FIPPA and MFIPPA: Bill 8 The Recordkeeping Amendments



Similar documents
Instant Messaging and Personal Accounts: Meeting Your Access and Privacy Obligations

Brian Beamish. Commissioner (Acting) Ontario Information and Privacy Commission. Cyber Risk National Conference February 9, 2015

BOARD POLICY POLICY TITLE. Records and Information Management 1.0 PURPOSE

Privacy Breach Protocol

Submission to the Standing Committee on Industry. Bill C-54, Personal Information Protection and Electronic Documents Act. Information and Privacy

BPS ACCOUNTABILITY LEGISLATION PASSES WITH SIGNIFICANT AMENDMENTS

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER

2 Bloor Street East Suite 1400 Toronto, Ontario M4W 1A8

FINAL May Guideline on Security Systems for Safeguarding Customer Information

What s New in Access, Privacy and Health Care. Brian Beamish Commissioner. Ontario Connections May 21, 2015

Data Compliance. And. Your Obligations

Information and Privacy Commissioner of Ontario. Guidelines for the Use of Video Surveillance Cameras in Public Places

A Guide to Ontario Legislation Covering the Release of Students

Strengthening Public Sector Transparency and Privacy

Ann Cavoukian, Ph.D.

Information and Privacy Commissioner of Ontario. Guidelines for Using Video Surveillance Cameras in Schools

Personal Information Protection and Electronic Documents Act

ORDER MO Appeal MA Toronto Police Services Board. May 27, 2015

Electronic Records: Maximizing Best Practices

How To Manage Records And Information Management In Alberta

LONDON PUBLIC LIBRARY POLICY

The Journey to Create Document Standards and Guidelines for Occupational Therapists. Christine Fleming Legislation and Bylaws Committee

ORDER MO Appeal MA The Regional Municipality of Niagara

Policy Document RECORDS MANAGEMENT POLICY

Data Security and Extranet

Backgrounder IN YOUR INSTITUTION

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

Records Management - Department of Health

How To Ensure Health Information Is Protected

Privacy Investigation: The Toronto Police Service s use of Mobile Licence Plate Recognition Technology to find stolen vehicles

Moving Information: Privacy & Security Guidelines

Personal Health Information Privacy Policy

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Credit Union Code for the Protection of Personal Information

Bill 8 Public Sector and MPP Accountability and Transparency Act, 2014

PLEASE NOTE. For more information concerning the history of this Act, please see the Table of Public Acts.

RECORD AND INFORMATION MANAGEMENT FRAMEWORK FOR ONTARIO SCHOOL BOARDS/AUTHORITIES

OHA BACKGROUNDER Bill 8, Public Sector and MPP Accountability and Transparency Act, 2014

Association of Professional Geoscientists of Ontario Records Management Policy

Rainy River District School Board SECTION 2

CORK INSTITUTE OF TECHNOLOGY

Order F14-46 UNIVERSITY OF BRITISH COLUMBIA. Hamish Flanagan Adjudicator. November 4, 2014

Public records. Division: Employment & Social Services. Introduction

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper

The Archives and Public Records Management Act

University of Limerick Data Protection Compliance Regulations June 2015

INSTITUTE OF TECHNOLOGY TALLAGHT RECORD MANAGEMENT & RETENTION POLICY

What is involved if you are asked to provide a Police Background Check?

We ask that you contact our Privacy Officer in the event you have any questions or concerns regarding this Code or its implementation.

SAFEGUARDING PRIVACY IN A MOBILE WORKPLACE

LONDON DOWNTOWN CLOSED CIRCUIT TELEVISION (CCTV) PROGRAM CODE OF PRACTICE CITY OF LONDON, ONTARIO

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Metadata, Electronic File Management and File Destruction

PERSONAL HEALTH INFORMATION PROTECTION ACT, 2004: AN OVERVIEW FOR HEALTH INFORMATION CUSTODIANS

University of Louisiana System

Administrative Procedures Memorandum A2005

COUNCIL POLICY R180 RECORDS MANAGEMENT

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK

Non-Profit Records Management Tool Kit

BODY ARMOUR CONTROL ACT

Guidelines on Facsimile Transmission Security

Table of Contents. Acknowledgement

WHEREAS, the City of Shavano Park wishes to clarify the procedures for the organization, maintenance, disposition and destruction of City Records;

FOIP: A Guide. Revised November 2006 (updated to reflect A.R. 186/2008)

