Are You FIPPA Compliant? [8 Things You Need to Know]
Governmental agencies and organizations in many of Canada’s provinces are subject to the Freedom of Information and Protection of Privacy Act (FIPPA), which legislates both access to government records and the collection, use and disclosure of the personal information of Canadian citizens by public institutions.
From healthcare facilities to educational institutions, a wide range of public bodies are subject to FIPPA’s requirements and could face penalties for non-compliance, so it’s important to understand this regulation’s key terms and provisions. Keep reading for more information on how public bodies can maintain FIPPA compliance.
What Is the Freedom of Information and Protection of Privacy Act?
The Freedom of Information and Protection of Privacy Act (also abbreviated FIPPA, FOIPPA, FOIP or FOIPOP, depending on the province) is Canadian provincial legislation that regulates how public-sector bodies collect, use, disclose and safeguard the personal information of individuals. FIPPA also grants individuals the right to request access to records held by public bodies, to request corrections to personal information those bodies hold about them, and to file complaints if they believe their personal information is being improperly stored or mishandled.
This article covers the FIPPA statutes of Alberta, British Columbia, Manitoba, Nova Scotia and Ontario. Each is overseen by that province's Office of the Information and Privacy Commissioner (OIPC), or its equivalent oversight office (in Manitoba, the Ombudsman). When an individual files a complaint against a public body, or a public body otherwise violates FIPPA provisions, the commissioner's office is responsible for investigating and taking appropriate action, which can include orders and recommendations to the public body.
What Are FIPPA’s Requirements?
Barring slight variations in language, FIPPA’s provisions are fairly consistent across all provinces. Let’s take a look at FIPPA’s requirements in Alberta for a helpful overview:
- Public bodies are only permitted to collect personal information if it is authorized by an Act or regulation of either Alberta or Canada; if it relates to law enforcement; or if it is directly related to and necessary for an operating program or activity of the public body.
- Public bodies may only use personal information for the express purpose for which it was collected or with the consent of the individual.
- Public bodies may not disclose personal information unless:
- The information is disclosed for the purpose it was collected, or for a use consistent with that purpose
- The individual consents to the disclosure
- Another Act or regulation of either Alberta or Canada requires the disclosure
- The disclosure complies with a court order from a court with jurisdiction in Alberta
- The disclosure is to a relative of a deceased individual
- The disclosure is to an officer or employee of the public body or to a member of Executive Council, pursuant to their duties
- Public bodies are required to ensure, to the best of their abilities, that any personal information collected is accurate and complete, especially if that personal information is used for decision-making purposes about that individual. As such, public bodies must implement quality assurance measures to verify the accuracy of personal information.
- Where personal information is used to make a decision that directly affects an individual, public bodies are required to retain that information for at least one full year after using it, so that the individual has a reasonable opportunity to request access to it and, if necessary, ask for corrections.
- Public bodies are expected to make corrections to factual information, such as an individual’s age, date of birth, income information or qualifications, upon request, but may not make corrections to professional or expert opinions.
- Public bodies may retain personal information for longer than a year after its use — especially if required to do so by other Acts or regulations — however, they should not retain information for any longer than is necessary, as this increases the risk of unauthorized disclosures and FIPPA violations.
- Public bodies are required to implement physical, administrative and technical safeguards to protect personal information against unauthorized access, collection, use, disclosure or destruction.
- Public bodies are required to respond to FIPPA requests (both access-to-records requests and requests to correct personal information) within 30 days, subject only to the limited time extensions the Act itself permits, such as when a request covers a large volume of records or third parties must be consulted.
- Public bodies must report the unauthorized collection, use or disclosure of personal information and notify the affected individuals without unreasonable delay.
Which Organizations Are Subject to FIPPA?
FIPPA applies broadly to public bodies, that is, governmental agencies and publicly funded or publicly controlled organizations, including:
- All departments, offices and branches of provincial government agencies
- Boards, agencies, associations and commissions designated as public bodies by regulation in each province
- Healthcare facilities, including hospitals, hospital boards, nursing homes and regional health authorities
- Public educational institutions and agencies, including charter schools, publicly funded universities, community colleges, polytechnic schools and education boards
- Law enforcement agencies and commissions
- Public libraries
- Crown corporations
Please note that this is by no means an exhaustive list. For the full scope of FIPPA in your province, please refer to your province’s documentation.
