3Privacy and Confidentiality at Mohawk College Good afternoon:Now I know that you have been waiting for this topic, but I would ask that you keep your excitement in check!As an employee you have given the college a lot of your personal informationI’m sure that you want the college to protect your privacy and the confidentiality of that personal informationThe college is committed, legally and ethically to protecting not only your information but that of our students, clients and donors.
5Definition of Privacy “The right to be let alone” Judge Thomas Cooley“The right to exercise control over your personal information.”Ann Cavoukian, IPC ComissionerLet’s start with simple definitions of PrivacyThe second is from Anne Cavoukian, the information and Privacy Commissioner of Canada
6Definition of Confidentiality Ensuring that information is accessible only to those authorized to have accessI know other speakers joke about a quiz laterI’m not going to do thatI’m going to give you a quiz now
7How well do you know our rights to privacy? A quiz …
8Question 1My name, job title and work phone number is personal information.TRUE?FALSE?Show of hands?
9Question 1My name, job title and work phone number is personal information.TRUEFALSE
10False Personal information (PI) is: Factual or subjective Recorded or not…about an identifiable individualSimple guidelineIf it’s on your business card it’s not personal information
11Personal information includes: Home addressHome phone numberHomePhoto IDSINIncomeMarital statusEmployment historyEmployee numberPerformance appraisalsFinancial informationEducational credentialsMedical recordsFund raising recordsOpinions or views on the personThis is a partial list of categories of personal information
12…and of course, the “A” word “… they even know my age!”Pat MacdonaldAssociate Dean, Continuing Education
13Question 2A man phones you asking if his wife is attending your class. You are allowed to tell him.TRUE?FALSE?A frequent question to instructors and the receptionists at the Front Desk
14Question 2A man phones you asking if his wife is attending your class. You are allowed to tell him.TRUEFALSE
15Question 3A police officer conducting an investigation phones you asking if a graduate was registered in a C.E. course. You are allowed to tell her.TRUE?FALSE?
16Question 3A police officer conducting an investigation phones you asking if a graduate was registered in a C.E. course. You are allowed to tell her.TRUEFALSE
17Question 4A student about to write an exam does not have an ID card, so the instructor asks for his SIN card as ID. This is illegal.TRUE?FALSE?
18Question 4A student about to write an exam does not have an ID card, so the instructor asks for his SIN card as ID. This is illegal.TRUEFALSE
19Question 5A new student does not yet have her student ID number, or a driver’s licence, and so you note her health card number as proof of identity. You just broke the law.TRUE?FALSE?
20Question 5A new student does not yet have her student ID card, or a driver’s licence, and so you note her health card number as proof of identity. You just broke the law.TRUEFALSEIt is illegal to record the health card number unless you are a health care provider. The college cannot even pass on this number to an agency.
21Question 6Someone hit your car in the parking lot and you ask Security if you can view the recording to see the incident. Security tells you that is illegal.TRUE?FALSE?
22Question 6Someone hit your car in the parking lot and you ask Security if you can view the recording to see the incident. Security tells you that is illegal.TRUEFALSEComment on severing imagesHiding the TV monitor in the Front Lobby
23Question 7A family member arrives at the Front Desk saying that there has been a death in the family. They want to know what classroom their father is in so that they can inform him. The receptionist cannot give them that information.TRUE?FALSE?
24Question 7A family member arrives at the Front Desk saying that there has been a death in the family. They want to know what classroom their father is in so that they can inform him. The receptionist cannot give them that information.TRUEFALSE
25Question 8Sears Security department phones the Associate Dean of your department and says that they suspect that one of your students has been stalking an employee. They ask if the college can provide a photo to confirm this. The Associate Dean could an ID photo to help in the investigation.TRUE?FALSE?
26Question 8Sears Security department phones the Associate Dean of your department and says that they suspect that one of your students has been stalking an employee. They ask if the college can provide a photo to confirm this. The Associate Dean could an ID photo to help in the investigation.TRUEFALSE
27Question 9An employer sponsoring one of your students asks if the student passed the course, so that they can reimburse him. It’s OK to confirm.TRUE?FALSE?
28Question 9An employer sponsoring one of your students asks if the student passed the course, so that they can reimburse him. It’s OK to confirm.TRUEFALSE
30Our privacyis protected by Federal and Provincial legislation
31The Acts … Legislation Sector Date Fed/Prov Fed Access to Privacy Gov. Institutions1980FedFIPPAProvincial1987ProvMFIPPAMunicipal1991PIPEDACommerce1999PHIPAHealth2004The original is the Federal Access to Privacy Act, known as The ActIt regulates the transfer of personal information between levels of government and government institutionsPIPEDA The Personal Information Protection and Electronic Documents ActBusinesses sharing/selling/bartering your info.Does not apply yet to colleges except in the areas of the Book Store, Fund raising, The Fitness Centre, parking, etc. but it is good practice to follow itPHIPA the Personal Health Information Protection Act protects your Health recordsSo this would apply if you use our Health Services ClinicWe also collect PHI about our students - absence due to illness, WSIB injuries, health tests for placements, etc.And it will apply to your students if they are Health Sciences or Human Services students on clinical placement. They will be asked to sign a Confidentiality Agreement regarding clients’/patients’ PHI (Personal Health Information).Or if you go for a check up in Health Services and they passed that information on to the Fitness Centre
32Freedom of Information and Protection of Privacy Act (FIPPA) Safety & CorrectionsWSIBCommunity & Social ServicesDistrict Health CouncilsConsumer & Business AffairsOntario Human RightsColleges and universitiesWe are primarily regulated by FIPPA
33Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) MunicipalitiesBoards of EducationBoards of HealthPolice ServicesPublic utilities(2,500 in total)For our students in C&Y, ECE, Educational Assistant, Public Safety & Security programs this will apply to your students on work placementThey will usually be asked to sign a confidentiality agreement at their field placement
34The College gathers personal information from… StudentsStaffDonorsand clientsand is committed to protecting that information
35Information is collected by … Human ResourcesPayrollFinancial ServicesOH&SHealth ServicesRegistrarContinuing EducationThese are just some of the departments gathering personal information about you
36So, what is a record?Any record of information, however recorded, whether in printed form, on film, by electronic means or otherwise.
