ebook img

Guide for Developing Personal Information Sharing Agreements PDF

20 Pages·2009·0.12 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Guide for Developing Personal Information Sharing Agreements

Guide for Developing Personal Information Sharing Agreements Revised October 2003 (updated to reflect A.R. 186/2008) ISBN 0-7785-3104-X Produced by: Access and Privacy Service Alberta 3rd Floor, 10155 – 102 Street Edmonton, Alberta, Canada T5J 4L4 Office Phone: 780-422-2657 Fax: 780-427-1120 FOIP Help Desk: 780-427-5848 Toll free dial 310-0000 first E-mail: Freedom of Information and Protection of Privacy Guide for Developing Personal Information Sharing Agreements Table of Contents 1. INTRODUCTION.........................................................................................................1 2. DEFINITIONS .............................................................................................................2 3. RESEARCH AGREEMENTS......................................................................................2 4. NEED FOR PERSONAL INFORMATION SHARING AGREEMENTS ......................3 5. TYPES OF PERSONAL INFORMATION SHARING AGREEMENTS .......................4 By Purpose of Sharing ................................................................................................4 By Direction of Flow of Information .............................................................................4 6. AUTHORITY FOR PERSONAL INFORMATION SHARING......................................6 7. REQUIREMENTS FOR PERSONAL INFORMATION SHARING AGREEMENTS ...8 8. DATA MATCHING AND LINKAGE............................................................................9 9. PRELIMINARY ASSESSMENT..................................................................................9 10. COMPONENTS OF PERSONAL INFORMATION SHARING AGREEMENTS .......11 Revised October 2003 (updated to reflect A.R. 186/2008) i Personal Information Sharing Agreements 1. INTRODUCTION of any particular personal information sharing agreement. Public bodies subject to the Freedom of Personal information sharing agreements Information and Protection of Privacy Act formalize the mechanism and (the FOIP Act) may need to share personal arrangements for public bodies to share or information for a variety of reasons. exchange personal information. However, Some examples of this sharing might be: before a public body may enter into such an agreement, under the FOIP Act there • A provincial government department must be some authority for the collection, needs to ensure that a client receiving use or disclosure of the personal provincial income support is not information that will be the subject of the receiving employment insurance agreement. (See Authority for Personal benefits at the same time. Information Sharing in section 6 of this • A post-secondary institution wishes to Guide). share the names, addresses and The FOIP Act (section 2(b) and (c)) program of study of its alumni with its provides individuals with: fund-raising foundation for fund- raising purposes. • a right to access personal information • A school board needs to share about themselves that is held by a personal information of certain public body, subject to limited and students with a non-profit organization specific exceptions; and so that they may participate in • control over the manner in which a organized provincial sports. public body collects, uses and • A housing management body needs to discloses their personal information. determine if a tenant is paying the In certain circumstances, the interests of appropriate amount of subsidized rent. individuals in protecting their personal • A faculty association of a post- privacy must be balanced against various secondary institution needs to obtain public interests, as indicated in the certain personal information about its examples above. However, any sharing of members from the institution that personal information, unless it is with the employs them. individual’s consent, is potentially an invasion of personal privacy. This Guide is intended to assist Freedom of Information and Privacy (FOIP) Tom Wright, a former Ontario Information Coordinators in understanding some of the and Privacy Commissioner, pointed out in issues related to the sharing of personal his paper on a Model Information Sharing information with other public bodies or Agreement that “sharing personal with organizations that are not subject to information between two organizations the Act. runs counter to two of the most fundamental principles of data protection The Guide also provides a framework for – that personal information should be drafting personal information sharing collected directly from the individual to agreements. The framework is a guideline whom it pertains, and should only be used only. Legal advice should always be for the purpose for which it was collected sought regarding the terms and conditions (with limited exceptions). Therefore, Revised October 2003 (updated to reflect A.R. 186/2008) Page 1 Personal Information Sharing Agreements where possible, sharing should not occur on identifiable individuals to make without exploring less privacy-invasive decisions about the individuals to whom 1 means of meeting a specific objective.” the data relates. Sharing personal information should be “Data linkage” or “data profiling” the last resort for meeting a specific means a computerized use of personal data objective. Once a public body has made obtained from a variety of sources, the decision that it must share some of the including personal information banks, to personal information it holds, the sharing merge and compare files on identifiable should be supported by a written personal individuals or categories of individuals for information sharing agreement. administrative purposes. This linkage or profiling activity generates a new body of personal information. 2. DEFINITIONS “Personal information” means recorded In this Guide: information about an identifiable individual as set out in section 1(1)(n) of “Information sharing” means the the FOIP Act. exchanging, collecting, using or disclosing of personal information by one public body or other organization with another 3. RESEARCH AGREEMENTS public body or other organization for certain purposes. The sharing may be Personal information sharing agreements carried out using any transmission method shouldn’t be substituted for, or confused and may take place over any time period. with, research agreements under section 42(d) of the FOIP Act. Section 42 of the Public bodies and organizations may Act enables public bodies to disclose include provincial or federal government personal information for a research ministries, agencies, boards or purpose, including statistical research, if commissions, municipalities or other local the conditions in that section have been government bodies, police services, post- met. secondary institutions, health care bodies, school jurisdictions, private companies, One of those conditions is that a non-profit organizations or foreign researcher must sign a research agreement governments. that