Student Privacy and Your OntarioCollegeDan MichalukCSC Annual ConferenceMay 29, 2012
Student Privacy and Your Ontario College•   FIPPA Basics•   FIPPA and Collection of PI•   Use and Disclosure of PI under F...
FIPPA Basics•   FIPPA is the “Freedom of Information and    Protection of Privacy Act”•   FIPPA does two things     •   Pr...
FIPPA Basics•   Josie enrols in a concurrent education course.    The registrar’s office opens a record for her in its    ...
FIPPA Basics•   In, class Josie’s professor is de-briefing a self-    reflection unit. Quite spontaneously, Josie shares  ...
FIPPA Basics•   The privacy part protects “personal information”     •   Information about an identifiable individual     ...
FIPPA and Collection of PI•   FIPPA is not a consent-based statute•   Ordinarily must meet two essential requirements     ...
FIPPA and Collection of PI•   Who’s collecting it?     •   An institution that collects PI is accountable for it     •   S...
FIPPA and Collection of PI•   For what purpose is it being collected?     •   The stated purpose is the key basis for coll...
FIPPA and Collection of PI•   Is the collection necessary in light of the purpose?     •   Applies with or without consent...
FIPPA and Collection of PI•   Can you collect indirectly?     •    Consent     •    Determining suitability for honour or ...
Use and Disclosure of PI under FIPPA•   Use versus disclosure     •   Neither are defined     •   Under FIPPA an internal ...
Use and Disclosure of PI under FIPPA•   The statute is fairly permissive     •   Yes - for the purpose you collected it   ...
Use and Disclosure of PI under FIPPA•   The statute is fairly permissive (cont.)     •   Yes – to an employee/agent “who n...
Use and Disclosure of PI under FIPPA•   FAQ – Can a college report crime to the police?     •   Yes     •   There’s a publ...
Use and Disclosure of PI under FIPPA•   FAQ – Can a college share information about a    former student with another colle...
Use and Disclosure of PI under FIPPA•   FAQ – Can a college share information with a    student’s parents?     •   General...
Safeguarding PI under FIPPA•   The chair of the each college board has a duty to     •   ensure “reasonable measures” are ...
Safeguarding PI under FIPPA•   Best practices for safeguarding PI     •   Periodic risk assessment procedures     •   Intr...
Safeguarding PI under FIPPA•   Systematic is good, but what’s your low hanging    fruit?Student Privacy and Your Ontario C...
Safeguarding PI under FIPPA•   Systematic is good, but what’s your low hanging    fruit?     •   Anecdotally…     •   …Los...
Enforcement and Liability•   FIPPA enforcement     •   Rests on voluntary compliance of public sector         institutions...
Enforcement and Liability•   Civil liability for privacy breaches     •   Data breach liability is real     •   Breach res...
Enforcement and Liability•   The new intrusion upon seclusion cause of action     •   Not clear how this will affect day-t...
College Adult Upgrading IssuesStudent Privacy and Your Ontario College
Question & AnswerStudent Privacy and Your Ontario College
Student Privacy and Your OntarioCollegeDan MichalukCSC Annual ConferenceMay 29, 2012
Upcoming SlideShare
Loading in...5
×

Student privacy and your ontario college

188

Published on

FIPPA, MFIPPA, privacy regulation, education law

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
188
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Student privacy and your ontario college

