LAW & GOVERNANCE OF SECONDARY DATA USE · 10 LAW & GOVERNANCE OF SECONDARY DATA USE 1. BACKGROUND Before discussing the nuances of data-driven opportunities for NFPs, several key

OBL IGAT I ON S OF N OT-FOR-PROFI T ORGANIZ AT I ON S IN AL BERTA

LAW & GOVERNANCE OF SECONDARY DATA USE

KIR AN P O HAR MANHA S, JD, PHDPOLICYWISE FOR CHILDREN & FAMILIES | UNIVERSITY OF CALGARY

Disclaimer:

This work is for information purposes only, and not intended to be legal advice. For particular legal advice on

your circumstances, the authors recommend that you seek independent legal advice.

This paper would not be possible without the direction and support of a great many people.

First, and foremost, I thank the SAGE (Secondary Analysis to Generate Evidence) leadership

and team at PolicyWise for Children & Families. Jason Lau and Xinjie Cui provided excellent

leadership in requesting this project and guiding its formation. Amanda Lau, Lucie Richard

and Robert Jagodzinski provided important feedback to early drafts of the report. I thank the

numerous external stakeholders who provided thoughtful feedback on a draft version of this

paper amidst their busy schedules. These stakeholders included Chris Stinner (Office of the

Information and Privacy Commissioner of Alberta), Don Fleming (ARECCI/Alberta Innovates),

Katharin Pritchard (Calgary Thrives/Mount Royal University), Geoff Zakaib (Data for Good),

and Robert Perry (CUPS). Although I received important feedback from these individuals, I

take full responsibility for any mistakes or omissions.

I am also very appreciative of the infrastructure and mentorship support I receive from my

postdoctoral team including supervisors Drs. Suzanne Tough and Xinjie Cui, funders including

PolicyWise for Children & Families, and the team including the All Our Families research team.

ACKNOWLEDGEMENTS:

A C K N O W L E D G E M E N T S

E X E C U T I V E S U M M A R Y

1. B A C K G R O U N D

1.1 KE Y T ERMINOLO GY

1. 2 NFP S & DATA OPPORT UNI T IE S

2.0 L E G A L P E R S P E C T I V E

TA B L E O F C O N T E N T S

3

7

10

10

12

17

2.1 PRIVAC Y IS SUE S

2. 2 IN T EL L EC T UAL PROPERT Y IS SUE S

2. 3 GOVERNANCE IS SUE S

3.0 C U R R E N T O R B E S T D ATA G O V E R N A N C E P R A C T I C E S

3.1 OVERVIE W OF T HE RE SPONSIBL E DATA APPROACH

3. 2 SPECIFIC ORGANIZ AT IONAL APPROACHE S TO DATA GOVERNANCE

17

37

41

48

48

51

C O N C L U S I O N S

R E F E R E N C E S

TA B L E S

114

111

59

7POLICYWISE

The data-driven nature of society today involves the collection of significant, if not copious, amounts of

information with the aims to share and re-use that data beyond the original purposes at collection. Not-

for-profit organizations and registered charities (collectively, “NFPs”) are beginning to recognize the value

of, and opportunities within, data especially in the social services sector. This paper presents the legal and

governance issues for, and obligations of, NFPs when trying to harness a particular data-focused opportu-

nity: the sharing and re-use of information beyond the service delivery directing collection.

When personal information or personal health information is collected, handled, used or disclosed, priva-

cy concerns arise and privacy legislation could be invoked. In Alberta, the three privacy-related statutes

are PIPA, the Health Information Act (HIA), and the Freedom of Information and Protection of Privacy

Act (FOIP). This paper details when each of these laws could apply for a NFP, as well as the best practices

dictated by these laws. Those best practices centre around ensuring reasonableness in the purposes for

identifying information collection, use and disclosure; exacting minimalist standards on information use

and disclosure; and ensuring the connection, unless legally exempt, between purposes and consent from

the individuals whom the information is about. The legal interpretations of reasonableness, use and dis-

closure are key to understanding privacy expectations of NFPs. This paper analyzes these interpretations

from the Office of the Information and Privacy Commissioner of Alberta orders from 2012-2017.

With respect to secondary use of data, intellectual property laws especially copyright and governance ex-

pectations around research-related secondary use are considered as they apply to NFPs. Copyright licens-

es represent one potential, but not always applicable, forum. Copyright protects the expression of an idea,

not the raw facts or data in that idea: so when sharing information at the variable-level copyright may

not apply outside of the data layout. Nonetheless, in theory and in practice by one NFP, open or managed

licensing agreements offer a mode of clarifying rights and obligations while making information available

for secondary use. Research ethics board are a critical legal tool in the secondary use of health information

in Alberta. They also act as an important safeguard for NFPs when attempting to manage access to data, as

demonstrated by the Medicins Sans Frontiere data sharing policy.

EXECUTIVE SUMMARY

8 LAW & GOVERNANCE OF SECONDARY DATA USE

NFPs currently fall into several legislative gaps with respect to secondary use of data including identifying

information. For example, privacy laws do not apply to duly incorporated NFPs carrying out non-commer-

cial activities, and research ethics boards are not obliged to review the planned secondary uses of data by

NFPs if there is neither university affiliation nor health information involved. Nevertheless, best practices

around data governance and privacy protection abound. Societal expectations, ethical practices, and con-

servative business approaches all demand that NFPs approach the secondary use of data from a legal and

governance perspective. Such a perspective demands the development of a data and privacy policy. Such a

policy should be formatted to include a vision statement that clearly links to recognized legal requirements

and international Fair Information principles, and which details the NFP’s expectations around the goals

of data sharing and the tensions to balance. The content of the policy should then describe the safeguards

in place, the access processes required for secondary use, and the monitoring processes for compliance.

Prioritization of consent, “need to know” directives, and reasonableness would promote compliance with

privacy laws. Roles and tasks could be enumerated to promote effective implementation.

9POLICYWISE

“The value of data lies in their use” [1]. The data-driven nature of society today confirms the extensive

implementation of this adage. Often this entails the collection of significant, if not copious, amounts of

information with the aims to share and re-use that data beyond the original purposes at collection. The

Government of Alberta has recognized the importance of information as “the lifeblood of social-based, cli-

ent service delivery, planning and policy” [2]. Not-for-profit organizations and registered charities (collec-

tively, “NFPs”) are also beginning to recognize the value of, and opportunities within, data especially in the

social services sector [3-6]. This paper will present the legal and governance issues for, and obligations of,

NFPs when trying to harness a particular data-focused opportunity: the sharing and re-use of information

beyond the service delivery directing collection. The parties involved in these data-focused opportunities

could include the original NFP, other NFPs, researchers, and data repositories.

This paper consists of four sections. First, the background defines key terminology and delineates the gen-

eral views for and against NFPs collecting, storing and using information. Second, the legal perspectives

section considers the legal issues, obligations and limits that arise for NFPs in Alberta, Canada when they

collect, use, and disclose information. Third, industry current or best practices will be discussed to inform

how other NFPs have approached data governance. These current or best practices move beyond what is

addressed by the law when NFPs collect, use and disclose information. This governance perspective builds

on industry standards and best practices in Canada, and abroad, to demonstrate governance tactics and

experiences that are approved or lauded by the community. Finally, the paper concludes by summarizing

key recommendations for NFPs in Alberta, Canada that aim to maximize data-driven opportunities around

the collection, use and disclosure of information by NFPs amongst themselves.


1 . BACKGROUND

Before discussing the nuances of data-driven opportunities for NFPs, several key terms should be clari-

fied: particularly, NFPs, data and the facets of data-driven opportunities at the centre of this paper.

1.1 K E Y T E R M I N O L O G Y

NFPs include the following, as defined by relevant Alberta legislation:

• Nonprofit organizations are formed to promote art, science, religion, charity or other similar endeav

ours, or they may be formed solely for the purpose of promoting recreation for their members. They

are defined by, and governed under, the Companies Act [7]. This type of NFP can include business-like,

or business, activities in its operations.

• A society is an incorporated group of five or more people who share a common recreational, cultural,

scientific, or charitable interest. They are defined and regulated by the Societies Act [8]. This is the most

common, simplest and least-costly way to establish an NFP in Alberta. This type of NFP cannot engage in

any type of one-off, or ongoing, business activities.

• A charitable organization, whether incorporated or unincorporated, (i) is formed for a charitable pur-

pose; (ii) uses a fund-raising business; (iii) intends to or has in fact raise(d) more than $25000 in gross

contributions from solicitations to individuals in Alberta; and thus (iv) is required to be registered under

the Charitable Fund-raising Act [9].

For all of these entities, the common thread is that people cannot form or use them to make personal fi-

nancial gain.

Data represents another key term that can be interpreted differently depending on context and stakehold-

ers. Some define data as simply “any type of information” [10]. In the research realm, the UK’s Medical Re-

search Council defined data as “qualitative or quantitative information created or collected in the course

of research. Sources may include experimental measurements, clinical measurements, observations and

11POLICYWISE

information obtained via survey questionnaires, interviews, non-research documents (for example, let-

ters) or focus groups [11].” In the NFP realm, data and information have been particularly distinguished:

data is considered “raw values or facts… [which] can be qualitative or quantitative and can come in a va-

riety of forms”, while information is “made up of data… [which] has been processed or analyzed within a

context to make it useful” [12].

The Nonprofit Technology Network has surveyed NFPs regarding their relationship with data, or metrics

as they called it [3]. The data types discussed included (a) financial and internal operations data (e.g. ex-

penses, income and cash-on-hand, volunteer hours, staff training); (b) marketing, communications and

fundraising data (e.g. number of people added to NFP mailing list; number of new donors; number of

website visitors, Facebook comments and email opens); (c) tracking programs and outcomes (e.g. actual

financials vs. budget; attendance data; client demographics and geography; program participation; client/

constituent outcomes; client/constituent satisfaction surveys; client recidivism; longitudinal research);

and (d) external data (e.g. open government data that touches on the NFPs’ or their clients’ interests or

needs; government data about their specific clients (if possible given limitations); aggregate data from

other NFPs in the same or similar areas; individual-level data from other NFPs in the same or similar ar-

eas) [3].

Ultimately, data comes in various forms including text, images, video, sound or maps. Metadata represents

the “ ‘data about data’, [by] providing concise information about the content, quality, condition and other

characteristics of datasets [11].” When all data from or about a defined group or study are collated, including

data derived from the originally-collected data and metadata about the collection, governance and inter-

pretation of those data, then that is termed the dataset [11].

Personal data or information represents a critically distinct subset of data, which is recognized as legally,

ethically and practically sensitive. Alberta’s Personal Information Protection Act (PIPA) defines “person-

al information” as “information about an identifiable individual” [13]. Similarly recognized as sensitive is

“personal health information”, which is similarly enumerated in the provincial Health Information Act

(HIA) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA); PIPEDA


defines “personal health information” succinctly as relating to an individual, whether living or deceased,

and includes:

(a) information concerning the physical or mental health of the individual;

(b) information concerning any health service provided to the individual;

(c) information concerning the donation by the individual of any body part or any bodily

substance of the individual or information derived from the testing or examination of a body

part or bodily substance of the individual;

(d) information that is collected in the course of providing health services to the individual; or

(e) information that is collected incidentally to the provision of health services to the individual [14].

Another categorization of data relates to level of availability: private, shared and open [12]. Private data

is “currently held in the private domain, [and] … is not publicly available or shared” [12]. Shared data is

“shared in a limited way, often to researchers or partners through data sharing agreements” [12]. Reposito-

ries represent centralized platforms wherein datasets are deposited and data sharing is managed. Open

data is “a resource that is made available to anyone with the skills and desire to use it” [12]. To meet the

principles of openness, data must be “available under an open license; available in a convenient and mod-

ifiable form; machine-readable; accessible as a whole, with little or no cost associated with its use” [12].

Similarly, open data must not include individually-identifying information [5]. This specific categorization

of data correlates directly with the types of opportunities data present.

1.2 N F P S & D ATA O P P O R T U N I T I E S

The Internet has altered the perceptions and use of information: it has facilitated the availability of a vast

amount of information, the speed at which it can be accessed, and the machine-readiness of the informa-

tion given its digital format [5]. Internet and novel technologies have made it possible, and desirable, to

re-use and re-purpose data collected for one purpose for a different, secondary purpose. Government,

research funders and institutions, researchers, corporations, and NFPs are now all considering the avail-

“

”

13POLICYWISE

ability and opportunity of data. Secondary use of data is the term used to describe the reuse of data for

purposes outside of the original purpose at collection, as such it includes open data and data sharing

initiatives.

The secondary use of data, whether internal or external to the organization, could promote innovation

in the NFP sector by particularly advancing decision-making [5]. A study of 12 NFPs demonstrated that

high-impact, successful organizations, amongst other things, used information to modify their tactics to

increase their success [15]. Data enables the measurement of financial and operational health of an organi-

zation, identifies problems, and measures organizational impact [3]. Three effective ways to mobilize the

secondary use of data include understanding needs or issues better, improving operational effectiveness

(e.g. in service delivery or support functions), and improving understanding of results and impact [16].

Two major trends noted for Canadian NFPs in 2016 include (a) novel technologies and data management

tactics to help NFPs maximize their impact and promote efficiency, and (b) greater reliance on shared

platforms and administrative outsourcing to weather a challenging economy [4].

There are challenges for NFPs to harness the data for secondary use, both internal and external to their

organization. NFPs generally “lack a capacity for numeracy” [5]. Canadian researchers are far behind other

countries’ researchers regarding the study and improvement of domestic NFP sectors [5]. Many are calling

on NFPs that produce their own data to collect and publish data in ways that facilitate reuse, with data

published in easier-to-use formats, in non-aggregated or non-summary form, with explicit permission for

reuse [3-6, 12]. There are noted supply and demand issues that impede many NFPs from getting the most out

of their, or others’, data [16]. Supply issues include various barriers to access of sensitive data: legal barriers

(e.g. the data is identifying); technical barriers (e.g. structure of databases and location of data); attitu-

dinal barriers (e.g. resistance to sharing data with NFPs or concerns regarding misuse overriding desire

to share); and resource-based barriers (e.g. lack of time, skills, and funds to create the requisite systems

and processes). Demand-related issues include lack of awareness of available data; lack of capacity or re-

sources to invest in data reuse; lack of capability to analyze data or understand results; lack of desire for

fear of potentially negative or disruptive results; and lack of incentives to overcome barriers to accessing

and using data [16]. The circumstances for NFPs, in the UK and likely Canada, have been described as be-


ing disincentives: “[t]he current environment – reduced funding, fierce competition for resources, more

results-related payments, and a readiness to criticize charities – creates an even greater aversion to risk,

which in turn is a disincentive to data use [16].”

15POLICYWISE

2. LEGAL PERSPECTIVES

To harness the opportunities in the secondary use of data, NFPs must consider the applicable legal ob-

ligations and rights, as laid out in legislation and case law. Secondary data use confers two crucial legal

perspectives: first, that of the data producer who originally collects information from data sources, and

second, that of the data accessor who aims to reuse information for a different, secondary purpose. With

both perspectives in mind, the driving legal question then becomes: how can NFPs participate in the sec-

ondary use of data that they collect? Three categories of legal issues address this question: (1) privacy

issues; and (2) intellectual property issues; and (3) governance issues.

2.1 P R I VA C Y I S S U E S

When personal information or personal health information is collected, handled, used or disclosed, priva-

cy concerns arise and privacy legislation could be invoked. Privacy has been defined as the “right to be let

alone” and the “entitle[ment] to decide whether that which is his shall be given to the public” [17]. Activities

potentially harmful to privacy relate to information collection (including surveillance and interrogation),

information processing (including aggregation, identification, insecurity, secondary use, and exclusion),

information dissemination (including breach of confidentiality, disclosure, exposure accessibility, black-

mail, appropriation, and distortion), and invasion (including intrusion and decisional interference) [18].

Provincial and federal privacy legislation, as well as case law interpreting such legislation, has been devel-

oped to recognize privacy-related rights and to discourage and sanction activities harmful to privacy. In

Alberta, the three privacy-related statutes are PIPA, the Health Information Act (HIA), and the Freedom of

Information and Protection of Privacy Act (FOIP) [13, 19, 20]. Very generally, privacy and access issues in

Alberta’s private sector are covered by PIPA, those in Alberta’s public sector are covered by FOIP, and any

privacy and access issues relating to personal health information in Alberta is governed by the HIA. There

may be times when an organization attracts more than one piece of privacy legislation. Although highly

similar, there are distinctions between the three privacy statutes in Alberta. A general aide in determining

which privacy law to consider first, one must consider first the information: if it is personal health infor-


mation, HIA applies. FOIP was formed to begin where HIA ends; so the second consideration is whether a

public body or its contractor is involved: if a public body is involved, examine FOIP to determine whether

that the public body role triggers FOIP provisions. If personal information is at issue, then look to PIPA

third to determine if any remaining activities have not been discussed or targeted by HIA or FOIP. That

said, in the following, I will first discuss the role of PIPA for NFPs as this would be the most common first

step in determining legal liability of provincial private sector organizations, including NFPs. I will then

turn to discussing HIA and FOIP provisions and applicability, which could be triggered based on the type

of professional employees or governmental contracts some NFPs may be involved with.

Canada’s PIPEDA is the federal legislation that governs the collection, use and disclosure of personal in-

formation by private sector organizations in all provinces except those with substantially similar privacy

legislation [14]. Alberta’s PIPA has been deemed substantially similar to PIPEDA, so PIPA would govern all

applicable private organizations within Alberta [21, 22]. However, once a private organization transfers per-

sonal information into or out of Alberta, whether during collection, use or disclosure, that organization

may become subject to PIPEDA for the cross-border transfer of information [21, 22]. As will be discussed in

more detail below, when the structure or activity of an NFP triggers PIPA applicability, then where those

same structures or activities cross provincial borders out of Alberta, the information collected, used or

disclosed in those activities will be governed by PIPEDA [21, 22]. Most critically, the exemption from PIPEDA

applies to Part 1, not Part 2 which pertains to electronic documents. Also, in practice, the key difference

for Alberta private organizations governed by PIPA is that if they act across boundaries to trigger PIPEDA,

then complaints and privacy breaches must be addressed or disclosed to, respectively, the Office of the

Privacy Commissioner of Canada not the Office of the Information and Privacy Commissioner of Alberta.

If the privacy-related issues relate to both provincial and cross-provincial activities, then both Commis-

sioners may be involved; with each dealing with the matter in their purview. Currently, the federal Privacy

Commissioner does not possess the same power to make orders, particularly fines, as the Alberta Privacy

Commissioner. Also, as will be discussed in detail below, PIPA contains exemptions for NFPs as long as ap-

propriately incorporated and for all non-commercial activities, but PIPEDA applies to every organization

that collects, uses or discloses personal information in the course of commercial activities. Commercial

17POLICYWISE

activity is thus the threshold for all federal privacy law scrutiny. Private organizations otherwise subject

to provincial law are not subject to PIPEDA’s protection of employee personal information, which only

applies to employee personal information of federal works and undertakings.

These privacy statutes have all been guided by the Fair Information Principles, originally espoused by

the Organization for Economic Co-operation and Development (OECD) in 1980 [23]. These eight principles

call for the necessity of consent to lawfully collect, use and disclose personal information; for accuracy,

completeness and currency to characterize personal data collected; for purposes to direct personal data

consent, collection, use and disclosure; for appropriate security measures to safeguard the personal data

from risks; for transparency to permit individuals to see and correct the information collected about them;

and, for openness and accountability around fair data use by the data controllers [21, 23].

Importantly, neither privacy legislation nor its incumbent obligations apply when the personal informa-

tion is no longer identifying or potentially-identifying, or when the individual about whom the informa-

tion is about consents to the activity in question. For example, Service Alberta specifically states that PIPA

“… does not apply to general information used to operate the business of the organization or to the use of

non-identifiable or aggregate information such as statistical information about groups of individuals” [21].

Historically, individuals and organizations have looked to anonymization and de-identification techniques

to circumvent the requirements of privacy legislation [24]. With advances in technology, some commenta-

tors question whether any information is truly unidentifiable as to avoid privacy laws [24]. Other commen-

tators argue that de-identification is a valid tool that preserves both privacy and utility and that meets the

reasonableness objectives in privacy legislation that call for privacy protection and the ability of organi-

Privacy legislation does not apply when the personal information is no longer identifying or potentially-identifying.


zations to utilize the data they collect for reasonable purposes [25, 26]. In either case, privacy, identifiability

and consent interrelate and will be discussed together.

Alberta’s PIPA governs the collection, use and disclosure of personal information and personal employee

information by private sector organizations in Alberta [13, 22]. Personal information, as defined earlier, in-

cludes name, address, telephone number, email address, picture, as well as other information about the

person, their life and livelihood [13, 22]. Personal employee information refers to personal information about

a potential, current or former employee of an organization, that is “… reasonably required by the organi-

zation for the purposes of (i) establishing, managing, or terminating an employment or volunteer-work

relationship, or (ii) managing a post-employment or post-volunteer-work relationship between the orga-

nization and the individual” [13]. Every private organization within Alberta is subject to PIPA regarding all

personal information, unless exempted by PIPA itself [13].

2.1.1 P I PA A P P L I C A B I L I T Y TO N F P S

An NFP is not automatically subject to PIPA, but rather becomes subject based on two key factors: the

method of incorporation and the activities conducted by the NFP [13, 22].

Section 56 of PIPA particularly deals with the privacy legislation’s approach to non-profit organizations.

PIPA does not apply to any ‘non-profit organization’ (as defined by s. 56(1)(b) of PIPA), or personal infor-

mation in its custody and control, unless that non-profit organization is carrying out a commercial activity

[13, 22]. A ‘non-profit organization’ has a narrow definition under PIPA to mean an organization that is (a) in-

corporated under the Societies Act, (b) incorporated under the Agricultural Societies Act, or (c) registered

under Part 9 of the Companies Act (s. 56(1)(b)) [13, 22]. An NFP that is not so duly incorporated is subject to

PIPA for the entirety of its activities.

An NFP that meets the PIPA non-profit incorporation exceptions could become subject to PIPA for the

personal information that is collected, used or disclosed by the organization in connection with “any com-

mercial activity” carried out by the NFP (s. 56(3)) [13, 22]. Personal information of employees or volunteers

of an NFP are not subject to PIPA [13, 21]. Any activities not commercial in nature would not be subject to

19POLICYWISE

PIPA for a ‘non-profit organization.’

Section 56(1) of PIPA contains the following definition of “commercial activity”:

(i) Any transaction, act or conduct, or

(ii) Any regular course of conduct,

That is of a commercial character and, without restricting the generality of the foregoing, include the fol-

lowing:

(iii) the selling, bartering or leasing of membership lists or of donor or other fund-raising lists;

(iv) the operation of a private school or an early childhood services program as defined in the

School Act;

(v) the operation of a private college as defined by the Post-Secondary Learning Act [13];

A 2013 decision of the OIPC proffers the most guidance around whether an NFP is conducting “commer-

cial activities” to trigger the responsibilities of PIPA [22, 27]. In this case, the Applicant requested access to

his personal information held by the Legal Aid Society of Alberta (LASA) and considered their response

incomplete [27]. The Applicant then complained to OIPC. The Adjudicator first considered whether PIPA ap-

plied to LASA. First, the Adjudicator recognized that the determination of whether a commercial activity

occurred will be on a case-by-case basis. Second, the mere exchange of a service for a fee does not in itself

indicate a commercial activity, rather PIPA intends to include trade or business-like activity. The Adjudi-

cator noted that “… PIPA is meant to apply to non-profit organizations that are carrying out activities as

though they are a business.” LASA could not be distinguished “from an operational or service standpoint”

from a private law practice when LASA assessed individuals for legal aid coverage, arranged for legal ser-

vices to be provided, and provided legal services (para. 33) [27]. As such, LASA’s collection of personal in-

formation for these purposes was subject to PIPA.

For completeness, the following are a few further discussions in OIPC decisions related to the applicability


of PIPA to NFPs and the commercial nature of the impugned activities. First, in the Lindsay Park Sports

Society case, the activity at issue was the placement of security cameras in the men’s locker rooms of the

Talisman Centre to address an increasing number of thefts and property damage in that location [22, 28].

The organization was incorporated under the Societies Act and thus deemed a “non-profit organization”

under PIPA, but it was found to collect personal information in connection to a commercial activity thus

triggering PIPA scrutiny. The factors that turned this determination included the charge of an admission

fee, and the primary motivation for the security cameras (and information collection) was for business

reasons (i.e. to decrease theft and property damage to maintain business) [22, 28].

Second, in the Canadian Skin Cancer Foundation case, the activity at issue was that information from a

Patient History form during a doctor’s visit led to solicitations from her doctor, the Canadian Skin Cancer

Foundation, and another entity that all shared a mailing list database despite the Complainant having opt-

ed out of the mailing list [22, 29]. The OIPC Adjudicator found that the Foundation was a non-profit organiza-

tion appropriately incorporated under the Societies Act [22, 29]. The OIPC Adjudicator considered whether

marketing and soliciting for fundraising was a commercial activity [22, 29]. The OIPC Adjudicator deemed

that commercial activity could be a single act or a course of conduct that is of commercial character. The

Foundation’s fundraising was done to raise funds for charitable purposes and not for regular operations

or non-charitable purposes, and was distinct from the recognized commercial activity of selling member-

ship, donor or fundraising lists [22, 29]. As such, the Foundation was deemed not subject to PIPA. And, finally,

in the Fairways Villas South Homeowners’ Association case, an appropriately incorporated NFP managed

and maintained the Fairways Villas lands for a monthly fee; it also sent emails to the Complainant regard-

ing lawn care and sprinkler testing [22, 30]. Because the maintenance services were provided in exchange for

a monthly fee, the Homeowners’ Association was subject to PIPA for email disclosures as this was in direct

connection to a commercial activity [22, 30].

2.1.2 P I PA G E N E R A L O B L I G AT I O N S

The goal of PIPA is to balance a private sector organization’s needs to collect, use or disclose information

for reasonable purposes against the individual’s right to have their personal information protected [13].

21POLICYWISE

These goals are mirrored in HIA and FOIP. PIPA has delineated the standard of reasonableness to be “what

a reasonable person would consider appropriate in the circumstances” [13]. The legal interpretation of the

terms “collect”, “use”, “disclose”, and “reasonable” are critical and will be discussed more fully below at

section 2.1.3; this section aims to

solely overview the general obli-

gations under PIPA.

PIPA details individuals’ rights and private sector organizations’ obligations including the following:

“identifying the occasions when private sector organizations must obtain consent for the collection, use

and distribution of personal information; how consent must be obtained; how individuals may request ac-

cess to and correction of their personal information; how an organization must respond to an individual’s

request for access to information; how personal information must be protected; and when the Office of the

Information and Privacy Commissioner of Alberta (OIPC) can review complaints” [13, 22]. The details on PI-

PA-mandated procedures and processes for consent and personal information protection will be detailed

below in section 2.1.4 (best practices dictated by PIPA).

PIPA applies to personal information whether the information is recorded or not, but the rights of access

and correction only apply to recorded personal information [13, 21]. PIPA does not apply to general informa-

tion used to operate a business, or to the use of non-identifiable or aggregate information (e.g. statistical

information about groups of individuals). Private-sector organizations subject to PIPA are responsible for

the personal information in their custody (e.g. in their offices, computers, storage devices, etc…) or control

(i.e. can decide how to use, disclose and store the personal information) [13, 21]. With respect to collection,

use and disclosure of personal information, Table 1 broadly presents the key requirements that must be

met by a PIPA-regulated private-sector organization (note: this list is not exhaustive of all PIPA obliga-

tions).

Consent remains a crucial component to privacy protection laws: it provides a means for organizations

and individuals to agree amongst themselves about the appropriate collection, use and disclosure of per-

sonal information, especially when it may move beyond the general rubric of applicable privacy laws. Un-

Only reasonable purposes and methods of collection can be consented to.


less PIPA specifically exempts, organizations must get informed consent to collect, use or disclose person-

al information [21]. In gathering consent, organizations must adequately inform individuals of the purpose

for information collection, as well as the proposed and potential uses, disclosures, storage and disposal of

the information [21]. Only reasonable purposes and methods of collection can be consented to; an individ-

ual cannot consent to unreasonable collection of personal information, including any extra information

disclosed that is not needed for the purpose [21].

Consent can be express (written or verbal), implied (information is volunteered in reasonable and clear

circumstances), or opt-out [21]. The features of opt-out consent include that organizations provide individ-

uals with the reasonable purpose of their need for personal information; with easy-to-understand notice

provided that consent will be imputed if they do not opt-out; with a reasonable window and chance to

say no and opt-out; and with assurance that the personal information is not so sensitive that it would be

unreasonable to use an opt-out form [21]. Unless a legal duty or obligation would be hindered, an individual

can change or withdraw consent by giving the organization reasonable notice (s. 9) [13, 21]. Individuals can

place reasonable terms and conditions on their consent, such as limiting the types of uses that would be

permitted under the consent and those that would not [21]. Importantly, s. 8(2.1) of PIPA indicates that if

an individual consents to disclosure of personal information about the individual by one organization to

another organization for a particular purpose, then the individual is deemed to consent to the collection,

use or disclosure of the personal information for the particular purpose by that other organization [13].

Hence, the entirety of the original consent can carry forward to secondary organizations (including repos-

itories or other NFPS, for example) when collected appropriately by the first organization. All organiza-

Entirety of original consent carry forward to secondary organizations.

23POLICYWISE

tions are limited by the particular purpose, the reasonableness of that purpose, and the limit of using the

minimal amount of personal information necessary to reach that purpose. The consequences of altered or

withdrawn consent should be explained to the individual, such as implications to the service or product

delivery provided by the organization or NFP. Conversely, s. 12 of PIPA is clear that an organization cannot

collect personal information about an individual from someone other than that individual without the

individual’s consent, unless that information could have been collected without consent anyways (i.e. fits

under consent exemptions from ss. 13, 15 or 22). This requirement would not apply in cases where the

other individual does not possess the capacity to consent (e.g. children), in which case the person who is

legally able to provide consent can provide the information about them. Consent to collect, use or disclose

personal information cannot be a condition for an organization to supply an individual with a product or

service, if the information at issue is beyond that necessary to supply the product or service.

PIPA delimits the process for access to, and correction of, personal information held by a private-sector or-

ganization [13, 21]. With few exceptions, organizations must facilitate individuals’ access to their own infor-

mation and must respond openly, completely, accurately and in a timely manner. Generally, when personal

information in a record that is in the custody or under the control of an organization, then the individual

has the right to ask for access to it [13, 21]. Personal information is under the control of an organization if

the organization’s decision-making power applies to how to use, disclose and store the information, how

long to keep it, and how to dispose of it [21]. Personal information is in the custody of the organization if

the personal information is kept in the organization’s offices, facilities, file cabinets, computers, etc… [21].

PIPA’s governance of the exercise of an individual’s general right of access to their information is detailed

in Table 2.

When information collected by one organization is sent to another business for processing or storage,

but the information’s use, disclosure and storage remain in the purview of the original, collecting organi-

zation, then the information remains under the control of the first collecting organization [21]. The obliga-

tions under PIPA, including privacy protection and information access facilitation, remain with the first,

originally collecting organization [21]. This introduces an obligation to ensure that the second organization

protects the information in the same way as the law requires and as the original organization should do


[21]. Service Alberta indicates that “the other [second] business will still be responsible for ensuring its own

compliance with the Act” [21]. With regards to information access requests, the original organization thus

retains their obligation to meet information access requests. The nature of the agreements between these

two parties could elaborate the access request process to include the second other business.

Complaints to OIPC can come from individuals when they think that their personal information has been

inappropriately collected, used or disclosed by a private organization in Alberta (PIPA), by a public body

(FOIP), or a health information custodian (HIA), or when their request for access to information has not

been properly addressed by said applicable entity in Alberta [13, 22]. Investigations and orders around com-

plaints connected to PIPA, HIA, and FOIP are in the purview of the OIPC. Where none of these pieces of

legislation clearly apply but an information or privacy issue is at stake, or where it unclear which or any

of the Albertan privacy legislation applies, it would be prudent to turn to OIPC for a determination of legal

obligations that do apply related to information privacy. If the issue at hand does not relate to information,

data or privacy, then OIPC would not likely have a role. The OIPC website and the Service Alberta web-

site offer guides and pamphlets to assist organizations to understand and comply with PIPA. If a privacy

breach occurs but it involves an organization that is not within the purview of any Canadian privacy laws,

then the party could attempt a private civil lawsuit arguing a breach of privacy, which would require sev-

eral things including proof of harm caused by the data breach and a relationship of responsibility between

the individual and the organization.

Failure to comply with PIPA can lead to a complaint by an individual, which could lead to review, inquiry

and possibly an order by OIPC. Once a final order is pronounced (and there is no further right of appeal),

Obligations under PIPA, remain with the first, originally-collecting organization.

25POLICYWISE

an organization has 50 days to comply (s. 54(1) PIPA) [13]. Beyond the costs of compliance with an order

(and the incurred costs of defending against a complaint), an organization could be liable to the com-

plainant for damages for loss or injury that results from the breach (s. 60(1) PIPA). If an organization

has contravened PIPA and been found guilty of such an infraction, then the organization can be liable for

fines of up to $10000 in the case of an individual, and up to $100000 in the case of a person other than

an individual (e.g. corporation) (s. 59(2) PIPA). Importantly, as stated above, these fines are not currently

available to the Federal Privacy Commissioner to impose. There is also the risk that an OIPC complaint or

order could lead to negative publicity for an NFP and reputational losses in the long-term [22].

2.1.3 P R I VA C Y - R E L AT E D L E G A L I N T E R P R E TAT I O N S O F “ R E A S O N A B L E ”, “ U S E ”

A N D “ D I S C L O S U R E ”

Privacy law encompasses not only the stipulated statutes and regulations, but also the legal interpreta-

tions of those statutes and regulations by judges in courts and by adjudicators at OIPC. This case law and

adjudicative decisions, respectively, provide further information and obligation around the legal rights of

individuals and the legal responsibilities of private-sector organizations.

Three terms used and relied upon heavily in PIPA that require more illumination via legal interpretation

include “reasonable”, “use” and “disclose/disclosure.” These terms set out what activities are permissible

for PIPA-applicable organizations.

Service Alberta has provided a plain language guide for small businesses and organizations around how

to approach and meet the requirements of PIPA [21]. Service Alberta has elaborated the “what is reason-

able” test from PIPA as “what a reasonable person would think is appropriate in the situation” [21]. This

is the question posed when considering the reasonableness of many activities permitted under PIPA. For

example, the reasonableness must be assessed of the purpose in collecting personal information, of any

implied consent, of the development and implementation of organizational privacy policies, and of the use

or disclosure activity involving the personal information.

In the interpretation of “reasonable” in PIPA, there is direction from the highest court in Alberta, the Alber-


ta Court of Appeal, from the 2011 decision of Leon’s Furniture Ltd. v. OIPC: “PIPA balances two competing

values: the right to protect personal information and the need to use that same information. In balancing

these values, PIPA employs the standard of reasonableness, allowing PIPA to be flexible for small- and

medium- sized businesses. Both of these values must be balanced and neither can be given more weight

than the other, as that may lead to an unreasonable result” [31]. Another legal analysis has suggested that

promoting service and sector efficiency and effectiveness would be a reasonable purpose for a private

sector organization, including NFP [22].

Service Alberta distinguished “use” and “disclosure” as follows:

“Using personal information usually means using it internally to carry out the organization’s pur-

poses. These include providing a product or service or evaluating whether an individual is eligible

for a discount. Normally, an organization or its contractors use information within the organiza-

tion. It would be valid for a shipping department to use customer information that was collected by

the billing department.

Disclosing personal information means showing, sending, telling or giving some other organiza-

tion or individual the personal information in question. Information is disclosed externally when

provided outside the organization. To continue the example above, providing the customer’s name

and address when requested by Canada Revenue Agency would be a valid disclosure of personal

information.” [21]

The Service Alberta guidance would be highly persuasive alone in the legal interpretation of these terms

by a judge or OIPC adjudicator. Importantly, it seems “use” and “disclose” are demarcated by an internal

versus external barrier. It would suggest that an NFP that conducts secondary use of personal information

for purposes and activities that are wholly internal to that NFP or organization would fall under PIPA for

“use”-related provisions and limits. “Use” would seem to cover the activities of contractors external to an

organization, but acting for that organization and the various departments of a multi-departmental orga-

nization. Meanwhile, an NFP or organization that conducts or permits secondary use of personal informa-

tion alongside or by an entity completely external to the NFP or organization would fall under PIPA for

27POLICYWISE

“disclose”-related provisions and delimits. It would be likely that the sharing of NFP data between distinct

NFPs or with an external data repository, without any contractor-style agreement amongst them, would

be considered “disclosure” under OIPC.

