The Freedom of Information and Protection of Privacy (FOIP) Act requires Seniors, Community and Social Services to protect the personal information it manages. In Fall 2001, Seniors, Community and Social Services adopted a Privacy Policy to provide guidance on the Department’s expectations for handling personal information.

Collection of Personal Information

Staff must only collect personal information directly related to and necessary for the programs and services that they are responsible for. This is the information collected on Seniors, Community and Social Services paper and electronic forms in its information systems. Personal information not related to decision criteria of the particular benefit or service is not required and must not be collected without the appropriate authority, even though the information might be potentially useful to other programs in Seniors, Community and Social Services.

Unsolicited personal information that is not necessary for program operation is not authorized for collection. If received, this information should be returned to the client.

Staff must be able to explain to the client:

• The reason(s) the personal information is needed;
• The purpose the personal information will be used for;
• Client options regarding the provision of the personal information and the consequences that may result from not providing it, including any limitations on services; and
• The name and contact information of a person in Seniors, Community and Social Services who can answer the client’s questions about the collection of their information.

Use of Personal Information

Personal information may only be used for the purpose for which it was collected; for example, to administer a program, provide a service or determine eligibility for a benefit under the Income and Employment Supports Act (IESA).

Section 39 of the FOIP Act lists the only circumstances under which Seniors, Community and Social Services may use personal information.

Staff Responsibility to Protect Personal Information

Staff must recognize that given the necessity to handle personal information:

• They must be aware of the relevant policies (e.g. Privacy and Security Policies) and program requirements for protecting personal information.
• Appropriate use of personal information means information must only be accessed in “need to know” circumstances.

Disclosure of Personal Information

FOIP Act

Section 40 of the FOIP Act lists the only circumstances under which Seniors, Community and Social Services may disclose personal information. It enables but does not require the disclosure of personal information in the course of various administrative processes and in response to informal access requests.

The authority to disclose personal information is delegated as per the FOIP Delegation Matrix. For example, personal information may be disclosed to an individual’s lawyer with the individual’s written consent. If in doubt about disclosing personal information, staff should consult with their supervisor. The link to the delegation matrix is via the intranet so would not be accessible by the public.

IESA

Workers can also disclose information only as specified in IESA section 49:

• Where the disclosure is necessary for the administration of the IESA, or
• To any person employed in the administration of a similar Act in another province or territory of Canada, or
• To any person with the written consent of the Zone Executive Director.

The Minister has the power under IESA sec 49(2)(c) to disclose information to any person where he deems it to be in the client’s best interests. This authority is delegated by the Minister to the Zone Executive Director.

Specific policies for disclosing information under IESA and the FOIP Act are described below.

Disclosure of Client Information by Oral Consent

Under Seniors, Community and Social Services Oral Consent Policy and Procedures, oral consent can be accepted from a client allowing a third party to act on behalf of that client with the department. The consent is only valid for 48 hours and all criteria outlined in the Oral Consent Policy and Procedures must be followed.

Disclosure of Client Information to a Third Party by Written Consent

Under the FOIP Act, the department may disclose personal information to a third party if the individual the information is about has identified the information and consented to the disclosure in the manner outlined in the FOIP Regulation. The consent must specify to whom the personal information may be disclosed, how the personal information may be used, must be in writing, and must be signed and dated by the applicant, client or legal guardian. This can be in the form of a letter written by the client or applicant, or the AAS13391 Consent to Release Information form. To revoke their consent after submitting the letter or the completed form, the client must submit a written request to do so.
An exception to the above is made if a legal guardian or other person with legal authority (e.g., via a court order or written authorization from the client) to act on that person’s behalf (e.g., for an individual with a cognitive disability) requests the disclosure of the client’s or applicant’s personal information to a third party. In these circumstances, a copy of the guardianship order or written authorization must be provided prior to disclosure.

Note

Consent does not mean the Worker must share the information with the third party. If the client does not understand the potential implications of the disclosure, has otherwise been coerced or misled, or is not aware of the extent of the sensitive nature of some of the information which may be disclosed, the Worker may refuse to provide the information to the third party. Instead, the Worker may disclose the information directly to the client, applicant or legal guardian to give to the third party.

Requests for information related to psychological evaluations, medical reviews, third party information, or Action Requests must be reviewed by FOIP Operations or Privacy Services. If the Worker has concerns about the legality or ethics of a disclosure, they should discuss the request with their Supervisor. If necessary, the request may be discussed with Delivery Supports or reviewed by FOIP Operations or Privacy Services (formerly known as the Information and Privacy Office).

Note

The Information and Privacy Office has evolved into two distinct business units: Privacy Services and FOIP Operations. Contact information for both is within these procedures.

Disclosure to Members of the Legislative Assembly (MLAS)

Under the FOIP Act, personal information may be disclosed to an MLA who has been requested by the individual the information is about, to assist in resolving a problem. Under the FOIP Delegation Matrix this is delegated to the supervisor or a higher authority level. The supervisor must be confident that the individual has asked the MLA to assist them in resolving a problem and that the disclosure of the personal information is related to that resolution. The person requesting the information should be the MLA or the MLA’s official designate. The disclosure must be documented in Compass Comments.