  1. 1. Student Privacy and Your OntarioCollegeDan MichalukCSC Annual ConferenceMay 29, 2012
  2. 2. Student Privacy and Your Ontario College• FIPPA Basics• FIPPA and Collection of PI• Use and Disclosure of PI under FIPPA• Safeguarding PI under FIPPA• Enforcement and Liability• Discussion of College Adult Upgrading Issues• Question & AnswerStudent Privacy and Your Ontario College
  3. 3. FIPPA Basics• FIPPA is the “Freedom of Information and Protection of Privacy Act”• FIPPA does two things • Protects student privacy • Provides a right of access to college recordsStudent Privacy and Your Ontario College
  4. 4. FIPPA Basics• Josie enrols in a concurrent education course. The registrar’s office opens a record for her in its student records system. It includes her name, address and date of birth. When Josie finishes the course successfully, her record is updated. What personal information has the College collected?Student Privacy and Your Ontario College
  5. 5. FIPPA Basics• In, class Josie’s professor is de-briefing a self- reflection unit. Quite spontaneously, Josie shares a very sensitive personal story about her upbringing with the class. The professor takes no notes. Does the College have applicable duties under FIPPA?Student Privacy and Your Ontario College
  6. 6. FIPPA Basics• The privacy part protects “personal information” • Information about an identifiable individual • Not business contact information • Generally not information about someone in a professional capacity – e.g. work product• This includes information that is not recordedStudent Privacy and Your Ontario College
  7. 7. FIPPA and Collection of PI• FIPPA is not a consent-based statute• Ordinarily must meet two essential requirements • necessary to the proper administration of a lawfully authorized activity and • collected directly from the individual unless exception applies• Plus must give notice of collectionStudent Privacy and Your Ontario College
  8. 8. FIPPA and Collection of PI• Who’s collecting it? • An institution that collects PI is accountable for it • So in collaborative efforts, you need to understand who is doing the collection • Two potential scenarios involving Ministry • You’re collecting PI for you and the Ministry • You’re collecting PI for the Ministry aloneStudent Privacy and Your Ontario College
  9. 9. FIPPA and Collection of PI• For what purpose is it being collected? • The stated purpose is the key basis for collection, use and disclosure • Notice of collection must state the “principal purpose or purposes” • Must also state the legal authority for the collection – ordinarily section 2 of the OCAAT – and provide certain contact informationStudent Privacy and Your Ontario College
  10. 10. FIPPA and Collection of PI• Is the collection necessary in light of the purpose? • Applies with or without consent • Applies to each data element collected • IPC applies a strict test (upheld by Court of Appeal) • More than merely helpful • Less intrusive means must be taken • Different than reasonable in all the circumstancesStudent Privacy and Your Ontario College
  11. 11. FIPPA and Collection of PI• Can you collect indirectly? • Consent • Determining suitability for honour or award • Law enforcement (but internal disciplinary investigations have been ruled not to be law enforcement) This restriction is so strict it is a problem for colleges, especially because it could preclude legitimate threat assessment efforts.Student Privacy and Your Ontario College
  12. 12. Use and Disclosure of PI under FIPPA• Use versus disclosure • Neither are defined • Under FIPPA an internal communication or a communication to an agent is treated as a disclosure • A communication to an external entity for its own purposes usually represents a disclosureStudent Privacy and Your Ontario College
  13. 13. Use and Disclosure of PI under FIPPA• The statute is fairly permissive • Yes - for the purpose you collected it • Yes - for a “consistent” “secondary purpose” • Consistent if individual “might reasonably have expected such a use or disclosure”Student Privacy and Your Ontario College
  14. 14. Use and Disclosure of PI under FIPPA• The statute is fairly permissive (cont.) • Yes – to an employee/agent “who needs the record in the performance of their duties and where disclosure is necessary and proper in the discharge of the institution’s functions”Student Privacy and Your Ontario College
  15. 15. Use and Disclosure of PI under FIPPA• FAQ – Can a college report crime to the police? • Yes • There’s a public interest in the reporting of crime • There’s a very broad exception in FIPPA • Note – the police may not be able to receive student records without first seeking a warrant • Note – the same rule doesn’t apply to concerns that arise out of a health care relationshipStudent Privacy and Your Ontario College
  16. 16. Use and Disclosure of PI under FIPPA• FAQ – Can a college share information about a former student with another college? • Institutions sometimes ask other institutions for a summary of their dealings with a student • In most circumstances sharing this information without consent is prohibitedStudent Privacy and Your Ontario College
  17. 17. Use and Disclosure of PI under FIPPA• FAQ – Can a college share information with a student’s parents? • Generally not (age 16 is the cut off) • Beware of the “health and safety” exceptions in sections 42(1)(h) and 11 We know that some parents can be great allies in helping to manage students at risk. It may be reasonable in some circumstances to impose a parental contact requirement as part of a behavioral contract.Student Privacy and Your Ontario College
  18. 18. Safeguarding PI under FIPPA• The chair of the each college board has a duty to • ensure “reasonable measures” are taken • ensure access is on a need to know basis • ensure “reasonable steps” taken in destruction process (secure destruction per IPC guideline)• Duty may be delegated via governance structure• No maximum retention duty, but keeping PI comes with a responsibility for securityStudent Privacy and Your Ontario College
  19. 19. Safeguarding PI under FIPPA• Best practices for safeguarding PI • Periodic risk assessment procedures • Intrusion detection and security audit structures • Records management structures • Human resources policy • Physical transfer of personal information policy • Disposal procedures • Privacy breach proceduresStudent Privacy and Your Ontario College
  20. 20. Safeguarding PI under FIPPA• Systematic is good, but what’s your low hanging fruit?Student Privacy and Your Ontario College
  21. 21. Safeguarding PI under FIPPA• Systematic is good, but what’s your low hanging fruit? • Anecdotally… • …Lost USB keys • …Lost laptops • …Recycling versus shredding • …Departing employeesStudent Privacy and Your Ontario College
  22. 22. Enforcement and Liability• FIPPA enforcement • Rests on voluntary compliance of public sector institutions • IPC will handle most complaints through an informal resolution process • Complaints that are not resolved will be investigated and the subject of a public report, often with recommendationsStudent Privacy and Your Ontario College
  23. 23. Enforcement and Liability• Civil liability for privacy breaches • Data breach liability is real • Breach response costs are significant and will be borne for breaches of almost any consequence • Damage claims are possible • A question of negligence • Best defence will arise from due diligenceStudent Privacy and Your Ontario College
  24. 24. Enforcement and Liability• The new intrusion upon seclusion cause of action • Not clear how this will affect day-to-day college administration • Only covers unauthorized collections of information • Rests on a “reasonable expectation of privacy” • Also must establish the an intrusion that is “highly offensive”Student Privacy and Your Ontario College
  25. 25. College Adult Upgrading IssuesStudent Privacy and Your Ontario College
  26. 26. Question & AnswerStudent Privacy and Your Ontario College
  27. 27. Student Privacy and Your OntarioCollegeDan MichalukCSC Annual ConferenceMay 29, 2012
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×