Privacy and Confidentiality at Mohawk College

Presentation transcript:

Privacy and Confidentiality at Mohawk College. Good afternoon. Now I know that you have been waiting for this topic, but I would ask that you keep your excitement in check! As an employee you have given the college a lot of your personal information. I’m sure that you want the college to protect your privacy and the confidentiality of that personal information. The college is committed, legally and ethically, to protecting not only your information but that of our students, clients and donors.

FOI FIPPA MFIPPA PHIPA PIPEDA IPC PIA TRA

Definition of Privacy: “The right to be let alone” (Judge Thomas Cooley). “The right to exercise control over your personal information.” (Ann Cavoukian, IPC Commissioner). Let’s start with simple definitions of privacy. The second is from Ann Cavoukian, the Information and Privacy Commissioner of Canada.

Definition of Confidentiality: Ensuring that information is accessible only to those authorized to have access. I know other speakers joke about a quiz later. I’m not going to do that. I’m going to give you a quiz now.

How well do you know our rights to privacy? A quiz …

Question 1 My name, job title and work phone number is personal information. TRUE? FALSE? Show of hands?

Question 1 My name, job title and work phone number is personal information. TRUE FALSE

False. Personal information (PI) is: factual or subjective, recorded or not, … about an identifiable individual. Simple guideline: if it’s on your business card, it’s not personal information.

Personal information includes: home address, home phone number, home email, photo ID, SIN, income, marital status, employment history, employee number, performance appraisals, financial information, educational credentials, medical records, fund raising records, opinions or views on the person. This is a partial list of categories of personal information.

…and of course, the “A” word “… they even know my age!” Pat Macdonald Associate Dean, Continuing Education

Question 2 A man phones you asking if his wife is attending your class. You are allowed to tell him. TRUE? FALSE? A frequent question to instructors and the receptionists at the Front Desk

Question 2 A man phones you asking if his wife is attending your class. You are allowed to tell him. TRUE FALSE

Question 3 A police officer conducting an investigation phones you asking if a graduate was registered in a C.E. course. You are allowed to tell her. TRUE? FALSE?

Question 3 A police officer conducting an investigation phones you asking if a graduate was registered in a C.E. course. You are allowed to tell her. TRUE FALSE

Question 4 A student about to write an exam does not have an ID card, so the instructor asks for his SIN card as ID. This is illegal. TRUE? FALSE?

Question 4 A student about to write an exam does not have an ID card, so the instructor asks for his SIN card as ID. This is illegal. TRUE FALSE

Question 5 A new student does not yet have her student ID number, or a driver’s licence, and so you note her health card number as proof of identity. You just broke the law. TRUE? FALSE?

Question 5 A new student does not yet have her student ID card, or a driver’s licence, and so you note her health card number as proof of identity. You just broke the law. TRUE FALSE It is illegal to record the health card number unless you are a health care provider. The college cannot even pass on this number to an agency.

Question 6 Someone hit your car in the parking lot and you ask Security if you can view the recording to see the incident. Security tells you that is illegal. TRUE? FALSE?

Question 6 Someone hit your car in the parking lot and you ask Security if you can view the recording to see the incident. Security tells you that is illegal. TRUE FALSE Comment on severing images Hiding the TV monitor in the Front Lobby

Question 7 A family member arrives at the Front Desk saying that there has been a death in the family. They want to know what classroom their father is in so that they can inform him. The receptionist cannot give them that information. TRUE? FALSE?

Question 7 A family member arrives at the Front Desk saying that there has been a death in the family. They want to know what classroom their father is in so that they can inform him. The receptionist cannot give them that information. TRUE FALSE

Question 8 Sears Security department phones the Associate Dean of your department and says that they suspect that one of your students has been stalking an employee. They ask if the college can provide a photo to confirm this. The Associate Dean could email an ID photo to help in the investigation. TRUE? FALSE?

Question 8 Sears Security department phones the Associate Dean of your department and says that they suspect that one of your students has been stalking an employee. They ask if the college can provide a photo to confirm this. The Associate Dean could email an ID photo to help in the investigation. TRUE FALSE

Question 9 An employer sponsoring one of your students asks if the student passed the course, so that they can reimburse him. It’s OK to confirm. TRUE? FALSE?

Question 9 An employer sponsoring one of your students asks if the student passed the course, so that they can reimburse him. It’s OK to confirm. TRUE FALSE

How did you do?

Our privacy is protected by Federal and Provincial legislation

The Acts …
Legislation | Sector | Date | Fed/Prov
Fed Access to Privacy | Gov. Institutions | 1980 | Fed
FIPPA | Provincial | 1987 | Prov
MFIPPA | Municipal | 1991 |
PIPEDA | Commerce | 1999 |
PHIPA | Health | 2004 |
The original is the Federal Access to Privacy Act, known as The Act. It regulates the transfer of personal information between levels of government and government institutions. PIPEDA, the Personal Information Protection and Electronic Documents Act: businesses sharing/selling/bartering your info. Does not apply yet to colleges except in the areas of the Book Store, fund raising, the Fitness Centre, parking, etc., but it is good practice to follow it. PHIPA, the Personal Health Information Protection Act, protects your health records. So this would apply if you use our Health Services Clinic. We also collect PHI about our students: absence due to illness, WSIB injuries, health tests for placements, etc. And it will apply to your students if they are Health Sciences or Human Services students on clinical placement. They will be asked to sign a Confidentiality Agreement regarding clients’/patients’ PHI (Personal Health Information). Or if you go for a check up in Health Services and they passed that information on to the Fitness Centre.