9. GOVERNANCE. Policy 9.8 RECORDS MANAGEMENT POLICY. Version 4

A Resource for Parents, Teachers, and Administrators

Document Management in the FIPPA Era

Taking care of what s important to you

Ownership, Storage, Security and Destruction of Records of Personal Health Information STANDARD OF PRACTICE S-022 INTENT DESCRIPTION OF STANDARD

Responsibilities of Custodians and Health Information Act Administration Checklist

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

DATA PROTECTION POLICY

4.10 Information Management Policy

RUTGERS POLICY. Approval Authority: Executive Vice President for Academic Affairs and Senior Vice President for Administration

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

Cloud Computing Contracts. October 11, 2012

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual

Record Keeping. Guide to the Standard for Professional Practice College of Physiotherapists of Ontario

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

West Midlands Police and Crime Commissioner Records Management Policy 1 Contents

Information Governance Management Framework

ORDER MO-2114 Appeal MA York Regional Police Services Board

Ministry of Children and Family Development (MCFD) Contractor s Information Management Guidelines

Scotland s Commissioner for Children and Young People Records Management Policy

The 7 Foundational Principles. Implementation and Mapping of Fair Information Practices. Ann Cavoukian, Ph.D.

Corporate Policy and Procedure

Access and Privacy Manual

Chapter RECORDS MANAGEMENT Sections:

Crimes (Computer Hacking)

RECORDS MANAGEMENT POLICY

DELAWARE PUBLIC ARCHIVES POLICY STATEMENT AND GUIDELINES MODEL GUIDELINES FOR ELECTRONIC RECORDS

RECORDS MANAGEMENT POLICY

Somerset County Council - Data Protection Policy - Final

Records Management. 1. Introduction. 2. Strategic Plan Desired Outcomes

DATA PROTECTION ACT 1998 COUNCIL POLICY

Data Protection Act. Privacy & Security in the Information Age. April 26, Ministry of Communications, Ghana

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

Privacy Management Program Toolkit Health Custodians Personal Health Information Act

Student Records. 4. Data Security: Upper Yarra Community House Inc. will protect the personal information it

CHAPTER 9 RECORDS MANAGEMENT (Revised April 18, 2006)

Transcription:

FIPPA and MFIPPA: Bill 8 The Recordkeeping Amendments December 2015

CONTENTS Introduction...1 The Amendments What s New?...1 Is My Institution Required to Comply With These Provisions?...2 What are Records?...2 What are the Requirements?...3 What are Reasonable Measures?...3 Implementation Strategies...4 Information Management Strategies...5 Duty to Document...6 The Offence for Intentional Destruction or Alteration of Records...6

INTRODUCTION The public s ability to scrutinize the activities and decisions of its government in an informed manner is a cornerstone of democracy. The right to access information held by the government is essential to this ability and forms the basis of the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). This right of access depends on the appropriate management and preservation of records. In 2013, the Information and Privacy Commissioner of Ontario (IPC) investigated allegations of inappropriate destruction of email records. Following the investigation, the IPC made a number of recommendations in its special investigation report titled Deleting Accountability: Records Management Practices of Political Staff. These recommendations included a number of proposed amendments to FIPPA and MFIPPA that are reflected in the Public Sector and MPP Accountability and Transparency Act, 2014. The Act received Royal Assent on December 11, 2014, and is effective as of January 1, 2016. Schedule 6 of the Act amends FIPPA and MFIPPA to include requirements for institutions to ensure the preservation of records (amendments). As a result of the amendments, heads of institutions will be required to take reasonable measures to preserve records in their custody or control. The amendments apply to all stages of the information life cycle including when records are developed, maintained, retained, destroyed or archived in accordance with recordkeeping or record retention requirements, rules or policies. In addition, the recordkeeping amendments make it an offence to alter, conceal or destroy a record, or cause any other person to do so, with the intention of denying a right under FIPPA or MFIPPA to access the record or the information contained in the record. If convicted of this offence, a person could be fined up to $5,000. As the body that oversees compliance with FIPPA and MFIPPA, the IPC strongly supports the amendments because they will bring increased transparency and accountability to Ontario institutions. This paper has been prepared to help institutions understand their responsibilities under the recordkeeping amendments to FIPPA and MFIPPA, as well as to develop and implement plans to address these provisions. THE AMENDMENTS WHAT S NEW? The Act includes the following amendments to FIPPA and MFIPPA: 1. Measures to ensure the preservation of records (section 10.1 of FIPPA and section 4.1 of MFIPPA): Every head of an institution shall ensure that reasonable measures respecting the records in the custody or under the control of the institution are developed, FIPPA and MFIPPA: Bill 8 The Recordkeeping Amendments 1

