Frequently Asked Questions About FIPPA: Government and Other Public Bodies
- Who is the head of the public body under FIPPA and what is the role of the head?
- What are the responsibilities of an Access and Privacy Officer?
- What are the responsibilities of an Access and Privacy Coordinator?
- What information should be included in a response to a FIPPA request?
- What do I do if the 30th day falls on a Sunday or statutory holiday?
- When and how do I transfer a request to another department or public body?
- What fees may a public body charge under FIPPA?
- What functions can be charged for as “Search and Preparation”?
- What functions cannot be charged for as “Search and Preparation”?
- Does the Manitoba government have a privacy impact assessment tool?
- What do I need to include in a privacy statement for my departmental website?
- What should I do if I suspect a privacy breach?
- When is the collection of personal information authorized?
- When is indirect collection of personal information authorized?
- What kind of notification statement do I need to provide when I collect personal information?
- How can a public body use the personal information it collects?
- How can a public body disclose information?
Who is the head of the public body under FIPPA and what is the role of the head?
Under FIPPA, the head of a public body depends upon the type of public body. According to the definition of “head” in s.1, the head is as follows:
- for a government department: the head is the minister of the department
- for an incorporated government agency: the head is the chief executive officer
- for an unincorporated government agency: the head is the minister responsible for the agency
- for a local public body: the head is the person or group of persons designated by by-law or resolution of the local public body.
FIPPA gives the head of the public body the responsibility for all decisions and actions of the public body under the Act. The head may delegate to any person on the staff of the public body any duty or power of the head. It is suggested that the delegation be made to positions, rather than specific individuals. For recommended delegation documents, see Forms.
What are the responsibilities of an Access and Privacy Officer and how is the Officer appointed?
The Access and Privacy Officer is a person to whom the head of the public body has delegated a duty or power under FIPPA. This delegation should be in writing.
In practice, the Access and Privacy Officer is an important decision-maker under FIPPA and should be a senior staff person. Each Officer should have a backup, who will act when the Officer is absent.
In government departments, it is recommended that Access and Privacy Officers be at the executive level. It is also suggested that each department should have a lead Officer with divisional officers as appropriate for the department. Frequently, the head of the central administration division will be the lead Officer.
The main duties of an Access and Privacy Officer are to:
- make decisions about granting or denying access requests and sign response letters
- decide when extensions to response time are necessary
- provide formal notice to third parties and hear responses
- monitor the overall FIPPA performance of the public body
- ensure that the public body manages personal information as required under FIPPA
- deal with the Ombudsman’s Office on complaint investigations and during the conduct of any privacy investigations and audits
What are the responsibilities of an Access and Privacy Coordinator?
Each public body is requested, under the Access and Privacy Regulation, to appoint an employee as an Access and Privacy Coordinator who is responsible for receiving applications for access and for day-to-day administration of the Act.
The Access and Privacy Coordinator manages responses to access requests and assists program areas to comply with the requirements respecting collection, use, disclosure, correction and protection of personal information. In large organizations which receive many requests, this will probably be a full-time function. As the Coordinator works closely with the lead Access and Privacy Officer, it is recommended that there be a direct reporting relationship between these two positions.
The main duties of the Access and Privacy Coordinator are to:
- assist applicants by explaining the FIPPA process and answering questions
- receive applications and coordinate the response process
- contact applicants for clarification or more information if necessary
- ensure time limits and notification requirements are met
- assemble records for the Officer’s review and decision-making
- estimate and collect fees and, if this function is delegated by the head, sign the Estimate of Cost form
- draft response letters
- prepare quarterly statistical reports
- ensure ministerial delegated authority documents are up-to-date
- ensure that program directors understand the requirements respecting protection of personal information
- receive requests for correction of personal information and forward them to the program area
What information should be included in a response to a FIPPA request?
FIPPA s.12 (1) provides that the public body shall inform the applicant in writing of the following:
- whether access to the record (or part of the record) is granted or refused;
- if access to the record (or part of the record) is granted, how access will be given; and
- if access to the record (or part of the record) is refused,
  - the reasons for the refusal and the exceptions in FIPPA on which the refusal is based, or
  - that the record does not exist or cannot be located.
In addition, when access is refused, the public body must provide contact information for an employee of the public body who can answer the applicant’s questions about the refusal. The response must also inform the applicant that he or she may complain to the Ombudsman about the refusal.
The following Manitoba Ombudsman Practice Notes outline what that Office looks for in FIPPA responses:
- Checklist: Contents of a Complete Response Under the Freedom of Information and Protection of Privacy Act (FIPPA)
- Providing Reasons to an Applicant when Refusing Access under the Freedom of Information and Protection of Privacy Act (FIPPA)
Sample response letters are included at: Model Letters and notices
What do I do if the 30th day falls on a Sunday or statutory holiday?
