Monday, March 5, 2018

Privacy law in Manitoba

FIPPA – Freedom of Information and Protection of Privacy Act 

PHIA – Personal Health Information Act 

Why – Privacy law 

  • 1980 – OECD Fair Information Practices 
  • European Union – 1990s – principles enshrined
  • Canadian Standards Association – model code for the protection of personal information – 10 principles 

FIPPA “Public Bodies” covered 

  • Provincial Government Departments and Government Agencies
  • Local Government Bodies 
    • Municipalities 
    • Northern Affairs Councils
    • Conservation and Planning Districts
  • Health Care Bodies
    • Regional Health Authorities 
    • Hospitals 
  • Educational Bodies 
    • School Divisions/School Districts
    • Universities 
    • Colleges

PHIA “Trustees” covered

  • Public bodies under FIPPA
  • Licensed, registered or designated Health Professionals 
  • Health care facilities 
    • Hospitals, Personal care homes 
  • Health services agencies 
    • VON, We Care, Lab/X-Ray Clinics, Cancer Care, Community clinics 


  • FIPPA 
    • Record 
      • Electronic, handwritten, photo, fax, e-mail
    • Personal Information 
      • Recorded about an identified individual – name, address, belief, numbers assigned 
    • Limits
      • Court system, exam question, behalf act 
    • Exercising the rights of another person 
      • Parents, guardian, child can act under minor requires privacy, based upon their maturity 
  • PHIA 
    • Personal Health Information
      • Records identification number 
    • Health Care
      • Provision 
    • Exercising the rights of another person 
      • Require rights, judgement, be compatible on someone else’s behalf

  • Rights under FIPPA
    • Prescribed form, time frame and fees 
    • Section 17 and Section 30 
    • Correction 
  • Rights under PHIA 
    • Requesting one’s own personal health information
    • Section 11 
    • Correction 
FIPPA Board applies to all information. Within 30 days, they can give you access to anything any public body has on you. 

  • Provides for privacy and confidentiality by imposing some restrictions on the: 
    • Collection
    • Use
    • Disclosure 
    • Retention, and 
    • Destruction 
  • Of personal/personal health information 

Privacy limitations 
  • Less is Best – Public Bodies/Trustees/Organizations should only collect, use and disclose the minimum amount of information for an identified purpose
  • Employee access should be limited to and based on the need to know principle 

10 privacy principles
  • Accountability
  • Identifying purposes
  • Consent
  • Limiting collection
  • Limiting use, disclosure, and retention
  • Accuracy
  • Safeguards
  • Openness 
  • Individual access
  • Challenging compliance 

  • Responsible for the information under the organization’s control 
    • FIPPA – Access and Privacy Officer; Access and Privacy Coordinator 
    • PHIA – Privacy Officer 
  • Responsibility assigned, know legislation, rights responsibility
  • Any information in the possession, custody or control of the organization 
    • Inside or outside of organization 
  • If in custody of a 3rd party, ensure confidentiality by contract 
    • Clauses bounded rules 
  • Policies, procedures to protect, an internal review process, training

Identifying purposes
  • Notice – FIPPA/PHIA 
    • Orally or in writing
  • Why was the personal information collected?
  • Explanation 
    • Re use or disclosure 
    • How will this information be shared? 

  • Required for collection, use and disclosure
    • Exceptions – FIPPA/PHIA 
  • At time of collection 
  • Informed consent 
    • Explicitly specified and legitimate purposes 
    • Time limited 
    • Ability to withdraw 
  • Forms of consent
    • Written/oral 
    • Check-off box
    • Implicit/Explicit 
      • Don’t want information
      • Need consent 

Limiting collection 
  • To the necessary information for purpose identified
  • By fair and lawful means
  • Collection with consent

Authorized collection without consent 
FIPPA – Section 37 
  • While determining eligibility
  • Time and circumstances
  • Harm 
  • Inaccurate information
  • Law enforcement 
  • HR activities 
  • Parole/Probation
  • Enforcing maintenance orders
  • Auditing, evaluating programs
  • Informing Public Trustee/Vulnerable Persons Commissioner 