documented and put into place to preserve the records in accordance with any recordkeeping or records retention requirements, rules or policies, whether established under an Act or otherwise, that apply to the institution. 2. New offence for the intentional destruction or alteration of records (section 61(1)(c.1) of FIPPA and section 48(1)(c.1) of MFIPPA): No person shall, alter, conceal or destroy a record, or cause any other person to do so, with the intention of denying a right under this Act to access the record or the information contained in the record; 1 IS MY INSTITUTION REQUIRED TO COMPLY WITH THESE PROVISIONS? The heads of institutions subject to FIPPA or MFIPPA must comply with these new provisions. WHAT ARE RECORDS? A record is defined in section 2 of both FIPPA and MFIPPA as: any record of information however recorded, whether in printed form, on film, by electronic means or otherwise, and includes, (a) correspondence, a memorandum, a book, a plan, a map, a drawing, a diagram, a pictorial or graphic work, a photograph, a film, a microfilm, a sound recording, a videotape, a machine readable record, any other documentary material, regardless of physical form or characteristics, and any copy thereof, and (b) subject to the regulations, any record that is capable of being produced from a machine readable record under the control of an institution by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the institution; Previous IPC orders have found that while the types of documents listed in the definition are not exhaustive, 2 the information must be recorded. 3 1 For more information on the prosecution of offences, please see sections 61(3) and (4) of FIPPA and sections 48(4) and (5) of MFIPPA. 2 See IPC Order M-893. 3 See IPC Order MO-1989. 2 FIPPA and MFIPPA: Bill 8 The Recordkeeping Amendments

WHAT ARE THE REQUIREMENTS? The recordkeeping amendments require that heads of institutions implement reasonable measures to ensure that records are preserved in accordance with recordkeeping or record retention requirements, rules or policies (rules). Most institutions will already have rules in place. They may appear in by-laws, policies, procedures or legislation. Institutions with rules in place are responsible for ensuring that reasonable measures are implemented to preserve records in accordance with those rules. Institutions that do not yet have rules in place should develop and implement such rules. WHAT ARE REASONABLE MEASURES? The recordkeeping amendments do not specify the precise measures that should be taken to preserve an institution s records. Rather, the adequacy of an institution s measures will be evaluated on an objective basis against a standard of reasonableness. The reasonableness of the measures will be assessed having regard to all of the relevant circumstances, which may include (but are not limited to): 1. SIZE OF INSTITUTION AND AVAILABLE RESOURCES How large is your institution? How many records are accumulated on an annual basis and what is the nature of these records? What human, financial and technical resources are available to your institution? Records management plans should consider matters such as on- and off-site storage, security for storage facilities (locks on cabinets or doors), secure electronic storage, access privileges and even protections in the case of fire or water damage. The approach that your institution adopts may require investments in storage solutions or staff time. However, it is important to remember that there are many ways to approach record retention practices. It may not be necessary to purchase expensive software to organize and maintain your institution s records. You should review your institution s existing record retention practices and resources to determine if improvements can be made that will allow existing resources to be reused. 2. FORMAT OF RECORDS Many institutions retain information in a variety of formats, such as emails, videos and photographs, or unique data collections, such as geospatial data. It is important to remember that FIPPA and MFIPPA define records broadly. Consequently, you must ensure that you consider all formats of records when determining what measures are appropriate for preserving them. FIPPA and MFIPPA: Bill 8 The Recordkeeping Amendments 3

That being said, some formats are not well suited for documenting your institution s business affairs. For example, accessing information contained in internal instant messaging programs may be more difficult and costly than producing information contained in email records. As such, if your institution has not already implemented the means to retain text or instant messages, we recommend that these media be avoided when discussing or corresponding about your institution s business affairs. IMPLEMENTATION STRATEGIES Implementing new recordkeeping practices within your institution may require a significant cultural shift, and as a result, the commitment of leadership to support change is key. The following tips can help your institution develop implementation plans: 1. UNDERSTAND YOUR REQUIREMENTS It is crucial that you understand the recordkeeping rules that apply to your institution. For example, the ministries and designated agencies, boards and commissions of the Ontario Public Service are required to meet the obligations of the Archives and Recordkeeping Act, 2006 and record retention schedules approved under that statute. Many municipalities have by-laws that address record retention or management. Before developing your plan to address compliance with the recordkeeping amendments to FIPPA and MFIPPA, consult with your legal, policy and administrative teams to ensure that your plans address all existing legislative or policy requirements. 2. GET BUY IN EARLY To effectively implement new recordkeeping practices within your institution, there must be strong buy in and commitment from senior management, as well as front line staff. Virtually all staff create or handle records on a daily basis. It is imperative that both senior management and front line staff understand the importance of implementing any new recordkeeping practices and the potential consequences of failing to comply with the new requirements. 3. DEVELOP DOCUMENTATION Develop clearly written, plain language policies that incorporate practical examples that explain the measures to be taken to preserve records. Your policies should address physical security, technological security and administrative controls to ensure the security of your records. 4 Physical security measures could include locked filing cabinets and restricted access. Technological security measures could include the use of passwords, user IDs, encryption and firewalls. Finally, administrative controls could include staff training and confidentiality agreements. 4 See IPC Fact Sheet: Safeguarding Personal Health Information. 4 FIPPA and MFIPPA: Bill 8 The Recordkeeping Amendments

