy: it imposes obligations on public bodies respecting the management of personal information in their custody or under their control.
The provisions of Part 3 of FIPPA do not apply to personal health information. Part 3 of The Personal Health Information Act sets out the rules respecting collection, protection, use and disclosure of personal health information by trustees, including public bodies.
What is Personal Information?
[SECTION 1 Definition]
As discussed in the section "Definitions in FIPPA", "personal information" is defined in FIPPA as "recorded information about an identifiable individual . . . ."
[SECTIONS 36 and 37]
Under FIPPA, a public body may collect personal information only if:
- collection of the information is authorized by or under a statute or regulation of Manitoba or Canada;
- the information relates directly to and is necessary for an existing program or activity of the public body; or
- the information is collected for law enforcement purposes or crime prevention.
For the purposes of this section, a public body "collects" personal information whenever it gathers or brings together or creates, by any means, a record of personal information. For example, a public body is collecting personal information when individuals fill out application forms which request personal information, complete surveys (provided that the individual is identifiable), or provide answers, which are recorded in some way, in an interview. A public body is bound by the requirements of FIPPA whether it collects the personal information itself or authorizes another public body or an outside agent to collect the information on its behalf.
Public bodies are required to collect only as much personal information as is reasonably necessary to accomplish the purpose for which it is collected.
In most circumstances, personal information must be collected directly from the individual the information is about. This ensures that the individual is aware of the personal information that a public body is gathering about him or her.
However, FIPPA authorizes indirect collection of personal information (that is, collection of personal information from someone other than the individual it is about) in a number of circumstances. These situations include when:
- the individual has consented to collection from another source;
- a statute or regulation of Manitoba or Canada authorizes another method of collection;
- direct collection of the information could reasonably be expected to cause harm to the individual the information is about or to another person;
- collection of the information is in the interest of the individual, but time or circumstances do not permit direct collection;
- collection from the individual could reasonably be expected to result in inaccurate information being collected;
- collection is for law enforcement purposes or crime prevention;
- the information is collected for the purpose of legal proceedings or to provide legal advice or legal services to the public body;
- the information concerns the history, release or supervision of an individual in a correctional authority;
- the information concerns the security of a correctional institution;
- the information is collected to enforce a maintenance order under The Family Maintenance Act;
- the information is collected for the purpose of informing The Public Trustee or the Vulnerable Persons’ Commissioner about clients or potential clients;
- the information is collected to determine the eligibility of an individual to participate in a program or receive a benefit from the public body and is collected in the course of processing an application made by or on behalf of the individual the information is about;
- the information is collected to verify the eligibility of an individual who is participating in a program or receiving a benefit or service from the public body;
- the information is collected for the purpose of determining the amount of or collecting a fine, tax or payment owing to the public body;
- the information is collected for the purpose of making a payment;
- the information is collected to manage personnel of the public body;
- the information is collected for the purpose of auditing or evaluating the activities of the public body; or
- the information is required to determine the individual's suitability for an honour or award.
When collecting personal information directly from the individual, the public body must inform the person of the purpose of the collection and the legal authority, and provide the title, business address and telephone number of an officer or an employee of the public body who can answer the individual’s questions about the collection. This information will usually be provided in writing. A sample notification is provided in the Forms, Letters and Notices Section of the Handbook. There may be circumstances in which it is necessary to notify the individual verbally, for example, in some law enforcement situations, in situations where information is collected over the telephone or where the individual has difficulty understanding written information. In these cases, the officer or employee providing the information should keep a written record of the information provided and should also consider whether it is practical and advisable to follow-up with written confirmation.
Where a public body has recently provided the individual with the required information about the collection of the same or similar personal information for the same or a related purpose, the public body is not required to provide this information again.
Maintaining Accurate Personal Information
[SECTION 38]
Public bodies are required to take reasonable steps to ensure that any personal information that they use to make a decision that directly affects the individual is accurate and complete.
Right to Correct Personal Information
[SECTIONS 39 and 40]
An individual who has been given access to a record containing his or her personal information under Part 2 of FIPPA has the right to request corrections to incorrect or incomplete information. The head of the public body must respond to the applicant within 30 days after receiving a request for correction of personal information, unless the time period has been extended for one of the reasons set out in subsection 15(1).
The head of the public body may make the requested correction and notify the applicant of the correction. If the head of the public body refuses to make the correction (because, for example, the applicant has not provided adequate proof in support of the requested correction or the information is non-factual evaluative information or an opinion), the head must notify the applicant of the reason for the refusal, that the request for correction has been added to the record and that the applicant has a right to make a complaint to the Ombudsman about the refusal. As well, head of the public body must attach the correction request to the record.