What Is Considered Personal Information Under FIPPA?
The language different provinces use to define what constitutes “personal information” under FIPPA is similar, but varies slightly. British Columbia provides a good illustrative example, stating that “personal information” is “any recorded information about an identifiable individual other than their business contact information,” including (but not limited to):
- Name, age, sex, weight, height
- Home address and phone number
- Race, ethnic origin, sexual orientation
- Medical information
- Health care history, including physical or mental disability
- Number or symbol assigned to the individual
- Income, purchases and spending habits
- Blood type, DNA code, fingerprints
- Marital or family status
- Financial information
- Criminal information
- Employment information
- Personal views or opinions, except if they are about someone else
What Is Considered a Record Under FIPPA?
Much like “personal information,” each province has a slightly different definition of a “record.”
For example, Manitoba defines a record as "a record of information in any form," which "includes information that is written, photographed, recorded or stored in any manner, on any storage medium or by any means, including by graphic, electronic or mechanical means." Ontario's definition is more succinct, stating that a record is "any record of information however recorded, whether in printed form, on film, by electronic means or otherwise."
The key takeaway from these varying definitions is that the storage medium does not matter: a record can be held on paper or electronically, so electronic communications such as emails, text messages and direct messages are subject to FIPPA whenever they contain an individual's personal information.
Which Records Are Subject to FIPPA (& Which Ones Aren’t)?
FIPPA applies to all records within the custody of a public body, including:
- General records related to the operation of a public body, including policies, procedures and guidelines
- Communications between a public body and an individual or a public body and another organization
- Any records related to contracts or agreements between a public body and a third party
- Records related to the financial operations of a public body, including budgets, invoices and financial statements
- Records related to research conducted by a public body
However, certain documents are exempt from FIPPA compliance — according to Manitoba, these include:
- Constituency records of elected officials of local public bodies
- Teaching materials or research information of employees of school divisions or districts, community colleges or universities
- Questions that are to be used on an examination or test, now or in the future
- Information in court records, records of a judge or magistrate and judicial administration records
- Notes or draft decisions of a person acting in a judicial or quasi judicial capacity
- Records relating to a prosecution or an inquest under The Fatality Inquiries Act if all proceedings have not been completed
Note also that FIPPA governs access to and protection of records, not their life cycle: the transfer, storage and destruction of a public body's records are governed by separate provincial archives and records-management legislation, so a records retention schedule has to satisfy both sets of requirements.
How Does FIPPA Apply to Email?
Given that FIPPA applies 1) to both physical and digital records and 2) to communications between a public body and an individual or other organization, emails are squarely within the scope of FIPPA compliance. In practice this means that a public body must be able to locate and produce relevant emails in response to an access request, must retain emails that were used to make a decision directly affecting an individual for at least a year after that use (and for as long as its retention schedule otherwise requires), and must apply the same physical, administrative and technical safeguards to archived emails that it applies to any other record containing personal information.
How Can Organizations Maintain FIPPA Compliance?
To stay on the right side of the OIPC, public bodies should:
- Obtain the proper authorization and consent before collecting or disclosing any individual’s personal information
- Implement policies for verifying individuals’ personal information to ensure accuracy and reduce the total volume of correction requests
- Research additional regulations that may apply to their organization and that might affect their data retention and protection requirements
- Define data retention policies based on FIPPA and other relevant laws and regulations, as well as organizational requirements
- Implement an electronic archiving platform to automate data retention and strengthen data security
- Implement administrative safeguards, including privacy and security policies and procedures, for all personal information and records
- Implement physical safeguards, including access cards, identification keys, computer screen privacy protectors and locked file cabinets and restrict access to physical document storage
- Implement technical safeguards, including strong passwords, two-factor or multi-factor authentication, custom access controls, data encryption, monitoring and auditing software, firewalls and anti-virus and anti-malware software
- Ensure that all policies and procedures are carefully reviewed and approved by their internal compliance team
- Conduct thorough staff training on data retention and protection policies and procedures
Build a strong, FIPPA-compliant data retention policy for your organization — download our free data retention policy template to get started.