Protection of Privacy and Access to Information

Policy Number: 2105
Responsibility: VP Finance & Operations
Approved: Board of Governors
Previous Name: Freedom of Information and Protection of Privacy
Effective Date: June 15, 2023

Context/Purpose

The purpose of this policy is to establish how the Justice Institute of British Columbia (“JIBC” or the “Institute”) complies with its protection of privacy and access to information requirements under British Columbia’s Freedom of Information and Protection of Privacy Act (the “Act”). This policy, its underlying procedures, and any internal materials that support this policy and procedures form JIBC’s privacy management program as required under the Act.

Policy Statement

Members of the JIBC Community entrust their Personal Information to the care of the Institute. As such, the Institute has an ethical and legal obligation to protect the privacy of individuals whose information it manages. Furthermore, the Institute supports the public’s right of access to information held by the Institute where the Institute has custody and control of the information.

Scope

This policy applies to all general and Personal Information in JIBC’s custody or control and to all members of the JIBC Community who have access to Personal Information.

Definitions

Administrator – an individual engaged in directing or overseeing a distinct program, unit, office, or department of the Institute, and for the purposes of this policy, includes vice-presidents, deans, directors, and program directors, as well as any other individuals responsible for directing or overseeing such a program, unit, office, or department. 

Business Contact Information – information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone, business address, business email and business fax number of the individual.

Board – The Board of Governors of the Institute.

Consent – a voluntary agreement by an individual in the possession and exercise of sufficient mental capacity to make an intelligent choice to do something proposed by another. It supposes a physical power to act, a moral power of acting and a serious, determined, and free use of these powers.

Employee – a person who is employed by the Institute and is remunerated for their work. The Act defines Employee as including a Volunteer and a Service Provider. Therefore, when “Employee” is used in this policy and its procedures, the term includes Volunteers and Service Providers. 

FOIPPA Foundations – a privacy and access fundamentals course provided free of charge by the Province of British Columbia.

General Counsel – the position designated as the head of the institution for the purposes of administering the Institute’s compliance with the Act.

JIBC Community – all Institute employees, students, Board members, and any other person who is contractually obligated to comply with this policy.

OIPC – the Office of the Information and Privacy Commissioner of British Columbia.

Personal Information – recorded information about an identifiable individual other than Business Contact Information. Please see below for examples of Personal Information.

Personal Information Bank – a collection of Personal Information that is organized and capable of being retrieved using an individual’s name or an identifying number.

Privacy Breach – access to or collection, storage, retention, disposal, use or disclosure of Personal Information that is not authorized by the Act.

Privacy Complaint – a complaint with respect to improper access to, collection, storage, retention, disposal, use or disclosure of Personal Information.

Privacy Impact Assessment – a compliance and risk-based assessment conducted by the Institute to determine if a current or proposed system, project, program, or activity meets or will meet the protection of privacy requirements of the Act. It is a risk management and compliance tool used to identify and correct or mitigate potential privacy and security issues, thus avoiding costly program, process or service redesign, Privacy Breaches, and harm to institutional reputation. Conducting Privacy Impact Assessments is a legal requirement under the Act.

Service Provider – an individual or organization retained under contract to perform services for the Institute.

Volunteer – an individual who does work for the Institute without being paid.

Protection of Privacy

JIBC will manage all Personal Information in compliance with the Act. JIBC will limit the collection, access, use, disclosure, and retention of Personal Information to that which is directly related to and necessary for its operations. 

Collection of Personal Information

The Institute will collect Personal Information only as provided for under Part 3 of the Act, ensuring that at all times it uses appropriate notice and methods of collection. The Institute will limit collection of Personal Information to the minimum amount necessary to carry out the Institute’s activities.

Access and Use of Personal Information

The Institute will grant Employees access only to Personal Information necessary for the performance of their duties. The Institute will use Personal Information only:

  • for the purpose for which that Personal Information was obtained or compiled;
  • for a use consistent with that purpose;
  • for the purpose for which the information was disclosed to the Institute;
  • with written Consent of the individual the Personal Information is about; or
  • for any other purpose permitted under the Act.

Disclosure of Personal Information

The Institute will not disclose Personal Information of students, employees, alumni, retirees, clients or donors in its custody or under its control to any third party, unless doing so is provided for under the Act.

It is an offence under the Act to disclose Personal Information in contravention of the Act. Any member of the JIBC Community who becomes aware of an unauthorized disclosure of Personal Information, or who suspects there has been an unauthorized disclosure of Personal Information, must immediately notify the General Counsel. 