Further understanding on the legal interpretation and approach to appropriate “use” and “disclosure”

under Alberta’s privacy legislation (whether PIPA, FOIP or HIA) can be garnered by examining the OIPC

adjudication decisions themselves. The online OIPC adjudicative decisions database was hand-searched

using the following inclusion criteria: (1) decision issued in last five years (2012-2015); (2) issues do not

solely consider complaints around requests for information access or correction; and (3) adjudicator con-

siders issues related to “use” or “disclosure” of information. Table 3 provides a detailed analysis of the 36

included OIPC adjudicative decisions, with an emphasis on determining what is considered appropriate

and allowable “use” and “disclosure”, and what is not.

Several key findings can be surmised from this analysis. First, generally, the legal approach to issues of

“collection” and “use” are determined together, while “disclosure” is interpreted separately while being

highly informed from the legal analysis of “collection” and “use.” Second, with respect to complaints, OIPC

examines collections, uses, and disclosures of personal information very specifically and very broadly. The

findings do not turn on, or consider, the possible negative impact of the disclosure (or collection or use).

Such impact is not a consideration of whether the disclosure was authorized or not. Similarly, personal

information is “used” when it is available for consideration, not in the narrower circumstance of being giv-

en any, little, lots or no weight in a determination; information does not have to be relied upon to be used.

“Disclosure” occurs when someone external to the necessary parties could view the personal information;

whether they actually viewed such information does not impact the “disclosure” analysis.

Third, PIPA and FOIP are distinguishable not only for the entities that they govern. These two Acts have

different purposes and PIPA’s definition of “personal information” is considered much broader than that

of FOIP because PIPA’s definition is simply “information about an identifiable individual.” While PIPA aims

to balance personal privacy with organizational activities, FOIP carries an additional aim to promote the

transparency and accountability of public bodies. FOIP provides a list of types of identifiable information,


thus information must be listed or be qualitatively similar to the enumerated to be considered identifiable

information. “Personal information” that triggers privacy legislation scrutiny and protection turns on the

term “about”; information that is related to someone is not necessarily about them. “About” is a highly

significant restrictive modifier, while “related” is narrower; information associated with someone or their

activities is connected to them but is not necessarily “about” them under privacy laws. It is important to

remember that as technologies and society evolves, the scope of what constitutes personal information, or

not, is similarly dynamic. The list of

identifiers is continually growing,

and this is recognized in law, by

courts and the OIPC.

Fourth, the three key, interrelated factors that should guide organizations in their collection, use and dis-

closure of information are consent, purpose, and reasonableness. There should be a reasonable purpose

in collecting the information; there should be consent or statutory exemption to consent that is connected

to the reasonable purpose; the information should only be used and disclosed to extent necessary to meet

that reasonable purpose; the connections between purposes and activities should be reasonable and di-

rect. Where an organization has no authority to collect and use particular personal information, then it

necessarily has neither a reasonable purpose for such information collection and use nor the possibility of

collecting or using that information to a reasonable extent. Where use or disclosure of personal informa-

tion is examined relative to the proviso of only to the extent necessary to meet the previously-established

reasonable purpose, the critical term is extent and it should be the minimal extent required to reasonably

meet the reasonable purpose. The minimal amount of personal information should be used or disclosed

(even if authorized to collect more). As will be discussed again below, the HIA dictates that custodians

should only collect, use or disclose “individually identifying health information” after considering whether

aggregate or other non-identifying health information would adequately achieve the intended purpose [32].

This adage appears to be applied by OIPC Adjudicators when considering use and disclosure of personal

information covered by PIPA and FOIP. The parties both internal or external to the organization or the

organization’s impugned activity should be the minimal number and type of parties necessary. Everyone

The three key, interrelated factors:

consent, purpose, and reasonableness.

29POLICYWISE

should be on a “need to know” basis or assessment: Does each party who could view, examine, or interpret

the personal information reasonably need to know that facet of personal information?

Fifth, databases contain a wealth of personal information and should be safeguarded appropriately, from

nefarious, rogue and negligent infringements of privacy protection laws. Access to information in data-

bases, and the reasons for such accesses, should be appropriately logged; and all parties who do, or could,

partake in such accesses should be properly trained in privacy protection requirements and monitored

for compliance.

Sixth, contracted employees of public bodies can be considered employees for the purposes of FOIP and

bring FOIP scrutiny to their activities, especially where they perform functions of, and on behalf of, the

public body.

Finally, privacy protection laws do not aim to limit information exchange with anonymity provisos around

service delivery itself; but do aim to put limits, constraints and safeguards beyond the point of care. This

may translate to NFPs that any initial point of care and service delivery involves information collection as

necessary; but any secondary use of information must involve the highest degree of anonymity possible.

2.1.4 B E S T P R A C T I C E S D I C TAT E D BY P I PA

NFPs engaged in non-commercial activities are not legally bound by PIPA requirements. It is, however,

highly recommended that NFPs should adhere to PIPA’s guidelines and best practices such as instituting

a privacy policy; appointing a privacy officer to ensure compliance with the policy; ensuring consent is

obtained from individuals for the collection, use and disclosure of personal information; ensuring the pur-

poses of information collection, use and disclosure are clear and reasonable; and, ensuring the adequate

security of information collected and stored. It has been argued that adhering to PIPA would not pres-

ent a significant cost to organizations; would avoid the inefficiency of carrying out different information

handling procedures when an NFP carries out some commercial activities (triggering PIPA) and some

non-commercial activities (not covered by PIPA); and would limit the risk of negative publicity and lost

public trust related to personal information complaints (to OIPC or to the media simply) [22].


Section 2.1.1 above presents the general obligations for information handling procedures by PIPA. Table 4

summarizes and supplements that section to act as a reference for NFPs of the best practices dictated by

PIPA; this along with Table 1 should provide NFPs with a fair understanding of the activities to follow in

order to be compliant with the tenets and requirements of PIPA.

2.1.5 F O I P & H I A C O N S I D E R AT I O N S

Although PIPA remains the primary legislation denoting the privacy and consent obligations for NFPs

around the collection, use and disclosure of personal information, there may be some NFPs by virtue of

their activities or alliances that fall under other Alberta privacy laws, particularly FOIP and HIA. As stated

above, fair information principles guide all privacy legislation in Alberta, the rest of Canada and all other

countries. A privacy-conservative NFP that follows the PIPA requirements should feel relatively confident

in their collection, use and disclosure of personal information. In what follows, a more considered analysis

is provided regarding the triggers of HIA and FOIP applicability and the limits of their jurisdiction, as well

as any notable (but not exhaustive) distinctions from the previously discussed PIPA.

2.1.5.1 F O I P A P P L I C A B I L I T Y

First, NFPs working with a public body should consider the privacy and information-handling require-

ments of FOIP [19, 22]. In some cases, an NFP will work with a public body via contract, in which case the

public body will likely retain control of any re-

cords and FOIP would apply to all records [21, 22].

The contractual terms should reflect the legisla-

tive requirements of FOIP. The Alberta Privacy

Commissioner has criticized the gap in protection when public bodies work with NFPs that are not subject

to privacy legislation (i.e. in their non-commercial activities) [22]. The Alberta Privacy Commissioner has

recommended that FOIP be amended so that when public bodies and NFPs are sharing personal informa-

tion as partners in cross-sectoral initiatives, the public bodies are responsible for the collection, use and

disclosure and protection of that personal information by the NFP [22].

The contractual terms should reflect the legislative requirements of FOIP.

31POLICYWISE

Second, the HIA could be triggered when NFPs collaborate with or employ HIA custodians. Four criteria

trigger HIA: a custodian collects, uses or discloses health information; the information at issue meets the

definition of personal health information; the collection, use or disclosure relates to the provision of a

health service; and the health information is recorded [32]. Importantly, when the information at issue falls

under FOIP or HIA, then that respective Act would apply, not PIPA [13, 21]. For example, when a government

department discloses personal information to a contractor carrying out work for that department, FOIP

applies to the information (and thus the directly-related activities of the contractor) [21]. Similarly, FOIP

has been clearly considered to begin where HIA ends. An organization could be subject to more than one

privacy legislation.

FOIP was created to promote an open and transparent government alongside the promotion of appro-

priate stewardship of personal information to which the government is privy during its public functions.

In this way, it differs from PIPA and HIA, whose language and purpose is much more towards protecting

individuals’ identifying information in a reasonable balance with the needs of private-sector organizations

and health services delivery professions and organizations to realize their delivery of goods and services.

PIPA and HIA focus on ensuring individuals have access to information about themselves held by organiza-

tions or custodians, while FOIP considers individuals access to information held about public bodies and

programs in addition to individual-level information about themselves.

2.1.5.2 H I A A P P L I C A B I L I T Y

The HIA, which limits the collection, use and disclosure of health information, applies to “custodians” of

FOIP was created to promote an open and transparent government alongside the promotion of appropriate stewardship of personal information.


“health information” and to their “affiliates” [20, 32]. The three highlighted terms demarcate the extent of HIA

applicability.

A “custodian” is defined in s. 1(1)(f) of the HIA to include the operators of the majority of organizations

and entities that provide health services in Alberta, such as the board of an approved hospital; the oper-

ator of a nursing home; an ambulance operator; a provincial health board; a regional health authority; a

subsidiary health corporation; any board, council, committee, commission, panel or agency created by a

listed custodian or designated in the regulations; a licensed pharmacy; as well as the Department and the

Minister [20]. In addition, a “custodian” includes a health services provider designated by the regulations to

include professionally licensed and regulated pharmacists, optometrists, opticians, chiropractors, physi-

cians, midwives, podiatrists, denturists, dentists, dental hygienists, and nurses [32, 33].

Section 1(1)(a) of the HIA defines “affiliates” to include custodian’s employees; those with contractual,

volunteer, appointee or student relationships with the custodian; health services providers exercising the

right to admit and treat patients at a hospital; an information manager; and, any person designated under

the regulations as an affiliate [20]. Importantly, custodians are not defined to include all individuals or enti-

ties that may collect or use health information in the course of their work [32]. Rather, custodians are those

individuals and entities that are viewed to be, and are positioned to be, trusted “gatekeepers” of an indi-

viduals’ health information. They can be trusted because of their public foundation or their professional

membership and role; mostly, they can be trusted because there is a level of accountability and compliance

to HIA attached to their roles.

The applicability of the HIA to NFPs, thus, hinges on whether the NFP is legally included as a “custodian”

or its “affiliate.” Unlike with PIPA, there is no exception or delimitation of applicability of HIA to NFPs.

Many enumerated custodians could be NFPs due to their incorporation or charitable status (e.g. hospital

or nursing home operators such as Covenant Health). The HIA would come into effect when a listed health

services provider provides a health service while working for an NFP, even if the NFP does not fit within

the custodian definition in and of itself. Similarly, if an NFP enters into a contractual, volunteer or other

collaborative relationship with an enumerated custodian, then the NFP would be deemed an affiliate and

33POLICYWISE

thus bound by the rules for the collection, use and disclosure of health information.

Because they are not defined as health services providers equal to custodians in the HIA, allied health

professionals such as psychologists, social workers, physical therapists, occupational therapists, and re-

spiratory therapists must consider their employment context, contractual relations, and governmental

relations to determine whether the HIA applies. Importantly, many of these allied health professionals are

employed by NFPs to deliver services; thus, NFPs must also be aware of when HIA scrutiny and obligations

are attracted. If an allied health professional is employed by an NFP, and that NFP is neither a custodian

nor an affiliate of a custodian, then the information collected, used or disclosed about an individual (even

if it is individually identifying health information) would not trigger the HIA (although PIPA could be

triggered). A specifically enumerated example to HIA in this area relates to psychologists who work for

a Director of the Child, Youth and Family Enhancement Act, their work and particularly any assessments

that they conduct are not considered health services and considered exempt to the consent requirements

of the HIA.

“Health information” is the other major determinative factor in assessing HIA applicability. Any and all of

two types of information are included in “health information”: “diagnostic, treatment and care informa-

tion” (s. 1(1)(i)) and “registration information” (s. 1(1)(u)) [20]. The former is broadly information about an

individual’s health and health services provided to the individual, while the latter includes six categories

including specified demographic information about an individual collected during provision of health ser-

vices (e.g. address, billing information). Importantly, it is the context of provision of health services that

trigger the HIA protections and limitations around “health information.” “Diagnostic, treatment and care

information” is deemed the most sensitive information about an individual, and thus the most stringent

rules apply to this information. Table 4 provides details which categories of information are included in

these two types of health information.

If, or once, HIA applicability (or the possibility of its applicability) is determined, then one must consider

what activities are permitted, restricted or banned by the HIA as related to the collection, use and disclo-

sure of health information.


2.1.5.3 H I A , C O N S E N T & D I S C R E T I O N A R Y D I S C L O S U R E

Rather than dictate all the HIA requirements herein, the following will focus on the key and notable re-

quirements of HIA in the context of fair information principles, the recognized sensitivity of health infor-

mation, and the approaches to privacy protection brought along by PIPA and FOIP.

The HIA is clear that personal health numbers are protected as is health information [20, 32]. Also, individu-

als have right to access their own health information, to ask for corrections to be considered; and to know

why it is being collected [20, 32]. There are limits to collection, use and disclosure of health information; and

one must always use the least amount of information at highest degree of anonymity (ss. 57, 58) [20, 32].

As stated earlier, custodians are ex-

pected to first consider whether the

collection, use or disclosure of “ag-

gregate health information” would

be adequate for the intended purpose; if adequate, only aggregate health information should be collected,

used or disclosed [20, 32]. “Aggregate health information” means non-identifying health information about

groups of individuals with common characteristics [20, 32]. Such information is generally statistical informa-

tion of the type that is virtually impossible to identify to the single individual, unless the cell or sample size

is very small (< 10) [20, 32].

If aggregate health information is not adequate for the intended purpose, the custodian must then con-

sider other “non-identifying health information” and whether it would be adequate for the intended pur-

pose [20, 32]. “Non-identifying health information” is defined as information from which the identity of the

individual who is the subject of the information cannot be readily ascertained from the information [20, 32].

Removing an individuals’ name and personal identifiers before information is disclosed and by not pro-

viding other contextual information, information can be essentially anonymous or non-identifying [20, 32]. If

such information would suffice, only that should be made use of [20, 32].

Only when aggregate and other non-identifying health information is inadequate for the intended pur-

“Non-identifying health information” is information from which identity cannot be readily ascertained.

35POLICYWISE

pose, can the custodian collect, use or disclose individually identifying health information, but only if such

activity is authorized by HIA and if such activity is carried out according to the HIA [20, 32]. “Individually

identifying health information” means that the identity of the individual who is the subject of the informa-

tion can be readily ascertained from the information (e.g. name, address, birthdate, full postal code etc…)

[20, 32]. “Readily ascertained” is also defined in the HIA to mean “the identity of an individual (e.g the indi-

vidual’s name or other identifiers or distinguishing characteristics associated with an individual) can be

determined or deduced without having to apply a sophisticated technical method or process, or without

having any particularly technical expertise to do so [20, 32].

This guidance on the order of consideration in the collection, use and disclosure of personal health in-

formation is crucial to all custodians under the HIA, and provides a rubric for all organizations to follow

the minimal extent of collection, use and disclosure of personal information dictated by PIPA and FOIP. It

would be a crucial consideration for all NFPs when determining what data to make available for secondary

use and how. Allowing a case-by-case assessment of purposes for the activity involving the information

(e.g. through controlled access by the NFP or a repository) would ensure the minimal necessary informa-

tion is collected, used and disclosed (with collection historically having a bit more lee-way regarding what

is minimally necessary, for public bodies at least).

Custodians, a term unique to the HIA, can collect, use and disclose non-identifying information for any

purpose, whether it is anonymized health information or aggregate information [20, 32]. As with other pri-

vacy legislation, the legal limitations come to bear on the individually identifying health information.

Here, as always, purpose matters [20, 32]. Only those purposes authorized under s. 27 sanction custodians

Allowing a case-by-case assessment of purposes would ensure the minimal necessary information is collected, used, and disclosed.


to collect and use individually identifying health information, including providing health services to the

individual; determining eligibility for services under Alberta Health Care Insurance Plan; and conducting

investigations or practice reviews of health professionals [20, 32]. The Minister, the Department and AHS

may use individually identifying health information for planning and resource allocation; health system

management; public health surveillance; health policy development, for within geographic area they have

jurisdiction [20, 32].

The principles of highest degree of anonymity does not strictly apply to the collection, use or disclosure

of health information when using this information for the purpose of providing “health services” or for

determining or verifying the eligibility of an individual to receive a “health service” [20, 32]. Privacy laws do

not aim to limit information exchange with anonymity provisos around service delivery itself; but do aim

to put constraints and safeguards beyond the point of care. This may translate to NFPs that any initial

point of care and service delivery involves information collection as necessary; but any secondary use of

information must involve the highest degree of anonymity possible.

Generally, an individual’s consent is needed before disclosure of individually identifying health informa-

tion (s. 34 HIA) [20, 32]. However, HIA is not as primarily consent-driven as PIPA; custodians possess a signif-

icant ability to collect, use and disclose health information without consent. Exceptions to consent (ss. 35,

37.1, 37.3, 38, 39 40, 46, and 47) relate to legally approved discretionary disclosure [20, 32]. Custodians can

disclose individually identifying diagnostic, treatment and care information without individual consent

to specific persons and for specific purposes listed in the legislation and regulations [20, 32]. These discre-

tionary disclosures include to another custodian for s. 27 purpose; to the person responsible for giving

Activity in question must be research to require REB scrutiny before conduct.

37POLICYWISE

continuing care to the individual; to family members or others with a close personal relationship, unless

the individual expressly requests that family and friends not be informed; and, to police to prevent or limit

fraud or abuse of health services or to protect public health and safety [20, 32].

The HIA permits individually identifying health information (both diagnostic and registration categories)

to be disclosed for research purposes by a custodian, without consent, under Part 5, Div 3 conditions [20,

32]. Those conditions include a research proposal assessed by a research ethics board (REB) designated

by Minister; the researcher must agree to comply with conditions in s. 53 (i.e. meet the conditions of the

custodian for access; obtain consent from participants if demanded by the REB); and the researcher must

enter into agreement with custodian (s. 54 conditions) [20, 32].

Data management, in health information and elsewhere, is crucial to good data governance and for com-

pliance with privacy laws. Custodians must enter into agreements with information managers to assist

in the appropriate care and storage of the information under its control. Section 66 of the HIA defines

an “information manager” as “a person or body that (a) processes, stores, retrieves or disposes of health

information, (b) in accordance with the regulations, strips, encodes or otherwise transforms individually

identifying health information to create non-identifying health information, or (c) provides information

management or information technology services” [20, 32]. A written agreement between the custodian and

the information manager must be entered into to ensure privacy protections and compliance with HIA [20,

32]. When those agreements are in place, consent of the individuals who are the subjects of the information

is not required, for the purposes authorized by the agreement. The purpose of the agreement dictates

what the information manager may do with the health information [20, 32]. As with other affiliations and

contracts, the custodian continues to be responsible for HIA compliance regarding the information [20, 32].

2.2 I N T E L L E C T UA L P R O P E R T Y I S S U E S

Intellectual property (IP) issues are separate from privacy and national security issues [34]. Intellectual

property falls under federal or national jurisdiction; thus, while inter-provincial activities are covered

by the same IP laws, international ones may not [34]. Because IP law covers important ownership, usage

and manipulation rights of particular forms of information, it represents an important component to any


discussion on secondary use of data. As will be demonstrated, it is an important but very limited legal

obligation and right in Canada regarding secondary use.

In IP, just as in other key legal arenas including privacy law, permission is key [34]. If a data source (e.g.

researcher, repository, NFP) gives permission to reuse data and one’s intended use fits within scope of

the permission, the permission provides the legal basis for data reuse and potential IP-based barriers are

removed [34]. But, if intellectual property or other legal rights on original data remain, the secondary user

or NFP must not infringe on those. This presents legal uncertainty of when, where and how these other

rights from the original data will play out [34]. Primary data sources need to clearly determine the scope

of the permission granted downstream when making “their” data available. The rights that may apply to

research or NFP data include trade secrets (confidential information), copyrights and the special database

rights established in only EU member countries, Mexico and South Korea (and which apply only to data-

bases created or maintained in their borders) [34].

Trade secrets are proprietary or confidential information [34]. According to international standards, na-

tional laws treat information as a trade secret if it derives economic value from not being generally known

or readily ascertainable, so long as the information has been subject to reasonable measures to keep it

secret [34]. Most research data, and likely NFP data, meet this definition, at least in the early stages of

collection and generation [34]. Public disclosure of information removes any associated trade secret pro-

tection [34]. Thus, data sharing or publication would remove trade secrets in research data [34]. This could

be an issue for NFPs or other private sector organizations that have taken reasonable steps to keep some

information secret, while also taking part in secondary use. If this is a concern, the NFP should provide

for the management of trade secrets in their agreement’s terms including timing and scope of information

disclosure. Discussions should occur early and often at the agreement negotiation stage, and not at later

times of publication or dissemination tactics [34].

Copyright grants author(s) of an original work the exclusive rights to reproduce the work, to publicly

distribute copies, to publicly display, publicly perform, or otherwise communicate the work to the pub-

lic, and to make adaptations of the work [34]. Copyright only becomes an issue for secondary data use if it

39POLICYWISE

is likely or plausible that the creator, owner or repository in which data resides is likely to seek to limit

copying, distribution or other reuses of the data [34]. Copyright imposes no restrictions on sharing of the

basic building blocks of knowledge (i.e. facts and ideas), which are part of the public domain and which

make a lot of the data at issue in secondary use discussions [34]. Raw observations and experimental data

are “facts” for copyright purposes and are free to be shared and reused without copyright restriction [34].

Copyright applies to original works of authorship as an author makes creative or editorial decisions about

how ideas and facts are expressed [34]. Separate copyrights attach to data items, organizational structures

and metadata [34]. In this way, copyright can sit on some but not all levels or layers of a work; the layers

that involve expressive choice generally trigger copyright protection [34]. Tables or figures are likely copy-

rightable; copying a whole dataset will involve copying the copyrighted layer [34]. Most data expressed

as numeric values are likely to be “facts” that are in the public domain [34]. Thus, even if copyright exists

at an organizational level, numeric values can be copied and reused without any copyright restrictions

[34]. Separate copyright can arise in the manner that data are selected and arranged (e.g. organization of

Excel spreadsheet if researcher exercised discretion in selecting field names and arranging their order

but copyright is limited to this layer of the dataset; no infringement of copyright if secondary researcher

republished data with renamed and reorganized fields in spreadsheet) [34]. Annotations, visualizations and

other forms of metadata can receive separate copyright protection if sufficiently original [34]. If we use the

principle of “discretionary decisions about expression”, then copyright applies. Copyright then becomes

an issue for the user seeking to reuse these forms of original expression.

There can be users’ rights expressed as exceptions to copyright or limits to copyright owner’s rights. In the

UK, Canada and other Commonwealth countries, the law conducts a fair dealing analysis to determine ex-

ceptions to copyright: (1) determine whether the use fits within one of a list of categorically eligible types

of use (e.g. using copyrighted work for noncommercial research or private study or criticism or review,

which are examples of categorically acceptable uses); (2) balance similar considerations about purpose of

use, extent of work used and effect of use on copyright owner [34]. By contrast, in the US, Israel and other

non-Commonwealth countries, the fair use doctrine is applied by courts, which “considers [the] nature

and purpose of use, how much authorship is in the source work, how much of author’s expression has


been taken in the use, and whether the use has an adverse effect on copyright owner’s ability to econom-

ically exploit the work” [34]. Some countries provide some level of moral rights in authorship, which are

personal to author and cannot be transferred [34]. These moral rights include that authors have the right to

be attributed; and authors have the right to not be attributed if they no longer wish to be associated with

the work.

In recognition of the growing data deluge and its inherent opportunities, the “UK law recently amended its

copyright to explicitly permit researchers to content mine the research literature because its Parliament

was uncertain whether the existing limitations and exceptions would permit the copying necessary to

engage in content mining” [34]. As stated earlier, in Europe, Mexico and South Korea, a Sui Generis Database

right was created for databases created or maintained in these borders and if the use of these databases

take place in these borders [34]. These special rights apply to any database that requires a “substantial

investment” to assemble or maintain the database; so the investment must be in obtaining the data not

creating the data [34]. This special database right is limited to recognizing the required investments in

obtaining data (not in creating data) [34]. This copyright lasts 15 years [34]. These protections are against

extraction or reutilization of substantial parts of a protected database and frequent extraction of insub-

stantial parts of a protected database [34]. Non-commercial research is not subject to this database right [34].

Usually the person who creates or generates the IP is the initial owner of these rights [34]. When the creator

is an employee, rights holding is more complicated and national variation reemerges as an issue [34]. All IP

rights are transferable (except moral rights in copyright), so the initial owner may not necessarily be the

rights holder [34]. Employers generally own trade secrets developed by employees within the scope of em-

ployment [34]. In the absence of agreement or policy, student or independent researchers would own any

trade secret rights associated with their data [34]. Sponsored research agreements and university or hos-

pital IP policies generally establish rules of ownership and disclosure for trade secrets [34]. Because of the

secret nature of trade secrets, there is no activity required to create it other than the reasonable measures

to keep secret. Copyright is initially owned by author(s) of the copyrighted work; the author made creative

or editorial decisions about how to express the underlying facts and ideas [34]. “If there is a copyright layer

to a dataset or database, the owner(s) of the copyright(s) associated with this layer would be the one(s)

41POLICYWISE

who chose how to organize, arrange, annotate, or visualize the data rather than the one(s) involved in its

generation or collection [34].” The Sui Generis Database rights are held by the person or entity that makes

substantial investment in collecting data from other sources or maintaining database; so, the rights fall to

data aggregators and repositories, not individual researchers, teams, organizations or NFPs [34].

Contracts, licenses and agreements represent a crucial tool for IP rights holders to disclose and share the

data protected by (or connected to) their IP rights under terms that meet their rights and obligations,

including IP rights and privacy policies. Owners of rights can grant permission for reuse through a non-ex-

clusive license [34]. Or, owners can enter into exclusive licenses with secondary users where they give up

the rights to use the IP usually in return for compensation [34]. If the data elements being shared are largely

uncopyrightable, then an agreement may not be necessary. But, agreements are important tools in data

governance to ensure all rights are met and followed. A crucial example of this is in Table 5, which contains

the terms of the copyright license for data shared by Statistics Canada.

2.3 G O V E R N A N C E I S S U E S

Privacy laws are just one area of law that governs the use of information collected by organizations. An-

other crucial governance tactic relates to data governance and research ethics. Data governance relates

to overall management of data, its collection, use, storage and the like. Responsible data stewardship re-

quires a clear and appropriate data governance plan. However, there is no set piece of legislation that sets

out the rules and laws for obligations around data governance. It falls within the previously discussed

privacy legislation, as well as other important normative tactics such as research ethics. Secondary use of

personal health information for research purposes is governed by the HIA; and institutional REBs are rec-

ognized by law as the entities that determine whether such research can proceed. REBs thus have become

legal instruments around the governance of secondary data use. This section will cover research ethics

boards, while the broadest topic of data governance will populate the subsequent section on the ethical

analysis. Ethics builds upon the law, but remains distinct from it.

2.3.1 R E S E A R C H E T H I C S B O A R D S


The Tri-Council Policy Statement on Research with Human Subjects (TCPS2) is a crucial research policy

guidelines in Canada, and it demarcates what is allowed in research with human subjects (whether as in-

dividuals, groups, parts of individuals, or information about individuals) [35]. REBs are defined in the TCPS2

as “a body of researchers, community members, and others with specific expertise (e.g. in ethics, in rele-

vant research disciplines) established by an institution to review the ethical acceptability of all research

involving humans conducted within the institution’s jurisdiction or under its auspices” [35].

In Alberta, there are three REBs designated under the HIA in Alberta, each with a few sub-committees

to focus on areas of specialization. First, there is the Conjoint Health Research Ethics Board (CHREB) of

the University of Calgary, which reviews applications from Researchers affiliated with the University of

Calgary faculties of Kinesiology, Medicine and Nursing. Second, the Health Research Ethics Board (HREB)

of the University of Alberta, administers the ethics review process for all faculty, staff and students of

the University of Alberta health sciences faculties, Alberta Health Services (in Northern Alberta includ-

ing Edmonton), and Covenant Health. There are four sub-committees of the HREB, which generally focus

on qualitative research, interventional research, non-invasive health research, and invasive biomedical

research. Finally, there is the Health Research Ethics Board of Alberta (HREBA), which is housed at the

provincial research funder Alberta Innovates, which consists of three sub-committees: Cancer Committee

(HREBA-CC), Clinical Trials Committee (HREBA-CTC), and Community Health Committee (HREBA-CHC).

The HREBA-CHC is a multi-disciplinary committee with members from both rural and urban Alberta that

provides scientific and ethical review of health research proposed to be conducted in communities across

Alberta.

When an individual or organization falls under the purview of an REB, REB review and approval is re-

quired before research commences when (1) research involves living human participants, or (2) research

involves human biological materials (including human embryos, fetuses, fetal tissue, reproductive materi-

als and stem cells) whether from living or deceased individuals (TCPS Article 2.1). The term “involves” is

more broadly interpreted than the restrictive “about” that triggers privacy law scrutiny. The bar will not

be as high for REB approval as say PIPA or FOIP applicability. Applicants to REBs must complete ethics ap-

plications which include detailed descriptions of the research, of adherence to TCPS2 requirements, and

43POLICYWISE

of the research protocol. REBs review these applications and make determinations on whether research

should be permitted to proceed, if modifications are required before REB permission is granted, or if re-

search cannot proceed without significant changes requiring a new application.

Failure to comply with the REB process or decisions (i.e. to conduct research without appropriate REB

approval) would lead to an institution’s loss (not just that of the infringing research group) of all funding

from the three national Tri-Council public research funders: the Canadian Institutes of Health Research,

the Social Sciences and Humanities Research Council, and the Natural Sciences and Engineering Research

Council. This heavy sanction promotes a community of compliance with the TCPS2.

The applicability of the TCPS2 and REB re-

view process to an NFP engaging in second-

ary data use is influenced by several points.

First, if any of the parties involved in the data

sharing enterprise have affiliations that fall under any of the three Albertan REBs, then the REB process

may be triggered. For example, if a university-affiliated researcher is involved in the NFP’s plans to collect,

use or disclose personal information (or even aggregate or non-identified personal information), then the

conversation should be had to examine whether REB approval is necessary. Generally, northern-Alberta

university affiliates fall to the HREB; southern-Alberta university affiliates fall to the CHREB; and, cancer

researchers, clinical trial researchers, and community-organization researchers fall to HREBA. Other fac-

tors may exempt a researcher from REB approval, but affiliation is an important trigger to liability that

must be fully considered at the start. Second, the activity in question must be research to require REB

scrutiny before conduct; other activities, which could be called quality assurance, program evaluation, or

business intelligence, that involve collection, examination and analysis of information do not require REB

approval. In the subsequent section, I provide more detail on the distinctions between research attracting

REB review and quality-assurance-like activities that do not attract such review and attention.

2.3.2. R E S E A R C H V S . Q UA L I T Y A S S U R A N C E

The CHREB looks closely at the TCPS2 to ascertain the limits of the definition of research: “where “re-

Activity in question must be research to require REB scrutiny before conduct.


search” is defined as an undertaking intended to extend knowledge through a disciplined inquiry or sys-

tematic investigation. This includes pilot studies (Article 6.11). The term “disciplined inquiry” refers to

an inquiry that is conducted with the expectation that the method, results, and conclusions will be able to

withstand the scrutiny of the relevant research community” [36]. Quality assurance work does not require

REB approval as long as “you are a legal custodian of any personal health information that will be used

in the project or already have specific consent from the patients to access their information.” These ex-

empt activities are listed in Article 2.5 of the TCPS2 to “include quality improvement, program evaluation

initiatives, performance reviews, which are

understood to be those things relating to the

assessment, management or improvement

of a local program” [35]. Under the HIA, REB

mandates relate to personal health informa-

tion, and not all personal information. If one wants their quality assurance work to be considered research

(e.g. for funding purposes) under the HIA (s. 27(2)), then the organization or individual must apply to the

REB [36]. The CHREB considers research involving human participants that requires ethics review to be “an

effort to produce new, generalizable knowledge” [36]. Where a competitive grant is involved, the project is

research that requires REB approval (even if the granting agency is not a Tri-Council funder) [36]. On the

other hand, quality assurance or quality improvement work can be a published work; so striving for, or

achieving, publication on its own will not require REB approval. In cases where a quality assurance, or

similar, project has changed focused into research, then it must stop and apply for REB approval: no retro-

active REB approval is possible [36].

The HREBA-CHC and Alberta Innovates have spurred an initiative entitled ARECCI: A pRoject Ethics Com-

munity Consensus Initiative [37]. This initiative has developed a tool and recommendations to support in-

tegration of ethics considerations across a range of knowledge-generating health projects, including re-

search, quality improvement, quality assurance, and program evaluation [37]. The goal has been to promote

confidence in assessing and managing risks to participants in any knowledge-generating project. ARECCI

aims to assist those pursuing knowledge-generating health projects by determining appropriate level of

Research involving human partic-ipants that requires ethics review to is “an effort to produce new, generalizable knowledge”

45POLICYWISE

ethics review, which includes assessing the level of risk to participants and researchers [37].

The Dalhousie University REB has provided a definitive and highly respected table to also assist in distin-

guishing research from quality assurance and program evaluation (which I will collectively term quality

improvement (QI)) [38]. If there is a dual purpose to data collection (both research and QI) and if QI is first,

then research use would be a secondary use of data (different purpose than original collection) and one

would need REB approval for that secondary use [38]. The Dalhousie table compares research from QI, and

considers several factors including: facets and role of hypothesis, aims, audience, theory, transferability/

generalizability, participant burden, data collection, presumption of risks and benefits, recruitment tac-

tics, “study” compared to regular services, and response to the question ‘would this be done anyways?’ [38].

When a study test or question is clearly stated and grounded in theory and existing literature, it is research;

meanwhile, QI relates to existing practice or aimed at program innovation or how a program is working

[38]. When the primary purpose is to publish results through scientific publication to expand knowledge,

then it is research; meanwhile, QI aims to gain information to improve practice or service delivery in

particular location [38]. When the primary audience is scholars, practitioners, and organizations beyond

immediate affiliation, then it is research; meanwhile, QI audiences are the organization or system being

assessed [38]. When generalizability is a clear intention, then it is research; meanwhile, QI is not intended

to be generalizable with results focused mainly on specific services or processes, but QI may eventually

be shared descriptively as experience for learning [38]. When the role of theory is high such that the goal

of research is to develop or test theory, then it is research; meanwhile, QI study goals are not focused on

theory, although there may be a small role for evaluation or improvement of a program with theory assist-

Dalhousie University REB has provided a definitive and highly respected table to also assist in distinguishing research from quality assurance and program.


ing in designing the study [38]. When the

additional burdens on participants are

present such that participation must be

voluntary because additional activities

are required, then it is research; mean-

while, QI often involves less such bur-

dens on participants such that participants continue to engage in routine care [38]. When data collection

is novel compared to the usual project (although secondary data analysis is research), then it is research;

meanwhile, QI data collection is typically not beyond what data is already routinely collected, although

some extra data could be collected for internal or external reporting [38]. When the assumption of benefit

does not exist because research assumes no benefits, then it is research; meanwhile QI often presumes

programs to be effective or beneficial [38]. When the likely beneficiaries are no one or similar individuals

in the future once knowledge attained and translated, then it is research; meanwhile, QI aim to benefit

participants and the local setting [38]. When participants are from multiple sites and/or use control groups,

then it is research; meanwhile, QI involves participants from the practice setting being evaluated [38]. If re-

sults would not apply to anywhere else, then the project would not continue as research as research seeks

to produce results that would apply more broadly; meanwhile, the QI project would continue as it aims to

use information to improve or evaluate that setting [38].