FIPPA s.9 requires that public bodies make every reasonable effort to respond to an applicant as quickly as possible. If you cannot respond until the 30th calendar day and that day falls on a weekend or a holiday, the response may be sent on the next business day.
When and how do I transfer a request to another department or public body?
FIPPA s.16 provides that, within seven calendar days after the public body receives an access request, the head may transfer it to another public body if:
- the record was produced by or for the other public body,
- the other public body was the first to obtain the record, or
- the record is in the custody or under the control of the other public body.
Examples:
- Family Services receives a request from a Social Allowance client for access to his or her records regarding a specific training program. Although the training program was originally delivered through Family Services, such programs and their records are now the responsibility of Jobs and the Economy. Family Services transfers the application to Jobs and the Economy.
- Executive Council receives a request for a Cabinet Submission about a farm support program. As Agriculture, Food and Rural Development prepared the document, Executive Council may transfer the application to Agriculture, Food and Rural Development.
Before transferring an application, the Access and Privacy Coordinator should contact the Coordinator of the other public body to confirm that it has the requested record and agrees to the transfer.
If an application is transferred to another public body, the Coordinator of the public body that originally received the request must notify the applicant of the transfer in writing as soon as possible. A sample notification letter is included at: Model Letters and notices.
The public body to which the application is transferred must make every reasonable effort to respond to the request within 30 calendar days of receiving it, unless there is a time extension under section 15 or third party notification under section 33.
What fees may a public body charge under FIPPA?
There is no fee for making a FIPPA application or for the first 2 hours spent by the public body searching or preparing the information.
The following are chargeable services under FIPPA:
- Search and Preparation Fees
$15 per half hour (after 2 free hours)
Applies to time spent: locating the records, making working copies, doing any required severing. Does not apply to time spent: deciding what information will not be disclosed and will be severed, arranging to transfer an application to another public body, preparing a fee estimate.
- Computer Programming and Data Processing Fees
$10 for each 15 minutes of in-house programming or data processing, or the actual cost of having it done externally
- Copying Records (If Applicant Requests a Copy)
Photocopies and computer printouts: 20 cents per page;
Prints from microfilm: 50 cents per page;
Any other copying method: actual cost
Note: applicants requesting copies of their own personal information are not required to pay for the copies if the total copying charge is less than $10.
- Delivery Fees
Regular mail: no charge;
Courier delivery: actual cost
What functions can be charged for as “Search and Preparation”?
The following functions are search and preparation functions which may be charged to an applicant:
- identifying the location of the requested records in the office or in storage
- examining the file(s) to locate the specific items that are responsive to the request
- copying and physical severing of the records to protect from disclosure information which falls within an exception.
What functions cannot be charged for as “Search and Preparation”?
The Regulation s.4(3) provides that the following functions are not part of “search and preparation” and cannot be charged to an applicant:
- transferring a request to another public body
- preparing a fee estimate
- reviewing the records to determine if any exceptions to access apply
- copying a record for an applicant
- preparing an explanation of the records
- time consulting within the public body, other public bodies, third parties and legal counsel.
Does the Manitoba government have a privacy impact assessment?
Access to Information and Privacy staff have developed a process for supporting departments and agencies of the Manitoba Government through a Privacy Impact Assessment. Please contact fippa@gov.mb.ca to discuss whether you need to complete a PIA. Common reasons to complete a Privacy Impact Assessment include:
- designing a new program or service.
- making significant changes to a program or service such as converting from a conventional service delivery mode to electronic service delivery mode.
- changing the way you collect, use or disclose personal information.
- anticipating that the public may have privacy concerns regarding a new or modified program or service
- introducing changes to the business systems or infrastructure architecture that affect the physical or logical separation of personal information or the security mechanisms used to manage and control access to personal information.
What do I need to include in a privacy statement for my departmental website?
The privacy statement should include:
- what information is automatically collected by the web server (and why it’s needed), as well as contact information for someone who can answer questions about it
- what personal information is collected to provide services and why it’s required (for example, to mail a requested brochure)
- what information (if any) is disclosed to other public bodies or individuals
- the authority for collecting personal information under your program legislation or FIPPA
- contact information for someone who can answer questions
The privacy statement may also include:
- what links exist to other sites (and notice that you are not responsible for the content or privacy practices of other sites)
- information about cookies
- information about security policies
What should I do if I suspect a privacy breach?
The most common privacy breaches happen when personal information about clients, customers or employees is stolen, lost or mistakenly disclosed. Examples include a laptop computer stolen from an office, a mobile device left behind in a taxi, or a document faxed to the wrong number.
The Manitoba Ombudsman has identified four key steps for public bodies responding to a breach:
- Contain the breach.
- Evaluate the risks associated with the breach.
- Decide who to notify about the breach (this may include affected individuals, police, technology providers, regulatory bodies, Ombudsman’s Office).
- Take steps to prevent future breaches.