Where practicable, the public body must inform other public bodies, or third parties who have received the personal information from the public body within the previous year, of any corrections or that a request for correction has been added to the record. A public body that receives notice of correction, or of a request for correction, from another public body must either make the correction to its own record of the personal information or add the request for correction to its record.
Retention of Personal Information
[SECTION 40]
Public bodies must establish written policies regarding the retention of personal information which will be used to make a decision that direct affects the individual. Personal information should be kept for a reasonable period of time, to allow individuals an opportunity to access their own information.
The requirement to establish a retention policy under this section does not apply where the retention of records is addressed in another statute or in a regulation.
Protection of Personal Information
[SECTION 41]
The head of a public body must make arrangements to protect the personal information in its custody or under its control against risks such as unauthorized access, use, disclosure or destruction. Such security arrangements must be in accordance with the regulations to FIPPA. While there are no requirements respecting protection of personal information in the Access and Privacy Regulation at the present time, the Personal Health Information Regulation contains requirements respecting security of personal health information which apply to public bodies and other trustees of personal health information.
Use of Personal Information
[SECTIONS 42, 43, 45 and 46]
In Part 3 of FIPPA, "use" of personal information means access to and use of personal information by the officers, employees and agents of the public body with custody or control of the information, for the purposes of that public body.
Under FIPPA, a public body may use personal information only:
- for the purpose for which it was collected or compiled or for a use consistent with that purpose (a "consistent" use is one which has a reasonable and direct connection to the purpose for which the information was collected and which is necessary for performing statutory duties, operating an authorized program, or carrying out an activity of the public body);
- for another purpose if the individual the information is about consents to the use;
- for a purpose for which it has been disclosed to the public body by another public body , when the other public body is authorized to disclose it; or
- to link information databases or to match personal information in different databases, if the use has been approved by the head of the public body following a privacy assessment review.
Every use of personal information by or on behalf of the public body must be authorized under section 43 of FIPPA and must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used. Access to and use of personal information by the employees or agents of the public body must be limited to those who need to know the information to carry out the purpose for which the information was collected or received or to carry out a purpose authorized under section 43 of FIPPA.
Disclosure of Personal Information
[SECTIONS 42, 44 and 48]
A public body "discloses" personal information any time it releases, reveals, shares or sells the information to any person or entity outside the public body by any means (for example, by providing copies, verbally, or electronically). Sharing personal information with other local public bodies, a Manitoba government department, the federal government, or any other government is disclosure of personal information which must be authorized under section 44.
FIPPA authorizes disclosure of personal information only in certain specified situations. However, this is discretionary and the head of the public body must determine whether or not it is appropriate to disclose the personal information in the circumstances (taking into account both the potential harm that would result from disclosure and the consequences of not disclosing the information). The head of the public body must also determine how much personal information should be disclosed, keeping in mind the requirement in FIPPA that every disclosure must be limited to the amount of information necessary to accomplish the purpose for which it is disclosed.
Some clauses of this subsection are, in practice, more discretionary than others. For example, in reality a public body has no discretion to refuse to disclose personal information when disclosure is required (as opposed to authorized) by another Act or regulation of Manitoba or Canada or is required by a court order.
Local public bodies should review their activities to ensure that personal information is being disclosed in accordance with the requirements of FIPPA.