Ultimately, the necessity of REB approval for NFPs projects would need to be determined on a case-by-

case basis, accordingly to the facets and factors listed above. Unless a university-affiliated researcher is

involved in the project, it would be likely that health-related NFP research projects would need to go to

HREBA-CHC for approval. NFP projects that do not involve health information and do not have any affili-

ation to a university fall into a gap wherein no provincial REB is directly responsible. The goals, methods,

activities, information involved, and organizations involved in any data-driven, secondary use opportunity

involving personal information originally collected an NFP would inform the discussion as to whether REB

approval is required. In cases of uncertainty or clear gap, it would be best practice to either partner with

a university-affiliated researcher and utilize their REB, or go to ARECCI and request a review. Also, at the

Projects that do not involve health information and do not have any af-filiation to a university fall into a gap wherein no provincial REB is directly responsible.

47POLICYWISE

start of a larger- or broader- scale secondary use opportunity (e.g. involving more than one NFP, and/or

involving a long-term data mobilization vision), consultation with ARECCI would be prudent as it, along

with compliance with provincial privacy laws, would ensure a strong, legal foundation for the opportunity

and would promote public trust in the NFPs as well as their data-mobilizing tactics.

NFP’s that aim to mobilize the data at their disposal should do so with a clear understanding of their legal obligations and legally informed best practices.


3. CURRENT OR BEST DATA GOVERNANCE PRACTICES

If one sticks to the letter of the law, there may be many circumstances in which an NFP is not governed by

any privacy legislation in its activities, and thus the identifying information provided to it by individuals or

the public would be available to them to do so as they please. This capacity to use data can be quite power-

ful, in many different ways. The data can act as an asset and resource that the NFP could mobilize to better

its services and better meet its aims and objectives. In a world where data is considered an innovation and

asset, and where many commercial entities especially in social media harvest the data provided to them

and leverage it for profit, the public generally and individuals alone are becoming increasingly concerned

about their information, who has access to it, and what people are doing with it. The fine balance between

privacy and utility is something that all data purveyors have had to contend with for many, many years –

even before the invention of many of today’s

popular social media sites.

NFPs that aim to mobilize the data at their

disposal, should do so with a clear under-

standing of their legal obligations and legally-informed best practices. The above legal analysis aimed to

clarify those current obligations and practices. This section further elaborates on data governance best

practices by providing information on thoughtful, rigourous approaches to data governance and man-

agement in the NFP sector. Canadian and international examples are provided; the latter because of the

soundness and rigour of the approach to developing such guidance. After detailing the responsible data

approach that was derived from a review of several humanitarian organizations’ data policies, specific

organizational approaches will be introduced to detail the breadth of options and issues to consider for

NFPs in determining their data governance approach.

3.1 O V E R V I E W O F T H E R E S P O N S I B L E D ATA A P P R O A C H

In 2016, a comparative review of data governance approaches was conducted within the humanitarian

context [39]. This review particularly considered seven United Nations agencies, seven international organi-

There is a vulnerability of data sub-jetcs which creates new risks with siezing data opportunities.

49POLICYWISE

zations, two governmental agencies, and one research institution [39]. The authors argued that “…to create

an adequate level of trust and ensure the effectiveness of data-driven innovations across the humanitar-

ian sector, data policies, guidelines and implementation safeguards need to be developed and rigorously

tested” [39]. In humanitarian spaces, as well as for most NFPs, there is a vulnerability of data subjects which

creates new risks with seizing data opportunities [39].

Organizational data policies can generally focus on the impact of data use, or on responsible use of data

to protect data subjects and their rights, prevent liability risk and harm, or ideally both [39]. Although lack-

ing from the reviewed organizational data policies, data policies with value and impact indicators were

recommended [39]. These measures would allow organizations to determine whether data use was justi-

fied based on the intended deliverables, and fosters appropriate, longitudinal risk assessment, especially

when sensitive data is accessed [39].

A data audit system is also recommended in the data governance framework. Data handling must be de-

scribed to determine risks and to better enforce organizations and users that thoughtfully justify their

access and use of data [39]. Development of the audit system allows the organization to determine what

data are needed to meet goals or solve problems. Implementation of the data audit system primarily aims

to prevent the collection, use or disclosure of data that is unnecessary or nefarious, which increase risks to

data subjects and organizations. Data auditing could be via stipulated guidelines (e.g. level of anonymiza-

tion) or via a data custodian, controller, or auditing body with oversight and accountability responsibility

[39].

Risk assessment and mitigation strategies comprise another important component to a data governance

policy [39]. Risk assessment fosters the promotion of proportionality between risks and benefits [39]. The

available risk assessment strategies in data policies range in likely effectiveness and burden [39]. The least

burdensome, but likely least effective, assessment strategies involve statements of the importance of con-

sidering risk in data-related activities [39]. Slightly more burdensome and likely more effective strategies

would reference particular risk assessment tools [39]. Finally, the most burdensome and likely most effec-

tive risk assessment strategy would incorporate and mandate the use of concrete risk assessment tools [39].


Similarly, risk mitigation strategies range in possibilities: prohibitions on types of data use; preventing

and limiting data access; security safeguards to avoid unsanctioned data violations; consent require-

ments; and, the promotion of appropriate data management [39]. Risk mitigation can be at both the orga-

nizational and technical level [39]. Further technical procedures to mitigate risks include physical security,

access control, data classification, security and encryption [39]. Further organizational procedures in data

governance include standard operating procedures; ensuring legal requirements such as reasonable pur-

pose and consent are met; data sharing protocols; and governance mechanisms [39]. Organizations must

also include specific measures for protecting privacy of data subjects using technology and agreements to

protect against surveillance, inappropriate aggregation, exclusion, confidentiality breaches, inappropriate

accessibility, unsanctioned identification of individuals or groups, unapproved secondary use of data, and

avoiding data duplication [39].

Data policies should include recognition of the Fair Information Principles and the laws that cover the

NFP’s jurisdiction [39]. This recognition promotes the definite consideration of legal requirements in the

policy and ensures best practices are grounded in community standards set by law [39].

Policies and rules are only as effective as the compliance to them. Data policies should, thus, also contem-

plate and include mechanisms for monitoring adherence to the policy [39]. Monitoring, like other strategies,

can include one or more different facets. The policy should describe these facets. There could be technical

monitoring in the database systems as part of the audit system; there could be periodic reports provided

to the organizational leaders on data use metrics and any potential risks to data or subjects; and, there

could be surprise assessments of the data access process in the line of “secret shoppers” to ensure com-

pliance with policies. Monitoring compliance can root out problems as well as demonstrate successes in

data governance and data use.

Another facet to data policies where data is collected directly from subjects includes provisions on dispute

resolution and data withdrawal [39]. Data policies should consider the process that will be triggered if data

subjects wish to withdraw their data from the organization, either entirely or for secondary data use.

This process should include how data subjects will be informed of this policy; how they may make their

51POLICYWISE

preferences known; the implications for previously-collected and to-be-collected data; and, the organi-

zational process to effect this preference. Dispute resolution may be another area to be addressed in the

data policy. As described in Albertan privacy law, designation of a privacy or data officer would introduce a

point of contact for organizations to deal with disputes. Similarly, the data access protocols should include

processes when potential data secondary users wish to dispute access decisions.

The format of the data governance policy is itself quite critical. Enumerating the tasks and responsibilities

for enacting the policy and monitoring it are critical [39]. When all actors possess clear roles, it prevents

duplication and promotes implementation [39]. Also, in drafting the data policy, tradeoffs must be consid-

ered [39]. Greater detail brings clarity, but risks inapplicability to novel circumstances; so, a balance must

be found between detail and vagueness [39]. Simplicity is in tension with complexity: the former promotes

readability and compliance, but leaves room for questions and possibly divergent policy implementations

[39]. Generally, leaning towards greater elaboration of the strategies and values of the policy, in a step-by-

step format, promotes understanding, and thus increases the likelihood of implementation [39].

3.2 S P E C I F I C O R G A N I Z AT I O N A L A P P R O A C H E S TO D ATA G O V E R N A N C E

Data governance best practices for NFPs is a novel point of discussion. Many organizations work individ-

ually, rather than collectively, to determine their approach to data stewardship and governance to balance

privacy protection with organizational and sector utility. The diversity and commonality of these organi-

zations’ approaches would be informative to the diverse NFP sector, where organizations vary on resourc-

es, data capacity, and data interests. Ideally, organizations will consider the following four examples and

the entirety of this report to determine the best, most feasible, approach to data governance as they move

forward in seizing data-driven opportunities.

First, Medicins Sans Frontieres (MSF) is a humanitarian, non-governmental organization that adopted a

data sharing policy for routinely collected clinical and research data in 2012 [40]. The aim of this policy was

to ethically promote the sharing of MSF, and ideally other humanitarian and non-governmental organiza-

tions’, data with public health researchers for the benefit of the populations that they work with [40]. The

precursor to this policy was a public, institutional repository of MSF research publications in the context


of scientific journals prioritizing open access to data [40]. Before this policy was instituted in 2012, MSF

used a case-by-case approach to share their data [40]. This policy was developed in consultation with the

MSF’s own independent Ethics Review Board. Thus, an REB is available to MSF in policy development and

in oversight of policy compliance.

Briefly, the MSF data sharing policy consists of a statement of vision and principles, and then elaborates

the data access process [40]. The vision and principles describe the MSF mandate to promote health data

sharing, to accrue social benefit in opening up access to data, to move MSF towards greater online data

collection, and to prioritize safeguards of patients so that no patients or communities are harmed in the

facilitation of data sharing [40]. With the overriding objective to not do harm, the policy mandates that

sharing should not occur simply for the sake of sharing, but rather when there is the potential for greater

health benefits for populations [40].

The policy begins by defining the data at issue: all health data generated in MSF programs or sites where

MSF is the data custodian [40]. This data includes data from patient records, surveys, health information

systems, research, and human biological material [40]. The data access process is then the focus of the data

sharing policy. Those who can apply for data access include any appropriately qualified researchers from

academia, charitable organizations, and private companies [40]. Qualified is further defined as having au-

thored relevant peer-reviewed articles and still working in the relevant specialty [40]. Preference is given

to researchers from the countries or communities where MSF works, and especially where the datasets

originated [40].

While the policy plans for eventual open access data repositories, managed data access is the policy de-

Qualified is further defined as having authored relevant peer-reviewed articles and still working in the relevant specialty.

53POLICYWISE

fault [40]. The procedure for managed access is planned to be proportionate to the risks associated with

the data, to avoid undue delay or restrict access [40]. The managed access process includes applications to

facilitate assessment of researcher qualifications; consideration of consent issues; and appraisal of scien-

tific merit, potential benefits and risks. The MSF Ethics Review Board must review the applications when

the data includes either (a) identifiable data and/or human samples, even when consent was obtained at

original data collection; or (b) non-identifiable research data for purposes outside the original consent

agreements [40]. For (b), MSF must then attempt to return to study participants to expand their original

consent, or if that is not possible, MSF must secure the consent of the community where the study took

place [40]. This multi-pronged approach to ethics review and consent appears to be MSF’s attempt to en-

sure valuable previously-collected data is not lost to data sharing while also being respectful of participant

and community vulnerability and trust in MSF.

The policy maintains that data sharing must be a cost-neutral exercise, such that data recipients are re-

quired to cover all the costs of retrieving, processing and dispatching MSF datasets [40]. Cost exceptions

could be possible when data recipients demonstrate insufficient funds [40]. This data sharing policy does

not deal with all issues of data governance, but rather establishes a strong foundation for further discus-

sions on data sharing. This policy sets the stage for the use of standard templates including consent to

support the development of data sharing plans and proposals [40]. Data policies and approaches must also

consider the need to promote data quality and the protection of data from corruption or obsolete software

[40]. Data sharing policies must also consider extant agreements that could limit or direct data sharing, such

as contractor agreements with public funding bodies (which also introduce other privacy laws).

Second, another exploration of data governance approaches specifically targeted NFPs [41]. Appropriate

data governance by NFPs should promote the availability of data that is accessible and current to needs;

the usability of data for sound decision-making; the integrity of data that confirms trustworthiness; and

the stewardship of data that protects privacy and complies with legal requirements [41]. A data governance

framework could be divided into three key components: people, policy and technology. The people-fo-

cused facets demarcate authority, accountability and roles in the implementation of data governance, as

well as the fostering of a cultural attitude and collaborative environment with respect to data oppor-


tunities [41]. The policy-focused features delineate how information flow is managed; how data policies

themselves are managed; how issues are resolved; and how data-related communication is realized [41].

The policies guide decision-making and advance rational outcomes [41] Finally, the technology-focused

discussion targets management of data quality, compliance monitoring, data business rules, and process

management [41]. The development of a data governance approach should include team identification, as

well as a lifecycle-style process wherein goals are identified, policies developed, strategies implemented,

progress evaluated, and progress communicated so that the cycle may begin again to consider goals [41]

Third, another organizational data strategy is that of the Ontario Nonprofit Network [6, 42]. This strategy

aims to foster data-drivenness and data sharing amongst NFPs in Ontario (and beyond) [6, 42]. This type

of policy begins with enumeration of the principles that guide the strategy, including the promotion of

effective data use by NFPs, the assurance of responsible and ethical data collection and access to respect

privacy, recognize vulnerability and promote safety of the data subjects, and the accrual of public benefit

when enabling data access [6, 42].

The succinct data strategy then describes the four components to this strategy: standards, policy, skills

and resources, and leadership [6, 42]. The strategy aims for standardization across Ontario NFPs in the

publication of their data and metadata, to better facilitate secondary data use. The strategy demarcates

the rules and recommended legislation that govern what can be done to the data (or not); that clarify data

ownership and cost allocation amongst NFPs; and that secondary data use must benefit public work. The

strategy considers tactics to build NFP sector capacity in data use and management. Finally, the strategy

aims to foster commitment from leadership at the individual NFP level and at the sector level on investing

time and resources to promote data readiness and data sharing.

And, finally, the Vancouver Foundation has taken a copyright licensing approach to promote secondary

use of its data and outputs [43, 44]. The substantive portion of the policy itself is succinct: the foundation

itself and all grantees must share materials and knowledge via open license under the Creative Commons

Open Licenses [43, 44]. This directive is accompanied by a vision statement and policy development history.

The Vancouver Foundation intends to promote “sector-wide, intentional sharing of socially innovative

55POLICYWISE

ideas, information and resources among our peers and the public” [43]. Stakeholder consultation and legal

analyses were solicited in policy formation [43]. Provisos to the open licensing policy are also elaborated

therein including the mandate to not do harm with open access and the recognition of privacy protection,

charities’ financial viability, and the need to protect traditional and cultural rights [43].


4. CONCLUSIONS

This paper has aimed to provide NFPs in Alberta with an understanding of their legal and governance

obligations when considering the secondary use of data that they collect or that they would like to reuse.

These findings demonstrate that the law has somewhat limited direct imperatives for NFPs to follow, but

this does not mean that NFPs can do as they wish with the data that they collect. Best practices can be de-

rived from the clear legal obligations of other more-regulated sectors, including private sector businesses,

public bodies, and health information custodians, as well as from the industry standard best practices

from the NFP sector itself.

Data governance and privacy protection represent the two key considerations for NFPs when contemplat-

ing the collection, use and disclosure of identifying information, for the purposes of service delivery and

possibly secondary use. Privacy laws worldwide are based on the fair information principles, which can

be distilled to some key messages: (a) use the minimal information necessary to complete your task; (b)

have consent whenever possible for that use; (c) have administrative, technical and physical safeguards to

protect the information; and (d) individuals possess the right to access information about themselves and

to request corrections of it. Similarly, the trifecta of purpose, reasonableness and minimal extent appear

throughout the allowances made by privacy laws in Alberta.

When looking for the exact applicable legislation, a flexible order of importance of privacy laws in Alberta

is available:

1) If health information at issue, HIA applies.

2) If personal information at issue (but not health information) and a public body is involved

(whether actual or via contracted affiliate), then FOIP applies.

3) If personal information at issue (but not health information) and a private-sector organization

is involved, then PIPA applies.

a. When there are cross-border transactions, PIPEDA applies to the cross-border transactions

57POLICYWISE

while PIPA applies to the intraprovincial activities.

b. If the private-sector organization is duly incorporated as a NFP and it was involved in activities

of a commercial nature, then PIPA applies to those information-related activities during the

commercial activity.

c. If the private-sector organization is duly incorporated as a NFP and it was not involved in any

activities of a commercial nature, then PIPA does not apply.

Once the relevant legal obligations are determined, NFPs must then consider current and best practic-

es to data governance. NFP clientele place great trust in their organizations when seeking services and

supports. That trust could be severely damaged or lost, if there were privacy breaches or risks of harms

because NFPs did not consider client preferences and protections in their use and disclosure of the data.

NFPs should develop a data policy that details the goals, vision, activities, and responsibilities the NFP

and its staff undertake when collecting, using and disclosing identifying information. These policies vary

between NFPs, based on sectors, services, data types, resources and capacities.

Intellectual property laws and privacy laws represent distinct pathways towards data sharing. Copyright

licensing represent a valid avenue to make data available, but if blanket policies they may not provide the

individual protections necessary when identifying information is at issue. Privacy laws offer guidelines to

how to reasonably, and thus equally, balance the individual’s right to privacy to the organization’s need to

use the data that they have. One should not give way to other. In this way, secondary data use when aimed

at improving service delivery or outcomes within the NFP sector and its client population, respectively,

can be realized without sacrificing individual privacy and organizational trust.

NFPs currently fall into several legislative gaps with respect to secondary use of data including identifying

information. For example, privacy laws do not apply to duly incorporated NFPs carrying out non-com-

mercial activities, and research ethics boards are not obliged to review the planned secondary uses of

data by NFPs if there is neither university affiliation nor health information involved. Nevertheless, best

practices around data governance and privacy protection abound. Societal expectations, ethical practices,


and conservative business approaches all demand that NFPs approach the use and disclosure of data from

a legal and governance perspective. Such a perspective demands the development of a data and privacy

policy. Such a policy should be formatted to include a vision statement that clearly links to recognized

legal requirements and international Fair Information principles, and which details the NFP’s expecta-

tions around the goals of data sharing and the tensions to balance. The content of the policy should then

describe the safeguards in place, the access processes required for secondary use, and the monitoring

processes for compliance. Prioritization of consent, “need to know” directives, and reasonableness would

promote compliance with privacy laws. Roles and tasks could be enumerated to promote effective imple-

mentation.

59POLICYWISE

Tab

le 1

. Key

Obl

igat

ions

of P

IPA

Ten

Key

Obl

igat

ions

to M

eet U

nder

PIP

A

1.

Pers

onal

info

rmat

ion

hand

ling

prac

tices

, pol

icie

s and

pro

cedu

res s

houl

d be

dev

elop

ed to

pro

tect

per

sona

l inf

orm

atio

n, w

hich

sh

ould

cov

er

a. W

hat p

erso

nal i

nfor

mat

ion

is c

olle

cted

(and

ens

urin

g th

at c

olle

ctio

n is

for a

reas

onab

le p

urpo

se a

nd o

nly

info

rmat

ion

is

colle

cted

that

is re

ason

able

for c

arry

ing

out t

hose

pur

pose

s (s.

11))

; b.

How

is c

onse

nt o

btai

ned

for t

he c

olle

ctio

n, u

se a

nd d

iscl

osur

e of

per

sona

l inf

orm

atio

n;

c. H

ow w

ill p

erso

nal i

nfor

mat

ion

be u

sed

and

disc

lose

d;

d. H

ow w

ill a

dequ

ate

stor

age

and

secu

rity

mea

sure

s be

impl

emen

ted;

e.

How

will

per

sona

l inf

orm

atio

n be

dis

pose

d of

; f.

How

will

acc

ess a

nd c

orre

ctio

n re

ques

ts b

e ha

ndle

d; a

nd,

g. H

ow w

ill e

nqui

ries

and

com

plai

nts b

e re

spon

ded

to?

2.

The

priv

acy

and

info

rmat

ion

hand

ling

polic

ies s

houl

d be

revi

ewed

per

iodi

cally

, and

shou

ld a

ddre

ss o

ngoi

ng a

nd n

ew a

ctiv

ities

th

at in

volv

e pe

rson

al in

form

atio

n co

llect

ion,

use

, dis

clos

ure

or st

orag

e.

3.

The

priv

acy

and

info

rmat

ion

hand

ling

polic

ies s

houl

d be

ava

ilabl

e an

d co

mm

unic

ated

to e

mpl

oyee

s, v

olun

teer

s and

oth

er

orga

niza

tiona

l sta

ff, a

s wel

l as t

o th

e pu

blic

incl

udin

g th

e au

dien

ce o

r clie

ntel

e of

the

orga

niza

tion.

Suc

h co

mm

unic

atio

n co

uld

incl

ude

staf

f tra

inin

g, p

amph

lets

and

bro

chur

es, a

nd w

ebsi

te in

form

atio

n.

4.

A pr

ivac

y of

ficer

shou

ld b

e re

cogn

ized

, des

igna

ted

and

supp

orte

d to

exe

rcis

e th

e au

thor

ity to

add

ress

pri

vacy

issu

es re

late

d to

the

orga

niza

tion

and

its o

pera

tions

. Int

erna

l and

ext

erna

l com

mun

icat

ions

shou

ld m

ake

the

iden

tity

and

cont

act i

nfor

mat

ion

of

orga

niza

tiona

l pri

vacy

offi

cer r

eadi

ly a

vaila

ble,

esp

ecia

lly a

t the

tim

e of

gar

neri

ng c

onse

nt fo

r inf

orm

atio

n co

llect

ion.

5.

Al

l con

trac

ts a

nd a

gree

men

ts sh

ould

incl

ude

a pr

ivac

y pr

otec

tion

clau

se, s

o th

at a

ny c

ontr

acto

r of t

he o

rgan

izat

ion

prot

ects

pe

rson

al in

form

atio

n ac

cord

ing

to th

e or

gani

zatio

n’s p

riva

cy a

nd in

form

atio

n ha

ndlin

g po

licie

s.

6.

Unl

ess P

IPA

spec

ifica

lly e

xem

pts,

org

aniz

atio

ns m

ust g

et in

form

ed c

onse

nt to

col

lect

, use

or d

iscl

ose

pers

onal

info

rmat

ion.

In

gath

erin

g co

nsen

t, or

gani

zatio

ns m

ust a

dequ

atel

y in

form

indi

vidu

als o

f the

pur

pose

for i

nfor

mat

ion

colle

ctio

n, a

s wel

l as t

he

prop

osed

and

pot

entia

l use

s, d

iscl

osur

es, s

tora

ge a

nd d

ispo

sal o

f the

info

rmat

ion.

Onl

y re

ason

able

pur

pose

s and

met

hods

of

colle

ctio

n ca

n be

con

sent

ed to

; an

indi

vidu

al c

anno

t con

sent

to u

nrea

sona

ble

colle

ctio

n of

per

sona

l inf

orm

atio

n, in

clud

ing

any

extr

a in

form

atio

n di

sclo

sed

that

is n

ot n

eede

d fo

r the

pur

pose

. Con

sent

can

be

expr

ess (

wri

tten

or v

erba

l), im

plie

d (in

form

atio

n is

vo

lunt

eere

d in

reas

onab

le a

nd c

lear

cir

cum

stan

ces)

, or o

pt-o

ut (o

rgan

izat

ions

pro

vide

indi

vidu

als w

ith th

e re

ason

able

pur

pose

of

thei

r nee

d fo

r per

sona

l inf

orm

atio

n; w

ith e

asy-

to-u

nder

stan

d no

tice

that

con

sent

will

be

impu

ted

if th

ey d

o no

t opt

-out

; with

a

reas

onab

le w

indo

w a

nd c

hanc

e to

say

no a

nd o

pt-o

ut; a

nd w

ith a

ssur

ance

that

the

pers

onal

info

rmat

ion

is n

ot so

sens

itive

it w

ould

be

unr

easo

nabl

e to

use

an

opt-

out f

orm

). Co

nsen

t can

be

chan

ged

or w

ithdr

awn

by th

e in

divi

dual

by

givi

ng th

e or

gani

zatio

n re

ason

able

not

ice,

unl

ess a

lega

l dut

y or

obl

igat

ion

wou

ld b

e in

terf

ered

with

(s. 9

). Th

e co

nseq

uenc

es o

f alte

red

or w

ithdr

awn

cons

ent s

houl

d be

exp

lain

ed to

the

indi

vidu

al. C

onse

nt to

col

lect

, use

or d

iscl

ose

pers

onal

info

rmat

ion

cann

ot b

e a

cond

ition

for a

n or

gani

zatio

n to

supp

ly a

n in

divi

dual

with

a p

rodu

ct o

r ser

vice

, if t

he in

form

atio

n at

issu

e is

bey

ond

that

nec

essa

ry to

supp

ly th

e pr

oduc

t or s

ervi

ce.

7.

As p

er fa

ir in

form

atio

n pr

inci

ples

, org

aniz

atio

ns sh

ould

lim

it th

e co

llect

ion

of p

erso

nal i

nfor

mat

ion,

by

amou

nt a

nd ty

pe, t

o th

e m

inim

um n

eces

sary

to c

arry

out

the

orga

niza

tion’

s obl

igat

ions

. 8.

As

with

info

rmat

ion

colle

ctio

n, p

riva

te se

ctor

org

aniz

atio

ns m

ay o

nly

use

or d

iscl

ose

pers

onal

info

rmat

ion

for r

easo

nabl

e pu

rpos

es

and

mus

t lim

it in

form

atio

n us

e to

the

min

imum

nec

essa

ry to

reas

onab

ly c

arry

out

thos

e en

umer

ated

pur

pose

s.

9.

Som

e ex

cept

ions

to th

e ne

cess

ity o

f con

sent

pri

or to

info

rmat

ion

colle

ctio

n, u

se o

r dis

clos

ure

incl

ude

whe

n co

nsen

t can

not

reas

onab

ly b

e ob

tain

ed in

a ti

mel

y m

anne

r or a

n in

divi

dual

wou

ld n

ot re

ason

ably

be

expe

cted

to re

fuse

con

sent

but

it w

ould


reas

onab

ly b

e co

nsid

ered

in th

e in

divi

dual

’s in

tere

sts;

whe

n an

othe

r sta

tute

or r

egul

atio

n re

quir

es o

r allo

ws f

or in

form

atio

n co

llect

ion

with

out c

onse

nt; w

hen

the

info

rmat

ion

is p

rovi

ded

by a

Pub

lic B

ody

by la

w; w

hen

info

rmat

ion

colle

ctio

n is

reas

onab

le

for t

he p

urpo

ses o

f a le

gal i

nves

tigat

ion

or p

roce

edin

g; w

hen

the

info

rmat

ion

is d

eter

min

e su

itabi

lity

for a

n aw

ard

or h

onou

r;

whe

n th

e pe

rson

al in

form

atio

n is

pub

licly

ava

ilabl

e; w

hen

colle

ctio

n is

by

an a

rchi

val i

nstit

utio

n or

for r

easo

nabl

e ar

chiv

al

purp

oses

; whe

n in

form

atio

n pe

rtai

ning

to d

ebt c

olle

ctio

n fr

om, o

r deb

t rep

aym

ent t

o, th

e in

divi

dual

; and

, whe

n in

form

atio

n gi

ven

to c

redi

t rep

ortin

g ag

ency

to c

reat

e cr

edit

repo

rt a

nd in

divi

dual

ori

gina

lly p

erm

itted

such

dis

clos

ure.

A fe

w a

dditi

onal

exc

eptio

ns

to c

onse

nt fo

r dis

clos

ure

exis

t, w

hich

incl

ude

whe

n di

sclo

sure

is re

quir

ed to

com

ply

with

a su

bpoe

na, w

arra

nt o

r cou

rt o

rder

; whe

n a

Publ

ic B

ody

or p

olic

e se

rvic

e re

quir

e as

sist

ance

in in

vest

igat

ion

rela

ted

to a

law

enf

orce

men

t pro

ceed

ing;

whe

n di

sclo

sure

is in

re

spon

se to

an

emer

genc

y th

at th

reat

ens t

he li

fe, h

ealth

or s

ecur

ity o

f an

indi

vidu

al o

r the

pub

lic; w

hen

disc

losu

re is

requ

ired

to

cont

act a

fam

ily m

embe

r or f

rien

d of

an

inju

red,

ill o

r dec

ease

d pe

rson

; whe

n di

sclo

sure

is re

ason

able

as r

elat

es to

the

surv

ivin

g sp

ouse

, adu

lt pa

rtne

r or r

elat

ive

of a

dec

ease

d in

divi

dual

; whe

n di

sclo

sure

pro

tect

s aga

inst

, pre

vent

s, su

ppre

sses

or d

etec

ts fr

aud.

10

. Whe

re p

erso

nal i

nfor

mat

ion

rela

tes t

o em

ploy

ees a

nd is

wha

t is r

easo

nabl

y ne

eded

to e

stab

lish,

man

age

or e

nd a

wor

k or

vo

lunt

eer,

that

info

rmat

ion

can

be c

olle

cted

, use

d an

d di

sclo

sed

with

out c

onse

nt fo

r rea

sona

ble

purp

oses

rela

ted

to re

crui

ting,

m

anag

ing

or te

rmin

atin

g pe

rson

nel.

Man

agin

g pe

rson

nel i

s rel

ated

to h

uman

reso

urce

man

agem

ent d

utie

s and

resp

onsi

bilit

ies a

s w

ell a

s adm

inis

teri

ng p

erso

nnel

(e.g

. pay

roll,

succ

essi

on p

lann

ing)

. Per

sona

l inf

orm

atio

n no

t rel

ated

to th

e w

ork

rela

tions

hip

is

not s

ubje

ct to

this

em

ploy

men

t-re

late

d ex

cept

ion

to c

onse

nt. T

he w

ork

rela

tions

hip

cove

rs b

oth

whe

n th

e in

divi

dual

is a

n em

ploy

ee, a

nd w

hen

recr

uitin

g a

pote

ntia

l em

ploy

ee. W

hile

con

sent

is n

ot re

quir

ed, n

otic

e is

requ

ired

whe

n co

llect

ing

empl

oyee

in

form

atio

n fo

r em

ploy

ees;

such

not

ifica

tion

is n

ot re

quir

ed d

urin

g re

crui

tmen

t [13

, 21]

.

61POLICYWISE

Tab

le 2

. PIP

A R

equi

rem

ents

aro

und

Acc

ess

to In

form

atio

n R

ight

s

Issu

es

Det

ails

R

eque

sts

• In

divi

dual

s w

ho m

ake

requ

ests

for a

cces

s ar

e ap

plic

ants

. •

App

lican

ts m

ust p

rovi

de e

noug

h in

form

atio

n to

the

orga

niza

tion,

so

that

the

orga

niza

tion

can

mak

e a

reas

onab

le

effo

rt to

find

the

info

rmat

ion.

•

Nor

mal

ly re

ques

ts a

re m

ade

in w

ritin

g, e

spec

ially

for l

arge

r org

aniz

atio

ns. O

rgan

izat

ions

can

cho

ose

to a

ccep

t ora

l re

ques

ts, i

f the

app

lican

t can

not p

ut th

e re

ques

t in

wri

ting

or if

they

are

a s

mal

ler o

rgan

izat

ion.

•

Req

uest

s fo

r acc

ess

to in

form

atio

n in

clud

e ei

ther

vie

win

g/se

eing

the

info

rmat

ion

or re

ceiv

ing

a co

py o

f the

in

form

atio

n.

• R

eque

sts

do n

ot h

ave

to in

clud

e a

reas

on fo

r the

requ

est.

Org

aniz

atio

nal

Res

pons

e to

Req

uest

s •

The

orga

niza

tion

mus

t res

pond

with

in 4

5 ca

lend

ar d

ays

of re

ceiv

ing

the

requ

est.

• O

rgan

izat

ions

may

impl

emen

t a p

roce

ss fo

r acc

ess

requ

ests

, inc

ludi

ng a

n of

fice

to re

ceiv

e re

ques

ts a

nd a

tim

e lim

it fo

r pro

cess

ing

a re

ques

t wou

ld n

ot b

egin

unt

il th

e re

ques

t arr

ived

at t

he d

esig

nate

d of

fice.

•

Unl

ess

the

reco

rd d

oes

not e

xist

or t

here

is a

sta

tuto

ry re

fusa

l ava

ilabl

e, th

e O

rgan

izat

ion

mus

t (1)

giv

e th

e in

divi

dual

acc

ess

to h

is o

r her

per

sona

l inf

orm

atio

n; (2

) tel

l the

indi

vidu

al w

hat t

he in

form

atio

n ha

s be

en o

r is

bein

g us

ed fo

r, an

d (3

) tel

l the

indi

vidu

al to

who

m, a

nd in

wha

t situ

atio

ns, t

he in

form

atio

n is

bei

ng o

r has

bee

n di

sclo

sed

by th

e or

gani

zatio

n.

• Th

e or

gani

zatio

n m

ust b

e gu

ided

by

reas

onab

lene

ss in

thei

r dea

lings

with

an

acce

ss re

ques

t. Th

is in

clud

es b

eing

op

en, c

ompl

ete

and

accu

rate

in y

our r

espo

nse

to a

pplic

a nt.

• R

easo

nabl

e fe

es c

an b

e ch

arge

d fo

r acc

ess

to p

erso

nal i

nfor

mat

ion

or to

info

rmat

ion

abou

t the

use

or d

iscl

osur

e of

th

at in

form

atio

n. B

ut, o

rgan

izat

ions

can

not c

harg

e em

ploy

ees

for a

cces

s to

em

ploy

men

t inf

orm

atio

n. W

ritte

n fe

e es

timat

es m

ust b

e pr

ovid

ed b

efor

e or

gani

zatio

ns p

roce

ss a

requ

est.

Dep

osits

can

be

requ

ired

. Rec

ords

can

be

with

held

if fe

es a

re o

win

g.

• Th

e 45

- day

clo

ck s

tops

onc

e an

est

imat

e is

pro

vide

d to

the

appl

ican

t, an

d do

es n

ot s

tart

unt

il es

timat

e ac

cept

ed a

nd

depo

sit r

ecei

ved.

If th

e ap

plic

ant d

oes

not r

espo

nd w

ithin

30

days

of w

hen

the

estim

ate

was

giv

en, t

hen

requ

est

cons

ider

ed w

ithdr

awn.

A

utho

rize

d R

epre

sent

ativ

es

• Th

ose

over

18

year

s of

age

can

exe

rcis

e al

l rig

hts

unde

r PIP

A. M

inor

s ca

n ac

t on

thei

r ow

n be

half

if th

ey u

nder

stan

d th

eir r

ight

s an

d po

wer

s, a

nd th

e co

nseq

uenc

es o

f exe

rcis

ing

them

und

er P

IPA

. •

An

auth

oriz

ed re

pres

enta

tive

is a

noth

er p

erso

n w

ho h

as th

e au

thor

ity to

do

wha

t the

indi

vidu

al c

an d

o un

der P

IPA

. Th

ey in

clud

e (a

) a g

uard

ian

of a

min

or; (

b) a

n ex

ecut

or o

r adm

inis

trat

or o

f the

est

ate

of a

n in

divi

dual

who

has

die

d;

(c) a

gua

rdia

n or

trus

tee

of a

dep

ende

nt a

dult;

(d) a

n in

divi

dual

act

ing

with

the

wri

tten

auth

oriz

atio

n of

an

indi

vidu

al; a

nd (e

) an

indi

vidu

al w

ho is

act

ing

unde

r a p

ower

of a

ttorn

ey.

