How to survive as a FOIP/HIPA Coordinator
Office of the Saskatchewan Information and Privacy Commissioner
Discussion led by Larissa McWhinney, Portfolio Officer
OIPC Brown Bag Workshop, February 25, 2009

How to survive as a FOIP/HIPA Coordinator
You’ve been designated a FOIP/HIPA Coordinator – now what?
- What is the Chain of Command?
- What does a Coordinator Do?
- What does a Coordinator Need?

Chain of Command
- Term “FOIP/HIPA Coordinator” doesn’t appear in Acts;
- The Acts place responsibility on the “head” of a government institution or local authority (e.g., a minister, a mayor), or on a “trustee” (e.g., head of government institution, head of RHA, a proprietary pharmacist, health professional, etc.)
- But head/trustee may delegate his/her powers to someone else in the organization:
  - FOIP s.60;
  - LA FOIP s.50;
  - HIPA makes no explicit reference to delegation, but it is implied.
- Despite delegation, ultimate responsibility still lies with head or trustee.
- However, Coordinator should have as much authority as possible (more later).

Coordinator Liaison with OIPC
- Part of Coordinator’s role is to liaise with the OIPC;
- OIPC mandate to oversee compliance and promote robust ATIP culture (ATIP = access to information and privacy protection);
- OIPC role:
  - Interpret and apply FOIP, LA FOIP and HIPA;
  - Conduct reviews/investigations;
  - Provide guidance, recommendations and education to public bodies, trustees and the public.

Coordinator Liaison with OIPC
We encourage and welcome strong Coordinator connections with OIPC:
- Not only an oversight body – also a resource;
- Open channels of communication;
- Informal contact welcome;
- We offer summary advice & advice and commentary;
- Early intervention can help prevent major media crises (City of Regina case);
- We informally resolve 97% of cases without Report: Coordinator assistance and cooperation is key;
- Please notify us of change of staff to keep channels open.

Access and Privacy Coordinator – A Coordinated Approach
What should role of FOIP/HIPA Coordinator look like?
- Coordinated approach is best practice across Canada based on 27 years of ATIP experience;
- A single person, delegated as both Privacy Officer and Access Coordinator;
- Why? Access and privacy legislation has two themes:
  1. access to information, and
  2. protection of privacy;
- These are two sides of the same coin: must be read together, not separately….

Access and Privacy Coordinator – A Coordinated Approach
- Privacy refers to the right to control how one’s personal (health) information is collected, used and disclosed – subject to statutory exemptions;
- Access is the right to request general or personal information (in FOIP and LA FOIP) and to personal health information (in HIPA);
- The two rights are intimately intertwined…

Access and Privacy Coordinator – A Coordinated Approach
Privacy and access are integral to each other:
- One of the most common exemptions to access is the claim that releasing certain records would prejudice the privacy of a third party;
- Conversely, third party information cannot automatically be invoked to prevent access, but must be carefully considered to determine whether or not it is privacy related (i.e., personal (health) information) or protected third party business information.
Not all third party information is exempted. Intimate knowledge of access rights and appropriate exemptions is integral to the functioning of a FOIP/HIPA coordinator.

Access and Privacy Coordinator – A Coordinated Approach
Efficiency:
- Can be inefficient to have two individuals within an organization responsible for privacy and access respectively.
- There is value in a single individual representing your institution who can develop positive working relationships within the organization and with OIPC staff.

Access and Privacy Coordinator – A Coordinated Approach
- Even in the federal government where there are two separate laws dealing with access and privacy respectively, ATIP coordination is usually vested in one person who is: “the one point of coordination and authority accountable for all aspects of the administration of the two Acts as they are applied to records under the control of the institution.”
- Allows members of your organization to know who to go to.
- Be sure to identify stand-in when on holidays or leave, etc.
(case of recent privacy breach where Coordinator absent)

The importance of Coordinators
- “Access to Information Coordinators are the lynchpin of the access to information regime” – John Reid, former Federal Information Commissioner
- We would add that same applies to the privacy side of the FOIP/HIPA Coordinator’s position: “keystone” of privacy protection;
- The way Coordinators exercise their role will determine how the legislation will actually manifest itself – Rick Snell
- Coordinators are critical to a robust ATIP regime; provinces/territories need Coordinators to spread the statutory message, and to promote strong ATIP culture;
- Interface between legislation and the public: “Medium of Message.”

