Securing Personal Information

Subsection 7(11) of the ARA requires PSOs to take reasonable steps to secure personal information throughout its life cycle; for example, during transmission, storage and disposal (transportation, handling and destruction or transfer to an archive).

Standard 18. Secure Personal Information and Manage Privacy Breaches

PSOs must document and have in place reasonable measures to ensure that:

  • Personal information is protected against theft, loss, unauthorized access or use, tampering, disclosure, or destruction; and
  • Records (hard copy and electronic) containing personal information are protected against unauthorized copying, modification, or disposal.

PSOs must have in place a privacy breach management and response protocol that documents:

  • The steps needed to identify, assess, contain, manage and respond to known or suspected privacy breaches;
  • Requirements for third party service providers;
  • When it is appropriate to notify affected individuals; and
  • When it is appropriate to report a breach to the IPC.

Rationale

Maintaining the confidentiality, integrity, and availability of personal information is necessary to carry out requirements of the ARA, the regulations and the Standards.

This includes protecting against privacy breaches resulting from theft, loss, unauthorized access, use, or disclosure, and unauthorized copying, modification, or disposal. Having clear privacy breach management and response protocols is essential for mitigating harm arising from such incidents.

Guidance

PSOs should develop, document, implement, and maintain security policies and procedures that address obligations under the ARA, the regulations and the Standards, and other relevant legislation, including FIPPA/MFIPPA. This should be done in consultation with the organization’s privacy officer or FIPPA/MFIPPA coordinator and security professionals.

PSOs' security measures should include administrative, technical and physical safeguards (see Appendix B). These measures should cover people, processes and technology and protect the confidentiality, integrity, and availability of information. In addition, PSOs should identify and address security risks presented by remote access (e.g. use of mobile devices), internet/web applications, and electronic transmission of personal information.

PSOs should also make sure that security measures are appropriate and proportional to the nature of the personal information to be protected by considering the following:

  • Sensitivity and amount of personal information;
  • Number and nature of people with access to the personal information; and
  • Threats and risks associated with the personal information.

Organizations should have protocols for employees, officers, consultants and agents of organizations to identify and report security issues to an accountable manager. They should also implement routine maintenance and updates of database management systems used to store, retrieve, and manage records.

Detailed guidance on security safeguards may be found in the Government of Ontario Information Technology Standards (GO-ITS) related to security.

Privacy breaches can have significant impacts on the individual to whom the information relates. Upon learning about a privacy breach, PSOs should take the following immediate action:

  • Implement the organization’s privacy breach protocols;
  • Identify the scope of the breach and take action to contain it;
  • Identify the individuals whose privacy was breached, and when appropriate, notify them accordingly;
  • Inform the IPC of the breach when appropriate, including information about the circumstances; and
  • Investigate the causes and take steps to address deficiencies and avoid breaches in the future.

The IPC's guidelines on Preventing and Managing Breaches are a helpful resource.

Secure Storage in Databases

Standard 19. Storage of Personal Information in Electronic Format

PSOs must maintain all personal information collected under the ARA in a secure database that is part of, or can be linked to administrative records.

If the personal information is collected for both the purpose of the ARA and another lawful purpose, it must be maintained in accordance with the privacy and security requirements under applicable legislation (e.g. FIPPA or MFIPPA).

Rationale

Storage of personal information in a secure database enables the analysis of individual outcomes and long-term trends in order to identify potential systemic racial inequalities.

Guidance

PSOs should make sure that their security measures related to the storage of personal information (including hard copy and electronic, on-site and off-site, third-party service providers) are appropriate and proportional to the nature and sensitivity of the personal information and records to be protected.

If personal information collected under the ARA is kept in a data set that is separate from the administrative data set, a unique pseudonym or identification number can be assigned to each record so that only a designated manager is able to link the data sets as necessary to facilitate analyses.

Limiting Access to Personal Information

Subsection 7(13) of the ARA requires organizations to limit access to personal information to only those individuals who need it in the performance of their duties, in connection with requirements under the ARA, the regulations and the Standards. The ARA prohibits the use of personal information if other information could meet the purpose, and requires that no more personal information be used than is reasonably necessary to meet that purpose (s. 7(8)).

Standard 20. Limit Access on a Need-to-Know Basis

PSOs must determine the level of access to personal information that their employees, officers, consultants, and agents require in the performance of their duties under the ARA, the regulations and the Standards. Access to personal information must be limited according to the determination.

Rationale

To protect personal privacy and confidentiality, access to specific personal information is limited to those who need it to do their jobs. They should have access to no more than is necessary for the purpose. This reduces the risk of privacy breaches caused by unauthorized access and therefore helps protect privacy.

Guidance

Employees, officers, consultants, and agents of the PSO should not have access to personal information collected under the authority of the ARA unless it is needed for the performance of their duties. For example, frontline staff do not have access to individuals’ Indigenous identity or race information unless they need that information to perform their job responsibilities.

In addition, PSOs should define role-based access by each data element rather than by entire databases (i.e. avoid broad or blanket access unless such access is necessary). Access should not be allowed to:

  • Personal information if access to other information will meet the same purpose; or
  • More personal information than is reasonably necessary to meet the purpose.

In conducting analyses, organizations should extract from original datasets only the personal information required for the analysis at hand. Remove any personal information that directly identifies specific individuals (e.g. names, addresses, telephone numbers) and/or replace direct identifiers with pseudonymous or encrypted information (“masking”).

Accuracy

Subsection 7(12) of the ARA requires that, before using personal information, PSOs take reasonable steps to ensure that the information is as accurate as is needed for the use.

Standard 21. Accuracy of Personal Information

PSOs must document and have policies and procedures in place to monitor and maintain the accuracy of personal information collected, stored, used, and disclosed for the purposes of the ARA.

PSOs must take reasonable steps to enter personal information accurately into electronic records (“databases”).

Variables related to Indigenous identity and race must be coded in electronic records as specified below. PSOs must assign and enter codes for religion and ethnic origin variables using values that correspond with how personal information is collected under Standards 16 and 17.

Coding of Indigenous Identity Information

Where PSOs collect information using discretionary options, such as “Another Indigenous identity” as an open text field, then additional fields and codes may be created as appropriate.

Data element: Indigenous Identity

Description: Indicates if a person identifies as First Nations, Métis and/or Inuit

Field Names: There are separate fields for each Indigenous identity category under this data element, labelled as follows:

  • Non-Indigenous only
  • First Nations
  • Metis
  • Inuit
  • Prefer not to answer (Where this is a valid option)

Field type and format: Field type is discrete, and format is numeric (1)

Code set (Valid values): Binary, e.g. 0= Not indicated, 1= Yes

Missing data (Null value): Blank or “.” (period) for null value if no valid response is provided (i.e. both no and yes are selected, or the value is unknown or not provided for all categories)

Default values: Blank or “.” (null value)

Multiplicity: A person may change their Indigenous group identification over time or change their response from one collection point to another. Systems may need to consider and take into account how to record changes or deal with different responses recorded for the same individual if collected from a number of sources.

Coding of Race Information

See Section 7 for separate data entry rules for participant observer information data (POI).

Data element: Race

Description: Indicates an individual’s race(s) as a social category or descriptor

Field Names: There are separate fields for each race category, labelled as follows:

  • Black
  • East/Southeast Asian (may be two fields if collected separately)
  • Indigenous
  • Latino
  • Middle Eastern
  • South Asian
  • White
  • Another Race
  • Prefer not to answer (Where this is a valid option)

Field type and format: Field type is discrete, and format is numeric (1)

Exception: If “Another race category” is open text, then the field type is qualitative and the format is alphanumeric (25).

Code set (Valid values):

For numeric fields: Binary, e.g. 0= not indicated and 1= yes

For alphanumeric field: (i.e. Another Race) any character string.

Missing data (Null value): Blank or “.” (period) for null value, if Race is unknown/value not provided.

Default values: n/a

Multiplicity: A person may change their perception of their race over time or change their response from one collection point to another. Systems may need to consider and take into account how to record changes or deal with different responses recorded for the same individual if collected from a number of sources.
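The following validator is an added illustration of the coding rules for the Indigenous identity and race data elements above; it is not code from the Standards or from any PSO system. Field names are assumed (snake_case versions of the field labels), and the check that flags a row marking both “Non-Indigenous only” and an Indigenous group is an inference from the null-value rule for “both no and yes selected”.

```python
"""Validate data-entry values against the coding rules for the Indigenous
identity and race data elements (binary numeric(1) fields, null = blank or ".").
Added example; field names are assumed, not taken from any PSO database."""
from __future__ import annotations

NULL_TOKENS = {"", "."}          # Blank or "." (period) means a null value

INDIGENOUS_FIELDS = (
    "non_indigenous_only", "first_nations", "metis", "inuit",
    "indigenous_prefer_not_to_answer",
)
RACE_BINARY_FIELDS = (
    "black", "east_southeast_asian", "indigenous", "latino",
    "middle_eastern", "south_asian", "white", "race_prefer_not_to_answer",
)
ANOTHER_RACE_MAX_LEN = 25        # alphanumeric(25) when "Another Race" is open text


def parse_binary(raw: str) -> int | None:
    """Return 0 or 1 for a numeric(1) binary field, or None for a null value.

    Raises ValueError for anything outside the code set {0, 1}.
    """
    value = raw.strip()
    if value in NULL_TOKENS:
        return None
    if value not in {"0", "1"}:
        raise ValueError(f"{raw!r} is not in the code set (0 = not indicated, 1 = yes)")
    return int(value)


def parse_another_race(raw: str) -> str | None:
    """Open-text 'Another Race' field: any character string, at most 25 characters."""
    value = raw.strip()
    if value in NULL_TOKENS:
        return None
    if len(value) > ANOTHER_RACE_MAX_LEN:
        raise ValueError(f"'Another Race' text exceeds {ANOTHER_RACE_MAX_LEN} characters")
    return value


def validate_record(record: dict[str, str]) -> list[str]:
    """Return the coding problems found in one data-entry row (empty list = clean).

    Missing keys are treated as blank, i.e. as the default null value.
    """
    problems: list[str] = []
    parsed: dict[str, int | str | None] = {}

    for field in INDIGENOUS_FIELDS + RACE_BINARY_FIELDS:
        try:
            parsed[field] = parse_binary(record.get(field, ""))
        except ValueError as exc:
            problems.append(f"{field}: {exc}")

    try:
        parsed["another_race"] = parse_another_race(record.get("another_race", ""))
    except ValueError as exc:
        problems.append(f"another_race: {exc}")

    # Assumption (inferred from the null-value rule, not a stated coding rule):
    # marking both "Non-Indigenous only" and an Indigenous group selects both
    # no and yes, which the standard says must be recorded as null, so flag it.
    if parsed.get("non_indigenous_only") == 1 and any(
        parsed.get(f) == 1 for f in ("first_nations", "metis", "inuit")
    ):
        problems.append("indigenous identity: both 'no' and 'yes' selected; record as null")

    return problems


if __name__ == "__main__":
    # Constructed sample rows, as they might arrive from a data-entry form.
    for row in ({"first_nations": "1", "black": "0", "another_race": "."},
                {"inuit": "2"},
                {"non_indigenous_only": "1", "metis": "1"}):
        print(row, "->", validate_record(row) or "ok")
```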

Rationale

To promote the integrity of analyses, continuous efforts are necessary to ensure that personal information is accurate, complete, and up to date.

Quality assurance protocols help to ensure accuracy. They also increase public confidence and trust in the integrity of the personal information collected, used, and disclosed, as well as in the information published and reported.

Guidance

PSOs' quality assurance plan should set out their policies and practices to check accuracy, including the following:

  • Documented methods, processes, data dictionaries and codebooks, and protocols for information management; and
  • Systematic data quality assurance checks to monitor and maintain data quality (accuracy, reliability, validity, consistency, timeliness, and completeness of personal information), such as verifying the accuracy of personal information, data entry, output tables, and analyses.

PSOs should take reasonable steps to check for accuracy, including errors or omissions, according to a quality assurance plan. They should do so at the point when personal information is collected and when it is processed and entered into databases. The coding rules above are minimum requirements for consistently entering information into databases. Where PSOs collect information using discretionary options such as “another Indigenous identity” as an open text field, then additional fields may be created, as appropriate.

Before using or disclosing personal information, PSOs should assess and document its quality, such as whether and to what degree:

  • The accuracy of the information has been verified;
  • The information is current (e.g. individuals had appropriate opportunities to update their personal information); and
  • The information is complete (e.g. the information that is collected represents the population of all eligible individuals).

PSOs should take reasonable steps to make sure that they do not use personal information unless it is accurate and up to date. Before use, PSOs should also check to see if the personal information has been corrected or if there is a statement of disagreement attached to the record. In the limited instances where personal information collected under the ARA may be disclosed (e.g. for research purposes) PSOs should also take reasonable steps to make sure they only disclose accurate and up to date information.

PSOs regulated under the ARA are required to report on the quality of information used (see Standard 36).

If the collection is done using hard copy and then entered into electronic systems, PSOs should conduct random audits to assess the accuracy, validity, completeness, and timeliness of the electronic information.

Access to, and Correction and Removal of Information

The ARA (s. 7(17)) and Standards do not limit the rights of individuals under any Act (e.g. FIPPA or MFIPPA) to access and correct their own personal information.

Standard 22. Access to and Correction of Personal Information

PSOs must document and have procedures in place to allow individuals to request access to or correction of their own personal information in the custody or control of the organization.

These procedures must provide and ensure that individuals can

  1. Request correction of the personal information where the individual believes there is an error or omission; and
  2. Require that a statement of disagreement be attached to the information reflecting any correction that was requested but not made; and
  3. Require that any person or body to whom the personal information has been disclosed within the year before the time a correction is requested or a statement of disagreement is required be notified of the correction or statement of disagreement.

Rationale

The ability of individuals to access and correct their personal information is important to respect individual dignity and to support the accuracy of the personal information. It also enhances the transparency of PSOs' practices under the ARA.

Guidance

This Standard does not apply to POI (see Standard 43).

PSOs should provide clear, plain language instructions on how individuals can request access to and correction of their personal information. The instructions should be included in notices to individuals and posted on PSOs' websites. PSOs should allow individuals to make written or oral requests to access their personal information or to correct a record. They should also verify the requester’s identity before responding to a request.

For both access and correction requests, PSOs should document the following:

  • Who was given access, when and how access was provided, and who was the authorizing decision maker; and
  • What correction was made and why; or
  • The reason(s) for denying access or correction, and how and when this decision was communicated to the requestor.

Information technology systems should be able to record statements of disagreement to be attached to the personal information if a request for correction is not accommodated.

Corrections to personal information do not require organizations to redo analysis that has already been conducted.

Standard 23. Removal of Personal Information

PSOs must document and have procedures in place to remove personal information when an individual to whom the information relates withdraws their consent for its continued use and disclosure and requests the removal of their personal information.

Rationale

An important aspect of voluntary express consent and respect for individual dignity is that individuals must be able to withdraw their consent and effect the removal of their personal information.

Guidance

This Standard does not apply to POI (see Standard 43).

If the personal information was collected under the authority of the ARA, withdrawal of consent means that the personal information is removed and can no longer be used for ARA purposes.

Removal of personal information may mean deletion, sequestering, or suppressing the personal information so that it can no longer be used or disclosed. In some circumstances, a withdrawal of consent may not require destruction or deletion of the information. For example, the PSO may have a duty to document decision-making associated with the information. The removal of personal information should take effect within a reasonable time after the request is made.

The PSO should provide clear information to individuals, at the time of collection, that they may withdraw their consent at any time. Individuals should also receive clear instructions on the procedures to request removal of personal information should they wish to do so. This information should be given in the notice as well as posted on the PSO’s website.

PSOs should verify the individual’s identity before responding to an oral or written request to remove personal information. PSOs should maintain a record of removal requests that includes the date of request, the response, the action taken, and the person who authorized the action.

Removal of personal information does not require PSOs to redo analysis conducted using the personal information that has been removed.

Retention of Personal Information

The ARA s. 7(10) requires PSOs to retain personal information for the period specified in the Standards or, if there is no such specified period, for at least one year after the day it was last used by the organization.

Standard 24. Five-year Retention Period

PSOs must retain personal information that is stored in electronic databases for at least five years after the day it was last used, or for as long as reasonable and necessary for the purposes of identifying systemic racism and advancing racial equity unless an individual requests removal of their personal information.

Rationale

Retaining personal information in databases for at least five years allows analysis of long-term trends and longitudinal analysis that requires personal information. It also enables the review and re-analysis of historical information based on issues that may arise over time.

Defined retention periods help PSOs ensure that they do not hold on to personal information for longer than is needed for the purposes of the ARA. Indefinite retention could be expensive and administratively burdensome and could create an increased risk of privacy breaches.

Guidance

The retention period defined in this Standard applies to POI entered into an electronic record in accordance with Standard 42.

However, this retention period does not apply to personal information kept in transitory records, such as paper or online forms used to collect the information. Transitory records are records of temporary usefulness in any format or medium, created or received by PSOs to carry out information collection activities.

Once personal information is transferred into a database for secure storage, the transitory records should be destroyed in a secure manner, following the organization’s records disposal schedule and protocols, or disposed of according to the ARA default retention period (at least one year after last use).

Hard copy records that are not transitory and have been entered into an electronic database should be retained according to the organization’s records retention schedules, where the organization is subject to the Archives and Recordkeeping Act, 2006, or otherwise in accordance with the organization’s recordkeeping policies or any other legal requirement.

Public sector organizations may need to update their retention schedules for electronic records to comply with the Standards. If planning to conduct longitudinal analysis over a period greater than five years, PSOs should define reasonable retention periods for the personal information and should not retain it indefinitely.

PSOs should consult with their information management staff, as well as their privacy officer or FIPPA/MFIPPA coordinator, to determine if there are other operational or legal obligations that may require longer retention of personal information.

When personal information is updated or corrected, the outdated information may be retained in some form so that it is available for the retention period defined in the Standard.

If withdrawal of consent results in removal of personal information before the approved retention period expires, PSOs should document the action taken.

Disposal of Personal Information

Standard 25. Secure Disposal

PSOs must take reasonable steps to securely dispose of personal information maintained in records (hard copy or electronic), including:

  • Protecting the security and confidentiality of personal information that is to be destroyed or transferred to an archive, including protecting its security and confidentiality during storage, transportation, handling, and destruction;
  • Ensuring that personal information is securely destroyed in such a way that it cannot be reconstructed or retrieved; and
  • Securely disposing of devices with memory capabilities (e.g. computers, phones, photocopiers, fax machines).

Where a PSO is subject to the Archives and Recordkeeping Act, 2006, the personal information kept in records must be disposed of either by transferring it to the Archives of Ontario (if such transfer is required by an approved records retention schedule) or by securely destroying it.

PSOs must maintain a disposal record that sets out the authority for the disposal, the personal information disposed of, who approved disposal, how it was disposed of, and the date of the disposal. This disposal record must not contain personal information.

Rationale

Secure disposal of personal information protects privacy and reduces the risk of privacy breaches.

Guidance

PSOs should implement a protocol and schedule for the systematic permanent destruction of hard copy and electronic records, and maintain a disposal record.

PSOs should work with a records and information management and privacy professional to create schedules for records series that contain personal information collected under the ARA. The schedules should specify disposition requirements, including disposal or transfer to the Archives of Ontario, subject to the approval of the Archivist of Ontario, for those organizations subject to the Archives and Recordkeeping Act, 2006.

Organizations not subject to any legal requirements related to the destruction of personal information should follow the provisions of the related FIPPA regulation (O. Reg. 459, Disposal of Personal Information) in order to implement Standard 25.

Methods for the destruction of personal information should be appropriate to the level of sensitivity of the information and the type of storage medium.

Where the disposal is undertaken by a third party service supplier, the PSO should require the supplier to provide a “certification of destruction” signed by an officer of the company. This certificate should be linked to the disposal record maintained by the PSO.

Limits on Use

According to subsection 7(6) of the ARA, personal information collected may only be used for the purpose of eliminating systemic racism and advancing racial equity as defined in subsection 7(2). In addition, subsections 7(8) and 9(3) of the ARA provide that PSOs shall not use the personal information if other information would meet the same purpose (if de-identified information may serve the purpose, personal information should not be used).

Section 9 of the ARA permits a PSO to use personal information it has already lawfully collected for the purpose of eliminating systemic racism and advancing racial equity, subject to requirements specified in the ARA, the regulations and the Standards.

This enables organizations to use personal information collected for another lawful purpose for the analysis of racial impacts and outcomes of a program, service, or function. For example, an organization that is already collecting personal information about individuals (e.g. age and sex) or tracking individual outcomes (e.g. performance measures) within a program, service, or function may use this information for the purpose of identifying and monitoring systemic racism and racial disparities.

Standard 26. Limiting Use of Personal Information

PSOs must only use personal information collected under the authority of the ARA to the extent that it is needed to eliminate systemic racism and advance racial equity in its services, programs or functions.

PSOs must only use personal information collected under the authority of the ARA in the least identifiable form required to fulfill the purpose of the use, including the purpose of conducting analyses.

Rationale

Minimizing the amount of personal information used to meet the purposes of the ARA protects privacy and reduces the risk of privacy breaches (i.e. unauthorized use of personal information).

Guidance

PSOs should not use personal information collected under the ARA for any purpose that is not directly related to eliminating systemic racism and advancing racial equity.

Under the ARA, analysis is a core use (see Section 4: Analyses of Information Collected).

Before using personal information for any authorized purpose, PSOs should first determine whether personal information is needed for the activity or analysis. For example, they should consider whether the analysis could be done with de-identified information. If personal information is required, then PSOs should minimize the identifiability of the personal information by using appropriate de-identification techniques (see Appendix C). The data should only be used in the least identifiable form required to fulfill the purpose.

PSOs should assess the appropriate level of de-identification required for the use according to a spectrum ranging from fully identifiable personal information to de-identified data:

Fully identified personal information: Data containing direct and indirect identifiers.

Pseudonymous data: Data from which direct identifiers have been removed or replaced with a confidential code or pseudonym.

De-identified data: Data that has been transformed or modified so that there is no reasonable expectation in the circumstances that the information could be used, either alone or with other information, to identify an individual.

Where direct and indirect identifiers are not required in the analysis of a program, service, or function, remove any information that directly identifies a specific individual and assign a unique pseudonym or identification number to the record (masking) so that it can be linked back to databases containing administrative records by a designated decision maker.

De-identification is contextual. What is considered de-identified data in one context may not be considered de-identified data in another. For example, when names, addresses, and telephone numbers are removed from a data set (pseudonymous data), but case numbers are left in, that data set is considered de-identified only if it is accessed by authorized individuals without access to clients’ case file information. However, that same data set is not considered de-identified if it is accessed by authorized individuals who also have access to data sets containing case numbers and clients’ names, addresses, and other personal information.
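The masking step described under Standard 20 (extract only the fields the analysis needs, replace direct identifiers with a pseudonym that a designated manager can link back) and the contextual de-identification rule above, as an added example that is not part of the Standards or any PSO system. The administrative records, field names and linkage key are constructed; the keyed-hash pseudonym and the separate linkage table are the technique chosen here, not one the page prescribes.

```python
"""Masking for analysis extracts: drop direct identifiers, replace them with a
keyed pseudonym, and keep the link back to the administrative record in a
separate table held only by the designated manager. Added example; all
records, field names and keys are constructed."""
import hashlib
import hmac

DIRECT_IDENTIFIERS = {"name", "address", "telephone"}   # examples from the Standards
INDIRECT_LINK_KEYS = {"case_number"}                    # can be joined to a case file

# Constructed sample: an administrative data set that also carries ARA fields.
ADMIN_RECORDS = [
    {"record_id": "A-1001", "name": "Sample Person", "address": "1 Example St",
     "telephone": "000-0000", "case_number": "C-55", "age": 34,
     "first_nations": 1, "black": 0, "outcome": "approved"},
    {"record_id": "A-1002", "name": "Another Person", "address": "2 Example St",
     "telephone": "000-0001", "case_number": "C-56", "age": 41,
     "first_nations": 0, "black": 1, "outcome": "denied"},
]


def pseudonym(record_id: str, linkage_key: bytes) -> str:
    """Stable pseudonym for one record. It is an HMAC over the record id, so it
    cannot be reversed or recomputed without the linkage key, which only the
    designated manager holds."""
    return hmac.new(linkage_key, record_id.encode(), hashlib.sha256).hexdigest()[:16]


def mask_for_analysis(records, needed_fields, linkage_key: bytes):
    """Return (extract, linkage_table).

    The extract carries only the fields the analysis needs plus a pseudonym;
    direct identifiers are refused outright rather than silently copied.
    The linkage table (pseudonym -> record_id) stays with the designated manager.
    """
    requested_direct = DIRECT_IDENTIFIERS & set(needed_fields)
    if requested_direct:
        raise ValueError(f"direct identifiers requested for analysis: {sorted(requested_direct)}")
    extract, linkage = [], {}
    for rec in records:
        pid = pseudonym(rec["record_id"], linkage_key)
        extract.append({"pseudonym": pid, **{f: rec.get(f) for f in needed_fields}})
        linkage[pid] = rec["record_id"]
    return extract, linkage


def relink(extract_row, linkage, records):
    """Designated-manager step: follow the pseudonym back to the admin record."""
    record_id = linkage[extract_row["pseudonym"]]
    return next(r for r in records if r["record_id"] == record_id)


def deidentified_for_viewer(extract_fields: set, viewer_datasets: list) -> bool:
    """The contextual rule from the Standards: an extract that keeps an indirect
    link key such as case_number counts as de-identified only for viewers who
    cannot reach a data set pairing that key with direct identifiers."""
    link_keys = extract_fields & INDIRECT_LINK_KEYS
    return not any(link_keys & ds and ds & DIRECT_IDENTIFIERS for ds in viewer_datasets)


if __name__ == "__main__":
    key = b"constructed-linkage-key-held-by-designated-manager"
    extract, linkage = mask_for_analysis(ADMIN_RECORDS, ["first_nations", "black", "outcome"], key)
    print(extract)
    print(relink(extract[0], linkage, ADMIN_RECORDS)["record_id"])
```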

The need to de-identify personal information prior to public release and reporting is defined in Standards 33 and 34.

Limits on Disclosure

Subsection 7(14) of the ARA restricts disclosure of personal information to the following circumstances:

  • The individual to whom the information relates consents to the disclosure;
  • It is required by law, including as required under section 31 of the Code;
  • It is for the purpose of a legal proceeding, or contemplated proceeding;
  • It is for research purposes, in accordance with section 8 of the ARA; or
  • It is being disclosed to the IPC.

Subsections 7(15) and 7(16) establish exemptions to these disclosure rules. In this respect, if personal information has been collected for a lawful purpose in addition to the ARA purpose, that information may be disclosed subject to the permissions and limits on disclosure under any other applicable law.

Section 8 of the ARA sets out the circumstances under which a PSO may disclose personal information for research purposes. This includes approval of a research plan by a research ethics board as well as justification that the research cannot be reasonably accomplished with information in de-identified form. The ARA and regulations define the requirements PSOs and researchers must follow.