Exce

ptio

ns to

Giv

ing

Acc

ess

• A

n or

gani

zatio

n ca

n re

fuse

acc

ess

in s

elec

t situ

atio

ns, s

uch

as:

• W

hen

info

rmat

ion

is p

rote

cted

by

any

lega

l pri

vile

ge

• W

hen

disc

losu

re w

ould

giv

e aw

ay c

onfid

entia

l bus

ines

s in

form

atio

n, a

nd it

is n

ot u

nrea

sona

ble

to h

old

back

the

info

rmat

ion

• W

hen

the

info

rmat

ion

was

col

lect

ed fo

r an

inve

stig

atio

n or

lega

l pro

ceed

ing


• W

hen

disc

losu

re m

ight

resu

lt in

that

type

of i

nfor

mat

ion

no lo

nger

bei

ng s

uppl

ied

and

it is

reas

onab

le fo

r the

or

gani

zatio

n to

nee

d th

e ty

pe o

f inf

orm

atio

n •

Whe

n a

med

iato

r or a

rbitr

ator

col

lect

ed th

e in

form

atio

n •

An

orga

niza

tion

MU

ST re

fuse

acc

ess

if di

sclo

sure

: •

Cou

ld re

ason

ably

be

expe

cted

to th

reat

en th

e lif

e or

sec

urity

of a

noth

er in

divi

dual

; •

Wou

ld s

how

per

sona

l inf

orm

atio

n ab

out a

noth

er in

divi

dual

; or

• W

ould

iden

tify

the

indi

vidu

al w

ho g

ave

you

an o

pini

on a

bout

som

eone

els

e in

con

fiden

ce a

nd th

e in

divi

dual

gi

ving

the

opin

ion

does

not

con

sent

to th

e di

sclo

sure

of h

is o

r her

iden

tity.

You

can

hol

d ba

ck th

e id

entit

y of

the

pers

on w

ho w

rote

the

opin

ion

whi

le s

till g

ivin

g ac

cess

to th

e op

inio

n its

elf,

unle

ss th

e ap

plic

ant c

ould

figu

re o

ut

who

gav

e th

e op

inio

n by

read

ing

it.

63POLICYWISE

Tab

le 3

. OIP

C in

terp

reta

tions

and

use

s of

“us

e” a

nd “

disc

lose

” in

PIP

A, F

OIP

, or H

IA c

ompl

aint

s’ a

djud

icat

ion.

OIP

C#

Yea

r

Def

enda

nt

C

ompl

ain

t

Dis

cuss

ion

on

“co

llec

t”

D

iscu

ssio

n o

n “

use”

D

iscu

ssio

n o

n “

disc

lose

” or

“di

sclo

sure

” F2

012

-05

2012

W

orke

rs’

Com

pens

atio

n Bo

ard

• Pu

blic

Bod

y (P

B)

colle

cted

and

use

d in

form

atio

n fr

om

thir

d pa

rty

abou

t Co

mpl

aina

nt.

• Th

at in

form

atio

n w

as

used

to d

eter

min

e Co

mpl

aina

nt w

as (a

) no

t “de

pend

ent”

un

der l

egis

latio

n;

and

thus

(b)

unen

title

d to

de

ceas

ed h

usba

nd’s

pens

ion.

• PB

inve

stig

ator

s und

er

Wor

kers

’ Com

pens

atio

n Ac

t “m

ay c

olle

ct a

ny in

form

atio

n th

at c

ould

reas

onab

ly b

e sa

id to

be

rela

ted

to th

e m

atte

r und

er in

vest

igat

ion

and

pote

ntia

lly re

leva

nt. I

t ne

ed n

ot u

ltim

atel

y be

pr

oven

to b

e re

leva

nt in

fa

ct.”

[par

a. 3

0]. I

f in

vest

igat

ors w

orki

ng in

go

od fa

ith, t

hen

shou

ld b

e fr

ee to

col

lect

all

pote

ntia

lly

rele

vant

info

rmat

ion.

•

Indi

rect

col

lect

ion

was

au

thor

ized

und

er th

e W

CA

[par

a. 3

3].

Argu

men

ts:

• PB

arg

ued

that

in

form

atio

n w

as n

ot

“use

d” b

ecau

se it

was

not

“r

elie

d up

on to

mak

e th

e de

term

inat

ion”

at i

ssue

(d

epen

denc

y is

sue)

. •

Com

plai

nant

arg

ued

that

PB

con

tinue

s to

“ref

er” t

o co

ntes

ted

info

rmat

ion

and

thus

can

not a

rgue

th

at d

id n

ot u

se.

Dec

isio

n •

Whe

n in

form

atio

n in

clud

ed in

the

wri

ting

of

the

deci

sion

lett

er,

cont

este

d in

form

atio

n w

as “u

sed”

, eve

n if

give

n lit

tle to

no

wei

ght i

n de

cisi

on [p

ara.

39]

. •

This

use

was

eith

er to

m

ake

dete

rmi n

atio

n or

to

at le

ast t

horo

ughl

y do

cum

ent e

vide

nce

revi

ewed

[par

a. 4

1].

• Th

e us

e w

as lo

gica

lly

rela

ted

to th

e pu

rpos

e fo

r w

hich

the

info

rmat

ion

was

col

lect

ed

(inve

stig

atio

n of

Co

mpl

aina

nt’s

clai

m

unde

r WCA

) [pa

ra. 4

1].

So, a

utho

rize

d “u

se”

unde

r FO

IP [p

ara.

42]

.

• D

iscl

osur

e of

per

sona

l in

form

atio

n is

eith

er

spec

ifica

lly a

utho

rize

d un

der F

OIP

or i

s not

; “th

e po

ssib

le n

egat

ive

impa

ct

of th

e di

sclo

sure

is n

ot a

fa

ctor

in d

eter

min

ing

whe

ther

the

disc

losu

re

was

aut

hori

zed”

[par

a.

47].

• W

hen

PB d

iscl

oses

in

form

atio

n to

a

repr

esen

tativ

e in

thei

r ca

paci

ty a

s age

nt fo

r the

Co

mpl

aina

nt

(Com

plai

nant

aut

hori

zed

repr

esen

tativ

e to

act

in

thei

r ste

ad a

nd re

ques

t PB

to c

omm

unic

ate

via

repr

esen

tativ

e), t

hen

it is

an

aut

hori

zed

disc

losu

re

[par

a. 4

9].

• Si

gned

aut

hori

zatio

n fo

rm

equa

tes t

o co

nsen

t [pa

ra.

50].

• D

iscl

osur

e by

PB

to

Appe

als C

omm

issi

on u

pon

requ

est,

whi

ch w

as

dire

ctly

aut

hori

zed

by th

e W

CA [p

ara.

51]

.

F20

13-3

1 20

13

Cent

ral A

B Ch

ild

& F

amily

Au

thor

ity

(Reg

ion

4)

• Co

mpl

aina

nt

com

plai

ned

her P

B em

ploy

er c

olle

cted

, us

ed a

nd d

iscl

osed

he

r per

sona

l in

form

atio

n co

ntra

FO

IP.

• PB

col

lect

ed p

erso

nal

info

rmat

ion

dire

ctly

from

Co

mpl

aina

nt (d

octo

r’s

note

s), s

o in

com

plia

nce

s.

34 F

OIP

[par

a. 9

]. •

Man

agin

g em

ploy

ees i

s “an

op

erat

ing

prog

ram

or

activ

ity o

f the

PB”

per

s.

• “S

ame

cons

ider

atio

ns

appl

y w

heth

er it

is a

use

or

a d

iscl

osur

e” [p

ara.

13

]. •

Very

stri

ct in

quir

y in

to

whe

ther

info

rmat

ion

used

or d

iscl

osed

, not

the

• Th

e sh

arin

g of

the

first

D

r’s n

ote

from

ori

gina

l re

cipi

ent (

Offi

ce

Adm

inis

trat

or) t

o O

ffice

M

anag

er a

nd to

Co

mpl

aina

nt’s

Supe

rvis

or

was

dis

clos

ure

[par

a. 2

0].

It w

as fo

r val

id p

urpo

se o

f


• N

otes

from

phy

sici

an

excu

sing

Co

mpl

aina

nt fr

om

som

e ph

ysic

al ta

sks

due

to h

er m

edic

al

cond

ition

wer

e sh

ared

with

PB

supe

rvis

ors,

onl

y on

e of

who

m w

as

supe

rvis

or o

f uni

t w

here

Com

plai

nant

as

ked

to w

ork

(but

co

uldn

’t). A

nd,

Com

plai

nant

was

as

ked

ques

tions

ab

out h

er m

edic

al

cond

ition

that

re

fuse

d to

ans

wer

; m

eetin

g w

ith

Supe

rvis

or a

nd O

ffice

Ad

min

istr

ator

.

33(c

) FO

IP [p

ara.

10].

Pers

onal

info

rmat

ion

in D

r’s

note

s rel

ated

to m

edic

al

cond

ition

and

wha

t co

nditi

on p

reve

nt h

er fr

om

doin

g; so

dir

ectly

rela

ted

to

job

dutie

s.

• N

o pe

rson

al in

form

atio

n co

llect

ed in

mee

ting

beca

use

(a) p

erso

nal i

nfor

mat

ion

in

FOIP

is re

cord

ed

info

rmat

ion,

and

no

reco

rded

info

rmat

ion

colle

cted

in m

eetin

g; (b

) Co

mpl

aina

nt re

fuse

d to

an

swer

que

stio

ns so

no

colle

ctio

n [p

ara.

11].

offic

ial p

roto

col i

n pl

ace

or n

ot [p

ara.

19].

• Sa

me

cons

ider

atio

ns

rega

rdin

g us

e an

d di

sclo

sure

(i.e

. for

pu

rpos

e of

man

agin

g or

ad

min

iste

ring

per

sonn

el;

at m

inim

al n

eces

sary

). •

Prop

er u

se o

f per

sona

l in

form

atio

n.

man

agin

g pe

rson

nel

[par

a. 2

0].

• Si

mila

r dis

clos

ure

for

seco

nd D

r’s n

ote

whe

n pr

ovid

ed to

oth

er

man

agem

ent.

Agai

n va

lid

purp

ose

of m

anag

ing

pers

onne

l [pa

ra. 2

1].

• In

cons

iste

ncy

betw

een

PB

Supe

rvis

or w

itnes

s te

stim

ony

and

Com

plai

nant

spec

ulat

ion

that

seco

nd D

r’s n

ote

shar

ed w

ith o

ther

(h

oriz

onta

l) Su

perv

isor

s.

OIP

C to

ok w

itnes

s te

stim

ony

that

not

e co

nten

ts n

ot d

iscu

ssed

, ra

ther

just

lim

ited

info

rmat

ion

that

Co

mpl

aina

nt c

ould

not

co

ver o

ther

dut

ies a

nd to

pl

an st

affin

g ac

cord

ingl

y.

Man

agin

g pe

rson

nel

purp

ose

valid

. F2

013

-32

&

F20

13-3

3

2013

Ci

ty o

f Edm

onto

n •

PB sh

owed

Co

mpl

aina

nt’s

neig

hbor

cop

y of

bu

ildin

g pl

ans f

or

Com

plai

nant

’s ne

w

hous

e an

d pr

ovid

ed

copy

of p

lans

. •

Com

plai

nant

co

mpl

aine

d th

is

infr

inge

d FO

IP.

• Th

is d

ecis

ion

invo

lved

firs

t OIP

C ad

judi

catio

n; ju

dici

al

revi

ew; s

econ

d O

IPC

adju

dica

tion.

• R

e: a

cces

s: P

B m

ust s

earc

h fo

r rec

ords

that

are

in it

s cu

stod

y an

d co

ntro

l [pa

ra.

10].

• N

ot a

pplic

able

. •

Judi

cial

revi

ew o

f fir

st

OIP

C ad

judi

catio

n in

dica

ted

that

can

not u

se

PIPA

def

initi

on o

f “p

erso

nal i

nfor

mat

ion”

to

inte

rpre

t FO

IP “p

erso

nal

info

rmat

ion:

the

two

Acts

ha

ve d

iffer

ent p

urpo

ses

and

PIPA

’s de

finiti

on

defin

ed to

be

muc

h br

oade

r tha

n th

at o

f FO

IP

[par

a. 2

3].

• PI

PA P

I = in

form

atio

n ab

out i

dent

ifiab

le

indi

vidu

al. F

OIP

PI =

re

cord

ed in

form

atio

n ab

out i

dent

ifiab

le

info

rmat

ion

incl

udin

g se

vera

l spe

cific

pa

ram

eter

s.

65POLICYWISE

• FO

IP in

tend

ed to

fost

er

open

and

tran

spar

ent

gove

rnm

ent [

para

. 26]

. •

Judi

cial

revi

ew a

lso

foun

d th

at “e

xclu

sion

from

the

pres

umpt

ion

of

“unr

easo

nabl

e in

vasi

on o

f pe

rson

al p

riva

cy” d

oes n

ot

nece

ssar

ily m

ean

incl

usio

n in

the

defin

ition

of

“per

sona

l inf

orm

atio

n”

[par

a. 2

9].

• Is

sue

mor

e if

build

ing

plan

s wer

e pe

rson

al

info

rmat

ion

unde

r FO

IP:

seco

nd O

IPC

adju

dica

tion

foun

d th

ey w

ere

not

pers

onal

info

rmat

ion

beca

use

“… th

e pa

rtic

ular

ex

tern

al fe

atur

es o

f the

bu

ildin

g th

at a

re re

veal

ed

in th

e pl

ans …

are

su

ffici

ently

com

mon

plac

e …

that

they

do

not r

evea

l an

ythi

ng su

ffici

ently

pe

rson

al a

bout

[C

ompl

aina

nt] t

o m

ake

the

plan

s mor

e ‘a

bout

’ her

th

an th

ey a

re ‘a

bout

’ the

bu

ildin

g.” [

para

. 34]

. •

Sinc

e th

e in

form

atio

n is

no

t PI,

then

no

need

to

dete

rmin

e if

disc

lose

d co

ntra

FO

IP. B

ut, f

irst

O

PIC

adju

dica

tion

foun

d th

at b

uild

ing

plan

s wer

e PI

and

in sh

owin

g to

ne

ighb

or, i

t was

dis

clos

ed

cont

ra F

OIP

. F2

015

-42

2015

Al

bert

a H

uman

Se

rvic

es

• Th

e Co

mpl

aina

nt

mad

e a

com

plai

nt

to th

e Co

mm

issi

oner

that

th

e PB

had

co

llect

ed h

is

pers

onal

•

•

• Th

e Ad

judi

cato

r fou

nd

that

the

Publ

ic B

ody

had

cont

rave

ned

Part

2

of th

e FO

IP A

ct w

hen

it co

llect

ed th

e Co

mpl

aina

nt’s

pers

onal

in

form

atio

n fr

om th

e


info

rmat

ion

from

th

e JO

IN d

atab

ase.

•

He

com

plai

ned

that

th

e PB

had

co

llect

ed

info

rmat

ion

abou

t an

offe

nce

taki

ng

plac

e w

hen

he w

as

a yo

uth

and

hist

oric

al

alle

gatio

ns a

bout

hi

m th

at d

id n

ot

resu

lt in

co

nvic

tions

. •

The

Com

plai

nant

al

lege

d th

at

Hum

an S

ervi

ces

then

use

d th

e in

form

atio

n it

obta

ined

from

the

JOIN

dat

abas

e to

m

ake

deci

sion

s re

gard

ing

his

empl

oym

ent.

•

He

com

plai

ned

that

th

e PB

dis

clos

ed

his p

erso

nal

info

rmat

ion

to it

s hu

man

reso

urce

s de

part

men

t and

to

a m

embe

r of t

he

Edm

onto

n Po

lice

Serv

ice

(EPS

). H

e co

mpl

aine

d th

at

the

PB’s

use

and

disc

losu

re o

f his

pe

rson

al

info

rmat

ion

are

in

cont

rave

ntio

n of

Pa

rt 2

of t

he F

OIP

Ac

t.

JOIN

dat

abas

e, w

hen

it ha

d us

ed th

is

info

rmat

ion,

and

whe

n it

disc

lose

d th

is

info

rmat

ion

to it

s H

uman

Res

ourc

es

Div

isio

n. S

he a

lso

foun

d th

at th

e Pu

blic

Bod

y ha

d no

t est

ablis

hed

that

its

dis

clos

ure

of th

e Co

mpl

aina

nt’s

pers

onal

in

form

atio

n to

the

EPS

mem

ber w

as in

co

mpl

ianc

e w

ith P

art 2

of

the

FOIP

Act

. The

Ad

judi

cato

r ord

ered

the

Publ

ic B

ody

to st

op

colle

ctin

g, u

sing

, and

di

sclo

sing

the

Com

plai

nant

’s pe

rson

al

info

rmat

ion

in

cont

rave

ntio

n of

the

Part

2 o

f the

FO

IP A

ct.

F20

14-4

2 20

14

Calg

ary

Polic

y Se

rvic

e •

PB p

olic

y of

ficer

re

veal

ed in

form

atio

n •

Not

app

licab

le.

• N

ot a

pplic

able

. •

Sect

ion

4(1)

of F

OIP

ex

clud

es so

me

abou

t the

term

s of a

R

ecog

niza

nce,

a

Cert

ifica

te o

f Ana

lyst

, an

d a

Not

ice

of

Inte

ntio

n to

Co

mpl

aina

nt’s

pare

nts.

•

Com

plai

nant

arg

ued

his P

I dis

clos

ed in

co

ntra

vent

ion

of

FOIP

.

info

rmat

ion

from

FO

IP

info

rmat

ion

rela

ted

to

cour

t file

(jud

ges a

nd

cour

ts) (

a) a

nd re

late

d to

pr

osec

utio

n th

at h

as n

ot

been

com

plet

ed (k

). •

AB C

ourt

of A

ppea

l and

th

is O

IPC

adju

dica

tor b

oth

agre

e th

at s.

4(1

) ex

empt

ions

app

ly to

en

tiret

y of

FO

IP, s

o bo

th

acce

ss to

info

rmat

ion

and

prot

ectio

n of

pri

vacy

pr

ovis

ions

. •

Rec

ogni

zanc

e w

as si

gned

by

a ju

stic

e of

the

peac

e;

info

rmat

ion

rela

yed

to

pare

nts b

y po

licy

offic

er

oral

ly b

ut so

urce

was

R

ecog

niza

nce;

thus

, pol

icy

offic

er d

iscl

osed

in

form

atio

n; b

ut th

e in

form

atio

n an

d di

sclo

sure

bot

h ex

empt

ed

from

FO

IP p

er s.

4(1

)(a)

[p

ara.

18].

• Th

e Ce

rtifi

cate

of A

naly

st

and

Not

ice

of In

tent

ion

from

Cro

wn

pros

ecut

er v

ia

PB: “

… se

rvin

g th

e Ap

plic

ant w

ith th

ese

reco

rds w

as a

step

take

n to

fu

rthe

r an

ongo

ing

pros

ecut

ion

and

… th

e re

cord

s rel

ate

to th

e pr

osec

utio

n” [p

ara.

19].

• Pr

osec

utio

n w

as o

ngoi

ng.

Sect

ion

4(1)

(k) i

nten

ded

to

ensu

re th

at p

rose

cutio

ns

may

pro

ceed

with

out

inte

rfer

ence

. Inf

orm

atio

n in

latt

er tw

o re

cord

s re

late

d to

pro

secu

tion

not

yet c

ompl

ete.

So,

reco

rds

and

disc

losu

re fa

ll w

ithin

s.

4(1

)(k)

exe

mpt

ion

to

FOIP

[par

a. 2

2].

67POLICYWISE

abou

t the

term

s of a

R

ecog

niza

nce,

a

Cert

ifica

te o

f Ana

lyst

, an

d a

Not

ice

of

Inte

ntio

n to

Co

mpl

aina

nt’s

pare

nts.

•

Com

plai

nant

arg

ued

his P

I dis

clos

ed in

co

ntra

vent

ion

of

FOIP

.

info

rmat

ion

from

FO

IP

info

rmat

ion

rela

ted

to

cour

t file

(jud

ges a

nd

cour

ts) (

a) a

nd re

late

d to

pr

osec

utio

n th

at h

as n

o t

been

com

plet

ed (k

). •

AB C

ourt

of A

ppea

l and

th

is O

IPC

adju

dica

tor b

oth

agre

e th

at s.

4(1

) ex

empt

ions

app

ly to

en

tiret

y of

FO

IP, s

o bo

th

acce

ss to

info

rmat

ion

and

prot

ectio

n of

pri

vacy

pr

ovis

ions

. •

Rec

ogni

zanc

e w

as si

gned

by

a ju

stic

e of

the

peac

e;

info

rmat

ion

rela

yed

to

pare

nts b

y po

licy

offic

er

oral

ly b

ut so

urce

was

R

ecog

niza

nce;

thus

, pol

icy

offic

er d

iscl

osed

in

form

atio

n; b

ut th

e in

form

atio

n an

d di

sclo

sure

bot

h ex

empt

ed

from

FO

IP p

er s.

4(1

)(a)

[p

ara.

18].

• Th

e Ce

rtifi

cate

of A

naly

st

and

Not

ice

of In

tent

ion

from

Cro

wn

pros

ecut

er v

ia

PB: “

… se

rvin

g th

e Ap

plic

ant w

ith th

ese

reco

rds w

as a

step

take

n to

fu

rthe

r an

ongo

ing

pros

ecut

ion

and

… th

e re

cord

s rel

ate

to th

e pr

osec

utio

n” [p

ara.

19].

• Pr

osec

utio

n w

as o

ngoi

ng.

Sect

ion

4(1)

(k) i

nten

ded

to

ensu

re th

at p

rose

cutio

ns

may

pro

ceed

with

out

inte

rfer

ence

. Inf

orm

atio

n in

latt

er tw

o re

cord

s re

late

d to

pro

secu

tion

not

yet c

ompl

ete.

So,

reco

rds

and

disc

losu

re fa

ll w

ithin

s.

4(1

)(k)

exe

mpt

ion

to

FOIP

[par

a. 2

2].


F20

16-6

2 20

16

Albe

rta

Hea

lth

Serv

ices

•

An in

voic

e co

ntai

ning

Co

mpl

aina

nt’s

PI w

as

give

n to

her

by

a co

-w

orke

r. T

hen

PI

abou

t her

le

ave/

susp

ensi

on w

as

shar

ed w

ith o

ther

PB

empl

oyee

s (ca

rryi

ng

an u

nsea

led

enve

lope

fo

r del

iver

y). P

B w

as

her e

mpl

oyer

. •

Com

plai

nant

arg

ued

thes

e w

ere

uses

or

disc

losu

res o

f PI i

n co

ntra

vent

ion

of

FOIP

.

• N

ot a

pplic

able

. •

Anal

ysis

by

OIP

C ad

judi

cato

r was

aro

und

whe

ther

this

was

di

sclo

sure

, aut

hori

zed

or

not?

• In

form

atio

n at

issu

e w

as

PI (n

ame,

title

, sal

ary,

in

form

atio

n on

su

spen

sion

/lea

ve).

• D

iscl

osur

e is

abo

ut

whe

ther

the

othe

r [c

owor

ker i

n th

is c

ase]

“w

as a

ble

to v

iew

the

info

rmat

ion”

, not

whe

ther

th

ey a

ctua

lly d

id v

iew

the

PI o

r not

[par

a. 12

]. •

Firs

t dis

clos

ure

to

cow

orke

r in

carr

ying

in

voic

e w

as n

ot a

utho

rize

d be

caus

e co

wor

ker d

id n

ot

need

to se

e de

tails

of

invo

ice

to re

imbu

rse

Com

plai

nant

or e

ven

to

advi

se C

ompl

aina

nt th

at

clai

m a

ppro

ved

[par

a. 2

1].

• Se

cond

dis

clos

ure

to

com

mun

icat

ions

and

ed

ucat

ion

pers

onne

l in

prep

arat

ion

of n

ewsl

ette

r.

This

was

use

and

di

sclo

sure

as i

t was

in

form

atio

n sh

arin

g [p

ara.

25

]. •

Seco

nd d

iscl

osur

e w

as

mor

e in

form

atio

n th

an

reas

onab

le to

mee

t its

pu

rpos

e: g

oal t

o ta

ke

dow

n ar

ticle

abo

ut

Com

plai

nant

on

site

and

re

plac

e ar

ticle

so th

ey d

id

not n

eed

to k

now

of h

er

susp

ensi

on/l

eave

[par

a.

32].

F20

12-2

2 20

12

AB J

ustic

e &

So

licito

r Gen

eral

•

AB J

ustic

e &

Sol

icito

r G

ener

al (J

AG)

disc

lose

d 3

lett

ers o

f Co

mpl

aina

nt’s

med

ical

info

rmat

ion

and

info

rmat

ion

of

WCB

cla

ims t

o AB

• N

ot a

pplic

able

. •

Not

app

licab

le.

• In

itial

bur

den

of p

roof

on

com

plai

nant

to a

dduc

e ev

iden

ce re

gard

ing

wha

t PI

was

dis

clos

ed a

nd h

ow

it w

as d

iscl

osed

. The

pu

blic

bod

y ha

s bud

ento

sh

ow d

iscl

osur

e w

as

acco

rdin

g to

FO

IP.

69POLICYWISE

F20

16-6

2 20

16

Albe

rta

Hea

lth

Serv

ices

•

An in

voic

e co

ntai

ning

Co

mpl

aina

nt’s

PI w

as

give

n to

her

by

a co

-w

orke

r. T

hen

PI

abou

t her

le

ave/

susp

ensi

on w

as

shar

ed w

ith o

ther

PB

empl

oyee

s (ca

rryi

ng

an u

nsea

led

enve

lope

fo

r del

iver

y). P

B w

as

her e

mpl

oyer

. •

Com

plai

nant

arg

ued

thes

e w

ere

uses

or

disc

losu

res o

f PI i

n co

ntra

vent

ion

of

FOIP

.

• N

ot a

pplic

able

. •

Anal

ysis

by

OIP

C ad

judi

cato

r was

aro

und

whe

ther

this

was

di

sclo

sure

, aut

hori

zed

or

not?

• In

form

atio

n at

issu

e w

as

PI (n

ame,

title

, sal

ary,

in

form

atio

n on

su

spen

sion

/lea

ve).

• D

iscl

osur

e is

abo

ut

whe

ther

the

othe

r [c

owor

ker i

n th

is c

ase]

“w

as a

ble

to v

iew

the

info

rmat

ion”

, not

whe

ther

th

ey a

ctua

lly d

id v

iew

the

PI o

r not

[par

a. 12

]. •

Firs

t dis

clos

ure

to

cow

orke

r in

carr

ying

in

voic

e w

as n

ot a

utho

rize

d be

caus

e co

wor

ker d

id n

ot

need

to se

e de

tails

of

invo

ice

to re

imbu

rse

Com

plai

nant

or e

ven

to

advi

se C

ompl

aina

nt th

at

clai

m a

ppro

ved

[par

a. 2

1].

• Se

cond

dis

clos

ure

to

com

mun

icat

ions

and

ed

ucat

ion

pers

onne

l in

prep

arat

ion

of n

ewsl

ette

r.

This

was

use

and

di

sclo

sure

as i

t was

in

form

atio

n sh

arin

g [p

ara.

25

]. •

Seco

nd d

iscl

osur

e w

as

mor

e in

form

atio

n th

an

reas

onab

le to

mee

t its

pu

rpos

e: g

oal t

o ta

ke

dow

n ar

ticle

abo

ut

Com

plai

nant

on

site

and

re

plac

e ar

ticle

so th

ey d

id

not n

eed

to k

now

of h

er

susp

ensi

on/l

eave

[par

a.

32].

F20

12-2

2 20

12

AB J

ustic

e &

So

licito

r Gen

eral

•

AB J

ustic

e &

Sol

icito

r G

ener

al (J

AG)

disc

lose

d 3

lett

ers o

f Co

mpl

aina

nt’s

med

ical

info

rmat

ion

and

info

rmat

ion

of

WCB

cla

ims t

o AB

• N

ot a

pplic

able

. •

Not

app

licab

le.

• In

itial

bur

den

of p

roof

on

com

plai

nant

to a

dduc

e ev

iden

ce re

gard

ing

wha

t PI

was

dis

clos

ed a

nd h

ow

it w

as d

iscl

osed

. The

pu

blic

bod

y ha

s bud

ento

sh

ow d

iscl

osur

e w

as

acco

rdin

g to

FO

IP.

Corp

orat

e H

uman

R

esou

rces

(CH

R).

• Co

mpl

aina

nt a

rgue

d th

is w

as im

prop

er

disc

losu

re p

er F

OIP

.

• O

btai

ning

an

indi

vidu

al’s

cons

ent f

or d

iscl

osur

e is

on

ly o

ne o

f the

way

s a P

B ca

n ha

ve th

e au

thor

ity to

di

sclo

se th

e in

divi

dual

’s PI

[p

ara.

18].

• JA

G w

as a

utho

rize

d to

di

sclo

se P

I to

CHR

in

lett

ers b

ecau

se re

leva

nt to

de

term

ine

whe

ther

and

ho

w to

requ

est f

urth

er

med

ical

ass

essm

ent,

whi

ch C

HR

cou

ld a

ssis

t JA

G w

ith. I

nfor

mat

ion

shar

ing

rela

ted

to h

uman

re

sour

ces m

anag

emen

t be

twee

n JA

G h

uman

re

sour

ces s

taff

and

CHR

si

mila

r sta

ff. T

his

reas

onab

le p

urpo

se a

nd

fits u

nder

FO

IP [p

ara.

21]

. F2

012

-23

2012

Al

bert

a Co

rpor

ate

Hum

an

Res

ourc

es

• Co

nnec

ted

to F

2012

-22

•

AB C

orpo

rate

H

uman

Res

ourc

es

(CH

R) c

olle

cted

3

lett

ers o

f Co

mpl

aina

nt’s

med

ical

info

rmat

ion

from

AB

Just

ice

&

Solic

itor G

ener

al

(JAG

) and

pro

vide

d th

is P

I to

Life

Mar

k O

ccup

atio

nal

Serv

ices

/Life

Mar

k H

ealth

Ser

vice

s (L

M).

Lett

ers

deta

iled

med

ical

in

form

atio

n an

d cl

aim

s inf

orm

atio

n re

gard

ing

her c

laim

to

WCB

. •

Com

plai

nant

arg

ued

this

con

trav

ened

FO

IP.

• CH

R’s

colle

ctio

n of

Co

mpl

aina

nt P

I fro

m J

AG

had

not c

ontr

aven

ed F

OIP

. CH

R h

as a

utho

rity

to c

olle

ct

PI u

nder

s. 3

3(c)

as

info

rmat

ion

rela

ted

dire

ctly

to

and

was

nec

essa

ry fo

r an

oper

atin

g ac

tivity

of C

HR

. CH

R is

resp

onsi

ble

for

advi

sing

and

ass

istin

g go

vern

men

t dep

artm

ents

in

hum

an re

sour

ce m

atte

rs;

here

in J

AG re

quir

ed a

dvic

e an

d as

sist

ance

on

asse

ssin

g Co

mpl

aina

nt’s

func

tiona

l ca

paci

ty to

det

e rm

ine

her

abili

ty to

per

form

pre

viou

s ta

sks [

para

s. 16

-17]

. •

“… a

pub

lic b

ody

is e

ntitl

ed

to c

onsi

dera

ble

latit

ude

in

deci

ding

that

the

colle

ctio

n of

per

sona

l inf

orm

atio

n is

ne

cess

ary

in a

giv

en c

ase,

an

d th

at it

s dec

isio

n sh

ould

no

t be

inte

rfer

ed w

ith u

nle s

s

• N

ot a

pplic

able

. •

PB is

aut

hori

zed

to

disc

lose

PI,

in a

bsen

ce o

f in

divi

dual

’s co

nsen

t, on

ba

sis o

f any

of t

he

purp

oses

or c

ircu

mst

ance

s se

t out

in s.

40(

1) F

OIP

. •

“Eve

n if

the

exch

ange

of

info

rmat

ion

with

in a

PB

mig

ht b

e ch

arac

teri

zed

as

a us

e of

info

rmat

ion,

LM

is

a th

ird

p art

y vi

s-à-

vis

CHR

. [pa

ra. 3

1]” C

HR

ar

gued

LM

was

em

ploy

ee

of C

HR

, but

Adj

udic

ator

fo

und

LM a

s a th

ird

part

y se

rvic

e pr

ovid

ed.

• “.

. whe

n de

cidi

ng w

heth

er

the

purp

ose

of a

use

or

disc

losu

re o

f PI i

s the

sa

me

as o

r con

sist

ent w

ith

the

purp

ose

of c

olle

ctio

n,

one

shou

ld e

xam

ine

the

spec

ific

purp

ose;

ot

herw

ise,

a P

B w

ould

ha

ve to

o w

ide

a la

titud

e to

us

e an

d di

sclo

se P

I sim

ply


pate

ntly

unr

easo

nabl

e.

[par

a. 17

]”

• Th

e le

tter

s con

sist

of P

I be

caus

e co

ntai

n na

me,

in

form

atio

n ab

out h

ealth

an

d he

alth

car

e hi

stor

y,

info

rmat

ion

abou

t em

ploy

men

t his

tory

, and

ot

hers

’ opi

nion

s abo

ut h

er

[par

a. 12

]. •

This

col

lect

ion

was

indi

rect

(v

ia J

AG),

whi

ch is

in

com

plia

nce

with

s. 3

4 (P

I m

ay b

e co

llect

ed in

dire

ctly

or

mus

t be

colle

cted

dir

ectly

fr

om th

e in

divi

dual

in

ques

tion)

[par

a. 2

3].

by c

hara

cter

izin

g th

e pu

rpos

es b

road

ly e

noug

h.”

[par

a. 3

4].

• W

hile

col

lect

ion

of th

e PI

in

the

lett

ers e

nabl

ed th

e CH

R to

pro

vide

adv

ice

and

assi

stan

ce to

JAG

, the

ad

judi

cato

r fou

nd “t

hat

disc

losu

re o

f the

in

form

atio

n to

LM

was

not

ne

cess

ary

in o

rder

for

CHR

to a

ctua

lly a

rran

ge,

and

obta

in th

e re

sults

of,

the

[fun

ctio

nal c

apac

ity

exam

inat

ion]

.” [p

ara.

36]

. LM

’s as

sess

men

t was

re

lativ

ely

limite

d, so

it d

id

not r

equi

re so

man

y de

tails

abo

ut

Com

plai

nant

’s m

edic

al

cond

ition

or a

nyth

ing

abou

t her

WCB

cla

ims t

o ca

rry

out t

he F

CE.

• Th

is d

iscl

osur

e to

LM

had

no

reas

onab

le a

nd d

irec

t co

nnec

tion

to C

HR

’s sp

ecifi

c pu

rpos

e of

ar

rang

ing

the

FCE;

at

mos

t an

i ndi

rect

co

nnec

tion

exis

ted.

CH

R

colle

ctio

n fr

om J

AG w

as to

de

term

ine

if FC

E ap

prop

riat

e; o

nce

FCE

dete

rmin

ed a

ppro

pria

te,

CHR

dis

clos

ure

to L

M w

as

only

reas

onab

le to

ext

ent

to a

ctua

lly a

rran

ge F

CE

[par

a. 3

7].

• D

iscl

osur

e w

as n

ot

cons

iste

nt w

ith p

urpo

se

for w

hich

they

wer

e co

llect

ed fr

om J

AG, p

er s.

41

FO

IP.

• Co

mpl

aina

nt si

gned

co

nsen

t for

m w

ith L

M to

co

llect

ion

of h

ealth

hi

stor

y; b

ut, t

his c

onse

nt

71POLICYWISE

pate

ntly

unr

easo

nabl

e.

[par

a. 17

]”

• Th

e le

tter

s con

sist

of P

I be

caus

e co

ntai

n na

me,

in

form

atio

n ab

out h

ealth

an

d he

alth

car

e hi

stor

y,

info

rmat

ion

abou

t em

ploy

men

t his

tory

, and

ot

hers

’ opi

nion

s abo

ut h

er

[par

a. 12

]. •

This

col

lect

ion

was

indi

rect

(v

ia J

AG),

whi

ch is

in

com

plia

nce

with

s. 3

4 (P

I m

ay b

e co

llect

ed in

dire

ctly

or

mus

t be

colle

cted

dir

ectly

fr

om th

e in

divi

dual

in

ques

tion)

[par

a. 2

3].

by c

hara

cter

izin

g th

e pu

rpos

es b

road

ly e

noug

h.”

[par

a. 3

4].