Role of Coordinators
To “assist institutions in meeting their statutory responsibilities under the Acts, promoting open government and fostering an organizational culture that advances [four] fundamental… principles….” – Ontario Coordinator Toolkit

Coordinator Principles
1. Provision of general information to the public;
2. Promotion of individual access to their personal (health) information;
3. Narrow interpretation of exemptions to access;
4. Protection of the privacy of individuals with respect to their personal information.

What does a Coordinator Do?
- Responds professionally, efficiently and lawfully to access requests and privacy complaints;
- Raises awareness of access and privacy issues on a regular and proactive basis within their organization;
- Represents and advises senior members of the organization in regard to access and privacy;
- Liaises with the OIPC for advice, guidance, reviews and investigations.

How does a Coordinator perform his/her Role?
- Be the resident ATIP expert: intimately know which Acts your organization is subject to, and understand their requirements;
- Be aware of the OIPC’s and the Courts’ interpretation of the Acts, e.g., as discussed in Commissioner’s online Reports and in our FOIP Folios (see also Annotated Indexes); “no surprises approach.”
- Be aware of all operations of the organization;
- Ensure that employees at all levels of the organization (including senior management) are informed and trained in the importance of the relevant laws, and that they understand their obligations under those Acts;
- Be aware of the type of information collected, used and disclosed by the organization, and ensure that CUD is authorized by law;
- Be able to distinguish personal (health) information from other information….

How does a Coordinator perform his/her Role?
- Be involved in, and offer direction regarding, new programs that impact on access or privacy;
  - E.g., be ready and able to implement a PIA;
  - Be instrumental in writing and reviewing ATIP policy;
- Ensure existence of adequate policies and safeguards as required by s.16 of HIPA (implied in FOIP/LA FOIP by virtue of Part IV CUD duties) – administrative, physical and technical;
- Understand and employ “data-minimization” and “need-to-know” principles (see HIPA s.23)

How does a Coordinator perform his/her Role?
Establish efficient methods for addressing access requests:
- Be aware of the kinds of records possessed or controlled by the organizations, who is in charge of them and where they are kept;
- Ensure that there are proper, accessible, record-management systems;
- Have methods to: keep track of access requests, clarify or narrow requests, adequately search for records, apply exemptions, sever, determine when to consult, when to notify third parties, when to apply for time extensions, how to make fee estimates, and how/when to notify applicants… (we will cover many of these topics in future BBLs)

How does a Coordinator perform his/her Role?
- Establish efficient methods for dealing with privacy complaints or breaches:
  - Have proper channels and mechanisms in place to deal with privacy complaints;
  - Ensure there are rehearsed protocols and procedures for responding to breach (see OIPC Privacy Breach Guidelines);
- Be able to deal professionally with unhappy applicants/complainants;
- Be able to cope with managerial pressure to make challenging applicants/complainants go away.

What does a Coordinator Need?
Tall order!
- Referencing access, former Federal Information Commissioner said:
  - “The coordinator operates under considerable pressure from applicants and the oversight office, as well as from their co-workers and senior officials.” – Annual Report 1987
- 2002 Access to Information Task Force reported:
  - “The government is facing a looming crisis in the recruitment and retention of these skilled individuals.”

