Your Privacy Rights

Approved by: City Clerk

Category: General Administration

Approval date: November 7, 2022Effective date: November 7, 2022

Revision approved by: Revision / review date: Policy statement

The City of Ottawa is committed to being open, accessible and transparent in its actions while safeguarding the privacy of individuals by protecting the personal information in the City’s custody or control. The City is required to handle information according to responsibilities and requirements set out under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and other applicable access and privacy legislation.

Purpose

Through the course of its operations, the City collects, stores, generates and handles a range of information that may be considered personal information, which may include highly sensitive information pertaining to an individual’s health or finances. The purpose of this policy is to support departments and staff in the handling of such information in a manner that respects the privacy rights of individuals and is consistent with the City’s statutory obligations.

Application

This policy applies to all City of Ottawa employees, including, but not limited to, full-time, part-time, casual, contract, volunteer and student/co-op placement employees. This policy applies to vendors acting on behalf of the City. This policy applies to all personal information collected, used, retained and disclosed by the City of Ottawa. Personally identifiable information that pertains to the Transit Services Department employees may be subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).This policy does not apply to personally identifiable information that is maintained for the purpose of creating a record that is available to the general public. This policy does not apply to City of Ottawa employment files, including employee performance management records, and labour relations records. Although MFIPPA does not apply to certain employment and/or labour relations records, the City must still handle such information in a privacy protective manner, with consideration to the sensitivity of the information. This policy does not apply to personal health information in the custody or control of the City of Ottawa Health Information Custodians that are subject to the Personal Health Information Protection Act, 2004 (PHIPA). The Medical Officer of Health (Ottawa Public Health), the Ottawa Paramedic Service and the City of Ottawa Long-Term Care Homes have adopted Information Practice Statements that provide a general description for the handling of personal health information in compliance with PHIPA. This policy does not apply to Elected Officials or their staff. Section 5 of the Code of Conduct for Members of Council governs the use of confidential information, including confidential personal information, by Elected Officials. The Integrity Commissioner investigates complaints regarding Elected Officials’ alleged misuse of such information. This policy does not apply to the Integrity Commissioner, Lobbyist Registrar, Meetings Investigator and Auditor General, or to any employee acting under their instruction. The Integrity Commissioner, Lobbyist Registrar, Meetings Investigator and Auditor General are officers who report, and are directly accountable, to City Council. The Municipal Act, 2001 requires that these officers perform their duties in an independent manner and establishes confidentiality requirements of their information. There may be situations in which other legislation overrides the privacy provisions of MFIPPA. Staff should contact the Access to Information and Privacy (ATIP) Office with any questions on the application of this policy.

Policy requirements

The City of Ottawa is obligated under MFIPPA to protect all personal information that is in its custody or control.

What is personal information

As set out in Subsection 2(1) of MFIPPA, personal information is recorded information about an identifiable individual including, but not limited to:• Race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual;• Education, medical, psychiatric, psychological, criminal or employment history of the individual;• Information relating to financial transactions in which the individual has been involved;• Any identifying number, symbol or other particular assigned to the individual;• Address, email address, telephone number, fingerprints, or other biometric data of the individual;• Personal opinions or views of the individual except if they relate to another individual;• Correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence;• The views or opinions of another individual about the individual; and• The individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.To qualify as personal information:• It must be about an individual in a personal capacity; and• It must be reasonable to expect the individual may be identified if the information is disclosed.

What is not personal information

Information associated with an individual in a professional, business or official capacity is not personal information. Business and professional information includes position title, business telephone number, business address, business email address, and opinions and recommendations expressed in a professional capacity. Business information is not protected from disclosure under this Policy.

