Privacy
The Freedom of Information and Protection of Privacy Act (FOIPPA) outlines the circumstances in which public bodies, such as BCER, can collect, use and disclose personal information. FOIPPA requires that all public servants protect the personal information that we hold. Privacy is a complex topic. This course supports BCER employees with an understanding of how to handle personal information responsibly and lawfully.
What is personal information?
Personal information is recorded information about an identifiable individual other than their business contact information. Personal information can include things like someone’s name, home address and home email. It also includes their educational history, employment history, and even their personal opinions.
Some types of personal information can be considered sensitive because there is a higher risk of harm to individuals if the information is improperly collected, used or disclosed. Sensitive personal information is not defined in FOIPPA. Some examples of what may be considered sensitive personal information include: DNA, personal health history, information about sexual orientation, gender identity, religious or political beliefs, and race or ethnicity.
All personal information must be treated as confidential information.
Business contact information
The mosaic effect
The mosaic effect occurs when information that appears to be non-identifiable is combined in a way that can reveal the identity of an individual. For example, an email address may not contain an individual’s name but when you can see information that email address is associated with (e.g., website user accounts set up by that email), you might be able to identify the email address’s owner. If you can combine information about an individual’s hobbies and hometown you may not be able to identify anyone if they are an avid foodie from Vancouver but an elite trampolinist from Oliver, B.C. might be more easily identified.
Think about the mosaic effect when seeking to understand privacy implications. While medical records, dates of birth and home addresses are easily recognizable as personal information, individuals can often be identified within data that has been de-identified.
Consider the mosaic effect in this conversation about a hiring competition that Drew is managing.
Freedom of Information and Protection of Privacy Act
As employees of a public body bound by FOIPPA, we are all responsible for ensuring that our work is carried out in accordance with B.C.’s privacy legislation.
You may have access to personal information that your program area has collected for an authorized purpose. B.C. public servants can only access, use or disclose personal information where required and authorized to do so for work; we cannot do so for our own purposes. Accessing information without the appropriate authority may result in an information incident that would need to be reported.
FOIPPA also requires that public bodies protect personal information. The BCER does this by using reasonable security controls, ensuring that individuals who handle personal information are aware of their responsibilities, and completing privacy impact assessments.
Privacy principles at work
As B.C. public servants, we need to handle personal information appropriately. When you access personal or other confidential information, consider how your plans for the information align with privacy principles.
You can find out more about privacy principles here: Ten Privacy Principles
Privacy impact assessments
Privacy impact assessments (PIAs) are tools to evaluate the privacy implications of new and existing enactments, systems, projects, programs or activities. PIAs must be started early in the development process for new initiatives that the BCER introduces and any changes that are to be implemented. Complete PIAs before the program is launched and always before any personal information is collected, used or disclosed.
PIAs promote transparency, accountability, and contribute to continued public confidence in the way the government manages personal information.
Information incidents
An information incident is a single or a series of events involving the collection, storage, access, use, disclosure or disposal of government information that threaten privacy or information security and or contravene law or policy. Information incidents can involve confidential or personal information. A privacy breach is a type of information incident.
Reporting information incidents
If you discover or suspect an information incident, report it immediately by calling the BCER Privacy Officer, or email PrivacyOfficer@bc-er.ca.
Notify your supervisor
Keep your supervisor informed of the incident. They can support you as you work with an investigator to respond to the incident.
Next steps
Once an information incident has been reported, the Privacy Officer will contact you to assess the incident and provide recommendations on the steps to take.
The investigator will work with you to:
- Report to the appropriate stakeholders
- Contain the incident and recover any information that was inappropriately disclosed
- Remediate including determining whether notifying impacted parties is necessary
- Create strategies to prevent a future incident (for example, privacy training).
Information Sharing Agreements
Public bodies enter Information Sharing Agreements (ISAs) when there’s a regular and systematic exchange of personal information between public sector organizations or between a public sector organization and an external agency. ISAs document the terms and conditions of the exchange of personal information in compliance with the provisions of the Act and any other applicable legislation. Contact RIS if you are considering entering into or initiating an ISA.
Privacy resources
There are privacy resources on the Energy Exchange, which will help you make informed decisions about handling personal information.
We encourage you to contact PrivacyOfficer@bc-er.ca if you have any questions.