Accountability

Published Date: April 11, 2018

Obligations & Expectations

Training and Service Providers

Collection, Use & Disclosure of Individual Information

AUTHORITY

Freedom of Information and Protection of Privacy Act, Sections 33 to 42
Income and Employment Supports Act, Sections 6, 8, 10, 14, 18-21, 26, 29 and 49
Training Provider Regulations, Section 4

INTENT

Legislative Authority

  1. Freedom of Information and Protection of Privacy Act

    The Freedom of Information and Protection of Privacy (FOIP) Act protects the privacy of individuals by controlling the manner in which the Government of Alberta (GOA) collects, uses and discloses personal information.

    The GOA is responsible for ensuring that its responsibilities under the FOIP Act are clearly communicated to, and are understood and adopted by its employees.

    Throughout this section, each reference to ‘employee’ or ‘GOA’ should be understood to include persons who perform a service for the GOA under a contract or agency relationship, or as an appointee, volunteer or Learner.

    Even a person who is not directly employed by the GOA is responsible for protecting an individual’s personal information if that personal information is collected, used or disclosed as a direct result of a contract with the GOA to provide services to the individual.

     

  2. Income and Employment Supports Act

    The sections of the Income and Employment Supports Act (IESA) listed under the "Authority" section of this document provide legal authority for the GOA to collect, use or disclose individuals’ personal information. Section 49 enables the GOA to disclose personal information to contracted service providers.

What is Personal Information?

Personal information is defined in the FOIP Act, Section 1(n) as recorded information about an identifiable individual including, but not limited to:

  • the individual’s name, home or business address or home or business telephone number
  • the individual’s race, national or ethnic origin, colour, or religious or political beliefs or associations
  • the individual’s age, sex, marital status or family status
  • an identifying number, symbol or other particular assigned to the individual
  • the individual’s fingerprints, other biometric information, blood type, genetic information or inheritable characteristics
  • information about the individual’s health and health care history, including information about a physical or mental disability
  • information about the individual’s educational, financial, employment or criminal history, including criminal records where a pardon has been given
  • anyone else’s opinions about the individual, and 
  • the individual’s personal views or opinions, except if they are about someone else

POLICY

Appropriate Use of Individual’s Personal Information

The FOIP Act provides authority for the GOA to use an individual’s personal information:

  • for the purpose(s) for which it was collected or compiled, or
  • for a use consistent with that purpose, or
  • if the individual the information is about has consented to the use

Appropriate use of personal information means employing it to accomplish the purposes for which it was collected, e.g. to provide a service or to determine eligibility for a benefit under the IESA and associated Regulations.

It should be possible to link the use of an individual’s personal information to the service being provided to the individual, or to a closely related (consistent) use.

Each employee who accesses an individual’s information has a responsibility to use this information appropriately. Personal information should be accessed only on a ‘need to know’ basis related to the employee’s job responsibilities.

Viewing information for ‘non-work’ purposes is an inappropriate use of the information and is a breach of the individual’s privacy (see Reporting a Breach of Privacy).

Disclosure of Personal Information

Disclose means to release, transmit, reveal, expose, show, provide copies of, tell the contents of, or intentionally or unintentionally give personal information to someone by any means.

Disclose includes oral transmission of information by telephone or in person, provision of personal information on paper, by facsimile copy, or in any other format and/or electronic transmission through electronic mail, data transfer, or the Internet.

Requests to Disclose Information

Routine requests from the individual for their own personal information and related to services being provided by, or on behalf of, the GOA may be handled by consultants or external providers with appropriate verification of the individual’s identity (see Verifying a Requestor’s Identity).

Requests for personal information from someone other than the individual, or any other non-routine request, should be referred to the Learner Income Support Office at 780-644-1348 or toll free at 1-800-222-6485 or via email at CSS.LISO@gov.ab.ca.

Non-routine requests include, but are not limited to, a:

  • request from someone other than the individual, e.g. the individual’s spouse/partner or the individual’s parent
  • request from an individual for a printed copy of their complete file on Mobius
  • request from an individual for a copy of their information held by the GOA

If a request for personal information is received in circumstances other than those described above, the individual’s personal information CANNOT be disclosed at any time. (As an added caution, the existence of a record of the individual’s personal information should not be confirmed or denied.)

In some instances, a formal FOIP request would be required to obtain the requested information. In other instances, the FOIP Act and/or other applicable legislation would not allow disclosure of the requested information.

Disclosure of an Individual’s Personal Information

An individual’s personal information may only be disclosed to:

  • an individual,
  • an employee or external provider who is authorized to access information about the individual on a ‘need to know’ basis for the purpose of carrying out his/her job responsibilities, 
  • an individual authorized in writing by the individual to receive the individual's personal information,

    • the individual must submit written consent to the Learner Income Support Office identifying:

      • the name of the individual(s) authorized to receive the individual’s personal information
      • the relationship of the individual to the authorized individual(s)
      • the personal information the GOA is authorized to disclose to the individual(s)
      • the time frame the consent is in effect
    • details of the written consent must be recorded on the comments.