PHIA – Section 14(2)
  • Endanger the mental or physical health or safety of individual or another person 
  • Time and circumstances 
  • Inaccurate information
  • Court order or another Manitoba or Federal Act 

Limiting use, disclosure, and retention 
  • Sharing within an organization 
  • For the purpose it was collected 
  • Other authorized purposes – FIPPA/PHIA 

Authorized use without consent
FIPPA – Section 43 
  • For the purpose identified at collection 
    • Consistent purpose – Section 45 
  • For the reason it was disclosed to the program 

PHIA – Section 21
  • For the purpose directly related to what was identified at collection 
  • To prevent or lessen a serious or immediate threat 
  • Authorized by a Manitoba or Federal Act 

  • Sharing outside the organization’s boundaries 
  • With consent or with authorization

Authorized disclosure without consent 
FIPPA – Section 44 
  • For the purpose identified at collection 
  • Complying with acts/treaties/arrangements/agreements 
  • Authorized/required by federal/provincial Act 
  • Determining/verifying eligibility 
  • Protecting mental/physical health or safety 
  • Law enforcement 
  • Subpoena/Court order/Warrant 
  • Determining/collecting fine, debt, tax or payment owing 
  • Existing or anticipated legal proceedings 
  • If already public 

PHIA – Section 22
  • To a person who is providing or has provided health care 
  • To any person if disclosure is necessary to prevent/lessen a serious and immediate threat to 
  • Contacting a relative/friend of an injured/incapacitated or ill individual 
  • Authorized/required by federal/provincial act 
  • Complying with arrangement/agreement under provincial/federal law 

  • Archives and Record Keeping Act 
  • Records Authority Schedules 
  • Records Management 

  • Do not destroy before retention period
  • In a manner that preserves the confidentiality 
  • PHIA – record of destruction 

  • Accurate, complete, up-to-date 
  • Request for correction – FIPPA/PHIA 
    • Timeframes 
    • Recourse 

  • Appropriate to the sensitivity of information 
  • Higher the sensitivity – higher the security
  • FIPPA – reasonable protection for personal information
  • PHIA 
    • Physical safeguards
      • E.g. locked filing cabinets/rooms 
    • Technical safeguards 
      • E.g. passwords, secure networks, encryption
    • Administrative safeguards
      • E.g. policies, orientation/training, pledge 

Examples of insufficient security 
  • Lack of policies outlining appropriate use and access by staff
  • Paper records stored in an area accessible by the public 
  • Improperly stored passwords 
  • Emailing personal health information over an unprotected network (i.e. Internet) without encryption
  • Providing personal health information over the phone without verifying the identity of the individual

  • Name, title, address of Privacy Officer/Access and Privacy Coordinator 
  • Means of gaining access to personal information 
  • Description of the personal information held by the organization 
  • Access and Privacy Directory 
  • How personal information is shared with other organizations 
  • How is the information made available

Individual access 
Individuals must be informed of the existence, use and disclosure 
  • Access 
    • FIPPA application form 
    • PHIA orally or in writing 
  • Timeframe of a request 
    • 30 days 
    • Extension – FIPPA 
  • Fees 
    • No cost recovery 
  • Exceptions to access – reasons for refusal 
    • FIPPA 
      • Sections 17, 24, and 30
        • Another 3rd party’s privacy 
        • Harm to individual or public safety
        • Confidential evaluations 
    • PHIA
      • Section 11
        • 3rd party’s personal information
        • Identity of someone who provided information in confidence
        • Harm to individual or to public safety

Challenging compliance
  • Provincial Ombudsman 
  • Court of Queen’s Bench 
    • Only Access complaints 
The Provincial Ombudsman receives complaints and initiates investigations regarding said complaints. 

Privacy pyramid
The more sensitive the information, the higher the level of legislative protection 

Adoption Act: sensitivity, Manitoba 
Youth Justice Criminal Act: clear override, sensitive information, conviction principal only
Child & Family Services Act: absolute protection
Mental Health Act: Limited, Record created whilst in 
PHIA: January 2004, private sector only 
PIPEDA: Privacy policies 
FIPPA: personal information
