Governments and Your Privacy Rights
Different Laws for BC Government and Federal Government
There is a privacy law that applies to British Columbia government entities – the Freedom of Information and Protection of Privacy Act (BC) (FOIPPA) and a different privacy law that applies to entities of the Canadian federal government – the Privacy Act (Canada).
Because they are quite different, they will be discussed separately.
- If you think that you are dealing with a BC government entity: the Freedom of Information and Protection of Privacy Act (BC)
- If you think you are dealing with an entity of the government of Canada
The Freedom of Information and Protection of Privacy Act (BC) “FOIPPA”
The purpose of FOIPPA is to make the British Columbia government more accountable to the public and to protect personal privacy. It gives the public a right of access to records that are in the control of the BC government and prevents the unauthorized collection, use or disclosure of personal information by public bodies. It also gives individuals a right to access and to request correction to their personal information, subject to limited exceptions.
FOIPPA covers every BC government entity that is a “public body.” You have a right to access information under FOIPPA if the entity is listed in the Act as a “public body.” Before you make a request for access you should check Schedule 2 and Schedule 3 of FOIPPA to find out whether the organization is a public body and therefore covered by the Act.
Rights and Duties Under FOIPPA
What is a Public Body?
The term “public body” covers a long list of British Columbia government bodies, agencies and organizations, some of which are:
- a ministry of the government of British Columbia;
- a BC agency, board, commission, society, council, program, foundation or similar organization;
- a BC crown corporation, office or similar body;
- a local government body such as a municipality or regional district;
- a health authority;
- a social services body;
- an educational body such as a university, college, public school or school board; and
- the governing bodies of certain professions (such as the Law Society of BC).
What are Your Rights Under the Freedom of Information and Protection of Privacy Act (BC)?
Under FOIPPA you have the right to:
- request access to records held by public bodies, including records containing your personal information;
- request the correction of your personal information in records held by public bodies;
- ensure that your personal information is collected, used, disclosed and kept secure by public bodies according to specific standards that protect the privacy of your personal information; and
- ask the Office of the Information and Privacy Commissioner of BC to review or investigate decisions by public bodies about privacy or access to records.
What are BC Public Bodies Allowed to Do With Your Personal Information?
Consent is not required under FOIPPA. Public bodies are allowed to collect, use and disclose personal information without consent. However, FOIPPA does put some limits on the purposes for which a public body is allowed to collect and use your personal information, and on how and where it can be disclosed.
In addition, public bodies must maintain the accuracy of personal information, keep it secure, and limit how and why it is disclosed, both outside Canada and inside Canada. A public body must also retain personal information for at least a year if it has been used to make a decision that directly affects the individual.
When Can a BC Public Body Collect Your Personal Information?
Under FOIPPA, personal information may be collected by or for a public body only if:
- a law specifically says that the personal information may be collected; or
- it is collected for law enforcement purposes; or
- the personal information relates directly to an operating program or activity of the public body and the personal information is necessary for the operating program or activity.
Although these are broad categories they do have limits. The BC Information and Privacy Commissioner has decided that when asking whether personal information is “necessary for an operating program or activity,” public bodies should be held to a fairly rigorous standard of necessity, taking into consideration the sensitivity and amount of the personal information collected, the purpose for the collection and the objective of FOIPPA to protect privacy. It is not enough that the information would be helpful. And if the purpose can be accomplished another way, the public body should take that other way.
How is a BC Public Body Allowed to Use and Disclose Your Personal Information?
Your personal information may be used or disclosed for the purpose for which it was obtained or compiled, or for a purpose that is consistent with that purpose. In section 34 of FOIPPA, “for a consistent purpose” means that the purpose has a reasonable and direct connection to the original purpose and it is necessary for performing the duties or carrying out a program of the public body.
Examples of “consistent purposes”
Example 1:
A university is allowed to use student and alumni information for large mail-outs of information about university-related programs, and products and services that are benefits for alumni. It is not allowed to disclose the student and alumni information to outside commercial organizations for marketing purposes, because the outside marketing purposes are not consistent with the purposes the personal information was originally collected for.
Example 2:
A health centre collects the name, address, age, gender, admission and discharge date, discharge status and patient number for the delivery of health care to the patient. It later discloses that information to a contractor to conduct a patient satisfaction survey to be used for quality assurance purposes. Surveying patient concerns is reasonably and directly connected with the original purpose for the collection (to deliver health care), and is necessary for performing the duties of the health centre (to deliver health care), and therefore the disclosure was for a consistent purpose.
The Procedural Requirements
The FOIPPA Policy and Procedures Manual, which applies to all government bodies and establishes what they need to do to follow FOIPPA, states that:
- Public bodies or persons acting on their behalf should consider whether the person the information is about would expect their information to be used in the proposed way.
- Public bodies or persons acting on their behalf must ensure that a consistent use has a logical and plausible link to the original purpose for which the personal information was obtained or compiled. It must flow or be derived directly from the original use or be a logical outgrowth of the original use.
- Where it is not clear that the intended use or disclosure of personal information under section 32 or 33.2 is “consistent” as defined under section 34, the public body or person acting on their behalf shall seek the consent of the individual for the proposed use or disclosure.
Permitted Purposes and Consent
Personal information may also be used or disclosed for certain purposes permitted in FOIPPA. These permitted purposes are extremely broad and include purposes related to the payment to be made to a public body, licensing and regulatory purposes, law enforcement purposes or for any purpose authorized by law.
Under PIPA and PIPEDA, there is an overarching requirement that the collection, use and disclosure must be for purposes that are reasonable and appropriate in the circumstances. There is no such requirement in FOIPPA.
In fact, because FOIPPA states that personal information may be used or disclosed if a law of BC or Canada authorizes or requires the use or disclosure, the government can do just about anything with your personal information once they have collected it. All the government has to do is pass a law to give it the necessary authority. If the law is consistent with the requirements of the Charter of Rights and Freedoms, FOIPPA permits the use or disclosure to be carried out.
And a public body may use or disclose your personal information for any other purpose, if the public body gets your consent.
Your Personal Information Must be Protected and Kept Secure
Your personal information must be kept secure. A public body is required to protect personal information in its custody and under its control by making reasonable security arrangements against unauthorized use, access, collection, disclosure or disposal of the information.
FOIPPA does not specify a technical standard, in part because technical standards change very quickly. The Information and Privacy Commissioner has interpreted the law and determined that the following standards apply:
- Individuals who do not have a need to know the information to carry out their job function should not access the information. Even if an employee can see the information in a system or a file, he should not be looking at it unless there is a legitimate job-related reason to do so.
- It is a breach of an individual’s right to privacy and a breach of the law for an employee of a public body or of a service provider to a public body to see or use personal information when doing so is not necessary to his or her job function. A government body and its service providers will breach the law if they fail to ensure that their employees follow the law.
- Security measures must consider paper and electronic storage formats, emerging risks, and the inevitability of human error. Government bodies and their service providers must know how their systems work, and must know about any new technological threats to the privacy and security of information. They also have to recognize that everybody makes mistakes and should build redundancies into the security systems, such as using encryption on all portable devices.
- Personal information may be stored or accessed outside Canada only in very limited circumstances.