  • an individual authorized verbally by the individual to receive the individual’s personal information

Verbal authorization must be given at the time the information is to be disclosed, and does NOT authorize disclosure of information at any time in the future.

  • the identity of the individual must be confirmed (see Verifying a Requestor’s Identity), and 
  • the individual must give verbal authorization for disclosure of their personal information.

Disclosure of the individual’s personal information must be documented on Mobius indicating that the identity of the individual was confirmed and the individual gave verbal authorization for disclosure of the information.

Handling of Personal Information

Reasonable security precautions must be taken to protect personal information about individuals from unauthorized access, use, disclosure or disposal, including:

  • storing hard copy records in locked filing cabinets and in secure areas where they cannot be accessed by unauthorized persons
  • storing electronic records in a secure manner so that they cannot be accessed or tampered with by unauthorized persons
  • keeping hard copy and electronic records containing personal information about individuals segregated from other records. For electronic records, segregation based on systems design and password protection is allowable as long as there is no interference with the Government of Alberta's access capability or the training provider’s disposal capability

The Information and Privacy Office will be notified immediately of any unauthorized access, use, disclosure or disposal of personal information about individuals or of any theft or loss of or damage to such information, and shall take all reasonable steps to prevent a recurrence.

Data Security Controls

Each office (GOA or external provider) must establish internal controls to ensure the security of their computer system. Only personnel with the proper security clearance level should have access to the system.

Each office (GOA or external provider) has responsibility for securing records for the required length of time and preventing the loss of learner records in the event of catastrophe.

Specific measures must be taken to guarantee the ability to reproduce unaltered records if the originals are destroyed. These measures must include the ability to reproduce such records at any point during the required record retention period.

A data recovery plan with acceptable backup strategies should be in place in the event a disaster occurs. This plan should be documented and available for examination by auditors as part of the check of internal controls.

Resources

Each office (GOA or external provider) that provides services to individuals should identify an employee, either on site or readily available, who can provide guidance to other employees and can answer questions from individuals regarding the collection, use, disclosure, and handling of individuals’ personal information.

If the resource person for an external provider’s office cannot provide guidance, the Contract Services Coordinator (CSC) may be consulted. If necessary, the CSC may refer the enquiry to the Information and Privacy Office.

Information and advice about the FOIP Act is available from Service Alberta at 780-427-5848.

PROCEDURE

Collection of Individual’s Personal Information

The onus is on the GOA to collect only the personal information that is necessary to carry out its mandate to provide income and employment programs and services.

Personal information about an individual usually is collected using the Person Registration Form, Income Support Application for Learners (EMP 5569), Change in Circumstances for Learners (EMP 5589), and applicable schedules. Personal information may be collected directly from the individual through assessment and on-going Service Management activities and recorded in Mobius and/or the individual’s paper file.

Sometimes individuals will provide more information than is required. Information that is not required for the programs and services being offered to the individual should be returned to the individual, or destroyed according to program practices.

When personal information is collected about an individual, employees must tell the individual:

  • the reason(s) the personal information is needed,
  • how their personal information will be used,
  • their options regarding the provision of the personal information, and consequences of not providing it including any limitations on services that may result, and
  • contact information of a person or office in the Government of Alberta who can answer their questions about collection of their information.

Access to an Individual’s Personal Information

An individual’s personal information can be accessed on Mobius and/or the individual’s paper file.

Verifying a Requestor’s Identity

Prior to disclosing an individual’s personal information to any person, the identity of the person asking for the information must be confirmed. The following are sample questions that may be used for this purpose:

  • if the request for personal information is made by the individual:

    • what were your earnings on line 150 of your tax form?
    • what is your Social Insurance Number?
    • what is your current postal code?
    • what is your date of birth?
    • what was your maiden name?
    • what was the amount of your most recent disbursement?
    • what year of studies are you in?

  • if the request for personal information is made by an employee or external provider:

    • who do you work for?
    • what is your phone number?

      • call them back at this phone number, or
      • check the number on the telephone’s call display, if available

    • why do you require this information?

  • if the request for personal information is made by a person authorized in writing by the individual:

    • ask for the name and/or Social Insurance Number (SIN) of the individual, and
    • verify the person’s relationship to the individual.

Reporting a Breach of Privacy

The Government of Alberta is committed to the appropriate management of the personal information of Albertans. Inadvertent disclosures are best dealt with in an open manner.

Any loss of personal information or breach of personal privacy is considered to be a sensitive breach. The breach must be reported immediately to the designated senior official and to the Director, Information and Privacy Office. The report should outline:

  • circumstances that led to the inadvertent loss or disclosure,
  • steps taken to recover the information, and
  • if appropriate, recommendations to prevent the circumstances being repeated.