If you work for a Canadian provincial or territorial public institution, you’ve likely come across the Freedom of Information and Protection of Privacy Act (FIPPA) and its implications for compliance.
But what exactly does FIPPA involve, and how can your organization meet its obligations?
In this article, you’ll learn:
- What FIPPA is and how it works across Canadian jurisdictions
- What types of personal information and records are covered
- How to make access requests and how public bodies must respond
- How to ensure FIPPA compliance, including records and data archiving best practices
What Is the Meaning of FIPPA?
FIPPA, or the Freedom of Information and Protection of Privacy Act, refers to legislation enacted at the provincial or territorial level in Canada.
However, different provinces and territories have their own versions of this legislation, which serve the same general purpose of ensuring access to information and the protection of personal privacy.
Below is a breakdown of the key laws in different jurisdictions:
- Ontario: Freedom of Information and Protection of Privacy Act (FIPPA)
- British Columbia: Freedom of Information and Protection of Privacy Act (FIPPA)
- Alberta: Freedom of Information and Protection of Privacy Act (FOIP)
- New Brunswick: The Right to Information and Protection of Privacy Act (RTIPPA)
- Quebec: Act respecting Access to documents held by public bodies and the Protection of personal information (a different framework from FIPPA)
- Saskatchewan (local authorities): Local Authority Freedom of Information and Protection of Privacy Act (LAFOIP)
- Saskatchewan (provincial government bodies): Freedom of Information and Protection of Privacy Act (FOIP)
- Northwest Territories, Yukon, and Nunavut: Access to Information and Protection of Privacy Act (ATIPPA)
Regardless of the name, these laws share two core objectives:
- To give individuals the right to access records held by public bodies
- To establish rules for the collection, use, disclosure, and protection of personal information
These laws apply to public-sector organizations like provincial ministries, municipalities, school boards, universities, and health authorities. They promote transparency in public institutions while protecting individual privacy.
FIPPA differs by jurisdiction, so it’s important to consult the specific law that applies to your province or territory.
The federal level: ATIP and PIPEDA
Alongside the provincial and territorial laws, it is important to note the federal framework, often called ATIP (Access to Information and Privacy):
- Access to Information Act: Grants the public the right to access records under the control of federal institutions (e.g., the CRA or RCMP).
- Privacy Act: Governs how federal institutions handle your personal information.
- PIPEDA (Personal Information Protection and Electronic Documents Act): The federal law for the private sector, governing how businesses, like banks, airlines, and telecommunication companies, collect and use personal data during commercial activities.
What Data Is Recorded Under FIPPA?
While the definition varies slightly by province or territory, FIPPA legislation generally defines a record as follows:
“Information in any form and includes information that is written, photographed, recorded or stored in any manner on any storage medium or by any means, including graphic, electronic or mechanical means.”
This means records could include:
- Emails, SMS messages, social media and written correspondence
- Audio or video recordings
- Databases and spreadsheets
- Photos, maps, or diagrams
When it comes to personal information, FIPPA generally regulates:
- Name, address, phone number, or other identifying contact details
- Date of birth, sex, marital or family status
- Employment and educational history
- Health, medical, or financial information
- Personal views or opinions of or about an identifiable individual
Public bodies may only collect personal information if it’s directly related to an operating program or activity and is authorized by law. The scope of what can be collected and retained varies slightly by province or territory, but all versions of FIPPA aim to restrict unnecessary or intrusive data collection.
Proper handling of these records is a legal obligation for public institutions, especially in contexts where individuals may request access or corrections under FIPPA.
Note on health records: In provinces like Ontario or Alberta, personal health information is often governed by separate, stricter legislation — the Personal Health Information Protection Act (PHIPA) and the Health Information Act (HIA), respectively. If you handle clinical patient data, ensure you consult your province’s health privacy act in addition to FIPPA.
What Is a FIPPA Request?
If an individual’s data isn’t publicly available, they can file a FIPPA request for specific information. The process varies by province.
To submit a FIPPA request, individuals must:
- Complete a formal request form (province-specific)
- Provide sufficient detail to identify the records
- Include their contact information
- Submit the form to the relevant institution, often with a nominal application fee
Each public body has designated staff to handle access requests, search for responsive records, and provide the requested information in accordance with the applicable law.
What Government Agencies Are Subject to FIPPA?
Most provincial and territorial public institutions are subject to FIPPA, including:
- Educational institutions: schools, school boards, colleges, and universities
- Healthcare organizations: hospitals, regional health authorities, long-term care facilities
- Government bodies: ministries, agencies, commissions, and other designated institutions
These institutions must follow FIPPA requirements to collect, manage, and protect personal information, and to respond to access requests within the legal timelines.
What Are FIPPA Requirements?
FIPPA requirements are a set of rules that dictate how public bodies must handle and manage personal information.