meets the requirements of section 9 of the FOIP Regulation. An example of an “Data matching” means a computerized Agreement for Access to Personal comparison of a database(s) or set(s) of Information for Research or Statistical records of personal information held by Purposes is included as an Appendix in the one public body or organization with FOIP Guidelines and Practices manual. another database(s) or set(s) of records held by a different public body or This type of agreement is suitable to use organization, where the computer with an individual or a group of matching program creates or merges files researchers where the public body has approved a research proposal; and the purpose for the disclosure of personal 1 Tom Wright, former Ontario Information and information is for research or statistical Privacy Commissioner, Model Data Sharing Agreement, December, 1995 Page 2 Revised October 2003 (updated to reflect A.R. 186/2008) Personal Information Sharing Agreements analysis only, not for other purposes such collection provisions of the FOIP Act as administration of a program. (sections 33 and 34). On the other hand, research or statistical If a public body which is a recipient of analysis may be one of several purposes personal information uses the information for information sharing between bodies. If that it has collected through the that is the case, then the recitals in the arrangement, it must comply with the personal information sharing agreement accuracy and use provisions of the FOIP must include statements showing that the Act (sections 35 and 39) and also with the requirements of section 42(a) and (b) of research provisions of the Act (section the FOIP Act have been met. In addition, 42), if the information is used for research. the agreement must include clauses that It must also comply with sections 36 and deal with the privacy protection and 38 of the Act respecting the correction, security requirements of section 42(c) and protection and security of the information (d) of the Act. it has collected and that it uses under the arrangement. 4. NEED FOR PERSONAL When a public body is either a source or recipient of personal information, Part 2 INFORMATION SHARING of the FOIP Act applies to all aspects of AGREEMENTS the sharing of personal information. A personal information sharing agreement Information sharing can occur on a one- sets out the parameters of the arrangement time, time-limited or ongoing basis. It may and can help to ensure that the involve the collection or disclosure of a 2 arrangement doesn’t contravene the Act. small number of data elements about a particular client group for the Using a personal information sharing administration of one program or a large agreement to establish the terms and number of data elements compiled about a conditions that will apply to a sharing of number of identifiable clients, client personal information has the following groups or populations for a research benefits: purpose. It may also involve the collection or disclosure of the same data elements for • It provides a formal mechanism for the a number of purposes. efficient and timely sharing of personal information by public bodies If a public body discloses personal which might otherwise require an information under an information sharing authorization or consent each time the arrangement, it is a source of personal information was disclosed. information and must comply with the • It limits the type and amount of disclosure provisions of the FOIP Act personal information that can be (section 40). The data sharing agreement disclosed and the purposes for which it is the means for safeguarding the personal can be used. information once it has been disclosed. If a public body collects personal information under an information sharing arrangement, it is a recipient of personal 2 Office of the B.C. Information and Privacy information and must comply with the Commissioner, Privacy Guide for Personal Information Exchange Agreements (undated) Revised October 2003 (updated to reflect A.R. 186/2008) Page 3 Personal Information Sharing Agreements • It provides an assurance of privacy detecting duplicate or overpayments of protection of the personal information benefits from both federal and both during and after the sharing. Each provincial government programs party to the agreement agrees to be where there is only entitlement to one; bound by enforceable terms and collecting or recovering conditions regarding their access to, overpayments; or instituting legal use, disclosure, protection, retention proceedings against offenders. and disposition of the personal • For research, statistical analysis, information subject to the agreement. policy development or planning. • It ensures that the public becomes • For program evaluation – e.g. aware that their personal information conducting studies or analyses of is being used and disclosed for the information to determine the purposes set out in the agreement. effectiveness of a program or individual intervention. • For accountability – e.g. monitoring 5. TYPES OF PERSONAL and assessing the effectiveness of a INFORMATION SHARING program or expenditure to meet AGREEMENTS reporting requirements under an agreement, statute or regulation. Personal information sharing agreements • For multiple purposes – e.g. for can be used to document many different administration, enforcement and arrangements related to the collection, use evaluation of a program or service and and disclosure of personal information for research and statistical analysis. between public bodies or between public bodies and other organizations. For • For interagency delegation – e.g. illustrative purposes, these agreements can where employees of different levels of be classified according to their purpose or government are co-located and act on according to the way in which the each other’s behalf to provide information flows between the bodies. programs and services to each other’s clients. By Purpose of Sharing Public bodies should always first The sharing of personal information may consider whether some of the above be limited to a single purpose in an noted purposes could be accomplished agreement or may encompass a number of without the use of personal information. purposes. Some of these purposes are: By Direction of Flow of Information • For administration of a program or service – e.g. determining or verifying One-Way Flow: Some personal the eligibility of clients for social information sharing agreements allow assistance or employment insurance. personal information held by a public body to be accessed by designated staff of • For enforcement of legislation or of an another public body or other organization. authorized program – e.g. ensuring This can be accomplished through online compliance with certain conditions or or other types of access to certain eligibility criteria of the Alberta databases or applications containing Student Loan Program; preventing and personal information or through access to Page 4 Revised October 2003 (updated to reflect A.R. 186/2008)

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.