Freedom of Information and Protection of Privacy Act (FIPPA): Safety & Corrections, WSIB, Community & Social Services, District Health Councils, Consumer & Business Affairs, Ontario Human Rights, Colleges and universities. We are primarily regulated by FIPPA.

Municipal Freedom of Information and Protection of Privacy Act (MFIPPA): Municipalities, Boards of Education, Boards of Health, Police Services, Public utilities (2,500 in total). For our students in C&Y, ECE, Educational Assistant, Public Safety & Security programs this will apply to your students on work placement. They will usually be asked to sign a confidentiality agreement at their field placement.

The College gathers personal information from… students, staff, donors and clients, and is committed to protecting that information.

Information is collected by … Human Resources, Payroll, Financial Services, OH&S, Health Services, Registrar, Continuing Education. These are just some of the departments gathering personal information about you.

So, what is a record? Any record of information, however recorded, whether in printed form, on film, by electronic means or otherwise.

Records include … application forms, registration forms, OSAP forms, section lists, class lists, exams, address books, memos, draft memos, agendas. Comment on draft memos - a Blast o gram.

Plus … files on your hard drive, files on your iPhone, files on your Blackberry, your email, your voice mail. How long does the college retain your email? How many copies are there out there? Use the cc for emailing to students! You can re-save your voice mail indefinitely.

and even …

Privacy Laws & College policies dictate how information is: collected, used, disclosed, retained, destroyed. At the departmental level, staff should be instructed in the correct methods of gathering, storing and securing personal information. We are all issued with User names and Passwords to protect information. Our IT system is protected by firewalls and security systems. The hard copy personal information of our staff and students should be locked away. Our facilities are protected by security patrols and CCTV systems.

Collection: We must: have legal authority to collect; collect it directly from the person; provide a notice of collection, stating the above; and provide the title, business address and telephone number of a college official.

So what do we have to do? Safeguard our User Name and Passwords. Access records only relevant to our duties. Do not disclose personal information to any unauthorized person. Protect personal information of staff and students. Each year as staff you are able to access more information on-line. You can check class and section lists, you will have your students’ phone numbers, email addresses. The faculty are starting to submit their grades on-line.

Specifically: Do protect students’ (and employees’) information: phone numbers, addresses, SIN numbers, employee number, student number, grades and marks. Ask students if they want their phone numbers used in a phone tree. If they do not, you will have to phone them.

Specifically: email/voice mail. Don’t leave PI on voice mail - call back. Email should be called epostcard! Assume additional copies exist. Assume it will be forwarded.

There was a privacy breach… What do I do?

What is a privacy breach? A privacy breach occurs when personal information (PI) is: collected, retained, used, disclosed in ways that are not in accordance with FIPPA.

Most common breaches: Unauthorized disclosure of personal information, contrary to Sect. 42, for example: a file is misplaced; a USB flash drive is lost; a form is mailed to the wrong person; a document is left in the photocopier; a fax is sent to the wrong number; an email is sent to the wrong address; a document is not disposed of correctly; a laptop is stolen. Lost USB = 603 records. Kim Hill case = 400 records. We tend not to delete outdated files. On a fax machine, reprint will print the last document?? Photocopiers store documents in memory?? Dept. of Veterans Affairs = 23,000,000. City of Toronto, Court Services sent out Notices of Conviction with names, address, charge, drivers license # readable through cellophane window. Sept 12, 2001: international student organization requested and got plans for Toronto City Hall, waste water treatment plants and other buildings; a manager drove out and retrieved them. Oct 2005: 3 boxes of patient records scattered on street for movie of 911 set in Toronto.

Privacy breach protocol: Prevention, Scope, Containment, Notification, Investigation, Remediation.

Prevention 1: Know your department’s procedures on: Collection, Retention, Use, Disclosure, Security, Disposal. Collection notices. How long does your department retain records? How does it use them? Who are they disclosed to? How are they protected: locks, passwords, “clean desk”? How are they disposed of? Shred it? Diagonal cut shredders.

Prevention 2: Know that you are accountable for the PI in your custody. Do not discuss PI in public places. Do not leave documents where they can be seen by the public. Do not disclose PI to those who do not need to know it. Turn your monitor away from the public. Public places: Customer Service Windows (Financial Aid, Accounting), cafeteria, hallways. “Clean desk”. Use strong passwords: 8 characters, upper/lower, numbers/, not in any dictionary.

Prevention 3: Get written consents before disclosing PI. Know the consequences of a privacy breach. Ensure that documents are shredded when no longer in use. Password protect and/or encrypt data on your laptop, PDA, flash drive. Students do not sign consents at Mohawk. Many departments have releases. Some use hand written notes. Privacy breaches are serious = bad publicity, legal action.

Notification: Immediately inform your boss. Emphasis on “Immediately”. FOIC = Me. I should inform IPC! And possibly our legal counsel.

Consequences … Compliance orders from IPC, penal offences, fines ($250K), possible personal liability ($50K!), civil liability, loss of trust.

In summary … As a new College employee, you are expected to protect the privacy of individuals and the confidentiality of Personal Information under your control!

Q & A: Have you any questions, additional examples, comments? Any questions?

John Guilfoyle, Director, Corporate Services, Ext. 2174