Clearly define the categories of records created by your institution and set out the requirements to maintain the records based on their contents, rather than their format. Document all components of your information management strategy, and in particular, the requirement to preserve records throughout their lifecycle. 4. INVEST IN TRAINING The success of your plan for compliance with the new recordkeeping requirements is in the hands of your staff. Ensure that your staff fully understand their roles and responsibilities with regard to records management and how to apply the principles to their work. Initial training is important, but ongoing and refresher training programs will help maintain changes to records management practices over time and take into account staffing changes. To ensure staff have continuous support after initial training is complete, engage your records management staff and designate a local champion (or group) who can answer records management questions. 5. AUDIT AND REVIEW Ensure that your approach includes processes for regular reviews to ensure compliance over time. Audits, spot checks and other regular reviews of practices will help ensure that staff maintain the records management practices to ensure compliance with the recordkeeping amendments to FIPPA and MFIPPA. Regular reviews or audits will also help you identify any gaps in your practices and give you the opportunity to address them before they become a problem. INFORMATION MANAGEMENT STRATEGIES Some institutions may already have information management strategies, policies and procedures in place that will enable compliance with the recordkeeping amendments. Institutions that do not have these strategies, policies and procedures in place should consider implementing an institution-wide strategy. Consider the benefits of file plans, file naming conventions, clean-up efforts and records retention schedules. There are a number of benefits to implementing strong information management practices, such as the potential reduction in time and resources required to respond to freedom of information requests and an improved institutional ability to access and reuse resources. As you proceed, consult with information management specialists and consider the approaches taken by other institutions. FIPPA and MFIPPA: Bill 8 The Recordkeeping Amendments 5

DUTY TO DOCUMENT As heads of institutions proceed with implementing measures to improve record retention, the IPC recommends developing a broad and effective duty to document business-related activities, including a duty to accurately document key decisions. This duty must be accompanied by effective oversight and enforcement provisions to ensure the right of access to public records remains meaningful and effective. Business and policy decisions are sometimes made in meetings, over the phone and in other settings that do not involve the creation of a lasting record. Part of being accountable to the public is ensuring that institutional decisions can be scrutinized by the public. When records of decisions are not created, the opportunity for transparency, accountability and public engagement is lost. THE OFFENCE FOR INTENTIONAL DESTRUCTION OR ALTERATION OF RECORDS As noted above, the recordkeeping amendments include an offence provision which states that intentional alteration, concealment or destruction of records for the purpose of denying a right of access to a record or information in a record is an offence that can result in a penalty, upon conviction, of up to $5,000. Prosecution can only commence with the consent of the Attorney General, and within two years of the day evidence of the offence was discovered. The IPC does not conduct the prosecutions under FIPPA and MFIPPA. FOR MORE INFORMATION Deleting Accountability: Records Management Practices of Political Staff - A Special Investigation Report A Policy is Not Enough: It Must be Reflected in Concrete Practices Recordkeeping Amendments to FIPPA and MFIPPA, Information Sheet, Ministry of Government and Consumer Services 6 FIPPA and MFIPPA: Bill 8 The Recordkeeping Amendments

ABOUT THE INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO The role of the Information and Privacy Commissioner of Ontario is set out in three statutes: the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act and the Personal Health Information Protection Act. The Commissioner acts independently of government to uphold and promote open government and the protection of personal privacy. Under the three Acts, the Commissioner: Resolves access to information appeals and complaints when government or health care practitioners and organizations refuse to grant requests for access or correction Investigates complaints with respect to personal information held by government or health care practitioners and organizations Conducts research into access and privacy issues Comments on proposed government legislation and programs and Educates the public about Ontario s access and privacy laws.

Information and Privacy Commissioner of Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario Canada M4W 1A8 Web site: www.ipc.on.ca Telephone: 416-326-3333 Email: info@ipc.on.ca December 2015

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information