What you need to know as Western prepares for the Freedom of Information and Protection of Privacy Act (FIPPA)
When the provincial Freedom of Information and Protection of Privacy Act (FIPPA) comes into effect for Ontario universities on June 10, the impact at Western will vary. Several new obligations will be imposed on the University and a number of existing practices will need to change. At the same time, many day-to-day activities across campus will continue much as they have for years.
The following article was written by Western’s University Archivist, Robin Keirstead, to outline what this legislation means for members of our campus community.
- Paul Davenport
FIPPA is a complex piece of legislation. Its main purposes, however, are straightforward: to provide a general right of access to the records of institutions to which it applies, subject to certain limited and specific exemptions; to protect the privacy of individuals whose personal information is held by those institutions; and to give those individuals access to that information.
The purposes underpinning FIPPA – and some of its specific provisions – are not new to Western. The legislation formed the basis for Western’s Guidelines on Access to Information and Protection of Privacy, approved in 1996 by the Board of Governors. Under these Guidelines, Western has generally operated in an open fashion, while at the same time protecting the privacy of individuals. When disagreements about access have arisen or privacy incidents have occurred steps have been taken to address the issues and mitigate the impact on those affected.
There are some differences between Western’s Guidelines and FIPPA, given that the former is an internal University policy and the latter is provincial legislation. Probably the most significant is that, under FIPPA, decisions on access requests or concerns about privacy issues are subject to review by Ontario’s Information and Privacy Commissioner. The Commissioner has a number of powers, including the ability to order the release of records or the stoppage of certain personal information collection practices.
Nonetheless, while FIPPA represents a new statutory framework, the general expectations are not much different from those Western has already been operating under.
FIPPA’s introduction should not have a dramatic impact on how access to information is provided across campus. There is no automatic requirement to invoke its provisions to obtain information. In keeping with past practice, informal inquiries are welcomed and will continue to be dealt with by appropriate department heads. Indeed, FIPPA requires that, with the exception of records containing personal information, access routinely provided in the past must be maintained. Thus, faculty and staff are encouraged to continue to release general information, respond to routine inquiries, and provide copies of records as they have always done, albeit with heightened awareness of the need to protect privacy.
If a person chooses to exercise his or her formal rights under FIPPA, there is a defined process to be followed. It involves submission of a written access request and payment of a prescribed $5 application fee. While responsibility for informal inquiries is decentralized, the processing of all formal requests will be coordinated centrally through Western’s Freedom of Information and Privacy (FOIP) Office, located in the University Secretariat, to ensure all statutory obligations, including response deadlines, are met. As well, the final decision to allow or deny access in response to a formal access request has been delegated to the Vice Presidents.
While FIPPA will apply to most records in Western’s custody or control, the access right is not absolute. There are some mandatory and discretionary exemptions by which the public’s right of access is balanced with the University’s legitimate right to protect certain information and with individual’s privacy rights. There are also a few categories of records to which FIPPA does not apply at all. These include research and teaching materials, most employment and labour relations records, and privately donated archives.
Unlike the access provisions of FIPPA, which apply only when a formal request is initiated, the privacy protection requirements are in effect at all times. FIPPA provides a detailed set of rules addressing the collection, use, disclosure, security, retention and disposal of personal information about identifiable individuals. Personal information is defined very broadly, although some information about faculty and staff employment responsibilities is not considered sensitive.
The main requirements include collecting personal information only when it is authorized and necessary to administer University programs and operations; using and disclosing it only for the purpose for which it was collected, for a consistent purpose, or with consent, and; maintaining it securely and disposing of it appropriately. In most situations, personal information is to be collected directly from the person to whom it relates.
FIPPA requires notice to be given to individuals when their personal information is collected. This “notice of collection” must explain why the personal information is being collected, under what authority, and to whom questions about the collection can be addressed. This will require posting notices and changing some forms, work that is now underway.
It is important to understand that, while formal responsibility for administering the policies and procedures required under FIPPA generally lies with Deans, Budget Unit Heads, Directors, and Department Chairs, all members of the University community have a shared responsibility for ensuring personal information is properly protected. Thus, all faculty and staff need to be aware of their obligations with respect to the collection, use, and disclosure of personal information.
Preparing for FIPPA, and who can help
Many staff members have been working for several months to address the various administrative requirements of FIPPA, while minimizing the overall impact on faculty, staff and students. Some of these activities have been carried out in concert with colleagues at other universities through the Council of Ontario Universities.
Responsibility for the day-to-day administration of FIPPA rests with the University Secretariat, reflecting the University-wide scope of Secretariat activities. Theresa Morrissey, Associate University Secretary, is the FOIP Coordinator. Irene Birrell, University Secretary, chairs the FOIP Advisory Committee, a small committee formed to assist the FOIP Coordinator with the task of implementation. Other members of the Advisory Committee are Stephen Jarrett, University Legal Counsel; Sharon Farnell, Internal Auditor; Robin Keirstead, University Archivist; Krys Chelchowski, representing the Office of the Registrar; and Marilyn Mason, representing the Affiliated University Colleges.
Each major academic and administrative unit has designated a Liaison Officer to assist with implementation. Liaison Officers will oversee implementation measures at the local level, act as a primary contact with the FOIP Coordinator, and assist Deans and Budget Unit heads to carry out their delegated responsibilities. Liaison Officer training is underway and meetings with other groups have been held to address particular needs and concerns.
This administrative structure has been put in place based on a preliminary assessment of FIPPA’s impact at Western. A review of its appropriateness and effectiveness will take place after FIPPA has been in force for one year. At that time, any needed changes will be implemented.
More information about FIPPA and its impact on Western, as well as a list of unit Liaison Officers and alternates, is available at the FOIP Office website www.uwo.ca/privacy/index.html.