Ten Privacy Principles
Legal Aid Ontario and the Ten Privacy Principles
The Canadian Standards Association has developed a Model Code for the Protection of Personal Information, which was recognized as a national standard in 1996. The provisions of this Code have been incorporated in the Federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Legal Aid Ontario is subject to the provisions of the Freedom of Information and Protection of Privacy Act (FIPPA) and as such LAO is not subject to PIPEDA. Nevertheless, staff of LAO should be aware of the ten principles of privacy and how they apply to LAO, because of their importance as part of a recognized standard for privacy protection. Community legal clinics are subject to the provisions of PIPEDA, as are lawyers in private practice, including those who are retained through a legal aid certificate.
The code's 10 principles are:
- Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
- Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
- Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except when inappropriate.
- Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. Personal information shall be retained only as long as necessary for fulfilment of those purposes.
- Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals for the organization's compliance.
How do these principles apply to LAO?
- Accountability: LAO has designated a FIPPA Co-ordinator who manages privacy issues. Linda Hall, Director, Appeals & FOI acts as the FIPPA Co-ordinator at LAO. You may contact her at 416-979-1446.
- Identifying Purposes: LAO identified the purposes for which information is collected through the FIPPA statement in the legal aid application, the contribution agreement and other documents which collect personal information.
- Consent: The provisions of FIPPA do not require LAO to have consent to all collection, use and disclosure of personal information, provided appropriate notification is provided in the FIPPA notification statement. Nevertheless, LAO does collect the consent of the legal aid applicant to the disclosures which are made to third parties in the financial eligibility process. In addition, LAO limits the disclosure of personal information to disclosures which can properly be made, in accordance with the provisions of FIPPA and the Legal Aid Services Act (LASA).
- Limiting Collection: LAO limits collection of personal information to information required for a business purpose, necessary to the proper functioning of LAO. In addition, LAO has committed to a review of the collection of all personal information following the implementation of TSN. That review will look at all of the information collected and analyze the business purpose for which it is collected, to ensure that LAO limits its collection to what is necessary.
- Limiting Use, Disclosure and Retention: LAO may only disclose personal information in accordance with the provisions of LASA and FIPPA. Although consent is not required in all circumstances, the disclosure is limited by the purposes set out in the FIPPA statement. Use and disclosure must be for a purpose specified or a consistent purpose, which must be reasonably foreseeable. Because much of the information collected by LAO is subject to solicitor and client privilege, in practical terms, little disclosure is possible without the consent of the individual.
- Accuracy: The implementation of new computer technology in May 2004 (TSN) will allow LAO to have more consistent information across the organization. Where new or corrected personal information is received in one area or department, that information will be immediately available to all staff in LAO.
- Safeguards: LAO has recently undertaken a Threat Risk Assessment to review its security of electronic records. As a result of that study, LAO is taking steps to upgrade its technological safeguards to ensure an appropriate level of security. LAO also has a security policy for its offices, which protects paper records.
- Openness: LAO's policies regarding personal information are available to the public on request. Some information on privacy is available on LAO's website.
- Individual Access: LAO follows the provisions of FIPPA when requests for access are received. It is the policy of LAO that, generally, legal aid applicants shall have access to their own records, subject only to exceptions in accordance with FIPPA and LASA. Under FIPPA, an individual has the right to request that a correction be made to the personal information held by LAO. Where LAO does not comply with the request, a statement of disagreement will be attached to the file, using the notes and attachments section of the client file in TSN.
- Challenging Compliance: LAO has a complaints policy which deals with complaints in all matters. Staff have been instructed that complaints about privacy should be brought to the attention of the FIPPA Co-ordinator who has expertise in the area of privacy and can advise staff of the appropriate method of dealing with the complaint.
LAO staff are encouraged to apply these principles in dealing with personal information. If you have any questions or concerns, contact the FIPPA Co-ordinator.