37Records include … Application forms Registration forms OSAP forms Section listsClass listsExamsAddress booksMemosDraft memosAgendasComment on draft memos - a Blast o gram
38Plus … files on your hard drive files on your iPhone files on your Blackberryyouryour voice mailHow long does the college retain your ?How many copies are there out there?Use the cc for ing to students!You can re-save your voice mail indefinitely
40Privacy Laws & College policies dictate how information is: CollectedUsedDisclosedRetainedDestroyedAt the departmental level, staff should be instructed the correct methods of gathering, storing and securing personal informationWe are all issued with User names and Passwords to protect informationOur IT system is protected by firewalls and security systemsThe hard copy, personal Information of our staff and students should be locked awayOur facilities are protected by security patrols and CCTV systems
41Collection: We must have legal authority to collect collect it directly from the personprovide a notice of collection, stating the above and provide the title, business address and telephone number of a college official.
42So what do we have to do? Safeguard our User Name and Passwords Access records only relevant to our dutiesDo not disclose personal information to any unauthorized personProtect personal information of staff and studentsEach year as staff you are able to access more information on-line.You can check class and section lists, you will have your students’ phone numbers, addresses.The faculty are starting to submit their grades on-line
43Specifically: Do Protect students’ (and employees’) information Phone numbersAddressesSIN numbersEmployee numberStudent numberGrades and marksAsk students if they want their phone numbers used in a phone tree. If they do not you will have to phone them.
44Specifically: email/voice mail Don’t leave PI on voice mail - call backshould be called epostcard!Assume additional copies existAssume it will be forwarded
45There was a privacy breach… 3/31/2017There was a privacy breach…What do I do?
46What is a privacy breach? 3/31/2017What is a privacy breach?A privacy breach occurs when personal information (PI) is:CollectedRetainedUsedDisclosedin ways that are not in accordance with FIPPA.
473/31/2017Most common breaches:Unauthorized disclosure of personal information, contrary to Sect. 42, for example:a file is misplaceda USB flash drive is losta form is mailed to the wrong persona document is left in the photocopiera fax is sent to the wrong numberan is sent to the wrong addressa document is not disposed of correctlya laptop is stolenLost USB = 603 recordsKim Hill case = 400 recordsWe tend not to delete outdated filesOn a fax machine, reprint will print the last document??Photocopiers store documents in memory??Dept. of Veterans Affairs = 23,000,000City of Toronto, Court Services sent out Notices of Conviction with names, address, charge, drivers license # readable through cellophane windowSept 12, 2001 international student organization requested and got plans for Toronto City Hall, Waste water treatment plants and other buildings, a manager drove out and retrieved them.Oct 2005, 3 boxes of patient records scattered on street for movie of 911 set in Toronto
49Prevention 1 Know your department’s procedures on; Collection 3/31/2017Prevention 1Know your department’s procedures on;CollectionRetentionUseDisclosureSecurityDisposalCollection noticesHow long does your department retain records?How does it use them?Who are they disclosed to?How are they protected, locks, passwords, “clean desk”How are they disposed of?Shred it? Diagonal cut shredders.
50Prevention 2 Know that you are accountable for the PI in your custody 3/31/2017Prevention 2Know that you are accountable for the PI in your custodyDo not discuss PI in public placesDo not leave documents where they can be seen by the publicDo not disclose PI to those who do not need to know itTurn your monitor away from the publicPublic places: Customer Service Windows (Financial Aid, Accounting), cafeteria, hallways“Clean desk”Use strong passwords: 8 characters, upper/lower, numbers/, not in any dictionary
51Prevention 3 Get written consents before disclosing PI 3/31/2017Prevention 3Get written consents before disclosing PIKnow the consequences of a privacy breachEnsure that documents are shredded when no longer in usePassword protect and/or encrypt data on your laptop, PDA, Flash driveStudents do not sign consents at MohawkMany departments have releasesSome use hand written notesPrivacy breaches are serious = bad publicity, legal action
52Notification Immediately inform Your boss 3/31/2017 Emphasis on “Immediately”FOIC = MeI should inform IPC! And possibly our legal counsel
53Consequences … Compliance orders from IPC Penal offences Fines ($250K)Possible personal liability ($50K!)Civil liabilityLoss of Trust
54In summary …As a new College employee, you are expected to protect the privacy of individuals and the confidentiality of Personal Information under your control!
55Have you any questions, additional examples, comments? Q & AHave you any questions, additional examples, comments?Any questions?
56Director, Corporate Services John GuilfoyleDirector, Corporate ServicesExt. 2174