What does a Coordinator Need?
What can make the Coordinator’s job easier?
- Get senior management onside to create appropriate ATIP culture:
  - “In those Canadian jurisdictions where the Premier or CEO has stressed the importance of FOIP in promoting transparency and accountability, overall compliance has significantly improved.” – OIPC Annual Report, 2007
- Biggest help to Coordinator is organizational culture of openness, and strong understanding, and respect for, appropriate privacy rules and safeguards at all levels of the organization.
- Ultimate management endorsement:
  - “Starting today, every agency and department should know that this administration stands on the side not of those who seek to withhold information, but those who seek to make it known.” – Pres. Barack Obama, Jan. 21, 2009

What does a Coordinator Need?
What can make the Coordinator’s job easier…?
Ensure sufficient resources/seniority to do the job:
- Access/privacy duties should be seen as core and essential, not superfluous, additional or a necessary evil;
- Importance of, and expertise required for, Coordinator’s role should be reflected in the Coordinator’s seniority and authority within the organization;
- Decision-making should be centralized, and Coordinator should have as much authority as possible to prevent lost time waiting for multiple approvals from within the organization; …

What does a Coordinator Need?
What can make a Coordinator’s job easier…?
- Adequate staff to ensure effective responses to access requests within statutory timelines, to be able to address security issues, to respond to privacy complaints/breaches and provide organizational awareness, education and training;
  - General guideline: no single analyst should be processing more than 100 access requests per year – if so, need more staff;
- Time to engage in professional education re access/privacy: IAPP courses, mediation/negotiation training, FOIP/HIPA sessions, exposure to OIPC reports and other materials (FOIP Folio, Helpful Tips, Privacy Breach Guidelines, etc.), and other materials on other provincial and the federal (O)IPC offices.

What does a Coordinator Need?
What can make a Coordinator’s job easier…?
Ability and protection to address any tendencies by organization to treat certain applicants/cases differently than others: “contentious issues management;”
- Applicant and complainant identities should be confidential (need-to-know only);
- Access should not be refused, or privacy complaints played down, because of organizational embarrassment or PR concerns:
  - Former Information Commissioner Annual Report, 1987: Re access: “Discomfort alone does not give rise to a right to withhold. Making coordinators scapegoats leaves them torn between what they perceive to be their public, professional duty and what might be better for the department, their colleagues or their careers.”

What does a Coordinator Need?
- You may already have seniority and management buy-in;
- If not, remind managers of statutory significance of FOIP/HIPA laws, and their “quasi-constitutional nature;” – Supreme Court of Canada
- “Public servants should…strive to ensure that the value of transparency in government is upheld while respecting their duties of confidentiality under the law.” – Values & Ethics Code for Public Service;
- Better to be prepared than to risk bad press or a Commissioner’s Report;
- OIPC supports you by regularly reinforcing the importance of a Coordinator’s status in the organization through letters to ministers, annual reports, etc.
- Culliton Award!!

What does a Coordinator Need?
- Where resources inevitably tight and time short, efficiency is key;
- In addition to streamlining processes and ensuring expert understanding of requirements and interpretation of FOIP/HIPA laws, you should practice:
  - Active Dissemination & Routine Disclosure
- AD/RD are part of strong ATIP culture, and excellent efficiency mechanism.

Main Messages
- Your role is critical; we are here to help;
- Access requests and privacy complaints only part of your role: critical function is to facilitate robust access and privacy culture and to be the medium of the ATIP message;
- To perform your role properly, you need seniority, resources, healthy ATIP culture and expert knowledge;
- Expert knowledge is based on understanding of OIPC and Court interpretations of FOIP/HIPA laws, not just familiarity with laws themselves;
- Please remember to protect the identities of applicants and complainants: this information is personal;
- Please remember to delegate authority when away and to notify us of change in staff, especially on open files.

Resources
The Ontario Information and Privacy Commissioner has provided an excellent job description and tips for Access and Privacy Coordinators based on being the province with the longest ATIP experience in Canada:
See the Basic Tool Kit for New Co-ordinators at www.ipc.on.ca

Next Brown Bag Luncheon
Severing Made Easy
March 25, 2009: 12 noon to 12:45
Led by Aaron Orban
[email protected]
798-2261

Questions?
Office of the Saskatchewan Information and Privacy Commissioner
- Phone: (306) 787-8350
- Fax: (306) 798-1603
- Email: [email protected]
- Website: www.oipc.sk.ca