Privacy & Access to Information ICT Support Services February 2018 Rayelle Johnston, Access and Privacy Officer

Legislation and Policy The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) Policies Freedom of Information and Protection of Privacy Data Management Computer Use E-mail Management of University Records Information Security

Other Compliance Legislated reporting requirements Funding agency requirements Contractual requirements Confidentiality Reporting

Access to Information Any person Any record Limited exemptions With application form and fee Any record Limited exemptions Others’ personal information (including child or family member), certain financial and third party information Time limits Informal/formal processes

Privacy Protection of personal information Any information in our custody or control about an identifiable individual is protected Except – certain employment information about university employees; the degrees awarded by the university Can only be used and disclosed in accordance with the Act Rules around collection, use, and disclosure Consent – express or implied Without consent in very limited circumstances

Privacy Limited collection Shall not collect personal information unless the information is collected for a purpose that relates to an existing or proposed program or activity of the university Personal information should generally be collected from the individual to whom it relates, with informed consent Need to ensure personal information is accurate and complete Need to know vs. nice to know

Privacy Use and disclosure Shall not use or disclose personal information without express consent, except: With implied consent - “for the purpose for which the information was obtained or compiled by the university or for a use that is consistent with that purpose” Without consent in very limited circumstances As required or permitted by law Protection of mental or physical health or safety Public interest outweighs invasion of privacy or a clear benefit to the individual – high bar and rarely relied on Where the information is otherwise publicly available

Privacy Steps to considering use and disclosure of PI Should we be collecting the information in the first place? Do we have express consent to use or disclose the information in the manner or for the purpose proposed? Do we have implied consent? Can we do it without consent? If we can use or disclose, what it the best way to do so? Best practices, other laws (eg. CASL), university policy and other compliance requirements (contracts, etc.)

Privacy Breach Improper collection Improper use or disclosure intentional or unintentional, malicious or not Privacy breach response guidelines Contain Notify Investigate Mitigate Report

Important Changes Duty to Protect Outsourcing – IMSPs Mandatory Breach Notification Penalties

Duty to Protect Administrative safeguards Technical safeguards Policies, procedures, guidelines Appropriate contracts with service providers Technical safeguards Encryption, role-based access, secured connections, password protected mobile devices Physical safeguards Lock doors, filing cabinets, don’t leave files/laptops in car

Penalties Institution: 1 year in prison and/or $50,000 fine New – Individuals who wilfully access or use personal information that is not reasonably required to carry out an authorized purpose (snooping): 1 year in prison and/or $50,000 fine

Contact & Other Resources Access and Privacy Office privacy@usask.ca www.privacy.usask.ca Rayelle Johnston rayelle.johnston@usask.ca 966-8596 Saskatchewan Information and Privacy Commissioner www.oipc.sk.ca

Contact & Other Resources Internal Resources Access and Privacy Officer FOIP Liaisons (coming soon!) University Archives – records management policy and records retention schedules Research Services and Ethics Office Legal Services Data Classification, Data Stewards and Data Dictionary Technology Assessment Team

Questions?