Disclosure Related to Law Enforcement

If a Seniors, Community and Social Services Alberta Supports Centre receives a request to disclose personal information related to a law enforcement matter, form EMP 2941 Request to Disclose Personal Information must be completed.

Penalties for Breach of Confidentiality

Seniors, Community and Social Services is committed to the appropriate management of the personal information of its clients. Inappropriate collection and use may result in disciplinary action, up to and including, termination of employment.

In addition, under section 92 of the FOIP Act, persons who willfully collect, use or disclose personal information in contravention of the FOIP Act are guilty of an offence and liable to a fine of not more than $10,000.

Reports to Child and Family Services

The confidentiality requirements of the IESA and the protection requirements under the FOIP Act do not release IS staff from the obligation to report to Child and Family Services when there are any potential child protection concerns.

Procedures for Disclosure

Under the FOIP Delegation Matrix authority to disclose certain information is delegated beyond an Alberta Supports Centre level. If an Alberta Supports Centre receives a request to disclose personal information, the Alberta Supports Centre will:

1. Complete the EMP 2941 Request to Disclose Personal Information.
2. Fax the completed form to the Zone Executive Director for review.

In situations of law enforcement requests to disclose information, the requesting Alberta Supports Centre completes section 3 of EMP 2941 Request to Disclose Personal Information and faxes to the Zone Executive Director for review.

When the EMP 2941 Request to Disclose Personal Information is received, the Zone Executive Director’s office will:

1. Review the request in accordance with section 40 of the FOIP Act.
   
   Note
   The Zone Executive Director may disclose information about a client only in accordance with section 40(1) and 41 of the FOIP Act. 
   
   
2. Provide verbal consent or refusal for the request.
3. Complete section 4 of EMP 2941 Request to Disclose Personal Information within 10 working days, and forward to the appropriate Alberta Supports Centre.

Consent to Release

The Alberta Supports Centre will:

1. Enter the decision by the Zone Executive Director in Compass Comments.
2. Provide the information to the person requesting the information.

Refusal to Release

The Alberta Supports Centre will:

1. Enter the decision by the Zone Executive Director in Compass Comments.
2. Notify the person requesting the information that the information cannot be disclosed and provide the reason(s) why.

The Alberta Supports Centre and/or Zone Executive Director’s office may consult with FOIP Operations or Privacy Services as required.

Request for IS file

Requests for access to individual documents or a few records from the IS file can be disclosed by the IS program in accordance with the authorities outlined in this policy.

Requests for a complete copy of an IS file, multiple sections, or large sections of an IS file must be made in writing and presented to FOIP Operations. This can be submitted by an applicant, client or authorized representative one of two ways:

1. Complete the online request form found on the Submit a FOIP request website, or
2. Send a letter to the AISH program or FOIP Operations (address below).

If the IS program receives such a request, they must forward it to FOIP Operations immediately (via regular mail or email at sa.foip-centralintake@gov.ab.ca ).

If a client submits a written request into the office, the following must be included with the request from the client:

• The client’s and authorized representative’s (if applicable) name, address, and a telephone number including any previous alias,
• Be as specific as possible in describing the records they want to access,
• Include the date range of the records they want to access,
• Copy of their photo ID,
• Be signed and dated.

The AISH office forwards the written request from the client to FOIP Operations via email at sa.foip-centralintake@gov.ab.ca or by regular mail to the address below.

FOIP Operations
4th Floor, Standard Life Centre (SLC)
10405 Jasper Avenue
Edmonton, AB T5J 4R7

Note
FOIP Operations does not accept verbal requests.

If an applicant, client or authorized representative has questions about their access request, they can contact FOIP Operations at (780) 643-6713 or toll free by dialing 310-0000 followed by the number.

Privacy Breach

A privacy breach occurs when there is misuse of an individual’s personal information through improper collection, use, disclosure, destruction and loss of personal information. This disclosure could include an individual receiving another individual’s personal information due to mailing errors, faxing errors, or other methods of unauthorized disclosure. This activity is in contravention of the FOIP Act. Additional information can be found in the Privacy Breach Procedure.

Persons who willfully contravene rules governing confidentiality in the FOIP Act may be guilty of an offence under section 92 and could be liable to a fine of up to $10,000. Disciplinary action, including termination of employment, may also apply. Cases involving financial penalties are rare but are possible depending on the circumstances of the situation and the impact.

1. If an IS staff member becomes aware of a confidentiality breach, they must inform their Supervisor and Manager immediately. If their Supervisor or Manager is not directly available, the IS staff member contacts the Privacy Manager as identified in the following step.
2. The IS Manager must immediately report the incident to the Privacy Manager of Privacy Services by emailing privacy@gov.ab.ca. Privacy Services will contact the IS Manager or assigned staff to review and discuss the situation and the seriousness of the event. Privacy Services helps guide the IS Manager or assigned staff member through any necessary steps (e.g. notifying the Office of the Information and Privacy Commissioner, Security Office, Communications or other executive personnel) and will provide direction and guidance in completing the Breach Report Form.
3. The IS Manager takes immediate steps to recover any personal information that was disclosed.
4. The IS Manager immediately reports the incident to the Zone Executive Director. The Zone Executive Director will assess whether to report the breach to the Assistant Deputy Minister.
5. The IS Manager or assigned staff member completes all actions recommended by Privacy Services.