• W

hile

col

lect

ion

of th

e PI

in

the

lett

ers e

nabl

ed th

e CH

R to

pro

vide

adv

ice

and

assi

stan

ce to

JAG

, the

ad

judi

cato

r fou

nd “t

hat

disc

losu

re o

f the

in

form

atio

n to

LM

was

not

ne

cess

ary

in o

rder

for

CHR

to a

ctua

lly a

rran

ge,

and

obta

in th

e re

sults

of,

the

[fun

ctio

nal c

apac

ity

exam

inat

ion]

.” [p

ara.

36]

. LM

’s as

sess

men

t was

re

lativ

ely

limite

d, so

it d

id

not r

equi

re so

man

y de

tails

abo

ut

Com

plai

nant

’s m

edic

al

cond

ition

or a

nyth

ing

abou

t her

WCB

cla

ims t

o ca

rry

out t

he F

CE.

• Th

is d

iscl

osur

e to

LM

had

no

reas

onab

le a

nd d

irec

t co

nnec

tion

to C

HR

’s sp

ecifi

c pu

rpos

e of

ar

rang

ing

the

FCE;

at

mos

t an

indi

rect

co

nnec

tion

exis

ted.

CH

R

colle

ctio

n fr

om J

AG w

as to

de

term

ine

if FC

E ap

prop

riat

e; o

nce

FCE

dete

rmin

ed a

ppro

pria

te,

CHR

dis

clos

ure

to L

M w

as

only

reas

onab

le to

ext

ent

to a

ctua

lly a

rran

ge F

CE

[par

a. 3

7].

• D

iscl

osur

e w

as n

ot

cons

iste

nt w

ith p

urpo

se

for w

hich

they

wer

e co

llect

ed fr

om J

AG, p

er s.

41

FO

IP.

• Co

mpl

aina

nt si

gned

co

nsen

t for

m w

ith L

M to

co

llect

ion

of h

ealth

hi

stor

y; b

ut, t

his c

onse

nt

only

cov

ered

col

lect

ing

info

rmat

ion

from

her

in

cour

se o

f FCE

, not

from

CH

R p

rior

to F

CE [p

ara.

40

]. F2

012

-28

2012

Ed

mon

ton

Polic

e Se

rvic

e •

Com

plai

nant

nam

e an

d lic

ense

pla

te

num

ber u

sed

to ru

n qu

erie

s on

polic

e in

form

atio

n sy

stem

s by

var

ious

PB

mem

bers

in 2

008

and

2009

. 72

quer

ies,

m

ostly

2 q

ueri

es in

si

ngle

occ

asio

n.

• Co

mpl

aina

nt a

llege

d so

me

quer

ies l

acke

d au

thor

izat

ion

by s.

39

FOIP

.

• PB

may

use

PI f

or p

urpo

se it

w

as c

olle

cted

or c

ompl

ied,

or

for u

s con

sist

ent w

ith th

at

purp

ose

(s. 3

9(1)

(a))

[par

a.

6].

• H

ere,

app

ropr

iate

pur

pose

w

ould

be

law

enf

orce

men

t pu

rpos

e or

for p

urpo

se

rela

ting

to a

nd n

eces

sary

for

an o

pera

ting

prog

ram

of P

B.

Also

, ext

ent o

f its

use

mus

t be

nec

essa

ry to

ena

ble

PB to

ca

rry

out i

ts la

w

enfo

rcem

ent p

urpo

ses i

n a

reas

onab

le m

anne

r.

• In

this

cas

e, C

ompl

aina

nt

had

alte

rcat

ion

with

pol

ice

offic

er; s

teps

take

n fo

r of

ficer

’s sa

fety

; rel

ated

to

Com

plai

nant

dri

ving

. •

Seve

ral q

ueri

es h

ad la

w

enfo

rcem

ent p

urpo

ses a

s th

ey re

late

d to

offi

cers

m

ovin

g th

e cl

aim

aga

inst

Co

mpl

aina

nt fo

rwar

d or

to

dete

rmin

e Co

mpl

aina

nt

iden

tity

etc.

. to

ensu

re h

e co

mpl

ied

with

not

goi

ng

near

hig

h sc

hool

he

was

not

to

go

near

and

to a

sses

s him

be

caus

e he

was

list

ed a

s an

offic

er sa

fety

con

cern

. •

Mos

t con

tent

ious

que

ries

by

polic

e of

ficer

vic

tim w

ho

quer

ied

Com

plai

nant

on

date

of C

ompl

aina

nt

acqu

itted

of c

harg

es.

Adju

dica

tor s

aid

actio

ns

som

ewha

t pre

mat

ure

for l

aw

enfo

rcem

ent p

urpo

se a

nd

not e

xten

t nec

essa

ry to

car

ry

out l

aw e

nfor

cem

ent

•

• Se

cond

issu

e, ra

ther

than

fr

amed

as a

ppro

pria

te

use/

disc

losu

re w

as

whe

ther

PB

mad

e re

ason

able

secu

rity

ar

rang

emen

ts a

gain

st su

ch

risk

s as u

naut

hori

zed

use.

•

“rem

arks

” fie

lds i

n da

taba

se fo

r que

ry sh

ould

be

giv

en b

ecau

se su

peri

or

evid

ence

to th

at o

f a

plau

sibl

e ex

plan

atio

n as

to

why

que

ry c

ondu

cted

, to

geth

er w

ith a

n at

test

atio

n of

usu

al o

r in

vari

able

pra

ctic

e of

co

nduc

ting

quer

ies f

or

auth

oriz

ed p

urpo

ses

[par

a. 4

0].

• O

IPC

requ

ired

a g

reat

dea

l of

ora

l tes

timon

y an

d di

scus

sion

on

the

reco

rdin

g of

spec

ific

reas

ons f

or th

e qu

ery

beca

use

that

is “a

n im

port

ant e

lem

ent o

f re

ason

able

secu

rity

m

easu

res,

in th

at it

bot

h re

quir

es th

e re

ason

to b

e fo

rmul

ated

cle

arly

bef

ore

the

quer

y is

don

e (w

hich

co

uld

diss

uade

in

appr

opri

ate

quer

ies)

, an

d en

able

s an

audi

t afte

r th

e fa

ct th

at c

an d

raw

on

dire

ct e

vide

nce

of th

e re

ason

s, a

s opp

osed

to

conj

ectu

re. …

. If t

he

reas

ons,

or a

bsen

ce o

f re

ason

s, c

anno

t be

dete

rmin

ed, t

here

is n

o di

sinc

entiv

e fo

r mem

bers


purp

ose

in a

reas

onab

le

man

ner [

para

. 20]

. •

21 q

ueri

es w

here

no

reas

on

prov

ided

but

affi

davi

ts th

at

they

wer

e as

sign

ed to

pat

rol

or c

anin

e un

it; th

at n

ot

acqu

aint

ed w

ith

Com

plai

nant

; tha

t the

re

wer

e us

ual r

easo

ns w

hy

quer

ies c

ondu

cted

; and

that

th

eir u

sual

and

inva

riab

le

prac

tice

was

to c

ondu

ct

quer

ies o

nly

for p

olic

e pu

rpos

es. N

one

of q

ueri

es

for v

ehic

le st

ops.

But

, the

tim

ing

and

orde

r of t

he

quer

ies s

ugge

sts t

hey

wer

e in

nocu

ous i

n a

way

that

re

fute

s sug

gest

ion

that

Co

mpl

aina

nt w

as

spec

ifica

lly a

nd

inap

prop

riat

ely

targ

eted

[p

ara.

35]

.

to u

se th

e to

ol fo

r in

appr

opri

ate

purp

oses

” [p

ara.

63]

. •

For C

ompl

aina

nt, a

ll qu

erie

s wer

e pr

oper

and

no

thin

g of

thes

e qu

erie

s su

gges

ts th

e sy

stem

is

faili

ng, s

o no

reas

on to

qu

estio

n w

heth

er s.

38

bein

g m

et [p

ara.

67]

.

F20

13-5

5 20

13

Wor

kers

’ Co

mpe

nsat

ion

Boar

d

• PB

col

lect

ed, u

sed

and

disc

lose

d in

form

atio

n fr

om

med

ical

con

sulta

nts

with

in P

B in

de

term

inat

ions

f or

an o

ngoi

ng c

laim

w

ith th

e PB

re

gard

ing

wor

kpla

ce

inju

ry. Q

uest

ions

re

gard

ing

inju

ry a

nd

abili

ty to

retu

rn to

w

ork.

•

Com

plai

nant

arg

ued

PB n

ot a

utho

rize

d (o

r ou

ght n

ot to

be

auth

oriz

ed) t

o re

ly o

n th

e op

inio

n of

m

edic

al c

onsu

ltant

s in

mak

ing

a de

term

inat

ion

rega

rdin

g he

r cla

im.

• Th

e m

edic

al c

onsu

ltant

s are

co

ntra

ct n

ot sa

lari

ed

empl

oyee

s of P

B; th

ey

perf

orm

func

tions

of P

B on

be

half

of P

B; a

nd m

emos

w

ritt

en o

n le

tter

head

of

Med

ical

Ser

vice

s are

a of

the

PB. T

hus,

they

are

PB

empl

oyee

s for

pur

pose

s of

FOIP

[par

a. 16

].

• Co

llect

ion

of C

ompl

aina

nt

PI b

y m

edic

al c

onsu

ltant

s is

colle

ctio

n by

PB,

as

perf

orm

ed in

cou

rse

of jo

b du

ties [

para

. 16]

. •

Mus

t giv

e de

fere

nce

to P

B to

de

term

ine

wha

t inf

orm

atio

n ne

cess

ary

to p

rope

rly

dete

rmin

e cl

aim

; ind

irec

t co

llect

ions

per

mitt

ed w

ith

this

def

eren

ce a

s the

y re

late

to

cla

im d

eter

min

atio

n [p

ara.

29]

.

• PB

soug

ht o

ut o

pini

ons

from

med

ical

co

nsul

tant

s. “E

ven

if th

ese

opin

ions

wer

e gi

ven

little

to n

o w

eigh

t in

reac

hing

a d

ecis

ion

abou

t th

e Co

mpl

aina

nt, t

hey

wer

e in

corp

orat

ed in

to

the

Com

plai

nant

’s cl

aim

fil

es; I

find

that

the

opin

ions

wer

e us

ed fo

r th

e pu

rpos

es o

f FO

IP

Act”

[par

a. 3

2].

• Se

ctio

n 41

FO

IP li

sts

whe

n us

e or

dis

clos

ure

of

PI is

con

sist

ent w

ith

purp

oses

for w

hich

it w

as

colle

cted

(rea

sona

ble

and

dire

ct c

onne

ctio

n to

that

pu

rpos

e; n

eces

sary

for

perf

orm

ing

lega

lly

auth

oriz

ed d

utie

s) [p

ara.

34

].

• Si

mila

r arg

umen

t for

di

sclo

sure

as f

or u

s. P

B di

sclo

sed

Com

plai

nant

’s PI

to m

edic

al c

onsu

ltant

s fo

r con

sulta

nts t

o fo

rm

info

rmed

opi

nion

re

gard

ing

Com

plai

nant

’s in

jury

. Def

eren

ce g

iven

. Al

l dis

clos

ure

for

reas

onab

le p

urpo

se a

nd

not m

ore

than

nec

essa

ry

[par

as. 3

7 -39

].

• N

o ev

iden

ce th

at P

B us

ed

Com

plai

nant

’s m

edic

al

info

rmat

ion

in

auth

oriz

ed m

anne

r or

beyo

nd e

xten

d ne

cess

ary

to m

ake

clai

m

dete

rmin

atio

n [p

ara.

35]

. F2

012

-27

2012

H

oly

Fam

ily

Cath

olic

Reg

iona

l D

iv N

o. 3

7

• PB

law

yer r

evea

led

info

rmat

ion

(PI v

ia

doct

or’s

refe

rral

le

tter

) to

Com

plai

nant

’s la

wye

r ab

out m

atte

r bef

ore

OIP

C w

hen

law

yer

was

not

repr

esen

ting

Com

plai

nant

in th

at

mat

ter.

The

law

yer

repr

esen

ted

Com

plai

nant

in

sepa

rate

em

ploy

men

t-re

late

d co

urt a

ctio

n; w

hile

th

e is

sue

befo

re th

e O

IPC

rela

ted

to a

n ac

cess

requ

est f

or a

re

ferr

al le

tter

and

w

here

in th

e Co

mpl

aina

nt w

as

self-

repr

esen

ted.

•

Com

plai

nant

arg

ued

this

was

dis

clos

ure

of

his P

I con

tra

FOIP

.

• W

hen

the

PB re

ceiv

ed th

e Co

mpl

aina

nt’s

lett

er to

the

FOIP

Coo

rdin

ator

, it

colle

cted

the

pers

onal

in

form

atio

n th

at th

e le

tter

co

ntai

ned

(incl

udin

g fa

ct

that

Com

plai

nant

mad

e ac

cess

requ

est f

or re

ferr

al

lett

er a

nd fa

ct in

volv

ed in

O

IPC

file)

for t

he p

urpo

se o

f co

urt a

ctio

n, a

nd a

lso

for

purp

ose

of O

IPC

file

[par

a.

28].

• N

ot a

pplic

able

. •

Com

plai

nant

did

indi

cate

th

at h

e so

ught

acc

ess t

o th

e re

ferr

al le

tter

to g

ive

to

his l

awye

r reg

ardi

ng th

e co

urt a

ctio

n. A

lso,

the

refe

rral

lett

er w

as fo

r use

in

a p

roce

edin

g be

fore

a

cour

t to

whi

ch th

e PB

was

a

part

y, so

aut

hori

zed

unde

r s. 4

0(1)

(v) F

OIP

[p

ara.

8].

•

PI u

nder

FO

IP m

ust b

e “a

bout

” an

indi

vidu

al.

“The

term

“abo

ut” i

n th

e co

ntex

t of t

he d

efin

iton

is

high

ly si

gnifi

cant

re

stri

ctiv

e m

odifi

er, i

n th

at “a

bout

” an

indi

vidu

al

is a

muc

h na

rrow

er id

ea

than

“rel

ated

” to

an

indi

vidu

al; i

nfor

mat

ion

that

is g

ener

ated

or

colle

cted

in c

onse

quen

ce

of so

me

actio

n on

the

part

of

, or a

ssoc

iate

d w

ith, a

n in

divi

dual

– a

n th

at is

th

eref

ore

conn

ecte

d to

hi

m o

r her

in so

me

way

–

is n

ot n

eces

sari

ly “a

bout

th

at in

divi

dual

. [pa

ra. 1

3]”

Whe

re P

B la

wye

r di

scus

sed

the

OIP

C fil

e as

re

solv

ed in

the

lett

er is

ab

out t

he fi

le, n

ot a

bout

th

e Co

mpl

aina

nt so

not

PI.

Onl

y PI

dis

clos

ed b

y PB

w

ere

that

he

mad

e ac

cess

re

ques

t and

invo

lved

in a

O

IPC

file;

but

, the

se w

ere

auth

oriz

ed [p

ara.

16].

73POLICYWISE

• N

o ev

iden

ce th

at P

B us

ed

Com

plai

n ant

’s m

edic

al

info

rmat

ion

in

auth

oriz

ed m

anne

r or

beyo

nd e

xten

d ne

cess

ary

to m

ake

clai

m

dete

rmin

atio

n [p

ara.

35]

. F2

012

-27

2012

H

oly

Fam

ily

Cath

olic

Reg

iona

l D

iv N

o. 3

7

• PB

law

yer r

evea

led

info

rmat

ion

(PI v

ia

doct

or’s

refe

rral

le

tter

) to

C om

plai

nant

’s la

wye

r ab

out m

atte

r bef

ore

OIP

C w

hen

law

yer

was

not

repr

esen

ting

Com

plai

nant

in th

at

mat

ter.

The

law

yer

repr

esen

ted

Com

plai

nant

in

sepa

rate

em

ploy

men

t -re

late

d co

urt a

ctio

n; w

hile

th

e is

sue

befo

re th

e O

IPC

rela

ted

to a

n ac

cess

requ

est f

or a

re

ferr

al le

tter

and

w

here

in th

e Co

mpl

aina

nt w

as

self-

repr

esen

ted.

•

Com

plai

nant

arg

ued

this

was

dis

clos

ure

of

his P

I con

tra

FOIP

.

• W

hen

the

PB re

ceiv

ed th

e Co

mpl

aina

nt’s

lett

er to

the

FOIP

Coo

rdin

ator

, it

colle

cted

the

pers

onal

in

form

atio

n th

at th

e le

tter

co

ntai

ned

(incl

udin

g fa

ct

that

Com

plai

nant

mad

e ac

cess

requ

est f

or re

ferr

al

lett

er a

nd fa

ct in

volv

ed in

O

IPC

file)

for t

he p

urpo

se o

f co

urt a

ctio

n, a

nd a

lso

for

purp

ose

of O

IPC

file

[par

a.

28].

• N

ot a

pplic

able

. •

Com

plai

nant

did

indi

cate

th

at h

e so

ught

acc

ess t

o th

e re

ferr

al le

tter

to g

ive

to

his l

awye

r reg

ardi

ng th

e co

urt a

ctio

n. A

lso,

the

refe

rral

lett

er w

as fo

r use

in

a p

roce

edin

g be

fore

a

cour

t to

whi

ch th

e PB

was

a

part

y, so

aut

hori

zed

unde

r s. 4

0(1)

(v) F

OIP

[ p

ara.

8].

•

PI u

nder

FO

IP m

ust b

e “a

bout

” an

indi

vidu

al.

“The

term

“abo

ut” i

n th

e co

ntex

t of t

he d

efin

iton

is

high

ly si

gnifi

cant

re

stri

ctiv

e m

odifi

er, i

n th

at “a

bout

” an

indi

vidu

al

is a

muc

h na

rrow

er id

ea

than

“rel

ated

” to

an

indi

vidu

al; i

nfor

mat

ion

that

is g

ener

ated

or

colle

cted

in c

onse

quen

ce

of so

me

actio

n on

the

part

of

, or a

ssoc

iate

d w

ith, a

n in

divi

dual

– a

n th

at is

th

eref

ore

conn

ecte

d to

hi

m o

r her

in so

me

way

–

is n

ot n

eces

sari

ly “a

bout

th

at in

divi

dual

. [pa

ra. 1

3]”

Whe

re P

B la

wye

r di

scus

sed

the

OIP

C f il

e as

re

solv

ed in

the

lett

er is

ab

out t

he fi

le, n

ot a

bout

th

e Co

mpl

aina

nt so

not

PI.

Onl

y PI

dis

clos

ed b

y PB

w

ere

that

he

mad

e ac

cess

re

ques

t and

invo

lved

in a

O

IPC

file;

but

, the

se w

ere

auth

oriz

ed [p

ara.

16].


• Co

mpl

aina

nt le

tter

to

FOIP

Coo

rdin

ator

refe

rred

to

the

cour

t act

ion;

thus

, Co

mpl

aina

nt li

nked

thes

e tw

o ac

tions

. Co

rres

pond

ence

by

PB

law

yer m

ust o

nly

be to

Co

mpl

aina

nt la

wye

r (L

awye

r’s C

ode

of

Cond

uct)

and

wou

ld o

nly

be c

oher

ent a

nd

unde

rsta

ndab

le if

refe

rred

to

refe

rral

lett

er a

nd O

IPC

file

[par

a. 2

6].

• Th

e di

sclo

sure

was

co

nsis

tent

with

one

of t

he

purp

oses

for w

hich

the

Com

plai

nant

’s le

tter

was

in

itial

ly c

olle

cted

(the

co

urt a

ctio

n), t

hus t

he P

B w

as a

utho

rize

d to

dis

clos

e un

der s

. 40(

1) (c

) [pa

ra.

28].

• Th

e di

sclo

sure

was

onl

y to

th

e ex

tent

nec

essa

ry to

en

able

the

PB to

resp

ond

to th

e Co

mpl

aina

nt’s

lett

er

in a

reas

onab

le m

anne

r (it

com

plet

e th

e di

scus

sion

) [p

ara.

31]

. No

supe

rflu

ous

or e

xtra

neou

s inf

orm

atio

n th

at P

B sh

ould

hav

e re

dact

ed; a

nd, l

ette

r re

fere

nces

the

only

co

here

nt a

nd se

nsib

le w

ay

to a

ddre

ss p

oint

s Co

mpl

aina

nt h

ad m

ade

[par

a. 3

2].

• W

hile

dir

ectio

n of

co

mm

unic

atio

n be

twee

n la

wye

rs g

uide

d by

Law

So

ciet

y of

Alb

erta

Pr

ofes

sion

al C

ode

of

Cond

uct;

the

cont

ent o

f th

e di

scus

sion

and

any

di

sclo

sure

of P

I gui

ded

by

s. 4

0(1)

(c) o

f FO

IP in

that

75POLICYWISE

disc

losu

re m

ust b

e fo

r pu

rpos

e co

nsis

tent

with

pu

rpos

e fo

r whi

ch

info

rmat

ion

was

ori

gina

lly

colle

cted

from

the

Com

plai

nant

. With

thes

e bo

th, P

B au

thor

ized

to

disc

losu

re in

form

atio

n to

Co

mpl

aina

nt la

wye

r [pa

ra.

40].

P20

13-0

3 20

13

Proj

ect

Porc

hlig

ht

• Co

mpl

aina

nt

empl

oyer

trac

ed

pers

onal

tele

phon

e ca

lls m

ade

usin

g a

Blac

kber

ry d

evic

e pr

ovid

ed to

him

by

the

orga

niza

tion.

Co

mpl

aina

nt a

llege

d th

at b

reac

hed

PIPA

al

ong

with

alle

ged

failu

re to

secu

re h

is

PI c

onta

ined

in h

is

empl

oym

ent o

ffer

lett

er a

nd ta

x fo

rms.

• O

rgan

izat

ion

was

in

corp

orat

ed u

nder

Ont

ario

le

gisl

atio

n as

not

-for

-pro

fit

non-

shar

e ca

pita

l co

rpor

atio

n; b

ut, n

ot in

Al

bert

a, so

it w

as n

ot a

not

-fo

r-pr

ofit

and

thus

not

ex

empt

from

PIP

A. It

is a

n or

gani

zatio

n; th

us su

bjec

t to

PIPA

rega

rdin

g al

l PI t

hat i

s co

llect

ed, u

sed

and

disc

lose

d by

it [p

ara.

16].

• O

rgan

izat

ion

calle

d ce

rtai

n nu

mbe

rs o

n th

e Co

mpl

aina

nt’s

call

list

invo

ice

so a

s to

asce

rtai

n th

e re

cipi

ents

of t

he c

alls

and

th

e na

ture

of t

he c

alls

[par

a.

23].

This

was

col

lect

ion

of

info

rmat

ion

[par

a. 2

6].

Org

aniz

atio

n us

ed th

is

info

rmat

ion

beca

use

arra

nged

mee

ting

with

Co

mpl

aina

nt to

cha

stis

e hi

m

for m

akin

g th

e te

leph

one

calls

[par

a. 2

6].

• Th

is in

form

atio

n w

as

pers

onal

info

rmat

ion

(not

pe

rson

al e

mpl

oyee

in

form

atio

n) b

ecau

se it

in

clud

ed id

entit

ies o

f cer

tain

re

cipi

ents

reve

aled

to b

e hi

s fr

iend

s and

/or f

amily

and

th

e na

ture

of a

t lea

st o

ne c

all

reve

aled

one

of h

is in

tere

sts

of a

hig

hly

pers

onal

nat

ure.

Th

is in

form

atio

n w

as

• Sa

me

anal

ysis

for

colle

ctio

n an

d us

e.

• “I

f an

orga

niza

tion

does

no

t hav

e th

e au

thor

ity to

co

llect

and

use

par

ticul

ar

pers

onal

info

rmat

ion,

it

nece

ssar

ily c

olle

cts a

nd

uses

the

info

rmat

ion

for

purp

oses

that

are

not

re

ason

able

, and

ther

e ca

n be

no

poss

ibili

ty o

f co

llect

ion

and

use

to a

re

ason

able

ext

ent.”

[par

a.

59]

• Al

so d

iscu

ssed

re

ason

able

secu

rity

: “An

or

gani

zatio

n ha

s the

bu

rden

of p

rovi

ng th

at it

m

ade

reas

onab

le se

curi

ty

arra

ngem

ents

to p

rote

ct

the

pers

onal

info

rmat

ion

that

is in

its c

usto

dy o

r un

der i

ts c

ontr

ol, a

s it i

s in

the

best

pos

ition

to

prov

ide

evid

ence

of t

he

step

s tha

t it h

as ta

ken.

” [p

ara.

68]

Ask

ing

an

empl

oyee

to re

com

plet

e an

ann

ual f

orm

doe

s nto

m

ean

that

it h

as

lost

/mis

plac

ed/i

nsec

urel

y ha

ndle

d pr

evio

us

info

rmat

ion.

O

rgan

izat

ion

mai

ntai

ns

pers

onne

l rec

ords

in a

se

cure

file

loca

tion

at it

s he

ad o

ffice

. Tha

t suf

ficed

•


“abo

ut” t

he C

ompl

aina

nt a

s an

iden

tifia

ble

indi

vidu

al

[par

a. 2

7].

• Ad

judi

cato

r fou

nd th

ere

was

no

“acc

epta

ble

use”

pol

icy

that

rest

rict

ed th

e ab

ility

of

the

Com

plai

nant

to m

ake

pers

onal

cal

ls u

sing

the

Blac

kber

ry, a

nd th

ere

was

th

eref

ore

no su

ch p

olic

y in

corp

orat

ed in

to h

is

empl

oym

ent a

gree

men

t. Th

is m

eant

, the

re c

ould

be

no p

ossi

ble

brea

ch o

f the

Co

mpl

aina

nt’s

empl

oym

ent

agre

emen

t, no

inve

stig

atio

n,

and

no a

bilit

y fo

r the

O

rgan

izat

ion

to re

ly o

n ss

. 14

(d) a

nd 17

(d) t

o co

llect

an

d us

e th

e Co

mpl

aina

nt’s

PI [p

ara.

41]

. •

An o

rgan

izat

ion

mig

ht b

e ab

le to

col

lect

and

use

in

form

atio

n re

gard

ing

reci

pien

ts a

nd n

atur

e of

ph

one

calls

mad

e by

em

ploy

ee u

sing

em

ploy

er-

issu

ed c

omm

unic

atio

ns

devi

ce (s

s. 15

, 18

PIPA

) if (

a)

it is

reas

onab

le fo

r or

gani

zatio

n to

col

lect

and

us

e th

e in

form

atio

n fo

r the

pa

rtic

ular

pur

pose

; and

(2)

the

colle

ctio

n an

d us

e of

in

form

atio

n in

que

stio

n m

ust r

elat

e to

the

empl

oym

ent r

elat

ions

hip

or

be fo

r pur

pose

s of m

anag

ing

the

empl

oym

ent

rela

tions

hip

[par

a. 4

6].

• Ju

st b

ecau

se e

mpl

oyer

un

ilate

rally

cho

oses

to d

o so

met

hing

rega

rdin

g an

em

ploy

ee d

oes n

ot

auto

mat

ica l

ly m

ake

the

empl

oyer

’s ac

t som

ethi

ng

rela

ting

to e

mpl

oym

ent

for r

easo

nabl

e se

curi

ty

for a

djud

icat

or [p

ara.

70

].

77POLICYWISE

rela

tions

hip

or m

anag

emen

t of

that

rela

tions

hip

[par

a.

47].

• N

o co

nsen

t or p

rior

not

ice

had

occu

rred

in th

is c

ase

to

perm

it co

llect

ion

and

use

of

PI. [

para

. 52]

•

•

Org

aniz

atio

n or

dere

d to

stop

co

llect

ing

and

usin

g PI

in

cont

rave

ntio

n of

PIP

A.

P20

13-0

1 20

13

Prof

essi

onal

D

rive

rs B

urea

u of

Ca

nada

Inc.

• O

rgan

izat

ion

Gat

hers

in

form

atio

n ab

out

truc

k dr

iver

s fro

m

thei

r em

ploy

ers,

and

th

en m

akes

this

in

form

atio

n av

aila

ble

by su

bscr

iptio

n to

its

clie

nts,

whi

ch in

clud

e ot

her e

mpl

oyer

s or

pros

pect

ive

empl

oyer

s of t

ruck

dr

iver

s .

• Co

mpl

aina

nt

requ

este

d ac

cess

to

her P

I; a

nd a

sked

O

IPC

to re

view

O

rgan

izat

ion’

s re

spon

se to

her

and

m

ade

com

plai

nt

rega

rdin

g th

e O

rgan

izat

ion’

s co

llect

ion,

use

and

di

sclo

sure

of h

er P

I.

• Th

e in

form

atio

n at

issu

e w

as

PI a

s it c

onta

ined

her

lice

nse

num

ber,

dat

e of

bir

th, s

ocia

l in

sura

nce

num

ber,

hei

ght,

wei

ght,

e tc…

. Th

e O

rgan

izat

ion

prov

ided

no

subm

issi

ons f

or th

is in

quir

y.

• Th

at “…

the

Org

aniz

atio

n ha

s cus

tody

of t

he re

cord

s es

tabl

ishe

s tha

t the

O

rgan

izat

ion

has c

olle

cted

an

d us

ed th

e Co

mpl

aina

nt’s

pers

onal

info

rmat

ion

with

in

the

term

s of s

. (1)

(k) [

of

PIPA

]” [p

ara.

20]

. •

Alth

ough

the

pers

onal

in

form

atio

n w

as o

rigi

nally

co

llect

ed a

nd u

sed

for

purp

oses

of e

ither

es

tabl

ishi

ng o

r man

agin

g em

ploy

men

t rel

atio

nshi

p,

ther

e w

as n

o em

ploy

men

t re

latio

nshi

p be

twee

n O

rgan

izat

ion

and

Com

plai

nant

. So,

this

is n

ot

pers

onal

em

plo y

ee

info

rmat

ion.

So,

no

exce

ptio

ns to

con

sent

for

disc

losu

re a

vaila

ble

(i.e.

ss.

14, 1

5 an

d 21

). [p

aras

. 22 -

23]

• Al

thou

gh th

e O

rgan

izat

ion

calls

itse

lf an

ass

ocia

tion,

th

e or

gani

zatio

n is

a

corp

orat

ion,

and

dis

tinct

• Sa

me

as c

olle

ctio

n di

scus

sion

. •

The

evid

ence

con

tain

ed o

n O

rgan

izat

ion’

s web

site

ba

se fi

ndin

g th

at

Org

aniz

atio

n ha

s co

llect

ed, u

se a

nd

disc

lose

d th

e PI

of th

e Co

mpl

aina

nt (a

nd o

ther

tr

uck

driv

ers)

[par

a. 2

5].

Org

aniz

atio

n ga

ther

s em

ploy

men

t his

tory

abo

ut

truc

k dr

iver

s and

giv

es

acce

ss to

this

info

rmat

ion

to tr

ucki

ng c

ompa

nies

that

pa

y su

bscr

iptio

n fe

e [p

ara.

27

]. In

form

atio

n ke

pt in

pa

per f

iles a

nd in

a

data

base

[par

a. 2

9].

Rep

orts

they

pro

duce

co

ntai

n dr

iver

’s em

ploy

men

t his

tory

with

em

ploy

ers,

the

empl

oyer

’s op

inio

ns, t

he e

mpl

oyee

’s dr

iver

’s lic

ense

, and

bi

rthd

ate

[par

. 29]

. “Th

e O

rgan

izat

ion

colle

cts

pers

onal

info

rmat

ion

abou

t tru

ck d

rive

rs fr

om

truc

king

com

pani

es, u

ses

this

info

rmat

ion,

by

crea

ting

a fil

e an

d ad

ding

it

to it

s dat

abas

e w

hich

it

will

offe

r for

pur

chas

e,

and

disc

lose

s the

PI t

o cl

ient

s whe

n th

ey re

ques

t a

repo

rt a

nd p

ay fo

r it”

[p

ara.

29]

.


from

the

orga

niza

tions

that

su

bmitt

ed th

e Co

mpl

aina

nt’s

PI to

it [p

ara.

30

]. •

The

Org

aniz

atio

n di

d no

t ob

tain

con

sent

from

Co

mpl

aina

nt in

ci

rcum

stan

ces w

here

it w

as

nece

ssar

y th

at it

do

so, a

nd

had

not p

rovi

ded

notic

e of

its

col

lect

ion

[par

a. 3

5]. T

he

cons

ents

Com

plai

nant

en

tere

d in

to w

hen

appl

yin g

to

a tr

ucki

ng c

ompa

ny w

ere

not e

xten

ded

to th

e O

rgan

izat

ion

and

did

not

auth

oriz

e th

e tr

ucki

ng

com

pany

to d

iscl

ose

the

Com

plai

nant

’s PI

to th

e O

rgan

izat

ion

so th

at th

e O

rgan

izat

ion

coul

d us

e it

for

its b

usin

ess o

r dis

clos

e it

furt

her [

para

. 35]

. Aut

hori

t y

to c

heck

refe

renc

es d

oes n

ot

auth

oriz

e th

is th

ird -

part

y O

rgan

izat

ion

to c

olle

ct, u

se

or d

iscl

ose

PI.

• A

hand

-wri

tten

con

sent

afte

r th

e O

rgan

izat

ion

has

colle

cted

PI d

id n

ot su

ffice

fo

r OIP

C Ad

judi

cato

r. A

lso,

th

e co

nsen

t for

Org

aniz

atio

n to

con

duct

refe

renc

e ch

eck

“can

not b

e in

terp

rete

d as

au

thor

izin

g th

e O

rgan

izat

ion

to c

olle

ct th

e ki

nds o

f in

form

atio

n th

at it

has

co

llect

ed” (

very

per

sona

l in

form

atio

n su

ch a

s hei

ght,

wei

ght,

SIN

) [pa

ra. 3

9].

• N

o st

atut

ory

exem

ptio

ns

appl

ied

to O

rgan

izat

ion

gett

ing

cons

ent.

• R

easo

nabl

enes

s of c

olle

ctio

n re

quir

es th

at c

olle

ctio

n ac

tual

ly m

eet t

he p

urpo

se

for w

hich

it is

inte

nded

• O

rgan

izat

ion

had

not

esta

blis

hed

that

it h

ad

colle

cted

, use

d, a

nd

disc

lose

d on

ly th

e pe

rson

al in

form

atio

n ne

cess

ary

for m

eetin

gs it

s pu

rpos

es. S

o,

Org

aniz

atio

n ha

d br

each

ed P

IPA

in a

ll re

gard

s and

ord

ered

to

ceas

e co

llect

ing,

usi

ng a

nd

disc

losi

ng p

erso

nal

info

rmat

ion

of

Com

plai

nant

in

cont

rave

ntio

n of

PIP

A.

• Be

caus

e no

evi

denc

e th

at

esta

blis

hed

a re

ason

able

pu

rpos

e fo

r col

lect

ion

and

use

of C

ompl

aina

nt’s

PI,

then

no

evid

ence

to

esta

blis

h th

at d

iscl

osur

es

wer

e fo

r rea

sona

ble

purp

ose.

79POLICYWISE

[par

a. 5

0]. B

ecau

se

Org

aniz

atio

n di

d no

t mak

e su

bmis

sion

s for

inqu

iry;

w

ebsi

te a

nd re

cord

s alo

ne

coul

d no

t cor

rela

te th

e in

form

atio

n th

at w

as

colle

cted

with

the

purp

ose

in

colle

ctin

g it.

Can

not f

ind

that

Org

aniz

atio

n tr

ying

to

com

bat f

raud

in c

olle

ctin

g PI

, so

dist

ingu

isha

ble

from

le

gal c

ases

(e.g

. Leo

n’s)

. [p

ara.

52]

. •

Org

aniz

atio

n ha

d no

t es

tabl

ishe

d th

at it

had

co

llect

ed, u

sed

or d

iscl

osed

th

e Co

mpl

aina

nt’s

pers

onal

in

form

atio

n on

ly fo

r re

ason

able

pur

pose

s.

Beca

use

Org

aniz

atio

n di

d no

t exp

lain

pur

pose

, the

n ca

nnot

est

ablis

h a

reas

onab

le p

urpo

se [p

ara.

55

]. •

Sinc

e O

rgan

izat

ion

colle

cts

PI fr

om tr

ucki

ng c

ompa

nies

no

t Com

plai

nant

dir

ectly

, th

en m

ust b

e w

ithin

s. 12

(in

form

atio

n at

issu

e m

ay b

e co

llect

ed w

ithou

t con

sent

of

indi

vidu

al u

nder

s.. 1

4, 15

or

22).

