VIU Workshop: Creating a Culture of Privacy Awareness

VIU Workshop:Creating a Culture of Privacy Awareness

June 12, 2013By Justin Hodkinson

OIPC Policy Analyst/Investigator

Office of theInformation &

PrivacyCommissioner

for British Columbia

Protecting privacy. Promoting transparency.

Agenda

Protection of Privacy 60 minutesPrivacy Quiz 5 minutesCoffee/Tea Break 10 minutesFIPPA Basics 25 minutesQuestion Period 20 minutesExam 20 minutes

Office of the Information & Privacy Commissioner


VIU Privacy Policies

Arriving Soon!



Privacy Breaches

Not a question of IF But a question of WHEN & HOW BIG



Common Privacy BreachesStolen laptops or local hard drives

Lost or stolen documentsBlowing out of garbage trucksLost, stolen or misplaced recycling binsFiles on car roofs

Inappropriate or unauthorized behaviourBrowsing databaseBlogs

Inadvertent disclosuresMailing system errorsFaxing errors



Protecting PI Outside off Campus



F12-02U of Vic Investigation Report

Importance of a Privacy Management Framework

& Encryption



Layering Approach to Security



Social Media Background Checks



Issues with Social Media Background Checks

• Accuracy• Collecting irrelevant or too

much information• Overreliance on consent• Third party information



Before you check…remember Personal information you collect is subject to FIPPA

Consider less intrusive ways to meet your purpose

Assess the risks

Ensure you have authority to collect

Develop policies and procedures to address risks

Be prepared to respond to requests for access, correction or for withdrawal of consent



… don’t

x Wait until after you check to assess the risks

x Assume you are only collecting information about one person

x Assume that the information will be accurate

x Use a personal account to perform the check

x Ask a 3rd party to do the check

x Think the person will not find out



What is Cloud Computing?



Weighing Your Options



Cloud Computing: Issues



What should you ask your prospective cloud provider?



What should you ask yourself?



Privacy Emergency Kit

• What data can VIU share during an emergency?



VIU Alumni Association’s Use of PI



Sharing PI between VIU Departments



Sharing Health Information



PIAs & Self-Generated Research



S. 35 of FIPPA Research Agreements



Sharing Students’ Email Addresses



Privacy Quiz Time!

Office of theInformation &

PrivacyCommissioner


Protecting privacy. Promoting transparency.

Presented by: Justin Hodkinson, Investigator



1. What does P.I.A. really mean?



2. Where can you store personal information?



3. Retention



4. Who are you gonna call?

5. Speed Round

The Dean of the Business Department approaches you, the Registrar, & asks for a student’s home address. The Dean explains that she has reason to believe that the student is about to commit suicide & she wants to warn the student’s older sister, who still lives with their parents.

How would you respond to this request for student information?



Web Cam &Video Surveillance



More InformationVideo Surveillance:http://www.oipc.bc.ca/news/rlsgen/Video_Surveillance_Guidelines(March2008).pdf

Social Media Background checks:http://www.oipc.bc.ca/pdfs/private/Guidelines-SocialMediaBackgroundChecks.pdf

Cloud Computing: http://www.oipc.bc.ca/pdfs/private/Cloud_computing_for_SMEs_guidance_document.pdf



FOI ACCESS



10 Principles for Privacy Compliance

Be accountableIdentify the purpose

Obtain consentLimit collection, use, disclosure

Limit retentionBe accurate

Use appropriate safeguardsBe open

Give accessChallenging compliance



About the OIPC…• Independent office of the Legislature

• Oversees privacy and access issues in the public (FIPPA) and private sector (PIPA)

• Power to investigate, mediate & adjudicate

• Guidelines, public education & reports

Role of the OIPC





What is “personal information” ?

Information that can identify an individual: name, address, phone number, ID number.

Information about an identifiable individual: physical description, educational qualifications, blood type.



Access basics• Anyone can ask for their own personal information• Student can ask for exam questions but VIU will not

disclose them• Must remove certain information• May remove other information

What is purpose of FIPPA?FIPPA passed in 1992 -

Purposes of this Act

2 (1) The purposes of this Act are to make public bodies more accountable to the public and to protect personal privacy by

(a) giving the public a right of access to records,

(b) giving individuals a right of access to, and a right to request correction of, personal information about themselves,

(c) specifying limited exceptions to the rights of access(d) Preventing the unauthorized collection, use or disclosure of

personal information by public bodies, …





Duty to Assist Applicants



Access Request Basics

Employee Records & Investigations





Time Limits

Reasons for Extensions





Safeguarding basics

Security Practices

Retention Practices

Disposal Practices

Custody & Control



Clarify Requests & Talk with Applicants



Fees



Fee Estimates



Questions?





Thank you

Office of the Information and PrivacyCommissioner for British Columbia Telephone: (250) 387-5629 (general) (250) 387-0035 (my direct line)

Toll-free access call Enquiry BC at one of the numbers listed below and request a transfer to (250) 387-5629: Vancouver: (604) 660-2421 Elsewhere in BC: (800) 663-7867

Email: [email protected] or [email protected]: (250) 387-1696

mailto:[email protected]

Documents

VIU Workshop: Creating a Culture of Privacy Awareness