These are the main purposes or situations in which a public body may disclose personal information:
- for the purpose for which the information was collected or compiled or for a consistent purpose;
- with consent of the individual the information is about;
- in accordance with the Access to Information provisions in Part 2 of FIPPA;
- to comply with a statute or regulation of Manitoba or Canada or a treaty or agreement under a statute;
- in accordance with a statute or regulation of Manitoba that authorizes or requires the disclosure;
- to an elected official of the public body, if the information is necessary to carry out his or her responsibilities;
- for the purpose of administering personnel of the public body or the Government of Manitoba;
- for audit purposes;
- to the Government of Canada to facilitate the monitoring or auditing of shared cost programs;
- to determine or verify an individual's suitability or eligibility for a program or benefit;
- to enforce a maintenance order;
- to protect the health or safety of an individual or groups of individuals;
- to comply with a subpoena or order made by a court or body with jurisdiction to compel the production of information or with a rule of court that relates to the production of information;
- for use in providing legal advice or services to the public body or the Government of Manitoba ;
- to enforce a legal right that the public body or the Government of Manitoba has against any person;
- to determine the amount of or collect a fine, payment or tax owing to the public body or the Government of Manitoba or to make a payment;
- for use in existing or anticipated legal proceedings to which the Government of Manitoba or the public body is a party;
- for law enforcement purposes or crime prevention;
- to supervise an individual in a correctional authority;
- where disclosure is necessary for the security of a correctional institution;
- to an officer of the Legislature, if the information is necessary for the performance of the duties of that officer;
- to contact a relative or friend of an individual who is injured or ill;
- to assist in identifying a deceased individual;
- to inform a relative of a deceased individual, or any other person it is reasonable to inform, of the individual’s death ;
- to a relative of a deceased individual, if the public body believes that disclosure is not an unreasonable invasion of the deceased’s privacy;
- to a person providing information technology services to the public body (an agreement protecting the personal information against risks such as unauthorized access must be in place);
- when the information is available to the public;
- when authorized following a privacy assessment review;
- when authorized for research purposes; or
- when the record is more than 100 years old.
Consistent Purpose
[Section 45]
FIPPA authorizes the use or disclosure of personal information for a purpose consistent with the purpose for which it was collected. A proposed use or disclosure must meet two requirements to meet the test of consistent purpose:
- the proposed use or disclosure must have a reasonable and direct connection to the purpose for which the personal information was originally collected or compiled; and
- the proposed use or disclosure must be necessary for performing the statutory duties, operating an authorized program, or carrying out an activity of the public body that uses or discloses the information.
There are no hard and fast rules as to what constitutes a use for a "consistent purpose". One guideline to consider is whether a reasonable person would anticipate or expect the personal information to be used or disclosed in the proposed way, even if this use or disclosure was not spelled out at the time the personal information was collected.
Privacy Assessment Review Process
[SECTIONS 46 and 77; REGULATION SECTION 13]
There may be some cases where there appears to be a strong public interest in a proposed use or disclosure of personal information which is not specifically authorized under another section in Part 3, or in an access request for a volume or bulk disclosure under Part 2. The Minister Responsible for FIPPA has established a Privacy Assessment Review Committee which local public bodies may use to obtain advice on the proposal or request. Alternatively, a local public body may conduct its own internal privacy assessment. Following the review process, the head of the local public body must make the decision on whether to authorize the use or disclosure.
Section 46 only applies if the proposed use or disclosure is not authorized under another provision in FIPPA and:
- the public body proposes to use or disclose personal information in order to link information databases or match personal information in one information database with information in another database; or
- the public body has received a request for disclosure of personal information in a public registry or in another collection of personal information on a volume or bulk basis.
The procedures of Privacy Assessment Review Committee, and the information and documents which must be submitted to the Committee, may be obtained from the Secretary to the Privacy Assessment Review Committee, Access and Privacy Services, 3 – 200 Vaughan Street, Winnipeg R3C 1T5 (phone: 945-3738).
Where the head of a local public body has referred a proposal to the Privacy Assessment Review Committee for advice, the head must receive and consider the Committee’s advice before making a decision. When considering whether or not to approve a proposal or request, the head must be satisfied that all of the following conditions are met:
- the purpose of the proposal or request cannot reasonably be accomplished unless the personal information is provided in a form that identifies individuals;
- it is unreasonable or impractical to obtain consent from the individuals the personal information is about; and
- the use or disclosure is not likely to harm the individuals the personal information is about and the benefits to be derived are clearly in the public interest.
If the head of a public body approves a proposed use or disclosure of personal information, the public body must conclude a written agreement with the recipient of the information. This agreement must set the conditions for the handling and protection of the personal information.
Disclosure of Personal Information for Research Purposes
[SECTION 47]
The head of a public body has the discretion to disclose personal information for a research purpose if:
- the head is satisfied that the information is legitimate;
- the research cannot be accomplished without the individual identifiers;
- it is unreasonable or impractical for the researcher to obtain consent from the individuals;
- disclosure of the personal information, and any information linkage, is not likely to harm the individuals; and
- the anticipated benefits of the research are clearly in the public interest.
The head may, but is not required to, refer the research proposal to the Privacy Assessment Review Committee for its advice.
If the public body decides to disclose the information for research purposes, it must enter into a written agreement with the researcher. This agreement should describe the research project and cover issues such as security measures to protect the information, removal of personal identifiers as soon as possible, and the prohibition of any subsequent use or disclosure of the information in a form that identifies individuals.