Sinc

e co

nsen

t mus

t be

obta

ined

for P

I at i

ssue

, the

n co

ntra

vene

s. 12

[par

a. 6

8].

• Se

ctio

n 13

requ

ires

not

ice

of

purp

ose

of c

olle

ctin

g PI

and

na

me

of so

meo

ne w

ho

answ

er’s

for O

rgan

izat

ion

any

ques

tions

abo

ut

colle

ctio

n.

F20

13-0

6 20

13

Serv

ice

Albe

rta

• Em

ploy

ee o

f Sen

tinel

R

egis

try

disc

lose

d th

e Co

mpl

aina

nt’s

addr

ess t

o an

in

divi

dual

who

had

th

en g

one

to th

e ad

dres

s with

the

• N

ot a

pplic

able

•

Not

app

licab

le.

• Th

e PI

at i

ssue

dis

clos

ed

from

a re

gist

ry m

aint

aine

d by

PB;

so if

info

rmat

ion

is

in th

e co

ntro

l or c

usto

dy

of a

pub

lic b

ody,

such

as

Serv

ice

Albe

rta,

then

PIP

A do

es n

ot a

pply

. FO

IP


inte

ntio

n of

ha

rass

ing

or

conf

ront

ing

the

Com

plia

nant

. OIP

C pr

evio

usly

de

term

ined

that

FO

IP a

pplie

d.

• Co

mpl

aina

nt

com

plai

ned

of

impr

oper

dis

clos

ure.

•

GET

FR

OM

PAP

ER

AT H

OM

E.

appl

ies a

s thi

s is p

erso

nal

info

rmat

ion

disc

lose

d fr

om M

OVE

S da

taba

se.

• R

egis

try

empl

oyee

di

sclo

sed

PI w

ithou

t au

thor

izat

ion,

con

trar

y to

PB

’s po

licie

s and

pr

oced

ures

. SO

, PB

did

not d

iscl

ose

Com

plai

nant

’s PI

. Dis

clos

ures

by

rogu

e em

ploy

ee, n

ot P

B [p

ara.

10

]. •

PB h

ad n

ot ta

ken

adeq

uate

m

easu

res t

o m

onito

r m

anne

r in

whi

ch R

egis

try

empl

oyee

s acc

esse

d PI

fr

om M

OVE

S da

taba

se.

F20

13-0

1 20

13

Edm

onto

n Po

lice

Serv

ice

• PB

’s pr

evio

us p

olic

y in

clud

ed th

at

web

site

pos

ted

copi

es

of d

isci

plin

ary

deci

sion

s inv

olvi

ng

its m

embe

rs.

• Ap

plic

ant o

ngoi

ng

requ

est t

o PB

for

copi

es o

f dis

cipl

inar

y de

cisi

ons n

ot p

oste

d on

web

site

. PB

resp

onse

d bu

t se

vere

d la

rge

port

ions

per

FO

IP.

• In

form

atio

n at

issu

e w

as

pers

onal

info

rmat

ion

as it

re

late

d to

con

tent

of

disc

iplin

ary

deci

sion

s, 3

pa

rtie

s’ na

mes

, age

s, se

x,

mar

ital s

tatu

s, h

/c a

nd

empl

oym

ent h

isto

ry, a

nd

opin

ions

abo

ut th

em [p

ara.

8]

.

•

• In

its d

ecis

ion

as to

w

heth

er to

with

hold

or

disc

lose

reco

rds

resp

onsi

ve to

requ

est,

PB

not t

aken

into

acc

ount

all

rele

vant

fact

ors e

spec

ially

th

at d

isci

plin

ary

deci

sion

s in

this

inqu

iry

wer

e re

ad

alou

d, p

ublic

ly, a

t he

arin

g’s c

oncl

usio

n.

• S.

17 F

OIP

rela

tes t

o di

sclo

sure

har

mfu

l to

pers

onal

pri

vacy

(with

hold

be

caus

e di

sclo

sure

wou

ld

be u

nrea

sona

ble

inva

sion

of

the

thir

d pa

rtie

s’ pe

rson

al p

riva

cy).

• M

uch

of se

vere

d in

form

atio

n w

as n

ot

med

ical

info

rmat

ion

(whi

ch w

ould

be

unre

ason

able

inva

sion

if

disc

lose

d).

• S

17(5

) req

uire

s co

nsid

erat

ion

of a

ny

over

ridi

ng fa

ctor

s w

eigh

ing

in fa

vour

of

disc

losu

re. P

revi

ous

deci

sion

s fou

nd th

at

81POLICYWISE

desi

rabi

lity

of su

bjec

ting

actio

ns o

f a p

olic

e se

rvic

e to

pub

lic sc

rutin

y ov

erro

de p

resu

mpt

ions

ag

ains

t dis

clos

ure

and

any

poss

ible

repu

tatio

nal

harm

[par

a. 19

]. •

Verb

ally

dis

clos

ing

cont

ent o

f wri

tten

reco

rd

= di

sclo

sure

und

er F

OIP

[p

ara.

33]

. Thu

s, P

B di

sclo

sed

deci

sion

s to

any

mem

ber o

f pub

lic p

rese

nt,

mem

ber o

f med

ia p

rese

nt,

who

may

hav

e th

en

diss

emin

ated

this

in

form

atio

n fu

rthe

r. •

BC O

IPC

deci

sion

: pri

or

publ

ic d

iscl

osur

e by

PB

of

info

soug

ht in

acc

ess

requ

est o

verr

ides

pr

esum

ptio

n th

at

disc

losu

re w

ould

be

unre

ason

able

inva

sion

of a

th

ird

part

y’s p

erso

nal

priv

acy.

[par

a 36

-37]

•

ABQ

B: p

rinc

iple

that

w

hen

polic

e di

scip

linar

y he

arin

gs a

re h

eld

in

publ

ic, t

here

is n

o ex

pect

atio

n of

pri

vacy

. •

Any

repu

tatio

nal h

arm

s or

futu

re e

mpl

oym

ent h

arm

s to

subj

ects

of t

he

disc

iplin

ary

hear

ings

(a

ffect

ed 3

rd p

artie

s) o

n di

sclo

sure

wou

ld h

ave

been

ther

e an

yway

s be

caus

e of

the

disc

iplin

ary

hear

ing

and

not u

nfai

r to

disc

lose

if th

ey h

ad in

fact

br

each

ed p

olic

e re

gula

tions

/cod

es. S

o th

ese

fact

ors d

id n

ot

miti

gate

the

disc

losu

re.

F20

13-0

2 20

13

Gra

nde

Yello

whe

ad

• Co

mpl

aina

nts

succ

essf

ully

sued

for

•

•

• Im

plie

d un

dert

akin

g no

t to

use

info

rmat

ion


Publ

ic S

choo

l D

ivis

ion

No.

77

defa

mat

ion

by

Albe

rta

Teac

hers

’ As

soci

atio

n, p

rinc

ipal

an

d te

ache

r at s

choo

l th

eir s

on a

tten

ded.

•

Com

plai

nant

s co

mpl

aine

d PB

di

sclo

sed

thei

r PI t

o AT

A co

ntra

ct F

OIP

.

disc

lose

d th

roug

h a

pre-

tria

l dis

cove

ry p

roce

ss

appl

ied

to m

uch

of th

e in

form

atio

n at

issu

e. O

IPC

only

dea

lt w

ith in

fo in

Co

mpl

aina

nt’s

poss

essi

on

as re

sult

of a

cces

s req

uest

m

ade

to P

B by

Co

mpl

aina

nts.

•

Info

giv

en b

y PB

to A

TA a

s pa

rt o

f the

pre

-tri

al

disc

over

y pr

oces

s.

Cons

ider

PI b

ecau

e Co

mpl

aina

nts’

nam

es,

mar

ital s

tatu

s, o

pini

ons

abou

t Com

plai

nant

s and

Co

mpl

aina

nts’

pers

onal

vi

ews o

r opi

nion

s.

• Is

sues

with

subm

issi

ons

from

PB.

•

Just

ifica

tion

for

disc

losu

res m

ade

at t r

ial

of d

efam

atio

n cl

aim

by

PB

beca

use

Not

ice

to A

tten

d su

bmitt

ed. B

UT,

not

ju

stify

dis

clos

ure

of

reco

rds p

rior

to th

e tr

ial.

• O

PIC

foun

d th

at

Com

plai

nant

s’ PI

was

di

sclo

sed

to A

TA b

y PB

em

ploy

ees (

eith

er

supe

rint

ende

nt o

r pr

inci

pal)

[par

a. 3

8]. B

oth

mem

bers

of A

TA b

ut o

nly

prin

cipa

l was

par

ty to

lit

igat

ion.

•

FOIP

: gov

erns

the

actio

ns

of p

ublic

bod

ies,

not

in

divi

dual

s. S

o w

hen

indi

vidu

al a

ctin

g as

hea

d of

a p

ublic

bod

y, th

en

FOIP

app

lies b

ut n

ot w

hen

actin

g in

per

sona

l cap

acity

[p

ara.

44]

. •

Teac

hers

’ rig

hts t

o no

t be

defa

med

, wei

gh

83POLICYWISE

pow

erfu

lly in

favo

ur o

f di

sclo

sure

of P

I. [p

ara.

58]

D

iscl

osur

e im

port

ant t

o de

term

inat

ion

of ri

ghts

. P

2013

-08

2013

So

beys

Gro

up

Inc.

•

A fo

rem

an o

f O

rgan

izat

ion

calle

d he

r to

ask

abou

t her

ab

senc

e fr

om w

ork;

fo

rem

an to

ld h

er th

at

he h

ad re

ad h

er

pers

onne

l file

and

re

ad to

her

in

form

atio

n fr

om th

e fil

e ab

out h

er

disa

bilit

y cl

aim

mad

e to

her

insu

ranc

e co

mpa

ny. A

frie

nd o

f Co

mpl

aina

nt a

lso

calle

d he

r afte

r fo

rem

an h

ad to

ld

frie

nd a

bout

Co

mpl

aina

nt’s

disa

bilit

y cl

aim

. •

Com

plai

nt th

at

Org

aniz

atio

n ha

d im

prop

erly

col

lect

ed,

used

and

dis

clos

ed P

I w

hile

Com

plai

nant

on

med

ical

leav

e.

• O

rgan

izat

ion

did

not

part

icip

ate

in th

e in

quir

y.

• us

e •

Com

plai

nant

’s de

scri

ptio

n of

co

nver

satio

ns w

ith

fore

man

and

frie

nd m

et

initi

al b

urde

n of

pro

of

rega

rdin

g us

e an

d di

sclo

sure

[par

a. 12

]. •

PI/P

EI u

sed

whe

n fo

rem

an a

cces

sed

her

pers

onne

l file

and

di

scus

sed

the

disa

bilit

y cl

aim

stat

us w

ith

Com

plai

nant

. •

Beca

use

no su

bmis

sion

s,

uncl

ear w

hy fo

rem

an

wou

ld n

eed

to se

e en

tire

insu

rer l

ette

r and

det

ails

; ra

ther

than

lim

ited

to

know

that

dis

abili

ty c

laim

de

nied

. [pa

ra. 2

9].

• Bu

t, th

is in

fo a

lso

PI.

Coul

d be

exe

mpt

from

co

nsen

t und

er s.

17 P

IPA

unde

r spe

cifie

d ci

rcum

stan

ces.

But

, no

evid

ence

from

O

rgan

izat

ion

so fo

und

that

no

auth

ority

to u

se

PI w

ithou

t con

sent

.

• Fo

rem

an d

iscl

osed

PI/

PEI

whe

n fo

rem

an to

ld h

er

frie

nd/c

owor

ker t

hat t

he

Com

plai

nant

’s cl

aim

had

be

en d

enie

d [p

ara.

34]

. Po

ssib

le th

at fo

rem

an

disc

lose

d in

form

atio

n fo

r pu

rpos

e of

man

agin

g Co

mpl

aina

nt’s

empl

oym

ent;

but n

o su

bmis

sion

s so

not s

ure.

Bu

t, in

any

cas

e, n

ot

reas

onab

le to

dis

clos

e th

e st

atus

of t

he

Com

plai

nant

’s di

sabi

lity

clai

m [p

ara.

35]

. •

But,

this

info

als

o PI

. Co

uld

be e

xem

pt fr

om

cons

ent u

nder

s. 2

0 PI

PA

unde

r spe

cifie

d ci

rcum

stan

ces.

But

, no

evid

ence

from

O

rgan

izat

ion

so fo

und

that

no

aut

hori

ty to

col

lect

PI

disc

lose

con

sent

.

P20

14-0

3 20

14

Mor

pheu

s Th

eatr

e So

ciet

y &

St

oryb

rook

Th

eatr

e So

ciet

y

• M

arke

ting

emai

l fr

om S

tory

book

Th

eatr

e So

ciet

y. H

e co

mpl

aine

d to

St

oryb

ook,

whi

ch

stat

ed th

at a

n er

ror

in it

s dat

abas

e th

at

shar

ed w

ith

Mor

pheu

s The

atre

So

ciet

y ca

usin

g St

oryb

ook

to h

ave

acce

ss to

Mor

pheu

s pa

tron

info

rmat

ion.

• Co

mpl

aina

nt’s

past

sp

onso

rshi

p of

Sto

rybo

ok

mak

es th

e co

llect

ion

of P

I by

Stor

yboo

k no

long

er a

n is

sue

[par

a. 8

]. •

PI in

clud

es n

ame

and

emai

l ad

dres

s. S

o, P

I at i

ssue

. •

Stor

yboo

k is

a N

FP

inco

rpor

ated

und

er S

ocie

ties

Act,

so a

n N

FP u

nder

PIP

A.

• St

oryb

ook

sent

Co

mpl

aina

nt a

n em

ail

adve

rtis

ing

a St

oryb

ook

prog

ram

. So,

Sto

rybo

ok

used

the

Com

plai

nant

’s na

me

and

cont

act

info

rmat

ion

in se

ndin

g th

at e

mai

l. [p

ara.

20]

. •

Base

d on

pas

t dec

isio

n (P

2013

-D-0

1): “

A co

mm

erci

al a

ctiv

ity is

an

y tr

ansa

ctio

n, a

ct,

cond

uct o

r reg

ular

cou

rse

• Co

mpl

aina

nt w

as a

pas

t sp

onso

r of S

tory

book

, w

hich

is w

hy S

tory

book

ha

d th

e Co

mpl

aina

nt’s

PI.

So M

orph

eus d

id n

ot

disc

lose

info

rmat

ion

to

Stor

yboo

k. [p

ara.

8]


• Co

mpl

aint

that

M

orph

eus d

iscl

osed

PI

with

out c

onse

nt

and

Stor

yboo

k co

llect

ed a

nd u

sed

info

rmat

ion

PI

inap

prop

riat

ely.

M

orph

eus c

ompl

aint

w

ithdr

awn.

of c

ondu

ct th

at is

of a

co

mm

erci

al c

hara

cter

. …

the

defin

ition

is m

eant

to

capt

ure

activ

ities

that

are

m

ore

or le

ss c

omm

erci

al,

or a

ppea

r to

be

com

mer

cial

by

mos

t ac

coun

ts.

…. P

IPA

is

mea

nt to

app

ly to

Non

-pr

ofit

orga

niza

tions

that

ar

e ca

rryi

ng o

ut a

ctiv

ities

as

thou

gh th

ey a

re a

bu

sine

ss.”

[ pa

ra. 2

3]

• Se

lling

tick

ets o

r re

gist

ratio

n fo

r the

atre

pr

ogra

ms h

as

com

mer

cial

nat

ure

and

is

com

mer

cial

act

ivity

un

der P

IPA

[par

a. 2

4].

Mar

ketin

g St

oryb

ook’

s pr

ogra

mm

ing

is

com

mer

cial

act

ivity

usi

ng

PI [p

ara.

25]

. •

Stor

yboo

k ar

gues

that

it

inad

vert

ently

use

d Co

mpl

aina

nt’s

info

rmat

ion

for

mar

ketin

g pu

rpos

es. S

O,

cann

ot c

laim

had

au

thor

ity to

use

PI u

nder

s.

17 e

xem

ptio

ns to

co

nsen

t [pa

ra. 2

7].

• St

oryb

ook

disc

usse

d th

e da

taba

se c

olle

ctio

n m

eans

and

reas

ons t

hat

info

rmat

ion

is u

sed.

It

did

not a

rgue

that

it h

ad

obta

ined

con

sent

, in

any

form

, fro

m th

e Co

mpl

aina

nt to

use

his

pe

rson

al in

form

atio

n. S

o fo

und

that

no

cons

ent

exis

ted

[par

a. 3

0]. N

o au

thor

ity to

use

Co

mpl

aina

nt’s

PI to

em

ail h

im m

arke

ting

mat

eria

ls [p

ara.

31]

.

85POLICYWISE

• St

oryb

ook

orde

red

to

dele

te C

ompl

aina

nt’s

info

rmat

ion

from

da

taba

se.

F20

14-0

7 20

14

Bow

Val

ley

Colle

ge

• Pu

blic

Bod

y se

vere

d pe

rson

al in

form

atio

n fr

om re

cord

s whe

n re

spon

ding

to a

cces

s re

ques

t. Co

mpl

aina

nt

aske

d to

hav

e th

at

seve

ring

revi

ewed

. •

Com

plai

nant

co

mpl

aine

d th

at P

B ha

d di

sclo

sed

PI

cont

ra F

OIP

.

• In

form

atio

n at

issu

e in

clud

ed re

ferr

al le

tter

by

prog

ram

coo

rdin

ator

of P

B in

clud

ing

poss

ibili

ty o

f m

enta

l hea

lth a

sses

smen

t of

Com

plai

nant

.

•

• N

ot su

ffici

ent e

vide

nce

to

esta

blis

h th

at th

e PB

had

us

ed o

r dis

clos

ed h

is P

I. •

Com

plai

nant

subm

itted

th

at

• PB

arg

ued

that

shar

ed

cons

ent f

orm

and

refe

rral

fo

rms w

ith n

urse

. Sin

ce n

o as

sess

men

t con

duct

ed; n

o re

port

ing

or sh

arin

g of

in

form

atio

n ab

out

Com

plai

nant

bet

wee

n an

y he

alth

pro

fess

iona

l and

PB

. PB

did

not h

ave

any

evid

ence

to sh

ow P

B di

sclo

sed

his P

I to

med

ical

pr

ofes

sion

als,

stud

ents

or

to Ir

ania

n G

over

nmen

t. N

o ev

iden

tiary

bur

den

met

by

Com

plai

nant

. F2

014

-30

20

14

Appe

als

Com

mis

sion

for

Albe

rta

Wor

kers

’ Co

mpe

nsat

ion

• Ap

plic

ant m

ade

acce

ss re

ques

t und

er

FOIP

to P

B fo

r st

atis

tics r

egar

ding

nu

mbe

r of a

ppea

ls

cond

ucte

d by

PB

addr

essi

ng sp

ecifi

c po

licy

and

how

man

y of

thos

e ap

peal

s wer

e gr

ante

d.

• PB

resp

onde

d th

ere

wer

e no

reco

rds

resp

onsi

ve to

Ap

plic

ant’s

requ

est

and

sent

them

to

CanL

II w

ebsi

te.

• PB

arg

ued

that

it

mai

ntai

ns d

atab

ase

of d

ecis

ions

but

not

to

leve

l of d

etai

l tha

t Ap

plic

ant’s

requ

est

requ

ired

and

als

o

•

•

• An

ade

quat

e se

arch

re

quir

es a

pub

lic b

ody

to

take

eve

ry re

ason

able

ef

fort

to se

arch

for t

he

actu

al re

cord

s req

uest

ed

[par

a. 7

]. •

PB a

rgue

d th

at c

reat

ing

a re

spon

sive

reco

rd fo

r Ap

plic

ant w

ould

am

ount

to

con

duct

ing

rese

arch

for

a pa

rty

appe

arin

g be

fore

it:

“… c

ondu

ctin

g re

sear

ch

that

may

supp

ort a

pa

rtic

ular

app

eal o

r typ

e of

app

eal h

as th

e po

tent

ial

to c

reat

e a

reas

onab

le

appr

ehen

sion

of b

ias a

nd

is b

eyon

d th

e sc

ope

of it

s ro

le a

s an

inde

pend

ent

deci

sion

-mak

er.”

[par

a.

15].


argu

ed th

at c

reat

ing

reco

rd fr

om it

s el

ectr

onic

dat

a bas

e w

ould

unr

easo

nabl

y in

terf

ere

with

its

oper

atio

ns.

• R

eque

stor

’s id

entit

y is

not

to

influ

ence

how

requ

est i

s pr

oces

sed

[par

a. 16

]. •

“Whe

re a

PB

can

crea

te a

re

cord

from

info

rmat

ion

curr

ently

exi

stin

g in

el

ectr

onic

form

by

esse

ntia

lly m

anip

ulat

ing

the

data

, it h

as a

n ob

ligat

ion

to d

o so

in

resp

onse

to a

n ac

cess

re

ques

t, as

long

as i

t can

be

don

e us

ing

the

PB’s

norm

al h

ardw

are,

so

ftwar

e an

d te

chni

cal

expe

rtis

e an

d w

here

cr

eatin

g th

e re

cord

wou

ld

not u

nrea

sona

bly

inte

rfer

e w

ith th

e PB

’s op

erat

ions

.”

[par

a. 2

0].

• Ad

judi

cato

r agr

eed

with

PB

that

step

s req

uire

d (a

bout

1 em

ploy

ee

wor

king

fullt

ime

for 1

m

onth

) exc

eed

FOIP

re

quir

emen

ts.

• H

owev

er, t

here

may

be

anot

her a

venu

e to

sear

ch

the

reco

rds,

whi

ch w

as n

ot

fully

exp

lore

d by

PB.

PB

orde

red

to e

xplo

re th

at

poss

ibili

ty [p

ara.

34]

. P

2014

-02

2014

Co

nsum

er C

hoic

e Aw

ards

•

Org

aniz

atio

n fo

rwar

ded

chai

n of

em

ails

bet

wee

n O

rgan

izat

ion

and

Com

plai

nant

to 3

rd

part

y co

mpa

ny.

Com

plai

nant

arg

ued

this

was

dis

clos

ure

cont

ra P

IPA.

•

Org

aniz

atio

n di

d no

t ha

ve a

utho

rity

to

disc

lose

Co

mpl

aina

nt’s

PI.

• In

form

atio

n at

issu

e in

clud

ed n

ame,

wor

k em

ail

and

opin

ion

on c

ompa

ny.

Nam

e is

cle

arly

PI a

nd

pers

onal

opi

nion

cou

ld b

e PI

. Wor

k em

ail w

as P

I be

caus

e co

mm

unic

atio

n no

t pa

rt o

f job

dut

ies.

• N

/A

• O

rgan

izat

ion

stat

ed it

had

co

nsen

t. N

o ex

cept

ions

to

cons

ent f

rom

PIP

A ap

plie

d. N

o au

thor

ity to

di

sclo

se w

ithou

t con

sent

[p

ara.

19].

• Fo

r s. 8

(2) t

o ap

ply

(if g

ive

info

rmat

ion

with

out

cons

ent v

olun

tari

ly a

nd

reas

onab

le th

at p

erso

n w

ould

vol

unta

rily

pro

vide

in

form

atio

n), m

ust b

e ob

viou

s in

circ

umst

ance

s th

at O

rgan

izat

ion

wou

ld

87POLICYWISE

disc

lose

info

rmat

ion

to 3

rd

part

y co

mpa

ny [p

ara.

23]

. Th

e Co

mpl

aina

nt m

ust

know

the

purp

ose

befo

re

sect

ion

8 is

trig

gere

d [p

ara.

27]

. •

Org

aniz

atio

n in

form

ed

Com

plai

nant

that

they

w

ould

get

in to

uch

with

co

mpa

ny, b

ut it

was

not

ob

viou

s to

him

that

his

PI

wou

ld a

lso

be sh

ared

. R

easo

nabl

e in

terp

reta

tion

of O

rgan

izat

ion’

s st

atem

ent [

para

. 24]

. It

coul

d ha

ve b

een

a re

ason

able

inte

rpre

tatio

n th

at O

rgan

izat

ion

wou

ld

shar

e bo

th n

ame

and

com

plai

nant

. Her

e ke

y is

th

at th

ere

was

mor

e th

an

one

reas

onab

le

inte

rpre

tatio

n. G

iven

the

room

for

mis

inte

rpre

tatio

n, it

was

in

cum

bent

on

Org

aniz

atio

n to

cla

rify

be

fore

rely

ing

on th

e Co

mpl

aina

nt’s

failu

re to

ob

ject

to it

s sta

ted

plan

[p

ara.

27]

. Sec

tion

8(2)

te

st is

obj

ectiv

e[ p

ara.

28]

: “s

how

ing

that

it w

as n

ot

unre

ason

able

for t

he

Org

aniz

atio

n to

thin

k it

had

cons

ent i

s not

the

sam

e th

ing

as sh

owin

g th

at it

did

hav

e co

nsen

t.”

• Ex

pres

s con

sent

ent

ails

“y

ou m

ay d

iscl

ose

this

in

form

atio

n” [p

ara.

26]

. •

Org

aniz

atio

n co

uld

not

rely

on

both

hav

ing

cons

ent a

nd u

sing

the

notic

e op

tion

(opt

-out

) co

nsen

t. Th

ere

was

no

time

limit

prov

ided

to


Com

plai

nant

to st

op

disc

losu

re o

f PI.

Not

ice

that

is su

bjec

t to

diffe

rent

in

terp

reta

tions

is n

ot

notic

e th

at C

ompl

aina

nt

coul

d ha

ve re

ason

ably

be

en e

xpec

ted

to

unde

rsta

nd [p

ara.

31]

. F2

014

-21

2014

Al

bert

a H

uman

Se

rvic

es

• Se

rvic

e pr

ovid

er

cont

ract

ed b

y PB

. Co

mpl

aina

nt

com

plai

ned

that

se

rvic

e pr

ovid

er

colle

cted

, use

d an

d di

sclo

sed

his P

I co

ntra

FO

IP w

hen

arra

nged

refe

rral

s for

as

sess

men

t and

re

habi

litat

ion

serv

ices

to a

ssis

t him

re

: med

ical

co

nditi

on.

• Co

mpl

aina

nt a

rgue

d th

at se

rvic

e pr

ovid

er

acte

d as

PB.

• Se

rvic

e pr

ovid

er =

a

part

icul

ar so

ciet

y th

at h

elps

in

divi

dual

s with

a p

artic

ular

ty

pe o

f med

ical

con

ditio

n th

roug

h ed

ucat

ion

and

refe

rral

s to

com

mun

ity

reso

urce

s for

ass

essm

ent

and

reha

bilit

atio

n (d

oesn

’t pr

ovid

e th

e as

sess

men

t or

reha

bilit

atio

n se

rvic

es

itsel

f). C

ompl

aina

nt le

arnt

ab

out s

ervi

ce p

rovi

der i

n co

urse

of r

ecei

ving

serv

ices

fo

rm A

lber

ta W

orks

(= P

B).

• At

rele

vant

tim

e,

Mem

oran

dum

of A

gree

men

t fo

r Ser

vice

s bet

wee

n PB

and

se

rvic

e pr

ovid

er. P

B ac

know

ledg

es it

is

resp

onsi

ble

for t

he

colle

ctio

n, u

se, a

nd

disc

losu

re o

f the

Co

mpl

aina

nt’s

PI b

y se

rvic

e pr

ovid

er g

iven

latt

er

cont

ract

ed b

y PB

. So,

re

fere

nces

to se

rvic

e pr

ovid

er o

r its

staf

f is

indi

rect

refe

renc

e to

PB

[par

a. 2

]. •

PI a

t iss

ue b

ecau

se in

clud

ed

nam

e, a

ddre

ss, c

onta

ct

info

rmat

ion,

mar

ital s

tatu

s,

pers

onal

hea

lth n

umbe

r,

heal

th a

nd e

mpl

oym

ent

hist

ory

and

opin

ions

abo

ut

him

. [pa

ra. 5

]. •

Serv

ice

Prov

ider

con

trac

ted

to p

erfo

rm se

rvic

es a

s par

t of

pro

vinc

ial i

nita

tive;

thus

• Co

mpl

aina

nt a

llege

d PB

m

ade

impr

oper

use

of h

is

PI. B

ut, d

id n

ot c

lear

ly

expl

ain

that

impr

oper

us

e. H

ence

adj

udic

ator

vi

ewed

the

com

plai

nant

of

impr

oper

use

was

m

ore

rega

rdin

g fa

ct P

I di

sclo

sed

to c

erta

in th

ird

part

ies.

[par

a. 4

1]

• PB

may

bot

h us

e an

d di

sclo

se in

divi

dual

’s PI

fo

r pur

pose

for w

hich

PI

was

col

lect

ed o

r com

pile

d or

for a

use

con

sist

ent

with

that

pur

pose

[par

a.

43].

• In

mak

ing

refe

rral

s,

Serv

ice

Prov

ider

dis

clos

ed

Com

plai

nant

’s PI

[par

a.

27].

• Al

l dis

clos

ures

for p

urpo

se

of a

rran

ging

ass

ess m

ent

and

reha

bilit

atio

n se

rvic

es

as p

art o

f an

oper

atin

g pr

ogra

m o

r act

ivity

of P

B.

Rea

sona

ble

and

dire

ctio

n co

nnec

tion

to th

e co

llect

ion

of th

e PI

in th

e fir

st p

lace

. Nec

essa

ry fo

r op

erat

ing

a le

gally

au

thor

ized

pro

gram

of t

he

PB.

• So

me

agen

cies

no

refe

rral

m

ade,

just

con

tem

plat

ed

so n

o di

sclo

sure

. [pa

ra.

32].

• R

efer

rals

onl

y di

sclo

sed

fact

that

refe

rral

soug

ht,

reas

on fo

r ref

erra

l, an

d th

at C

ompl

aina

nt b

eing

as

sist

ed b

y Se

rvic

e Pr

ovid

er. M

inim

al

info

rmat

ion

nece

ssar

y.

Cons

iste

nt w

ith p

urpo

se o

f co

llect

ion.

[par

a. 3

9].

89POLICYWISE

initi

ativ

e =

oper

atin

g pr

ogra

m o

f the

PB.

•

Serv

ice

prov

ider

col

lect

ed P

I on

initi

al c

onta

ct in

take

fo

rm.

• Co

mpl

aina

nt st

ated

onl

y w

ante

d em

ploy

men

t as

sist

ance

not

re

habi

litat

ion;

so, f

elt t

hat

som

e he

alth

PI c

olle

cted

was

be

yond

wha

t nec

essa

ry.

• “…

eve

n if

the

Com

plai

nant

so

ught

em

ploy

men

t -re

late

d se

rvic

es o

nly,

it w

as st

ill p

art

of th

e PB

’s pr

ogra

m o

r ac

tivity

to c

onsi

der

arra

ngin

g re

ferr

als,

as

sess

men

t or r

ehab

ilita

tion

in o

rder

to d

eter

min

e w

hat

type

of e

mpl

oym

ent b

est

suite

d th

e Co

mpl

aina

nt.

[Adj

udic

ator

] the

refo

re

foun

d th

at th

e co

llect

ion

of

all o

f the

PI o

f the

Co

mpl

aina

nt…

was

au

thor

ized

by

s. 3

3(c)

.”

[par

a. 12

]. •

Whi

le c

onse

nt fo

rm

cont

empl

ated

col

lect

ion

of

PI fr

om c

erta

in a

genc

ies a

nd

indi

vidu

als,

in th

is c

ase

no

info

rmat

ion

colle

cted

in

actu

ality

. [pa

ra. 1

7].

• Se

rvic

e pr

ovid

er, a

s co

ntra

cted

by

PB, c

an fa

ll un

der F

OIP

exc

eptio

ns

rela

ted

to “e

mpl

oyee

s” a

nd

info

rmat

ion

shar

ing

whe

n fo

r pur

pose

of d

eliv

erin

g co

mm

on o

r int

egra

ted

prog

ram

or s

ervi

ce. [

para

. 22

]. F2

014

-28

2014

Al

bert

a H

ealth

•

Com

plai

nant

=

form

er e

mpl

oyee

of

PB. C

ompl

aine

d th

at

supe

rvis

or h

ad

•

•

• PB

cla

imed

that

sent

em

ail

for p

urpo

se o

f man

agin

g an

d ad

min

iste

ring

pe

rson

nel,

but c

once

ded


emai

led

all m

embe

rs

of P

B ex

ecut

ive

team

an

d di

sclo

sed

that

he

wou

ld b

e aw

ay fr

om

offic

e fo

r per

sona

l re

ason

s.

• Cl

aim

ed b

reac

h of

FO

IP.

• Al

so, b

elie

ved

that

em

ail h

ad b

een

forw

arde

d be

yond

or

igin

al d

istr

ibut

ion

list.

that

not

aut

hori

zed

to

disc

lose

nat

ure

of

Com

plai

nant

’s le

ave.

•

PB d

iscl

osed

mor

e PI

than

ne

cess

ary

to m

eet i

ts

stat

ed p

urpo

se. S

O

cont

rave

ned

s. 4

0(4)

FO

IP. D

iscl

osur

e of

leav

e w

as re

ason

able

and

au

thor

ized

; but

dis

clos

ure

of th

e re

ason

for t

he le

ave

was

not

aut

hori

zed.

An

othe

r mor

e ge

neri

c te

rm p

ossi

ble.

No

indi

catio

n of

co

nfid

entia

lity

in e

mai

l so

that

forw

arde

d oc

curr

ed.

• PB

mus

t onl

y di

sclo

se a

s pe

rmitt

ed b

y FO

IP a

nd

mus

t mak

e re

ason

able

se

curi

ty a

rran

gem

ents

to

prot

ect P

I. •

Dis

clo

F20

14-3

6 20

14

Albe

rta

Hea

lth

• In

divi

dual

mad

e ac

cess

requ

est t

o PB

un

der F

OIP

for a

ll po

licie

s, p

ast a

nd

pres

ent,

in re

gard

s to

the

clos

ing

of h

ealth

fa

cilit

ies.

•

PB p

rovi

ded

8 pa

ges

of re

cord

s and

w

ithhe

ld 4

4 pa

ges i

n en

tiret

y.

• Ap

plic

ant a

rgue

d po

licie

s out

line

proc

ess f

or m

akin

g de

cisi

ons o

n a

part

icul

ar m

atte

r,

and

do n

ot c

onta

in

info

rmat

ion

that

can

be

with

held

.

•

•

• W

ithhe

ld re

cord

s wer

e no

t re

spon

sive

to A

pplic

ant’s

re

ques

t. •

With

held

reco

rds “

draf

t in

tern

al c

orre

spon

denc

e an

d an

alys

is.”

Rec

ords

do

not p

erta

in to

com

plet

ed

polic

ies,

whi

ch A

pplic

ant

soug

ht so

not

app

licab

le.

[par

a. 11

].

F20

15-1

5 20

15

Albe

rta

Ener

gy

• Ac

cess

requ

est t

o PB

fo

r stu

dies

, rep

orts

or

docu

men

ts

com

pari

ng A

B

•

•

• N

umer

ical

info

rmat

ion

in

grap

hs o

r cha

rts i

n th

e re

cord

s at i

ssue

fell

unde

r s.

16(1

) of F

OIP

as

91POLICYWISE

roya

lty ra

tes a

nd

regi

me

for n

on-

rene

wab

le e

nerg

y re

sour

ces c

osts

to

roya

lty ra

tes a

nd

regi

mes

in o

ther

ju

risd

ictio

ns.

• So

me

resp

onsi

ve

reco

rds i

nclu

ded

info

rmat

ion

on a

pr

ivat

e se

ctor

or

gani

zatio

n (3

rd

part

y). P

B ga

ve

acce

ss to

App

lican

t; 3r

d par

ty re

ques

ted

revi

ew o

f dec

isio

n ar

guin

g di

sclo

sure

w

ould

be

harm

ful t

o bu

sine

ss in

tere

sts.

info

rmat

ion

was

trad

e se

cret

and

supp

lied

in

conf

iden

ce. D

iscl

osur

e co

uld

resu

lt in

har

m

enum

erat

ed in

s. 16

(1)©

if

disc

lose

d.