Collection of personal information

A municipality can only collect personal information that is expressly authorized by statute, or that is necessary for the administration of a lawfully authorized activity such as delivery of a municipal service. Subject to limited exceptions, a municipality must provide a notice of collection when collecting personal information. Collecting additional personal information that is not necessary is known as “over-collection” and can be considered a deemed privacy breach. This practice is not permitted. The following practices shall be adhered to when collecting personal information:• Personal information shall only be collected directly from the individual to whom it relates unless otherwise authorized by statute, or if the individual expressly authorizes another manner of collection; o If the individual authorizes another manner of collection, for example the individual requests City staff contact a family member to obtain information, this authorization should be noted in writing in the individual’s file.• Personal information collected by or on behalf of the City shall be limited to only that which is expressly authorized by statute or necessary to administer the programs and services of the City;• Where possible, staff shall verify personal information and keep a record of verification rather than retaining a record of the information. For example, note that an individual’s driver’s license was viewed by staff, rather than photocopying and keeping a copy of the licence; and• When recording personal information, employees shall notify individuals of the purpose of the collection, use and disclosure of their personal information in accordance with Subsection 29(2) of MFIPPA. This may be done by use of a Notice of Collection.Notice of CollectionSubject to limited exceptions provided for under MFIPPA, the City must give notice to an individual when personal information is collected. The notice must be provided at time of collection and shall clearly include the following:• The legal authority for the collection;• The reason for the collection;• How the information will be used; and• Whom to contact for more information pertaining to the handling of their personal information.Sample collection statements are set out under Appendix A: Personal Information Collection Statement Templates.Use of personal informationOnce the City is in possession of personal information, it can only be used (including stored, copied, disseminated, reported on and accessed) for the purposes for which it was collected or for a consistent purpose. A consistent purpose is one that the individual might reasonably have expected at the time the personal information was collected.The following practices shall be adhered to when using and handling personal information:• Personal information collected by the City shall only be used for the purpose(s) for which it was originally collected or for a consistent purpose;• No secondary use or disclosure of personal information is permitted unless the City receives the specific consent of the individual to whom the information relates;• Access to personal information ought to be limited to only those persons who require access in order to perform their job duties. Authorized persons who have been granted access to personal information are responsible for protecting the confidentiality of that information and the privacy of the individuals who are the subject of the information. They are also required to use the information in accordance with all applicable legislation, regulations and policies as set out under Appendix B: Accessing Personal Information Procedures. Authorized persons shall only be granted access to personal information on a “need to know” basis in order to fulfill their job responsibilities; and• Secondary use or analysis of data collected for other purposes may occur only if the data is first sufficiently anonymized to remove all personal identifiers such that it is not reasonably possible to re-identify individuals. Staff may contact the ATIP Office for support and guidance.Disclosure of personal information outside the CityDisclosure of personal information beyond the employees and department responsible for the initial collection and use of the personal information is not permitted, except where it is necessary for the performance of job duties, or where specific consent has been received from the individual to whom the information pertains.Disclosure of personal information to any external individual or organization must be in accordance with Section 32 of MFIPPA, which sets out specific circumstances in which the City may disclose personal information to other individuals or organizations including, but not limited to:• If the person to whom the information relates has identified that information in particular and consented to its disclosure;• For the purpose for which it was obtained or compiled or for a consistent purpose;• For the purpose of complying with another Act of Legislature or an Act of Parliament;• If the disclosure is required for an active law enforcement investigation, from which a proceeding is likely to result; and• In compassionate circumstances, to facilitate contact with the spouse, a close relative or a friend of an individual who is injured, ill or deceased.Staff should consult with the ATIP Office if they are uncertain as to whether, under the circumstances, disclosure is permitted as described in Section 32 of MFIPPA.Protection of personal informationPersonal information shall be secured against loss through misplacement, deterioration, accidental destruction, theft and unauthorized or inappropriate access, retention or disposal. Each department and/or its Service Areas shall establish security measures that include administrative, technical and physical safeguards that are appropriate to the information’s sensitivity, the format in which it is held, and the related privacy risks.Security measures shall include de-identification for all data where appropriate. When personal information must be retained, the department