A Minister's Guide to Protecting Personal Information

WHAT IS DISCLOSURE OF PERSONAL INFORMATION?

Disclosure is the exposure of personal information to a separate entity, not a division or branch of the Ministers’ office in possession or control of that information. Subsection 29(1) of FOIP provides:

29(1) No government institution shall disclose personal information in its possession or under its control without the consent, given in the prescribed manner, of the individual to whom the information relates except in accordance with this section or section 30.

Ministers’ offices should only disclose personal information in three circumstances:

1) If it has the consent of the subject individual. See the section on consent below.
2) For the purpose it was collected or a use consistent with that purpose. As mentioned in the section on the collection of personal information, Ministers’ offices must have identified an authorized purpose for collecting personal information before it is collected. (See subsection 29(2)(a) of FOIP.)
3) In circumstances described in subsections 29(2), section 30 of FOIP or the Regulations.

Disclosure of personal information for any other purpose would be an unauthorized disclosure. Sharing personal information between different Ministers’ offices or with MLA offices would constitute a disclosure of personal information and must be authorized by the individual’s consent, sections 29 or 30 of FOIP or the Regulations.

WHAT SHOULD I DO IF THERE HAS BEEN AN UNAUTHORIZED COLLECTION, USE OR DISCLOSURE OF PERSONAL INFORMATION?

An unauthorized collection, use or disclosure of personal information is a privacy breach. For more information on how to investigate a privacy breach, see the Office of the Information and Privacy Commissioner’s (IPC) resource: Privacy Breach Guidelines for Government Institutions and Local Authorities.

In instances where there is an unauthorized use or disclosure in a Minister’s office, there may be an obligation to report that unauthorized use or disclosure to the person whose personal information was used or disclosed. Section 29.1 of FOIP provides as follows:

29.1 A government institution shall take all reasonable steps to notify an individual of an unauthorized use or disclosure of that individual’s personal information by the government institution if it is reasonable in the circumstances to believe that the incident creates a real risk of significant harm to the individual.