• 3r

d par

ty’s

nam

e co

uld

not

be w

ithhe

ld a

s it d

id n

ot

fall

into

any

of c

ateg

orie

s of

info

in s.

16(1

)(a)

.

F20

15-1

7 20

15

Coun

ty o

f St.

Paul

No.

19

• Co

mpl

aina

nt st

ates

G

razi

ng R

eser

ve se

nt

emai

l con

tain

ing

his

PI to

PB;

PB

gave

n em

ail t

o la

w fi

rm

repr

esen

ting

a Co

mm

issi

on o

f whi

ch

PB a

mem

ber f

or

Com

mis

sion

to u

se in

pr

ocee

ding

bef

ore

Envi

ronm

enta

l Ap

peal

s Boa

rd.

Com

mis

sion

no t

G

razi

ng R

eser

ve

part

y to

pro

ceed

ing.

•

Emai

l : in

form

atio

n re

gadi

ng u

nres

olve

d bi

ll fo

r a g

razi

ng fe

e ch

arge

d to

Co

mpl

aina

nt.

• Co

mpl

aina

nt a

rgue

d in

appr

opri

ate

colle

ctio

n an

d di

sclo

sure

of P

I due

to

lack

of a

utho

rity

.

• In

form

atio

n w

as a

bout

Co

mpl

aina

nt’s

agr i

cultu

ral

oper

atio

n, n

ot a

bout

him

as

indi

vidu

al. T

hus F

OIP

doe

s no

t app

ly.

• Pu

blic

Lan

ds A

ct su

ppor

ted

clai

m th

at p

erso

n to

who

m

graz

ing

allo

tmen

ts a

re

gran

ted

are

oper

atin

g a

busi

ness

. Mem

bers

hip

info

rmat

ion

incl

udin

g pa

ymen

t for

mem

bers

hip

is

info

rmat

ion

abou

t tha

t bu

sine

ss, n

ot P

I. [p

ara.

9]

• Pr

evio

us O

IPC

orde

rs fo

und

that

dis

clos

ure

of n

ame

not

unre

ason

able

inva

sion

of

priv

acy

per s

. 17

whe

re

asso

ciat

ed in

form

atio

n re

veal

s onl

y th

at in

divi

dual

ac

ting

in a

form

al,

repr

esen

tativ

e, p

rofe

ssio

nal,

offic

ial,

publ

ic o

r em

ploy

men

t cap

acity

, unl

ess

that

info

rmat

ion

also

has

a

pers

onal

dim

ensi

on. [

para

. 10

].

•

•


• In

farm

ing

cont

ext,

OIP

C pr

evio

usly

stat

ed th

at P

I “is

re

cord

ed in

form

atio

n ab

out

an id

entif

iabl

e in

divi

dual

, w

hich

mea

ns a

hum

an b

eing

ac

ting

in h

is o

r her

nat

ural

ca

paci

ty.”

PI d

istin

ct fr

om

info

rmat

ion

abou

t in

divi

dual

’s bu

sine

ss, n

o m

atte

r how

set -

up (e

.g. s

ole

prop

riet

orsh

ip, p

artn

ersh

ip,

unin

corp

orat

ed a

ssoc

iatio

n,

corp

orat

ion

or o

ther

ent

ity).

[par

a. 11

] •

If m

embe

rshi

p fe

es o

wed

, ow

ned

by C

ompl

aina

nt a

s an

orga

niza

tion,

not

as a

n in

divi

dual

[par

a. 13

]. F2

015

-27

20

15

Albe

rta

Just

ice

&

Solic

itor G

ener

al

• Fo

rmer

em

ploy

ee o

f PB

com

plai

ned

that

PB

CU

D h

is P

I con

tra

FIO

P w

hen

sear

ched

hi

s nam

e in

AB

Com

mun

ity O

ffend

er

Man

agem

ent

data

base

(ACO

M)

whi

le e

mpl

oyed

. •

PB d

id se

arch

to

veri

fy C

ompl

aina

nt’s

hone

sty

and

inte

grity

.

• Se

arch

was

of P

B’s o

wn

data

base

, so

not a

col

lect

ion

of C

ompl

aina

nt’s

PI.

• In

app

lyin

g fo

r job

, su

bmitt

ed c

rim

inal

reco

rd

chec

k, w

hich

show

ed n

o cr

imin

al c

onvi

ctio

ns.

• La

ter P

B co

ncer

ned

abou

t Co

mpl

aina

nt h

ones

ty, s

o ch

ecke

d AC

OM

and

foun

d on

e re

sult

of so

me

cont

act/

invo

lvem

ent.

• PB

did

not

hav

e au

thor

ity

to u

se C

ompl

inan

t’s P

I fr

om A

COM

dat

abas

ed

beca

use

info

rmat

ion

used

in

way

not

con

sist

ent

with

pur

pose

for w

hich

it

was

col

lect

ed.

• Pu

rpos

e of

ori

gina

l co

llect

ion

was

to tr

ack

offe

nder

s ser

ving

in

com

mun

ity a

nd to

ass

ist

empl

oyee

s of P

B in

volv

ed

with

thes

e of

fend

ers.

PB

acce

ss in

this

cas

e to

ve

rify

Com

plai

nant

’s pa

st

and

hone

sty.

Thu

s,

purp

oses

in c

olle

ctio

n an

d us

e no

t con

sist

ent.

Com

plai

n ant

not

of

fend

er se

rvin

g tim

e in

co

mm

unity

and

che

ckin

g ho

nest

y no

t par

t of

ACO

M d

atab

ase.

•

Nee

d co

nsis

tenc

y be

twee

n us

e an

d pu

rpos

e fo

r col

lect

ion.

• Co

mpl

aina

nt d

id n

ot

cons

ent t

o us

e an

d/or

di

sclo

sure

of h

is P

I. •

F20

15-2

6

2015

Ca

lgar

y Po

lice

Serv

ice

• Co

mpl

inan

t bel

ieve

d th

at h

er P

I and

that

•

Adju

dica

tor f

ound

that

PI

was

col

lect

ed fo

r pur

pose

s of

•

•

93POLICYWISE

of h

er k

ids w

as

colle

cted

by

PB

cont

ra F

OIP

. •

PB re

ceiv

ed c

all t

hat

youn

g ch

ild a

nd

infa

nt le

ft al

one

in

mot

or v

ehic

le in

sh

oppi

ng c

entr

e pa

rkin

g lo

t for

10

min

utes

at t

ime

of

call.

Whe

n po

lice

arri

ved,

car

gon

e.

Calle

r gav

e lic

ense

nu

mbe

r.

• PB

team

att

ende

d Co

mpl

aina

nt h

ouse

to

dis

cuss

cas

e an

d is

sue.

Sub

mitt

ed

polic

e re

port

s on

inve

stig

ativ

e fin

ding

s.

• Co

mpl

aina

nt fe

lt PB

sh

ould

not

hav

e co

llect

ed h

er P

I.

law

enf

orce

men

t and

was

th

eref

ore

perm

itted

und

er

FOIP

. •

Safe

ty c

once

rns f

or c

hild

ren.

N

eed

for t

reat

ass

essm

ent,

and

thus

was

law

en

forc

emen

t mat

ter.

•

Afte

r a p

oten

tial l

aw

enfo

rcem

ent m

atte

r is

conc

lude

d, re

cord

s of w

hat

tran

spir

ed sh

ould

still

be

mad

e. T

rans

pare

ncy

of th

ese

inte

ract

ions

is c

ritic

al fo

r up

hold

ing

righ

ts.

F20

16-4

1

2016

Se

rvic

e Al

bert

a •

The

Cana

da R

even

ue

Agen

cy (t

he C

RA)

m

ade

a re

ques

t to

the

PB fo

r the

Ap

plic

ant’s

phy

sica

l ad

dres

s.

• Th

e Pu

blic

Bod

y pr

ovid

ed th

e ad

dres

s it

had

on fi

le;

how

ever

, thi

s add

ress

pr

oved

to b

e a

mai

ling,

rath

er th

an

resi

dent

ial,

addr

ess.

•

Whe

n th

e Ap

plic

ant

appl

ied

to re

new

her

m

otor

veh

icle

re

gist

ratio

n, th

e PB

re

quir

ed h

er to

pr

ovid

e pr

oof o

f the

ad

dres

s of h

er

resi

denc

e (t

he

Appl

ican

t’s “p

hysi

cal

• Th

e Ap

plic

ant c

ompl

aine

d th

at th

e Pu

blic

Bod

y ha

d co

ntra

vene

d th

e FO

IP A

ct

whe

n it

disc

lose

d he

r pe

rson

al in

form

atio

n to

the

CRA.

The

Adj

udic

ator

de

term

ined

that

sect

ion

4 ap

plie

d to

som

e re

cord

s, a

s th

ese

reco

rds w

ere

crea

ted

from

info

rmat

ion

in th

e of

fice

of th

e R

egis

trar

of

Mot

or V

ehic

le S

ervi

ces.

H

owev

er, s

he fo

und

that

se

ctio

n 20

did

not

aut

hori

ze

the

PB to

with

hold

any

of

the

info

rmat

ion

to w

hich

it

had

appl

ied

this

pro

visi

on

and

she

orde

red

disc

losu

re

of th

is in

form

atio

n.

• Th

e Ad

judi

cato

r det

erm

ined

th

at th

e PB

had

two

purp

oses

for c

olle

ctin

g th

e Ap

plic

ant’s

phy

sica

l add

ress

:

•

•


addr

ess”

with

in th

e te

rms o

f the

Ope

rato

r Li

cens

ing

and

Vehi

cle

Cont

rol

Reg

ulat

ion)

. •

Whe

n sh

e pr

ovid

ed

the

requ

este

d pr

oof,

an in

vest

igat

or o

f the

PB

con

tact

ed th

e CR

A to

info

rm it

that

th

e Ap

plic

ant h

ad

prov

ided

a n

ew

phys

ical

add

ress

and

su

ppor

ting

docu

men

tatio

n.

• Th

e CR

A th

en

requ

este

d th

e ph

ysic

al a

ddre

ss a

nd

the

PB p

rovi

ded

it.

Afte

r the

CR

A ob

tain

ed th

e ph

ysic

al

addr

ess,

the

CRA

obta

ined

a C

ourt

or

der t

o ob

tain

the

phys

ical

add

ress

and

th

e su

ppor

ting

docu

men

tatio

n th

e Ap

plic

ant h

ad

prov

ided

. The

CR

A su

bseq

uent

ly

initi

ated

lega

l pr

ocee

ding

s aga

inst

th

e Ap

plic

ant.

The

Appl

ican

t mad

e a

requ

est f

or h

er fi

le

from

the

PB u

nder

th

e Fr

eedo

m o

f In

form

atio

n an

d Pr

otec

tion

of P

riva

cy

Act (

the

FOIP

Act

).

• Th

e PB

refu

sed

acce

ss to

the

file

on

the

basi

s of s

ectio

ns 4

(A

pplic

atio

n) a

nd 2

0 (D

iscl

osur

e H

arm

ful

to L

aw E

nfor

cem

ent)

. Th

e Ap

plic

ant s

ough

t

the

first

was

for e

nsur

ing

that

the

Reg

istr

ar h

ad

suffi

cien

t inf

orm

atio

n to

m

ake

a de

term

inat

ion

as to

w

heth

er th

e Ap

plic

ant w

as a

re

side

nt o

f Alb

erta

and

the

seco

nd w

as to

ass

ist t

he

CRA.

•

The

Adj

udic

ator

det

erm

ined

th

at a

ssis

ting

the

CRA

was

no

t a p

urpo

se fo

r whi

ch th

e PB

was

aut

hori

zed

by th

e FO

IP A

ct to

col

lect

per

sona

l in

form

atio

n. T

he

Adju

dica

tor d

eter

min

ed th

at

the

PB h

ad d

iscl

osed

the

Appl

ican

t’s p

erso

nal

info

rmat

ion

on fo

ur

occa

sion

s. S

he fo

und

that

th

e fir

st th

ree

disc

losu

res

wer

e no

t aut

hori

zed

by th

e FO

IP A

ct, b

ut th

at th

e fo

urth

di

sclo

sure

, whi

ch w

as m

ade

to c

ompl

y w

ith a

Cou

rt

orde

r, w

as a

utho

rize

d. T

he

Adju

dica

tor o

rder

ed th

e PB

to

dis

clos

e th

e in

form

atio

n to

whi

ch it

had

app

lied

sect

ion

20 a

nd o

rder

ed it

to

ceas

e co

llect

ing,

usi

ng, a

nd

disc

losi

ng th

e Ap

plic

ant’s

pe

rson

al in

form

atio

n in

co

ntra

vent

ion

of th

e FO

IP

Act.

95POLICYWISE

revi

ew o

f thi

s de

cisi

on.

F20

16-2

6

2016

Ed

mon

ton

Publ

ic

Scho

ol D

istr

ict

No.

7

• Co

mpl

aina

nt is

fe

mal

e tr

ansg

ende

r st

uden

t at s

choo

l run

by

PB.

•

Com

plai

ned

that

PB

disc

lose

d he

r PI

cont

ra F

OIP

whe

n te

ache

rs d

ispl

ayed

or

calle

d ou

t her

lega

l na

me,

whi

ch is

a

typi

cally

mal

e na

me.

•

Com

plai

nant

and

pa

rent

s met

with

sc

hool

offi

cial

s;

offic

ials

told

that

they

co

uld

advi

se

Com

plai

nant

’s te

ache

rs th

at sh

e w

as

tran

sgen

der b

ut d

id

not w

ant s

choo

l bod

y aw

are

of th

is. S

choo

l of

ficia

ls a

gree

d an

d as

sure

d in

form

atio

n pr

ivac

y. O

ne

acco

mm

odat

ion

was

to

use

pap

er li

st fo

r ro

ll ca

ll (w

ith

pref

erre

d na

me)

not

co

mpu

ter l

ist (

with

le

gal n

ot c

hose

n na

me)

. On

num

ber o

f oc

casi

ons,

lega

l nam

e di

spla

yed

on sc

reen

at

fron

t of c

lass

room

vi

sibl

e to

cla

ss; o

ne 2

oc

casi

ons t

each

er o

r st

uden

t rea

d le

gal

nam

e; 1

o cca

sion

su

pply

teac

her l

oudl

y di

scus

sed

proc

ess f

or

nam

e ch

ange

. •

Man

y of

inci

dent

s in

volv

ed su

pply

te

ache

rs;

Com

plai

nant

adv

ised

• PI

at i

ssue

(nam

e, se

x, a

nd

that

gen

der i

dent

ity

diffe

rent

form

her

sex

at

birt

h).

• Le

gal n

ame

not c

hang

ed a

nd

refle

cted

that

she

was

bor

n ph

ysic

ally

mal

e.

• Be

caus

e Co

mpl

aina

nt

requ

este

d th

at in

form

atio

n no

t be

disc

lose

d, th

en

disc

losi

ng it

not

un

reas

onab

le i n

vasi

on o

f her

pr

ivac

y.

• D

iscl

osur

e w

as n

ot p

rude

nt

or n

eces

sary

in th

e ci

rcum

stan

ces,

so c

ontr

a s.

40

(4) F

OIP

.

•

• PB

agr

eed

it ha

d br

each

ed

FOIP

and

had

not

mad

e pr

oper

secu

rity

ar

rang

emen

ts to

pro

tect

Co

mpl

aina

nt’s

PI.

• PI

Dis

clos

ed in

bre

ach

of

s. 4

0 of

Act

. •

PB fa

iled

to m

ake

prop

er

secu

rity

arr

ange

men

ts, b

ut

note

d th

at d

raft

polic

y cr

eate

d af

ter t

hese

br

each

es a

ddre

ssed

co

ncer

ns ra

ised

by

Com

plai

nant

. Dra

ft po

licy

incl

udes

info

rmin

g st

uden

ts th

at th

eir c

hose

n na

me

and

gend

er c

an b

e ch

ange

d co

nfid

entia

lity

i n

com

pute

r sch

ool r

ecor

ds

with

sign

ed p

aren

t co

nsen

t and

dis

cuss

ion;

w

ithou

t Dis

tric

t let

ter

scho

ol w

ill e

nsur

e st

uden

t’s c

hose

n na

me

and

chos

en g

ende

r co

rrec

tly e

nter

ed in

to h

ard

copy

; sup

ply

teac

hers

will

be

info

rmed

via

info

pa

ckag

e an

d ve

rbal

ly to

us

e on

ly la

st n

ame

for

stud

ents

’ in

roll

call

and

not u

se sc

reen

; pri

ncip

al

to in

stru

ct st

aff t

o on

ly u

se

last

nam

es.


that

bin

der i

s cre

ated

fo

r sup

ply

teac

hers

an

d co

ntai

ns in

fo

that

teac

her m

ust

take

att

enda

nce

from

pa

per c

opy

of c

lass

lis

t. P

2016

-07

20

16

Red

i Ent

erpr

ises

So

ciet

y •

Org

aniz

atio

n re

ques

ted

wri

tten

ac

coun

t of

Com

plai

nant

’s cr

imin

al c

onvi

ctio

n.

• Co

mpl

aina

nt a

rgue

d th

at w

as c

ontr

a PI

PA.

• Em

ploy

ee si

tuat

ion.

•

Did

not

det

erm

ine

if PI

PA

appl

ied

beca

use

NFP

, pa

rtie

s agr

ee to

go

forw

ard

assu

min

g it

did

appl

y.

• In

form

atio

n w

as n

ever

pr

ovid

ed, j

ust r

eque

sted

. •

“PIP

A ba

lanc

es th

e ri

ght o

f an

indi

vidu

al to

pri

vacy

of

thei

r PI w

ith th

e ne

ed fo

r an

orga

niza

tion

to C

UD

PI.

If

an o

rgan

izat

ion

can

dem

onst

rate

the

colle

ctio

n of

PI i

s nec

essa

ry to

ena

ble

it to

mee

t cer

tain

reas

onab

le

purp

oses

and

it is

col

lect

ed

in a

reas

onab

le m

anne

r,

then

the

colle

ctio

n m

ay b

e al

low

ed u

nder

the

Act.”

[p

ara.

10].”

•

Org

aniz

atio

n ha

d po

licy

of

requ

irin

g a

wri

tten

, sig

ned

acco

unt o

f the

cri

min

al

activ

ities

of i

ts e

mpl

oyee

s.

[par

a. 18

]. •

This

info

rmat

ion

is a

re

quir

emen

t to

shar

e [p

ara.

23

]. Co

llect

ion

is so

lely

for

empl

oym

ent r

elat

ed

purp

oses

. Evi

denc

e th

at

info

rmat

ion

cont

aine

d in

em

ploy

ee fi

le a

nd u

sed

only

to

man

age

empl

oym

ent

rela

tions

hip.

Thi

s re

ason

able

exp

lana

tion:

O

rgan

izat

ion

gave

suffi

cien

t no

tice,

use

d to

man

age

empl

oym

ent r

elat

ions

hip,

w

orks

with

vul

nera

ble

•

•

97POLICYWISE

that

bin

der i

s cre

ated

fo

r sup

ply

teac

hers

an

d co

ntai

ns in

fo

that

teac

her m

ust

take

att

enda

nce

from

pa

per c

opy

of c

lass

lis

t. P

2016

-07

20

16

Red

i Ent

erpr

ises

So

ciet

y •

Org

aniz

atio

n re

ques

ted

wri

tten

ac

coun

t of

Com

plai

nant

’s cr

imin

al c

onvi

ctio

n.

• Co

mpl

aina

nt a

rgue

d th

at w

as c

ontr

a PI

PA.

• Em

ploy

ee si

tuat

ion.

•

Did

not

det

erm

ine

if PI

PA

appl

ied

beca

use

NFP

, pa

rtie

s agr

ee to

go

forw

ard

assu

min

g it

did

appl

y.

• In

form

atio

n w

as n

ever

pr

ovid

ed, j

ust r

eque

sted

. •

“PIP

A ba

lanc

es th

e ri

ght o

f an

indi

vidu

al to

pri

vacy

of

thei

r PI w

ith th

e ne

ed fo

r an

orga

niza

tion

to C

UD

PI.

If

an o

rgan

izat

ion

can

dem

onst

rate

the

colle

ctio

n of

PI i

s nec

essa

ry to

ena

ble

it to

mee

t cer

tain

reas

onab

le

purp

oses

and

it is

col

lect

ed

in a

reas

onab

le m

anne

r,

then

the

colle

ctio

n m

ay b

e al

low

ed u

nder

the

Act.”

[p

ara.

10].”

•

Org

aniz

atio

n ha

d po

licy

of

requ

irin

g a

wri

tten

, sig

ned

acco

unt o

f the

cri

min

al

activ

ities

of i

ts e

mpl

oyee

s.

[par

a. 18

]. •

This

info

rmat

ion

is a

re

quir

emen

t to

shar

e [p

ara.

23

]. Co

llect

ion

is so

lely

for

empl

oym

ent r

elat

ed

purp

oses

. Evi

denc

e th

at

info

rmat

ion

cont

aine

d in

em

ploy

ee fi

le a

nd u

sed

only

to

man

age

empl

oym

ent

rela

tions

hip.

Thi

s re

ason

able

exp

lana

tion:

O

rgan

izat

ion

gave

suffi

cien

t no

tice,

use

d to

man

age

empl

oym

ent r

elat

ions

hip,

w

orks

with

vul

nera

ble

•

•

popu

latio

n an

d se

eks s

afe

and

secu

re e

nvir

o nm

ent,

trea

ted

as c

onfid

entia

l in

form

atio

n.

• O

rgan

izat

ion

in c

ompl

ianc

e w

ith s.

15 P

IPA.

P

2016

-08

20

16

Albe

rta

Asse

ssor

s As

soci

atio

n •

Org

aniz

atio

n di

sclo

sed

her P

I by

usin

g a

data

m

atch

ing

data

base

to

anal

yze

dem

onst

ratio

n re

port

su

bmitt

ed to

UBC

. Co

mpl

aina

nt’s

nam

e an

d st

uden

t num

ber

incl

uded

in

dem

onst

ratio

n re

port

. •

Org

aniz

atio

n to

ok

disc

iplin

ary

mea

sure

s aga

inst

Co

mpl

aina

nt o

n ba

sis

of a

naly

sis o

f de

mon

stra

tion

repo

rt.

• Co

mpl

aina

nt

com

plai

ns th

ese

actio

ns c

ontr

a PI

PA>

• O

rgan

izat

ion

= N

FP p

er s.

56

PIP

A. N

ot a

pro

fess

iona

l re

gula

tory

org

aniz

atio

n.

• O

rgan

izat

ion

CUD

Co

mpl

aina

nt’s

PI a

s par

t of

its re

gula

tory

and

di

scip

linar

y fu

nctio

n.

• Co

mm

erci

al a

ctiv

ities

ty

pica

lly th

ose

invo

lvin

g bu

ying

, sel

ling,

or e

xcha

nge

of g

oods

or s

ervi

ces [

para

. 13

]. •

PIPA

did

not

app

ly b

ecau

se

CUD

not

in c

onne

ctio

n w

ith

com

mer

cial

act

ivity

. •

Org

aniz

atio

n CU

D P

I th

roug

h ap

plic

atio

n of

so

ftwar

e fo

r pur

pose

of

regu

latin

g m

embe

r of

asse

ssor

pro

fess

ion,

not

in

conn

ectio

n w

ith p

urch

ase

of

softw

are.

[ pa

ra 19

]. •

Fine

s are

not

goo

ds o

r se

rvic

es, a

nd th

ey a

re n

ot

boug

ht, s

old

or e

xcha

nged

[p

ara.

20]

. In

asse

ssin

g th

e fin

es a

nd c

osts

, the

di

scip

linar

y co

mm

ittee

was

no

t pro

vidi

ng a

goo

d or

a

serv

ice,

or r

equi

ring

that

the

Com

plai

nant

pur

chas

e a

good

or a

serv

ice.

As

sess

men

t of f

ines

doe

s nto

ha

ve a

com

mer

cial

ch

arac

ter.

•

•

H20

16-0

2

2016

Al

bert

a H

ealth

Se

rvic

es

• Co

mpl

aina

nt

requ

este

d di

sclo

sure

lo

gs fo

r her

AB

Elec

tron

ic H

ealth

R

ecor

ds (N

etCa

re).

• Cu

stod

ian

conc

eded

that

Co

mpl

aina

nt’s

heal

th

info

rmat

ion

had

been

use

d w

ithou

t aut

hori

zatio

n.

•

• Ad

judi

cato

r req

uire

d Cu

stod

ian

to p

ut in

pla

ce

safe

guar

ds th

at p

rote

cted

Co

mpl

aina

nt’s

HI f

rom

sp

ecifi

c id

entif

iabl

e ri

sk.


She

disc

usse

d th

at

indi

vidu

al (A

ffilia

te)

had

revi

ewed

her

HI.

Com

plai

nant

kne

w

Affil

iate

and

kne

w

they

had

no

reas

on to

re

view

her

reco

rd.

• Co

mpl

aina

nt b

elie

ves

Affil

iate

may

hav

e ob

tain

ed in

form

atio

n in

reco

rds a

nd u

sed

it to

con

tact

Co

mpl

aina

nt’s

empl

oyer

and

an

othe

r ind

ivid

ual.

• Br

each

of s

. 25

HIA

occ

urre

d by

Cus

todi

an’s

affil

iate

[ pa

ra. 4

]. Af

filia

te a

cces

sed

HI o

n on

e oc

casi

on w

ith n

o ne

ed to

kno

w. U

sed

it to

co

ntac

t Com

plai

nant

em

ploy

er to

com

plai

n ab

out

Com

plai

nant

; day

late

r the

y w

ere

rem

orse

ful a

nd

with

drew

that

com

plai

nant

.

• Cu

rren

t saf

egua

rds

incl

uded

trai

ning

and

aw

aren

ess p

roce

dure

s; IT

po

licie

s lim

iting

CU

to

auth

oriz

ed p

erso

n nel

; po

licie

s pro

vidi

ng fo

r ed

ucat

ion,

trai

ning

and

au

ditin

g of

com

plia

nce

with

pol

icie

s; p

olic

ies

outli

ning

repo

rtin

g an

d br

each

dis

cipl

ine;

pol

icie

s re

: mon

itori

ng a

nd

audi

ting

of IT

reso

urce

s.

• Cu

stod

ian

reco

gniz

ed ri

sk

that

em

ploy

ees a

nd

affil

iate

s may

use

or a

cces

s H

I with

out a

utho

rity

; po

licy

mea

sure

s out

lined

in

tend

ed to

pro

tect

ag

ains

t suc

h un

auth

oriz

ed

use

or a

cces

s. [p

ara.

12].

• Al

l sec

urity

step

s mus

t be

reas

onab

le: m

itiga

tion

stra

tegi

es d

o no

t nee

d to

be

per

fect

; inf

orm

atio

n se

curi

ty a

nd b

reac

hes m

ay

still

occ

ur e

ven

whe

n re

ason

able

safe

guar

ds

have

bee

n im

plem

ente

d [p

ara.

13].

• Cu

stod

ian

foun

d to

hav

e ta

ken

reas

onab

le st

eps t

o m

aint

ain

safe

guar

ds to

ge

nera

lly p

rote

ct H

I co

nfid

entia

lity

and

gene

rally

pro

tect

aga

inst

re

ason

ably

ant

icip

ated

un

auth

oriz

e d U

D o

r acc

ess

to H

I [pa

ra. 1

5].

• Bu

t, no

t cle

ar th

at

reas

onab

le st

eps t

aken

to

miti

gate

risk

from

id

entif

iabl

e in

divi

dual

(A

ffilia

te).

[par

a. 16

]. N

o in

form

atio

n re

gard

ing

revi

ew o

f Affi

liate

’s ac

cess

in

Med

itech

and

Net

care

99POLICYWISE

[par

a. 19

]. O

IPC

not t

old

date

s tha

t rev

iew

per

iod

cove

red

nor t

hat t

here

w

ould

be

furt

her r

evie

ws.

•

Affil

iate

face

d sa

nctio

ns

from

gov

erni

ng

prof

essi

onal

bod

y in

clud

ing

man

dato

ry

com

plet

ion

of m

odul

es o

n et

hics

and

pri

vacy

. [ p

ara.

21

]. •

Cust

odia

n m

aske

d Co

mpl

aina

nt’s

Net

care

in

form

atio

n so

add

ition

al

laye

r of p

riva

cy to

her

in

form

atio

n fr

om a

ll em

ploy

ees a

nd a

ffilia

tes o

f Cu

stod

ian

(not

just

this

Af

filia

te).

• Af

filia

te h

ad to

wri

te le

tter

of

apo

logy

to C

ompl

aina

nt

and

her e

mpl

oyer

. But

le

tter

of a

polo

gy d

iffer

ent

from

fact

s to

prof

essi

o nal

bo

dy. T

o pr

ofes

sion

al

body

, adm

itted

acc

ess f

or

pers

onal

use

, not

“no

reas

on” a

s to

OIP

C. [p

ara.

25

]. •

Foun

d th

at C

usto

dian

not

de

mon

stra

ted

how

to

prot

ect a

gain

st a

ny

reas

onab

ly a

ntic

ipat

ed

unau

thor

ized

use

, di

sclo

sure

or a

cces

s to

Com

plai

nant

’s or

oth

ers’

HI b

y Af

filia

te [p

ara.

27]

. •

Com

plai

nant

des

crib

ed

harm

she

suffe

red

from

Af

filia

te’s

actio

ns

incl

udin

g si

gnifi

cant

re

ticen

ce to

acc

ess

heal

thca

re.

H20

16-0

6 (n

ot

2016

Al

bert

a H

ealth

Se

rvic

es

• Th

e Co

mpl

aina

nt

mad

e a

com

plai

nt

that

two

phys

icia

ns

• Sh

e fo

und

that

the

phys

icia

ns h

ad g

aine

d ac

cess

ed to

the

• Sh

e de

term

ined

that

af

filia

tes m

ay u

se o

r di

sclo

se h

ealth

• Th

e tw

o ph

ysic

ians

als

o di

sclo

sed

the

heal

th

info

rmat

ion

they

had


prin

ted)

ga

ined

acc

ess t

o he

r he

alth

info

rmat

ion

from

Alb

erta

Net

care

in

con

trav

entio

n of

th

e H

ealth

In

form

atio

n Ac

t (H

IA).

• Al

bert

a H

ealth

Se

rvic

es (A

HS)

, w

hich

ope

rate

d th

e fa

cilit

ies a

t whi

ch th

e ac

cess

es o

ccur

red,

an

d th

e tw

o ph

ysic

ians

invo

lved

co

nced

ed th

at th

e tw

o ph

ysic

ians

had

ga

ined

acc

ess t

o th

e Co

mpl

aina

nt’s

heal

th

info

rmat

ion

in 2

008

for t

he p

urpo

se o

f ad

dres

sing

a

com

plai

nt to

the

Dep

artm

ent C

hair

th

at h

ad b

een

mad

e ab

out c

are

they

had

pr

ovid

ed to

the

Com

plai

nant

, and

ag

ain

in 2

012

for t

he

purp

ose

of d

efen

ding

th

emse

lves

in a

re

late

d he

arin

g co

nduc

ted

by th

e Al

bert

a Co

llege

of

Phys

icia

ns a

nd

Surg

eons

(the

Co

llege

).

Com

plai

nant

’s he

alth

in

form

atio

n fo

r the

ir o

wn

pers

onal

pur

pose

s, ra

ther

th

an th

ose

of A

HS,

and

that

AH

S ha

d, b

y op

erat

ion

of

sect

ion

62(2

) of t

he H

IA,

cont

rave

ned

sect

ion

25

(pro

hibi

tion

rega

rdin

g us

e of

he

alth

info

rmat

ion)

of t

hat

Act o

n th

ose

occa

sion

s whe

n th

e tw

o ph

ysic

ians

did

this

. Al

thou

gh th

e Ad

judi

cato

r or

dere

d th

e tw

o ph

ysic

ians

to

mee

t the

ir d

uty

to c

ompl

y w

ith th

e H

IA a

nd it

s re

gula

tions

whe

n th

ey u

se

and

disc

lose

hea

lth

info

rmat

ion,

the

Adju

dica

tor

deci

ded

that

she

coul

d no

t or

der t

he tw

o ph

ysic

ians

to

com

ply

with

AH

S’s p

o lic

ies

and

proc

edur

es, g

iven

that

do

ing

so w

ould

not

ens

ure

the

conf

iden

tialit

y of

the

Com

plai

nant

’s he

alth

in

form

atio

n.

info

rmat

ion

only

at t

he

dire

ctio

n of

, und

er th

e au

thor

ity o

f, or

on

beha

lf of

, the

cus

todi

an w

ith

who

m th

ey a

re a

ffilia

ted.

obta

ined

to th

e Co

llege

. Th

e Ad

judi

cato

r de

term

ined

that

AH

S w

as

the

cust

odia

n in

this

cas

e,

and

that

the

two

phys

icia

ns w

ere

affil

iate

s of

AH

S.

• Th

e Ad

judi

cato

r als

o de

term

ined

that

the

Com

plai

nant

’s he

alth

in

form

atio

n ha

d be

en

disc

lose

d to

the

Colle

ge b

y th

e tw

o ph

ysic

ians

for t

he

purp

ose

of d

efen

ding

th

emse

lves

in a

com

plai

nt.

She

foun

d th

at a

ffilia

tes

may

dis

clos

e he

alth

in

form

atio

n on

ly u

nder

th

e au

thor

ity o

f, or

on

beha

lf of

the

cust

odia

n w

ith w

hom

they

are

af

filia

ted

and

are

subj

ect

to th

e sa

me

limita

tions

to

whi

ch th

e 2

cust

odia

n is

su

bjec

t whe

n th

ey d

o so

. •

She

dete

rmin

ed th

at A

HS

wou

ld h

ave

had

no

auth

ority

to d

iscl

ose

the

Com

plai

nant

’s he

alth

in

form

atio

n in

the

circ

umst

ance

s in

whi

ch

the

two

affil

iate

s dis

clos

ed

it, a

s AH

S w

as n

ot a

par

ty

to th

e co

mpl

aint

co

nduc

ted

by th

e Co

llege

, an

d ha

d no

t rec

eive

d a

form

al d

eman

d fo

r the

re

cord

s.

• Th

e Ad

judi

cato

r co

nclu

ded

that

thes

e ac

cess

es a

nd d

isc l

osur

es

caus

ed A

HS

to c

ontr

aven

e se

ctio

ns 2

5 an

d 31

of t

he

HIA

. The

Adj

udic

ator

de

term

ined

that

AH

S’s

polic

ies a

nd p

roce

dure

s w

ere

not a

dequ

ate

to

101POLICYWISE

prot

ect t

he C

ompl

aina

nt’s

heal

th in

form

atio

n fr

om

the

risk

s of u

naut

hori

zed

use

and

disc

losu

re, a

s the

y ap

pear

ed to

per

mit

affil

iate

s to

use

and

disc

lose

hea

lth

info

rmat

ion

for t

heir

ow

n pe

rson

al p

urpo

ses,

rath

er

than

pur

pose

s of A

HS

that

ar

e au

thor

ized

by

sect

ions

27

and

35

of th

e H

IA.

Whi

le th

e Ad

judi

cato

r fo

und

that

use

and

di

sclo

sure

of t

he

Com

plai

nant

’s he

alth

in

form

atio

n by

the

two

phys

icia

ns h

ad le

d AH

S to

co

ntra

vene

the

HIA

, it

appe

ared

that

the

two

phys

icia

ns h

ad n

ot

cont

rave

ned

AHS

polic

ies

and

proc

edur

es w

hen

they

us

ed a

nd d

iscl

osed

the

Com

plai

nant

’s he

alth

in

form

atio

n fo

r the

ir o

wn

pers

onal

pur

pose

s.

• Th

e Ad

judi

cato

r ord

ered

AH

S to

cea

se u

sing

and

di

sclo

sing

the

Com

plai

nant

’s he

alth

in

form

atio

n in

co

ntra

vent

ion

of th

e H

IA.

