A Minister's Guide to Protecting Personal Information

Confidentiality implies a trust relationship between the person supplying information and the individual or organization collecting or using it.

Subsection 24.1(b) of FOIP

Subsection 24.1(b) of FOIP indicates that a Minister’s office must protect against any reasonably anticipated:

• threat or hazard to the security or integrity of the personal information in its possession or under its control;
• loss of the personal information in its possession or under its control; or
• unauthorized access to or use, disclosure or modification of the personal information in its possession or under its control.

Threat means a sign or cause of possible harm.

Hazard means a risk, peril or danger.

Security means a condition of safety or freedom from fear or danger.

Unauthorized access occurs when individuals access personal information that they do not need to know, either by accident or on purpose. This would also qualify as either an unauthorized use or unauthorized disclosure depending on the circumstances.

A need-to-know is the principle that an office should only collect, use or disclose personal information needed for the purposes for which it was collected. Personal information should only be available to those employees in an organization who have a legitimate need-to-know that information for fulfilling the purpose for which it was collected.

Subsection 24.1(c) of FOIP

Subsection 24.1(c) of FOIP indicates that a Minister’s office should have education programs in place for its employees. In this case, training which addresses the Minister’s office’s duties under FOIP, the safeguards the office has established, the need-to-know and consequences for violating FOIP is best practice. Further, the IPC has indicated that annual training is also best practice.
Information Management Service Providers

IMSP is defined in subsection 2(1)(e.1) of FOIP as follows:

2(1) In this Act:
…
(e.1) “information management service provider” means a person who or body that:
(i) processes, stores, archives or destroys records of a government institution containing personal information; or