For further information about responding to a privacy breach, please see the following guidance documents developed by the Manitoba Ombudsman:
- Key Steps in Responding to Privacy Breaches under The Freedom of Information and Protection of Privacy Act (FIPPA) and The Personal Health Information Act (PHIA)
- Reporting a Privacy Breach to Manitoba Ombudsman
When is the collection of personal information authorized?
Public bodies often need to collect personal information to provide benefits and services to individuals. However, you cannot collect personal information unless you have legal authority. Legal authority may be provided by FIPPA or program specific legislation.
Collection of personal information is permitted if:
- the collection is expressly authorized by an Act or regulation of Manitoba or Canada
- it is directly related to and necessary for an existing program or activity of the public body, or
- it relates to law enforcement or crime prevention
Consent does not authorize the collection of personal information under FIPPA. The public body must collect information for one of the reasons listed above.
When is indirect collection of personal information authorized?
Generally, public bodies must collect personal information directly from the individuals that the information is about (e.g. through an interview or by completing an application form).
However, FIPPA also allows public bodies to collect personal information indirectly from someone other than the individual that the information is about (e.g. from another department to verify eligibility to participate in a program).
Some examples include:
- program legislation authorizes the public body to collect financial information from the federal taxation department
- information confirming employment status is collected from the federal employment and immigration department, if collecting this information directly from individuals could reasonably be expected to result in inaccurate information
For a complete list of when personal information may be collected indirectly, see s.37(1) of FIPPA.
What kind of notification statement do I need to provide when I collect personal information?
When collecting personal information directly from an individual, public bodies must notify the individual of:
- the purpose for collection
- the specific legal authority for the collection, and
- the title, business address and business telephone number of an officer or employee who can answer the individual's questions about the collection
All three parts of the notice must be provided to the individual at the time that the information is collected, and in a manner that is appropriate to the circumstances:
- if personal information is collected on a form, the notice may be part of the document, attached to the form or provided in a brochure
- if service is provided by telephone, verbal notice would be appropriate
- if service is provided at a counter, signage or brochures would be appropriate
Here is an example of notice that could be included in a form:
The personal information collected is necessary for the administration of the ______Program. It is used to assess and verify your eligibility and suitability for the _____Program. If you have any questions about the collection of this information, please contact the Director, 123 Office Building, Winnipeg Manitoba, R3C 1Z1 or 945-1234.
How can a public body use the personal information it collects?
Public bodies are permitted to use personal information only:
- for the same reason that it was collected, or for a consistent purpose
- with the consent of the individual, or
- for the same reasons that it was disclosed to you by another public body under FIPPA
For example, if a municipality collects names and addresses to compile tax assessment rolls, it may also use this information for operating the municipality. This could include using the information to send out utility bills to homeowners.
For a complete list of when personal information may be disclosed, see s.43 and s.44(1) of FIPPA.
Even if public bodies are permitted to use personal information for a particular purpose, FIPPA limits the use to the minimum amount necessary to carry out their purposes in a reasonable manner. This limit applies to the amount and type of information that is used.
The use of personal information is also limited to those employees of the public body who need to know the information to do their jobs.
For example, a supervisor receives an email from an employee saying that she will not be at work on Monday because she has a medical appointment. The email also contains details about her appointment, including the name of the physician and her medical condition. The supervisor forwards the e-mail to the receptionist who keeps track of absences.
In this case, the receptionist does not need to know all the information in order to track the employee’s absence. The supervisor should have written a new email regarding the employee's absence, or removed the unnecessary information before forwarding it.
How can a public body disclose personal information?
Public bodies are permitted to disclose personal information only:
- for the same reason that it was collected, or for a consistent purpose
- with the consent of the individual, or
- for a limited number of reasons that are authorized under FIPPA
For example, if the federal government is providing part of the funding for a Manitoba employment program, and the federal government requests a report on outcomes for participants, the Manitoba program would look at s.44 of FIPPA to see if it is allowed to disclose this information. Under s.44 (1)(i), a public body may disclose personal information to the government of Canada to facilitate the monitoring and evaluation of a shared cost program. If this is the reason that the information is being requested, the public body would be authorized to disclose it.
For a complete list of when personal information may be disclosed, see s.44(1) of FIPPA.
Even if public bodies are permitted to disclose personal information for a particular purpose, FIPPA limits the disclosure to the minimum amount necessary to carry out their purposes in a reasonable manner. This limit applies to the amount and type of information that is disclosed.
The disclosure of personal information is also limited to those employees of the public body who need to know the information to do their jobs.
For example, a supervisor receives an email from an employee saying that she will not be at work for six weeks due to a medical condition. She attaches a copy of a report from her physician. The supervisor forwards the e-mail to a receptionist in the human resources department who keeps track of absences.
In this case, the receptionist does not need to know all the information in order to track the employee’s absence. The supervisor should have written a new email regarding the employee's absence, and removed the attachment before forwarding it.