Retention and Disposal of Personal Information

The Institute will retain for at least one year an individual’s Personal Information when it is used to make a decision that directly affects the individual. The Institute will dispose of Personal Information in accordance with its obligations under the Information Management Act (British Columbia).

Accuracy and Correction of Personal Information

The Institute will make every reasonable effort to ensure the Personal Information it uses to make decisions that directly affect individuals is accurate and complete. Upon request by an individual to whom the Personal Information relates, the Institute will correct, make additions to, or annotate the information with a correction when documentary evidence satisfactory to the Institute is provided to substantiate the correction.

Protection of Personal Information

The Institute will protect Personal Information by making reasonable policy, procedural, physical and technical security arrangements against such risks as unauthorized access, collection, disclosure or disposal. The Institute will ensure that protection of Personal Information is a core consideration in planning, implementing, and maintaining new and existing systems, projects, programs and activities by completing Privacy Impact Assessments in accordance with the Act. The Institute will manage Privacy Breaches in an effective and timely manner in accordance with the Privacy Complaints and Privacy Breaches Procedure.

Storage of Personal Information

The Institute will store all Personal Information in its custody or control only inside Canada unless the storage is permitted under the Act.

Access to Information

JIBC supports the public’s right of access to information. JIBC will provide routine access to information informally upon request. JIBC may actively disseminate information if it determines it is reasonable to do so.

A person has a right of access to any record in the custody or under the control of the Institute, including a record containing Personal Information about the requester. The right of access does not extend to information excepted from disclosure under sections 12 to 22.1 of the Act. However, if that information can reasonably be severed from a record, an applicant has a right of access to the remainder of the record.

The right of access to a record may be subject to the payment of any fee required under section 75 of the Act. The Institute will use the Schedule of Maximum Fees as set out in the regulations under the Act when processing access requests under the Act. Fees will not be charged when the request is for access to the individual’s own Personal Information.

Roles and Responsibilities

The General Counsel is responsible for:

  • providing advisory services to the JIBC Community with respect to how this policy and the Act apply to Institute operations, including advising on whether a department’s activities are in compliance with the privacy principles articulated in this policy;
  • advising on, reviewing, and recommending for approval Privacy Impact Assessments;
  • coordinating responses to Privacy Complaints and Privacy Breaches, advising and assisting departments in investigating and responding to Privacy Complaints and Privacy Breaches, and reporting to the Board, from time to time and as appropriate, with respect to Privacy Complaints and Privacy Breaches;
  • providing and coordinating education on matters related to the protection of privacy; and
  • maintaining a public listing of any Personal Information Banks in the custody or control of the Institute.

Administrators are responsible for:

  • ensuring that the activities of their departments are in compliance with the privacy principles articulated in this policy;
  • contacting the General Counsel prior to undertaking a new system, project, program or activity, or prior to amending a previously approved system, project, program or activity, to determine whether a Privacy Impact Assessment is required;
  • preparing a Privacy Impact Assessment, if the General Counsel determines one is required, and submitting it to the General Counsel for review and approval;
  • ensuring there is adequate lead time available to complete a required Privacy Impact Assessment in relation to other project deadlines;
  • abiding by the requirements of a completed Privacy Impact Assessment, including taking steps to correct or mitigate any privacy issues or foregoing the implementation of a new system, project, program, or activity if implementation is in violation of the Act, this policy, or associated procedures;
  • ensuring that Service Providers are aware of and comply with their privacy and security obligations under the Act;
  • ensuring that policies and procedures over which they have authority abide by this policy, and recognizing that, in the event of a conflict between another policy or procedure and this policy, this policy will prevail; and
  • ensuring collection of Personal Information is limited to what is necessary to fulfill legitimate Institute operations.

Employees are responsible for:

  • handling all Personal Information to which they receive access in accordance with the Act and this policy;
  • accessing Personal Information only as necessary for the performance of their duties;
  • consulting, as needed, with the General Counsel about the disclosure of confidential information and Personal Information; and
  • reporting any suspected or actual breaches of the Act, this policy, or its associated procedures in accordance with the procedures underlying this policy.

Monitoring of the Privacy Management Program

The Act requires public bodies to have a process for regularly monitoring the privacy management program and updating it as required to ensure it remains appropriate to the public body’s activities and is compliant with the Act. As such, this policy and its underlying procedures will be reviewed on a three (3) year cycle instead of a five (5) year cycle, which is the standard review cycle for JIBC policies and procedures in the absence of other legislative or regulatory obligations.

Employee Awareness

Employees are required to make themselves aware of all JIBC policies and procedures. Lack of awareness of this or any other JIBC policy does not excuse an employee from responsibility for their actions. 

Related Policies and Procedures