must establish administrative, technical and physical safeguards that take into account the information’s sensitivity, the format in which it is held, and the related privacy risks.Examples of administrative safeguards are privacy and security training; technical safeguards include measures such as strong passwords and encryption; and physical safeguards include controlled access to locations where personal information is stored and supervision of visitors.Retention and Disposition of personal informationThe City shall not retain records containing any personal information for longer than is required for the provision of City programs and services, in accordance with the Records Retention and Disposition By-law or applicable legislation.When no longer required, temporary hard copy records containing personal information shall be destroyed by placing them in a secure shredding console or bin. Electronic records and systems must establish lifecycle time periods, processes for destruction and confirmation of disposal. This applies to a vendor’s activities as well to ensure that records are not retained beyond the vendor’s services.Official business records containing personal information will be disposed of by Information Management according to the Records Management Procedures. Staff who have questions about retention and disposition of records containing personal information should consult the Information Management Branch.Rights of access and Correction of own personal informationIndividuals are entitled to access their own personal information with limited exceptions. This includes notes that City staff have made about the individual. These records can often be released to the individual directly by the department holding the information.Section 38 of MFIPPA sets out limited circumstances where individuals may be denied access to their own personal information. Staff should consult with the ATIP Office if they have any questions about the applicability of Section 38.If the department does not release requested personal information directly to the individual, the individual has a right under MFIPPA to file a formal request for the information with the ATIP Office.Every individual has a right under MFIPPA to request correction of their personal information. Requests to correct personal information may be processed informally by City staff or be directed to the ATIP Office. The correction of personal information in a file does not necessarily entail the deletion or erasure of the original record. Rather, it may result in adding a note to a record at the request of the individual. The ATIP Office can assist if the department is not in agreement with the correction being requested.Privacy BreachesA privacy breach occurs when personal information is collected, retained, used or disclosed in ways that are not in accordance with MFIPPA or PHIPA.Not all circumstances reported to the ATIP Office constitute a privacy breach. However, all suspected privacy breaches must be investigated. Where a privacy breach has occurred, immediate steps must be taken to ensure that the breach is contained to limit the potential harm to an affected individual(s) and/or to the City of Ottawa.When any apparent or suspected privacy breach occurs, staff shall notify their manager immediately. The ATIP Office shall also be notified immediately by completing a Privacy Breach Incident Report Form.The ATIP Office’s Privacy Unit will investigate all reported breaches and provide support in the response, containment, and remediation of breaches. The ATIP Office will assist the department with notification to affected individuals and preventative measures. The Privacy Unit will also advise on whether the breach should be reported to the Information and Privacy Commissioner of Ontario (IPC).Privacy Impact AssessmentsA Privacy Impact Assessment (PIA) is a risk management tool that supports project planning and execution. It identifies the potential effects a project may have on an individual's privacy and is essential for assessing compliance with MFIPPA. A PIA assists in determining the appropriate collection, use, retention, disclosure, security and disposal of personal information, in accordance with MFIPPA.If staff are developing a new service, acquiring new technology, or modifying an existing service or technology, that involves a new collection, use, disclosure, or retention, of personal information, they must complete a Privacy Impact Assessment – Intake Form.The ATIP Office’s Privacy Unit will review the Intake Form to determine whether a PIA must be undertaken. The PIA may result in recommendations pertaining to the collection, use, disclosure and retention of personal information in accordance with MFIPPA. If required, a project team will be necessary to support the PIA. Depending on the nature of the service or technology, the project team will include the Business Owner, a Privacy Analyst, and representatives from IT Security and Information Management.Application of Personal Information Protection and Electronic Documents Act (PIPEDA)The federal privacy legislation, PIPEDA, applies only to personal information pertaining to OC Transpo employees. For the purposes of PIPEDA, the City Clerk is designated as the person who is accountable for OC Transpo’s compliance with the privacy principles under PIPEDA. The City Clerk may further delegate responsibility to respond to any inquiries of OC Transpo employees or the federal Office of the Privacy Commissioner (OPC) to the Access to Information and Privacy Office.ResponsibilitiesMFIPPA applies to personal information in the custody or control of the City of Ottawa. The City and all of its employees, according to their role, are responsible for ensuring personal information is handled in accordance with the requirements of applicable access and privacy laws and the guidance of the Information and Privacy Commissioner of Ontario (IPC). In addition, City employees are required to abide by the requirements under the Employee Code of Conduct.Departments are the experts regarding their service area. Each