She

sugg

este

d th

at

com

plia

nce

with

the

orde

r co

uld

be a

chie

ved

by

revi

sing

the

polic

ies a

nd

proc

edur

es fo

r affi

liate

s su

ch th

at th

ey w

ould

co

nvey

the

follo

win

g: 1)

on

ly A

HS

is th

e cu

stod

ian

and

auth

oriz

ed c

usto

dian

at

site

s it o

pera

tes,

2) t

he

HIA

aut

hori

zes o

nly

an

“aut

hori

zed

cust

odia

n” to

us

e or

dis

clos

e he

alth

in

form

atio

n vi

a th

e


Albe

rta

EHR

, and

3)

affil

iate

s may

use

or

disc

lose

he a

lth

info

rmat

ion

via

the

Albe

rta

EHR

at A

HS’

s si

tes o

nly

whe

re A

HS

wou

ld h

ave

auth

ority

to

use

or d

iscl

ose

heal

th

info

rmat

ion.

The

Ad

judi

cato

r als

o de

term

ined

that

AH

S sh

ould

revi

ew it

s pol

icie

s to

ens

ure

that

they

cre

ate

enfo

rcea

ble

oblig

atio

ns fo

r af

filia

tes t

o co

llect

, use

, or

disc

lose

hea

lth

info

rmat

ion

unde

r the

au

thor

ity o

f AH

S, in

co

mpl

ianc

e w

ith th

e H

IA,

such

that

sect

ion

62(4

)(b)

is

eng

aged

shou

ld a

n af

filia

te u

se o

r dis

clos

e he

alth

info

rmat

ion

in a

w

ay th

at c

ontr

aven

es th

e H

IA

F20

16-0

1

2016

Bo

w V

alle

y Co

llege

•

Com

plai

nant

co

mpl

aine

d th

at P

B us

ed o

r dis

clos

ed h

is

PI c

ontr

a FO

IP w

hen

Acad

emic

Pr

epar

atio

n Co

ordi

nato

r em

aile

d nu

mbe

r of e

mpl

oyee

s of

PB

to a

dvis

e th

em

of o

ngoi

ng c

onfli

ct

betw

een

Com

plai

nant

(s

tude

nt) a

nd

anot

her s

tude

nt.

• Co

mpl

aina

nt h

ad

succ

essf

ully

sued

ot

her s

tude

nt a

roun

d is

sue.

• In

form

atio

n co

llect

ed w

as

nece

ssar

y fo

r an

activ

ity o

f PB

. Nec

essa

ry to

use

nam

e be

caus

e st

uden

t at P

B so

ne

cess

ary

for o

pera

ting

prog

ram

and

act

ivity

[par

a.

15].

• Co

ntex

t of e

mai

l and

use

of

Com

plai

nant

’s fir

s t n

ame

= PI

und

er a

ct. [

para

. 11]

. •

Acad

emic

Pre

para

tion

Coor

dina

tor w

rote

em

ails

to

two

supe

rvis

ors a

nd a

noth

er

empl

oyee

of P

B st

atin

g th

at

talk

ed to

oth

er st

uden

t in

clud

ing

that

wou

ld b

e re

ceiv

ing

war

ning

lett

er;

that

not

hav

e co

ntac

t with

Co

mpl

aina

nt; a

n d to

info

rm

PB if

Com

plai

nant

con

tact

ed

him

. Oth

er st

uden

t inf

orm

ed

them

of l

itiga

tion.

• In

form

atio

n w

as u

sed

whe

n se

nt v

ia e

mai

l. Co

uld

be se

en a

s di

sclo

sure

bet

wee

n on

e em

ploy

ee to

oth

ers.

OIP

C Ad

judi

cato

r tre

ated

it a

s us

e an

d di

sclo

sure

, with

re

sults

bei

ng sa

me.

[par

a.

12]

• In

form

atio

n us

ed fo

r re

ason

con

sist

ent w

ith

why

info

rmat

ion

was

co

llect

ed.

• R

esol

ving

issu

es b

etw

een

stud

ents

and

rela

ted

conc

erns

ari

sing

from

ca

mpu

s -re

late

d ac

tiviti

es

is re

spon

sibi

lity

of P

B.

[par

a. 17

]. •

Emai

ling

Com

plai

nant

’s PI

to li

mite

d nu

mbe

r of

empl

oyee

s had

a

• PB

foun

d to

hav

e m

ade

reas

onab

le se

curi

t y

arra

ngem

ent a

gain

st th

e ri

sk o

f una

utho

rize

d ac

cess

, CU

D o

f Co

mpl

aina

nt’s

PI: e

mai

l ac

coun

ts re

mai

n w

ithin

PB

com

pute

r net

wor

k;

netw

ork

mon

itore

d by

IT

serv

ices

dep

artm

ent f

or

thin

gs su

ch a

s sec

urity

th

reat

s, v

irus

es a

nd

unau

thor

ized

acc

ess;

em

ploy

ee e

ma i

l acc

ount

s ar

e pa

ssw

ord

prot

ecte

d an

d al

l em

ploy

ees m

ust

follo

w P

B IT

pol

icie

s [p

ara.

22]

. •

PB m

et is

dut

y un

der s

. 38

whe

n em

aile

d Co

mpl

aina

nt’s

PI.

103POLICYWISE

reas

onab

le a

nd d

irec

t co

nnec

tion

to th

e pu

rpos

e of

the

colle

ctio

n an

d w

as n

eces

sary

for

oper

atin

g a

lega

lly

auth

oriz

ed p

rogr

am o

f PB

[par

a. 19

]. N

o co

ntra

vent

ion

of P

art 2

of

FOIP

. P

2016

-02

20

16

Gra

ndin

Man

or

Ltd.

•

Cond

o un

it ow

ner

com

plai

ned

that

O

rgan

izat

ion

put u

p su

rvei

llanc

e sy

stem

no

t in

com

plai

nanc

e w

ith P

IPA.

Co

mpl

aine

d th

at n

o si

gns n

otify

ing

indi

vidu

als o

f ext

ent

of su

rvei

llanc

e an

d ex

tent

that

cam

eras

in

use

. Com

plai

ned

that

Con

do b

oard

re

view

ed fo

otag

e an

d us

ed in

fo fr

om

foot

age

to re

view

by

law

infr

actio

ns a

nd

to e

nfor

c e

com

plia

nce

with

co

ndo

byla

ws.

Co

mpl

aine

d th

at

Org

aniz

atio

n co

llect

ed h

is P

I with

ca

mer

as w

hen

he

scri

bble

d co

mm

ents

on

not

ice

post

ed b

y el

evat

or a

nd w

hen

use

info

to se

nd h

im

war

ning

lett

er a

bout

co

nduc

t.

• O

wne

rs h

ad p

asse

d re

solu

tion

to in

crea

se

surv

eill a

nce

in

cond

omin

ium

. The

y ac

ted

as

Org

aniz

atio

n.

• W

hen

visi

tors

vis

it co

ndom

iniu

m th

ey h

ave

suffi

cien

t not

ice

of p

rese

nce

of su

rvei

llanc

e th

at th

ey m

ay

be d

eem

ed to

con

sent

to

Org

aniz

atio

n’s c

olle

ctio

n of

PI

for p

urpo

ses o

f m

aint

aini

ng se

curi

ty o

f bu

ildin

g. P

urpo

se o

f de

terr

ing

vand

alis

m a

nd

prom

otin

g se

curi

ty in

bu

ildin

g; a

lso

to in

crea

se

valu

e of

pro

pert

y an

d m

ake

resi

dent

s fee

l saf

e.

• Su

rvei

llanc

e ca

mer

as

capt

ure

PI o

f ind

ivid

uals

in

disc

rmin

antly

.

• W

hen

Org

aniz

atio

n re

view

ed su

rvei

llanc

e fo

otag

e fo

r pur

pose

of

dete

rrin

g th

e Co

mpl

aina

nt fr

om

scri

bblin

g co

mm

ents

on

notic

es in

the

futu

re, i

t di

d so

for p

urpo

se fo

r w

hich

PIP

A re

quir

es it

to

obta

in c

onse

nt a

nd to

pr

ovid

er n

otic

e pr

ior t

o co

llect

ion.

•

Org

aniz

atio

n m

ust c

ease

co

llect

ing

and

usin

g PI

fr

om su

rvei

llanc

e ca

mer

as fo

r pur

pose

s ot

her t

han

obvi

ous

purp

oses

for h

avin

g su

rvei

llanc

e un

less

it fi

rst

prov

ided

app

ropr

iate

no

tice

unde

r PIP

A of

its

inte

ntio

n to

col

lect

and

us

e in

form

atio

n fo

r the

se

purp

oses

. •

Adju

dica

tor u

nabl

e to

say

that

scri

bblin

g no

tes o

n no

tices

is c

rim

inal

va

ndal

ism

, so

nto

sure

th

at fi

ts in

no

tice/

purp

ose.

•


Tab

le 4

. Bes

t pra

ctic

es d

icta

ted

by P

IPA

Tac

tics

Req

uire

d by

PIP

A

Det

ail

Priv

acy

polic

y §

Nee

d po

licie

s and

pro

cedu

res i

n pl

ace

to c

over

all

pers

onal

info

rmat

ion

that

is in

you

r cus

tody

(s

tore

d) o

r con

trol

(dec

ide

how

to u

se, d

iscl

ose,

stor

e an

d fo

r how

long

kee

p).

§ Po

licie

s sho

uld

cove

r §

Wha

t per

sona

l inf

orm

atio

n is

col

lect

ed?

§ H

ow o

btai

n co

nsen

t for

col

lect

ing,

usi

ng a

nd d

iscl

osin

g pe

rson

al in

form

atio

n?

§ H

ow u

se a

nd d

iscl

ose

pers

onal

info

rmat

ion?

§

How

ens

ure

that

ade

quat

e se

curi

ty m

easu

res a

re in

pla

ce?

§ W

here

is in

form

atio

n st

ored

? §

How

is it

secu

red?

§

Who

has

acc

ess t

o or

use

s it?

§

How

is in

form

atio

n di

spos

ed o

f?

§ H

ow p

roce

ss a

cces

s req

uest

s?

§ To

who

m is

it d

iscl

osed

? §

How

is d

iscl

osur

e de

cide

d?

§ H

ow re

spon

d to

enq

uiri

es a

nd c

ompl

aint

s?

§ Th

e re

ason

able

ness

test

indi

cate

s tha

t rev

iew

pri

vacy

and

info

han

dlin

g pr

oced

ures

for b

oth

new

an

d on

-goi

ng a

ctiv

ities

Pr

ivac

y of

fice

r §

Nee

d to

des

igna

te:

§ 1 o

r mor

e in

divi

dual

s to

mak

e su

re th

at th

e or

gani

zatio

n fo

llow

s the

rule

s in

PIPA

§

1 or m

ore

indi

vidu

als t

o be

the

cont

act p

erso

n(s)

for a

nsw

erin

g qu

estio

ns a

bout

PIP

A, ta

king

ac

cess

requ

ests

and

com

plai

nts r

elat

ed to

PIP

A §

Del

egat

e al

tern

ate

indi

vidu

als a

s ba

ck u

p.

Con

sent

§

Nee

d co

nsen

t of i

ndiv

idua

l to

§

Colle

ct p

erso

nal i

nfor

mat

ion

(fro

m in

divi

dual

or s

omeo

ne o

ther

than

indi

vidu

al)

§ U

se p

erso

nal i

nfor

mat

ion,

or

§ D

iscl

ose

pers

onal

info

rmat

ion

§ U

sual

ly g

et c

onse

nt a

t inf

orm

atio

n co

llect

ion

§ Co

nsen

t onl

y va

lid if

col

lect

ion

is re

ason

able

. Con

sent

doe

s not

per

mit

unre

ason

able

col

lect

ion

of

info

rmat

ion.

§

Cons

ent c

an b

e ex

pres

s (w

ritt

en o

r ver

bal;

elec

tron

ic o

r har

d co

py, b

ut e

lect

roni

c co

py sh

ould

be

turn

ed in

to h

ard

copy

), im

plie

d (v

olun

teer

info

rmat

ion

for a

n ob

viou

s pur

pose

and

reas

onab

le to

vo

lunt

eer;

don

’t ha

ve to

giv

e no

tice

beca

use

obvi

ous c

olle

ctin

g in

form

atio

n; if

not

obv

ious

then

ne

ed e

xpre

ss o

r opt

-out

) or n

ot o

ptin

g ou

t. §

If in

divi

dual

vol

unte

ers m

ore

pers

onal

info

rmat

ion

than

nee

ded

for p

urpo

se, o

rgan

izat

ion

cann

ot c

olle

ct, u

se o

r dis

clos

e th

e ex

tra

info

rmat

ion.

§

Base

d on

reas

onab

le e

xpec

tatio

ns in

cir

cum

stan

ces a

nd g

iven

sens

itivi

ty o

f inf

orm

atio

n §

Cons

ent m

ust b

e in

form

ed so

that

eno

ugh

info

rmat

ion

prov

ided

by

orga

niza

tion

on c

olle

ctio

n on

th

e pu

rpos

e of

col

lect

ion

and

prop

osed

use

of i

nfor

mat

ion

to m

ake

an in

form

ed d

ecis

ion.

§

Opt

-out

con

sent

is p

ossi

ble

whe

n

105POLICYWISE

§ O

rgan

izat

ion

info

rms i

ndiv

idua

l abo

ut th

e pu

rpos

e in

col

lect

ing,

usi

ng o

r dis

clos

ing

info

rmat

ion

§ G

ive

easy

-to-

unde

rsta

nd n

otic

e be

fore

or a

t tim

e of

col

lect

ion,

use

or d

iscl

osur

e §

Indi

vidu

als h

ave

reas

onab

le c

hanc

e to

say

no (r

e: fo

rmat

, pro

cedu

re, t

ime)

§

The

pers

onal

info

rmat

ion

is n

ot to

o se

nsiti

ve

§ In

divi

dual

can

cha

nge

or w

ithdr

aw c

onse

nt b

y gi

ving

org

aniz

atio

n re

ason

able

not

ice

(as l

ong

as it

do

es n

ot in

terf

ere

with

lega

l dut

y or

obl

igat

ion

betw

een

any

2 pa

rtie

s)

§ In

divi

dual

can

put

reas

onab

le te

rms a

nd c

ondi

tions

on

thei

r con

sent

§

Org

aniz

atio

n ca

nnot

mak

e co

nsen

t reg

ardi

ng p

erso

nal i

nfor

mat

ion

colle

ctio

n, u

se o

r dis

clos

ure

a co

nditi

on to

supp

ly a

pro

duct

or s

ervi

ce, i

f ask

ing

for t

he in

form

atio

n is

bey

ond

wha

t is r

equi

red

to g

ive

serv

ice.

§

The

cons

ent w

ill b

e de

emed

ille

gal a

nd in

valid

if fa

lse

or m

isle

adin

g m

eans

wer

e pu

rpos

ivel

y us

ed to

obt

ain

the

cons

ent.

Secu

rity

§

Take

reas

onab

le s

teps

to m

ake

sure

that

per

sona

l inf

orm

atio

n co

llect

ed, u

sed

or d

iscl

osed

is

accu

rate

and

com

plet

e.

§ U

pdat

ing

info

rmat

ion

to th

e ex

tent

reas

onab

le fo

r its

use

, rat

her t

han

rout

inel

y is

acc

epta

ble.

So,

fr

eque

ntly

use

d in

form

atio

n sh

ould

be

upda

ted

mor

e fr

eque

ntly

than

info

rmat

ion

used

rare

ly.

§ U

se re

ason

able

saf

egua

rds

(phy

sica

l, ad

min

istr

ativ

e an

d te

chni

cal)

to p

rote

ct p

erso

nal

info

rmat

ion

from

uns

anct

ione

d ac

cess

, mis

use,

thef

t, lo

ss, d

estr

uctio

n. S

afeg

uard

s sh

ould

be

appr

opri

ate

to th

e se

nsiti

vit y

of t

he in

form

atio

n.

§ Ex

ampl

es o

f phy

sica

l saf

egua

rds

incl

ude

§ Lo

ckin

g fil

e ca

bine

ts a

nd a

reas

whe

re fi

les

are

stor

ed w

hen

no o

ne is

ther

e.

§ A

llow

ing

only

em

ploy

ees

who

nee

d ac

cess

to s

tora

ge a

reas

or f

iling

cab

inet

s to

hav

e ac

cess

to

them

§

Cle

arin

g fil

es a

nd re

cord

s co

ntai

ning

per

sona

l inf

orm

atio

n of

f you

r des

k at

the

end

of th

e da

y §

Shre

ddin

g pa

pers

con

tain

ing

pers

onal

info

rmat

ion

rath

er th

an p

laci

ng th

em in

a g

arba

ge b

ag

or re

cycl

ing

bin.

§

Exam

ples

of a

dmin

istr

ativ

e sa

fegu

ards

incl

ude

§ Tr

aini

ng e

mpl

oyee

s on

pol

icie

s an

d ru

les

for p

rote

ctin

g pe

rson

al in

form

atio

n an

d th

e co

nseq

uenc

es o

f not

follo

win

g th

em

§ En

suri

ng th

at p

erso

nal i

nfor

mat

ion,

esp

ecia

lly s

ensi

tive

info

rmat

ion,

is a

cces

sibl

e on

ly to

th

ose

empl

oyee

s w

ho n

eed

to k

now

the

info

rmat

ion

§ St

orin

g on

ly a

s m

uch

pers

onal

info

rmat

ion

as n

eces

sary

on

mob

ile d

evic

es (e

.g. l

apto

ps, U

SB

flash

dri

ves)

§

Usi

ng c

over

she

ets

whe

n fa

xing

per

sona

l inf

orm

atio

n, a

nd e

stab

lishi

ng p

roto

cols

to e

nsur

e on

ly a

utho

rize

d re

cipi

ents

rece

ive

fax

(esp

ecia

lly fo

r sen

sitiv

e in

form

atio

n)

§ H

avin

g em

ploy

ees

take

an

oath

of c

onfid

entia

lity

§ C

ondu

ctin

g au

dits

to e

nsur

e em

ploy

ee c

ompl

ianc

e w

ith s

afeg

uard

pro

cedu

res.

§

Exam

ples

of t

echn

ical

saf

egua

rds

§ U

sing

equ

ipm

ent o

r sof

twar

e th

at tr

unca

tes

debi

t and

cre

dit c

ard

num

bers

on

rece

ipts


§ U

sing

pas

swor

d-pr

otec

ted

scre

ensa

vers

so

visi

tors

can

not s

ee in

form

atio

n on

com

pute

rs

§ U

sing

fire

wal

ls a

nd a

nti-v

irus

pro

gram

s on

com

pute

rs

§ U

sing

pas

swor

ds to

mak

e su

re o

nly

cert

ain

wor

kers

hav

e ac

cess

to in

form

atio

n on

co

mpu

ters

and

cha

ngin

g pa

ssw

ords

ofte

n §

Encr

yptin

g m

obile

ele

ctro

nic

devi

ces

cont

aini

ng p

erso

nal i

nfor

mat

ion

(e.g

. lap

tops

, USB

fla

sh d

rive

s)

§ Er

asin

g co

mpu

ter h

ard

driv

es b

efor

e yo

u se

ll or

don

ate

them

§

Ret

entio

n po

licie

s m

ust a

lso

be e

stab

lishe

d an

d ex

ecut

ed a

ppro

pria

tely

. Per

sona

l inf

orm

atio

n sh

ould

onl

y be

kep

t as

long

as

reas

onab

le to

car

ry o

ut b

usin

ess

or le

gal p

urpo

ses.

§

Whe

re a

ppro

ved

base

d on

fina

ncia

l, le

gal,

oper

atio

nal,

audi

t or a

rchi

val r

equi

rem

ents

, or

gani

zatio

ns m

ay fo

llow

thos

e ap

prov

ed re

tent

ion

peri

ods

or s

ched

ules

. §

Even

if a

n in

divi

dual

has

cha

nged

or w

ithdr

awn

his

or h

er c

onse

nt fo

r col

lect

ing,

usi

ng o

r di

sclo

sing

info

rmat

ion,

an

orga

niza

tion

may

kee

p th

at in

form

atio

n if

ther

e ar

e le

gal o

r bus

ines

s re

ason

s to

do

so (b

ut c

anno

t use

or d

iscl

ose

that

info

rmat

ion)

. A

cces

s an

d co

rrec

tion

requ

ests

Se

e T

able

2

107POLICYWISE

Tab

le 4

. The

cat

egor

ies

of “

heal

th in

form

atio

n” u

nder

HIA

.

Typ

e of

“H

ealth

info

rmat

ion”

In

clud

ed C

ateg

orie

s “D

iagn

ostic

, tre

atm

ent a

nd c

are

info

rmat

ion”

•

The

phys

ical

and

men

tal h

ealth

of a

n in

divi

dual

•

A “

heal

th s

ervi

ces”

(def

initi

on H

IA s

. 1(1

)(m

)) p

rovi

ded

to a

n in

divi

dual

for t

he

purp

oses

of:

• Pr

otec

ting,

pro

mot

ing

or m

aint

aini

ng p

hysi

cal a

nd m

enta

l hea

lth;

• Pr

even

ting

illne

ss;

• D

iagn

osin

g an

d tr

eatin

g ill

ness

; •

Reh

abili

tatio

n; o

r •

Car

ing

for t

he h

ealth

nee

ds o

f the

ill,

disa

bled

, inj

ured

or d

ying

; •

Don

atio

n by

an

indi

vidu

al o

f a b

ody

part

or s

ubst

ance

, inc

ludi

ng in

form

atio

n de

rive

d fr

om th

e te

stin

g or

exa

min

atio

n of

a b

ody

part

or b

odily

sub

stan

ce;

• A

dru

g as

def

ined

in th

e Ph

arm

acy

and

Dru

g A

ct p

rovi

ded

to a

n in

divi

dual

; •

A h

ealth

car

e ai

d, d

evic

e, p

rodu

ct, e

quip

men

t or o

ther

item

pro

vide

d to

an

indi

vidu

al p

ursu

ant t

o a

pres

crip

tion

or o

ther

aut

hori

zatio

n;

• Th

e am

ount

of a

ny b

enef

it pa

id o

r pay

able

und

er th

e A

lber

ta H

ealth

Car

e Ins

uran

ce

Act

or a

ny o

ther

am

ount

pai

d or

pay

able

in re

spec

t of a

hea

lth s

ervi

ce p

rovi

ded

to

an in

divi

dual

; and

•

Any

oth

er in

form

atio

n ab

out a

n in

divi

dual

that

is c

olle

cted

whe

n a

heal

th s

ervi

ce is

pr

ovid

ed to

the

indi

vidu

al b

ut d

oes

not i

nclu

de in

form

atio

n th

at is

not

wri

tten,

ph

otog

raph

ed, r

ecor

ded

or s

tore

d in

som

e m

anne

r in

a re

cord

. •

The

follo

win

g in

form

atio

n ab

out t

he h

ealth

ser

vice

pro

vide

r atte

ndin

g to

the

indi

vidu

al:

• N

ame;

•

Busi

ness

title

; •

Busi

ness

mai

ling

addr

ess

and

busi

ness

ele

ctro

nic

addr

ess;

•

Busi

ness

tele

phon

e nu

mbe

r and

bus

ines

s fa

csim

ile n

umbe

r; •

Type

of h

ealth

ser

vice

s pr

ovid

er;

• Li

cens

e nu

mbe

r or a

ny o

ther

num

ber a

ssig

ned

to th

e he

alth

ser

vice

s pr

ovid

er b

y a

heal

th p

rofe

ssio

nal b

ody

to id

entif

y th

at h

ealth

ser

vice

s pr

ovid

er;

• Pr

ofes

sion

; •

Job

clas

sific

atio

n;

• Em

ploy

er;

• M

unic

ipal

ity in

whi

ch th

e he

alth

ser

vice

s pr

ovid

er’s

pra

ctic

e is

loca

ted;

•

Prov

inci

al s

ervi

ce p

rovi

der i

dent

ifica

tion

num

ber t

hat i

s as

sign

ed to

the

heal

th

serv

ices

pro

vide

r by

the

Min

iste

r to

iden

tify

the

heal

th s

ervi

ces

prov

ider

; •

Any

oth

er in

form

atio

n sp

ecifi

ed in

the

regu

latio

ns.


“Reg

istr

atio

n in

form

atio

n”

• Ba

sic

info

rmat

ion

colle

cted

whe

n in

divi

dual

s re

gist

er to

rece

ive

heal

th s

ervi

ces.

The

in

form

atio

n is

pri

mar

ily u

sed

to d

eter

min

e el

igib

ility

and

for b

illin

g pu

rpos

es. T

his

info

rmat

ion

wou

ld in

clud

e:

• D

emog

raph

ic in

form

atio

n, in

clud

ing

the

indi

vidu

al’s

per

sona

l hea

lth n

umbe

r; •

Loca

tion

info

rmat

ion;

•

Tele

com

mun

icat

ions

and

info

rmat

ion;

•

Res

iden

cy in

form

atio

n;

• H

ealth

ser

vice

s el

igib

ility

info

rmat

ion;

and

•

Billi

ng in

form

atio

n, in

clud

ing

an in

divi

dual

’s a

ccou

nt n

umbe

r.

109POLICYWISE

Tab

le 5

. Cop

yrig

ht L

icen

se p

artic

ular

s fo

r Sta

tistic

s C

anad

a

o

As

of F

ebru

ary

1, 2

012,

info

rmat

ion

publ

ishe

d by

Sta

tistic

s Can

ada

(SC)

aut

omat

ical

ly c

over

ed b

y th

e O

pen

Lice

nse

with

the

exce

ptio

n of

Sta

tistic

s Can

ada’

s pos

tal p

rodu

cts a

nd P

ublic

Use

Mic

roda

ta F

iles (

PUM

Fs).

o

Lice

nse

agre

emen

t can

use

SC

info

rmat

ion

with

out r

estr

ictio

ns o

n sh

arin

g an

d re

dist

ribu

tion,

for c

omm

erci

al a

nd n

on-c

omm

erci

al

purp

oses

. Mus

t alw

ays a

ckno

wle

dge

SC a

s sou

rce

of d

ata

and

adhe

re to

con

ditio

ns o

f SC

Ope

n Li

cens

e.

§ By

usi

ng d

ata,

one

acc

epts

all

term

s and

con

ditio

ns o

f Ope

n Li

cens

e.

§ G

ive

full

cred

it to

SC

if us

ed o

r ref

erre

d to

in st

udy,

art

icle

s, p

aper

s or o

ther

rese

arch

wor

ks.

o

Aggr

egat

e da

ta a

vaila

ble

thro

ugh

CAN

SIM

and

Cen

sus w

ebsi

te =

Ope

n D

ata,

gov

erne

d by

SC

Ope

n Li

cens

e Ag

reem

ent

§ W

orld

wid

e, ro

yalty

-fre

e, n

on-e

xclu

sive

lice

nse

to u

se/r

epro

duce

/pub

lish/

free

ly-d

istr

ibut

e/se

ll th

e in

form

atio

n/va

lue-

adde

d pr

oduc

ts, a

nd su

blic

ense

. o

PU

MFs

subj

ect t

o D

ata

liber

atio

n In

itiat

ive

(DLI

) Lic

ense

(pos

sibl

y id

entif

iabl

e da

ta),

whi

ch h

as fo

llow

ing

key

term

s of l

icen

se su

ch

that

Mic

roda

ta fi

les:

§

Shal

l be

used

for s

tatis

tical

and

rese

arch

pur

pose

s. N

o ot

her p

urpo

se u

nles

s pri

or w

ritt

en c

onse

nt o

f SC

§ Sh

all b

e us

ed b

y ed

ucat

ors,

stud

ents

and

staf

f. Sh

all n

ot b

e re

prod

uced

and

tran

smitt

ed to

out

side

per

son

or o

rgan

izat

ion.

§

Shal

l NO

T be

mer

ged

or li

nked

with

oth

er d

atab

ases

for p

urpo

se o

f att

empt

ing

to id

entif

y an

indi

vidu

al p

erso

n, b

usin

ess o

r or

gani

zatio

n §

Shal

l not

be

pres

ente

d in

a m

anne

r tha

t giv

es a

ppea

ranc

e th

at u

ser m

ay h

ave

rece

ived

, or h

ad a

cces

s to,

info

rmat

ion

held

by

SC a

bout

any

iden

tifia

ble

pers

on, b

usin

ess o

r org

aniz

atio

n.

§ Pr

ovid

ed so

ftwar

e sh

all N

OT

be d

isas

sem

bled

, dec

ompi

led

or in

any

way

reve

rse

engi

neer

ed.

o

Publ

icat

ions

of a

ny in

form

atio

n ba

sed

on P

UM

Fs m

ust u

se st

ipul

ated

acc

redi

tatio

n.

Fo

und

at h

ttp:

//lib

guid

es.u

sask

.ca/

copy

righ

t/st

ats.


111POLICYWISE

1. Committee on Transborder Flow of Scientific Data NRC. Bits of power: Issues in global access to scientific data. 1997.

2. Alberta Go. Information Sharing Strategy - Supporting Social-Based Service Delivery. 2016 November 1, 2016. Report No.

3. Idealware. The State of Nonprofit Data. Portland, OR: 2012.

4. Cave J. A shifting sector: emerging trends for Canada’s nonprofits in 2016. The Philanthropist. 2016.

5. Lenczner MP, S.;. From Stories to Evidence: How Mining Data Can Promote Innovation in the Nonprofit Sector. Technology Innovation Management Review. 2012:10-5.

6. Network ON. Towards a Data Strategy for the Ontario Nonprofit Sector. Toronto, ON: 2015.

7. Companies Act, Stat. C-21 (2000).

8. Societies Act, Stat. S-14 (2000).

9. Charitable Fund-raising Act, Stat. c. C-9 (2000).

10. Center IK. Data Sharing Concepts and Terminology. 1990, 2014. In: z/OS MVS Programming: Sysplex Services Guide [Internet]. IBM Corporation.

11. Council; MR. Data Sharing Glossary London, UK: Medical Research Council.

12. Van Ymeren J. An Open Future: Data priorities for the not-for-profit sector. Toronto, ON: The Mowat Centre’s Not-For-Profit Research Hub, 2015 February, 2015. Report No.: Contract No.: Mowat Re search #107.

13. Personal Information Protection Act, Stat. P-6.5 (2003).

14. Personal Information Protection and Electronic Documents Act, Stat. c. 5 (2000).

15. McLeod Grant HC, L.R.;. Creating High-Impact Nonprofits. Stanford Social Innovation Review. 2007;Fall 2007:32-41.

16. de Las Casas LG, T.; Pritchard, D.;. The Power of Data: Is the Charity Sector Ready to Plug In? London, UK: 2013.

17. Warren SDB, L.D.;. The Right to Privacy. Harvard Law Review. 1890;4(5):193-220.

18. Solove DJ. A Taxonomy of Privacy. University of Pennsylvania Law Review. 2006;154(3):477-560.

19. Freedom of Information and Protection of Privacy Act, Stat. F-25 (2000).

R E F E R E N C E S


20. Health Information Act, Stat. c. H-5 (2000).

21. A Guide for Businesses and Organizations on the Personal Information and Privacy Acti. Edmonton, AB: Service Alberta, 2008.

22. McKinley A. The Effect of Privacy and Anti-Spam Legislation on Charities and Non-Profits. Advising Charities, Not-for-Profits and Social Enterprises 2013/2014 (Seminar); December 4, 2013; Calgary, AB: Legal Education Society of Alberta; 2013.

23. Development TOfEC-oa. Thirty Years After: The OECD Privacy Guidelines. Paris: 2011.

24. Ohm P. Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization. UCLA Law Review. 2010;57:1701-77.

25. El Emam K, Buckeridge D, Tamblyn R, Neisa A, Jonker E, Verma A. The re-identification risk of Canadians from longitudinal demographics. BMC medical informatics and decision making. 2011;11:46. Epub 2011/06/24. doi: 10.1186/1472-6947-11-46. PubMed PMID: 21696636; PubMed Central PMCID: PMCPMC3151203.

26. Malin BA, Emam KE, O’Keefe CM. Biomedical data privacy: problems, perspectives, and recent advances. Journal of the American Medical Informatics Association : JAMIA. 2013;20(1):2-6. Epub 2012/12/12. doi: 10.1136/amiajnl-2012-001509. PubMed PMID: 23221359; PubMed Central PM CID: PMCPMC3555341.

27. Legal Aid Society of Alberta. Office of the Information & Privacy Commissioner of Alberta: Office of the Information & Privacy Commissioner of Alberta; 2013.

28. Lindsay Park Sports Society. Office of the Information and Privacy Commissioner of Alberta; 2007.

29. Canadian Skin Cancer Foundation. Office of the Information and Privacy Commissioner of Alberta; 2008.

30. Fairways Villa South Homeowners’ Association. Office of the Information and Privacy Commissioner of Alberta; 2011.

31. Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner). ABCA; 2011. p. 94.

32. Alberta Go. Health Information Act: Guidelines and Practices Manual. Edmonton, AB: 2011.

33. Health Information Regulation, Stat. 70/2001 (2001).

34. Carroll MW. Sharing Research Data and Intellectual Property Law: A Primer. PLoS biology. 2015;13(8):1-11. doi: 10.1371/journal.pbio.1002235.

35. Canada; CIoHRNSaERCoCSSaHRCo. Tri-Council Policy Statement: Ethical Conduct of Research Involving Humans. 2010.

113POLICYWISE

36. Board; CHRE. Comparison of the Characteristics of Research and Quality Improvement/Quality Assurance/Program Evaluation Activities. 2017 January 30, 2017. Report No.

37. Solutions AI-H. A pRoject Ethics Community Consensus Initiative (ARECCI). Edmonton, AB: 2015.

38. Guidelines for differentiating among Research, Program Evaluation and Quality Improvement: Dalhousie University; [February 22, 2017].

39. Berens JM, U.; Verhulst, S.;. Mapping and Comparing Responsible Data Approaches. GovLab and Centre for Innovation, Leiden University, 2016 June 2016. Report No.

40. Karunakara U. Data Sharing in a Humanitarian Organization: The Experience of Médecins Sans Frontières. PLoS medicine. 2013;10(12):e1001562. doi: 10.1371/journal.pmed.1001562.

41. Folkes C. Understanding Nonprofit Data Governance LinkedIn2013 [cited 2017 May 15, 2017]. Available from: https://www.slideshare.net/CathyFolkesCFRE/understanding-nonprofit-data- governance.

42. Network; ON. Data Strategy Toronto: Ontario Nonprofit Network; 2016 [cited 2017 March 24, 2017]. Available from: http://theonn.ca/our-work/our-partnerships/data-strategy/ #1467045087069-8c6d1de7-a236.

43. Foundation; V. Open Licensing Initiative Vancouver: Vancouver Foundation; 2015 [cited 2017 Mar 22, 2017]. Available from: https://www.vancouverfoundation.ca/our-work/initiatives/open- licensing-initiative.

44. McCort K. Open Policies Unlock Our Full Potential Vancouver: Vancouver Foundation; 2015 [cited 2017 March 22, 2017]. Available from: https://www.vancouverfoundation.ca/whats-new/open- policies-unlock-our-full-potential.

S U G G E S T E D C I TAT I O N

Manhas, Kiran Pohar. Law & Governance of Secondary Data Use: Obligations of Not-for-Profit Organiza-

tions in Alberta. Edmonton, AB: PolicyWise for Children & Families, 2017.

Released: August 22nd, 2017

[email protected]

(780) 944 8630

www.policywise.com

601, 9925-109 Street

Edmonton, AB, Canada T5K 2J8

C O N TA C T U S

P O L I C Y W I S E

PolicyWise for Children & Families exists to improve well-being by leading, creating, enabling and mobi-

lizing research and evaluation for evidence-informed policy and practice.

PolicyWise was established as a not-for-profit corporation in 2003 and is a partnership between Alberta’s

universities, the community and the Government of Alberta. We are a provincial organization, governed

by a Board of Directors, managed by a President and CEO and supported by a team of individuals with

expertise in applied research, data science, knowledge mobilization, communications and administration.

PolicyWise distinguishes itself through its focus on mobilizing evidence to inform social policy, collabo-

rative approach and organizational structure: a formal bridge between government, academia, and the

community.

S A G E

SAGE (Secondary Analysis to Generate Evidence) is a collaborative data repository platform that aims to

connect stakeholders through secondary use of data. Research data, community service data, and admin-

istrative data related to health and social well-being is managed and shared through SAGE. SAGE increases

the value of data by providing the infrastructure, processes and governance to bring stakeholders together

to use data in new ways and inform social policy and practice.