Duty to Protect
This new provision explicitly requires the university to have policies and procedures in place to maintain administrative, technical and physical safeguards that will protect personal information.
Administrative safeguards are controls that focus on internal organization, policies, procedures and maintenance of security measures that protect personal information. Technical safeguards are the technology and policy and procedures for its use that protect personal information and control access to it. Physical safeguards are physical measures, policies, and procedures to protect personal information and related buildings and equipment from unauthorized intrusion and natural and environmental hazards.
The OIPC Guide to HIPA contains detailed examples of safeguards in Appendix B. The Health Information Protection Act (HIPA) has always contained an express provision to protect personal health information, and this guide will be useful in considering the new LA FOIP provision. Please survey your operations and consider whether you have policies and procedures regarding administrative, technical and physical safeguards that will protect the personal information under your purview.
Outsourcing - Information Management Service Providers
The university is increasingly outsourcing services. Amendments to LA FOIP include provisions regarding the use of information management service providers (a person or body that processes, stores, archives or destroys records containing personal information or provides information management or IT services with respect to records containing personal information) which require that the university enter into an appropriate written agreement with the service provider that governs access, use, disclosure, storage, and destruction of personal information, and provides for the protection of personal information.
Survey your operations. If you are using a provider of a service that impacts personal information, including Software as a Service (SaaS), please consider whether you have an appropriate written agreement in place. The Access and Privacy Officer can assist in reviewing contractual provisions; a contractual provision checklist has been developed and can be obtained from the Access and Privacy Officer. It should be noted that the use of cloud service providers is not prohibited so long as appropriate due diligence is conducted and appropriate agreements are in place.
Mandatory Breach Notification
We are required to take all reasonable steps to notify an individual of an unauthorized use or disclosure of that individual’s personal information if it is reasonable in the circumstances to believe that the incident creates a real risk of significant harm to the individual. If you are aware of a privacy breach, please notify the Access and Privacy Officer who can assist with the response, including determining whether notification is necessary.
Penalties for Snooping
In addition to potential institutional penalties increasing from three months to one year in prison, and from $1,000 to $50,000, there are new penalties for individual employees who wilfully access or use personal information that is not reasonably required to carry out an authorized purpose. Employees can be imprisoned up to one year and fined up to $50,000.
This new provision is meant to address snooping - accessing personal information for reasons not directly related to the carrying out of one's job duties.