department is accountable for its handling of personal information, including understanding privacy responsibilities and risks. Departments shall have clear protocols in place to ensure privacy is protected and records are managed in accordance with this PolicyThe ATIP Office supports employees and departments in understanding the legal requirements of protection and handling of personal information, to identify areas of privacy risks, suggest solutions and best practices.The City Clerk shall: • Act as the Head under MFIPPA who is responsible for making many of the decisions under MFIPPA, pursuant to delegated authority; • Be accountable for overseeing the administration of MFIPPA within the municipality and for decisions made under the above legislation; • Be accountable for OC Transpo’s compliance with the privacy principles of PIPEDA; • Ensure oversight and compliance with this policy; and• Investigate and respond to privacy complaints received from the IPC.The ATIP Office shall:• Provide advice and establish privacy standards to support this policy; • Review departmental policies and procedures with respect to privacy upon request from a department; • Review and make recommendations regarding the privacy impact of new and existing City services, programs, systems and technologies upon request from a department (i.e. privacy impact assessments);• Develop and make available training for City staff to improve privacy awareness; and• Investigate reports of privacy breaches and complaints of the misuse of personal information.Management within each department shall: • Promote a culture and business practices that ensure the principles for responsible collection, use, protection and disclosure of personal information set out in this policy are followed; • Ensure the collection, use and disclosure of personal information is consistent with obligations of MFIPPA and guidance of the IPC;• Ensure clear governance policies, procedures and reporting exist to prevent unauthorized use or disclosure of personal information;• Ensure that the retention of personal information under the custody or control of the City is in keeping with this policy and the Records Retention and Disposition By-law; • Ensure vendor contracts and performance comply with all privacy requirements, including mandatory breach response and reporting to the City;• When introducing new services, programs, systems and technologies that collect, use or retain personal information, request a PIA from the ATIP office in compliance with the principles set out in this policy;• Report apparent and suspected breaches of privacy to the ATIP Office immediately by completing a Privacy Breach Incident Report Form; and• Ensure list of personal information banks remains current and newly established personal information banks are registered with the Clerk.Employees shall: • Protect privacy in executing their operational duties and ensure personal information is handled with care and confidentiality in all City activities;• Ensure information is collected and accessed only as required to carry out individual role and specified service delivery;• Follow departmental procedures for the collection, use, protection and disclosure of personal information by City employees and third parties (e.g. vendors, contractors); and• Report a potential breach to a supervisor/manager immediately if unauthorized access, collection, or dissemination of personal information is suspected.Monitoring/ContraventionsThe City Clerk shall be responsible for receiving complaints or concerns related to this policy. City employees who fail to comply with this policy may be subject to disciplinary and/or legal action, as deemed appropriate.ReferencesAccountability and Transparency PolicyEmployee Code of ConductRecords Management PolicyRecords Management ProceduresRoutine Disclosure and Active Dissemination PolicyLegislative and administrative authoritiesCity of Ottawa Records Retention and Disposition By-lawMunicipal Act, 2001Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)Personal Health Information Protection Act, 2004 (PHIPA)Personal Information and Electronic Documents ActDefinitionsCollection – The acquisition of personal information from or about the individual to whom the information relates, including unintended or unprompted receipt.Consistent purpose – a purpose the individual might reasonably have expected at the time personal information was collected.De-identification – The process of removing personal information from a record or data set to such an extent that re-identification would be unlikely.Disclosure – The release of personal information by any method (e.g. sharing information by any means such as verbal exchange, sending an email, posting online) to any person.Personal information – Recorded information about an identifiable individual as defined in Subsection 2(1) of MFIPPA.Personal information bank – A collection of personal information that is organized and capable of being retrieved using an individual’s name or an identifying number of particular assigned to the individual.Privacy breach – The improper or unauthorized collection, use, disclosure, retention or disposition of personal information. This includes unsuccessful de-identification of information/data sets.Privacy Impact Assessment (PIA) – A PIA is a risk management tool that supports project planning and execution. It identifies the potential effects a project may have on an individual's privacy and is essential for assessing compliance with MFIPPA. A PIA assists in determining the appropriate collection, use, disclosure, retention, security and disposal of personal information, in accordance with MFIPPA.Privacy risk – The potential for loss or breach of personal information that is collected, used, disclosed, or retained. Re-identification – Any process that re-establishes the link between information and an identifiable individual.EnquiriesFor more information on this policy, contact:Kiel AndersonManager, Policy and Business OperationsOffice of the City ClerkCity of Ottawa(613) 580-2424 extension 13430