Below is an example based on Ontario’s FIPPA:
- Personal information can only be collected if authorized by law and directly related to the institution’s programs or activities
- Use of personal information must be limited to the purpose for which it was collected or with the individual’s consent
- Disclosure is permitted only under specific conditions, such as:
  - With the individual’s consent
  - For a consistent or compatible purpose
  - As required by another law or legal order
- Public bodies must take reasonable steps to ensure the accuracy and security of personal information
- Records must be retained for at least one year after use to allow individuals time to request access or correction
- Individuals have the right to request corrections to factual inaccuracies in their personal information
- Institutions must safeguard personal information from unauthorized access, use, or disclosure
- Public bodies must respond to access requests within 30 calendar days (subject to legal extensions)
- Breaches involving unauthorized disclosure must be addressed and may require notification to affected individuals
How Does FIPPA Impact Compliance?
FIPPA influences how public institutions manage records and personal data.
Each institution must retain records for a period that complies with its jurisdiction’s legislation and records retention schedules. These rules apply not only to structured data but also to unstructured communication, like social media or emails.
FIPPA compliance requires that institutions maintain access to relevant records to fulfill legal obligations and respond to FIPPA requests. This means proper systems must be in place to capture, archive, and retrieve communication efficiently.
Email is a common communication method in public institutions, and under FIPPA, relevant email records must be properly stored and made accessible. To achieve this, institutions often implement secure email archiving systems that support long-term storage, search, and ediscovery.
How to Ensure FIPPA Compliance?
To stay compliant with FIPPA, your organization needs to implement effective data archiving and records management practices across all communication channels.
Start by reviewing your current policies and systems:
- Identify every communication method your institution uses, such as email, collaboration platforms (e.g., Microsoft Teams, Slack), instant messaging apps, SMS, and social media.
- Document how records are currently stored and retained
- Assess how many information requests your agency handles each year and how quickly you’re able to respond
This evaluation will help you understand what kind of archiving solution best fits your operational and compliance needs.
A comprehensive archiving solution should offer:
- Automatic indexing and capture of SMS, email, chat, and social media records
- Customizable retention schedules based on policy or legal requirements
- Powerful search and filtering tools to support ediscovery and audits
- Fast and secure export capabilities to respond to access requests
- Centralized management of all archived content
By archiving all communication records, not just email, you’ll be better prepared to meet FIPPA obligations, improve transparency, and streamline the request process.
Summary of the Main Points
- FIPPA is a provincial or territorial law in Canada that governs how public institutions manage access to information and protect personal data.
- The name and structure of the law vary by province (e.g., FIPPA in Ontario/BC, FOIP in Alberta, RTIPPA in New Brunswick), but all versions aim to ensure transparency and privacy.
- FIPPA defines a “record” broadly to include written, electronic, audio, and visual formats, and it regulates how personal information like names, contact details, and health or employment history is handled.
- Public institutions can only collect personal information when it’s legally authorized and directly tied to a specific program or service.
- Individuals have the right to file access requests under FIPPA, which must be detailed, submitted through formal procedures, and processed within legally mandated timeframes.
- Agencies subject to FIPPA include educational institutions, healthcare organizations, and a wide range of government bodies at the provincial or municipal level.
- FIPPA requirements include strict rules on collection, use, disclosure, correction, retention, and safeguarding of personal information, with specific timelines for responding to access requests.
- Institutions must store both structured and unstructured data, such as email, chat, SMS, and social media, in a way that enables fast, secure retrieval.
- To comply with FIPPA, organizations should implement archiving solutions that support automated data capture, customizable retention policies, advanced search, and secure exports.
- Managing records across all communication channels, not just email, is essential to meeting FIPPA obligations and ensuring operational transparency.
FAQ
What is FIPPA?
FIPPA stands for the Freedom of Information and Protection of Privacy Act. It exists at the provincial or territorial level and governs how public bodies handle access to information and protect personal data.
Is FIPPA federal or territorial?
FIPPA is provincial or territorial. Each province and territory in Canada has its own FIPPA or equivalent legislation. Federal government institutions are covered by separate laws, such as the Access to Information Act and the Privacy Act.
Who does FIPPA apply to?
FIPPA applies to public institutions like provincial ministries, school boards, hospitals, municipalities, and other government agencies, depending on the province or territory.
What is the main difference between FIPPA and PIPEDA?
FIPPA (and provincial versions like FOIP) applies to the public sector, such as government ministries, universities, and hospitals. PIPEDA is federal legislation that applies to the private sector for commercial activities, such as retail businesses, banks, and telecommunications companies.
How long do public bodies need to keep personal information under FIPPA?
Retention requirements vary by jurisdiction and are often outlined in records retention schedules. In Ontario, records must be kept for at least one year after use.
Are emails subject to FIPPA requests?
Yes. Emails that meet the definition of a record and are relevant to a request must be provided unless an exemption applies.
Do all provinces have the same FIPPA law?
No. Each province and territory has its own legislation. While the principles are similar, the specific provisions, processes, and exemptions can differ.