How to Ensure FIPPA Compliance (Updated for 2020)

May 07, 2020 by Jatheon

FIPPA (Freedom of Information and Protection of Privacy Act) is a piece of Canadian legislation that applies to provinces of Ontario, Manitoba, Nova Scotia, and Alberta.

Today, we’ll walk you through a FIPPA compliance checklist so that you know what your rights and obligations are under this legislation, as well as how to prepare for information disclosure requests.

What is the purpose of FIPPA?

In short, FIPPA:

  • gives people the right to access records held by public bodies
  • prescribes how these public bodies manage personal information
  • grants an independent review process to people who don’t agree with the decisions on access and privacy made by public bodies

Generally speaking, this means that you may get access and copies of records from government agencies, local authorities, schools, universities, regional health authorities, and other public bodies.

Plus, FIPPA aims to protect the citizens by prescribing rules that public bodies need to abide by when using, collecting, and disclosing personal information. This means that in case you can access and correct any information that public bodies possess about you.

Is FIPPA federal or provincial?

FIPPA is a provincial piece of legislation that applies to four Canadian provinces, including Manitoba, Alberta, Nova Scotia, and Ontario.

What is a FIPPA request?

If you want to request access to information held by a public body, you should first check whether that information is already available to the public. In case it’s not, you can file a FIPPA request. Some provinces already have well-established processes, so it’s best you first check how your province handles FIPPA requests.

In case you determine that you do need to submit a FIPPA request to obtain some information, you first need to fill out a FIPPA form. Here you can check what the FIPPA request looks like in the province of Manitoba.

When filing a FIPPA request, you’re advised to be as specific as possible in order to make the process speedier: state the information clearly and specifically, include your contact information, sign the form, and then mail the application to the designated department in your province.

As a rule of thumb, the public body can take up to 30 days to reply to your request. In some cases, such as requests with insufficient information, this deadline may be extended. In case you need to pay for the services of retrieving your information, the public body will let you know before they start processing your request.

What is considered a record under FIPPA?

According to the FIPPA text in the province of Manitoba, a record is ‘information in any form and includes information that is written, photographed, recorded or stored in any manner on any storage medium or by any means including graphic, electronic or mechanical means.’

Who is subject to FIPPA?

Here are some public bodies that are subject to FIPPA:

  • schools, universities, and colleges (these can include charter schools, polytechnic communities, comprehensive community college, education boards, etc.
  • healthcare bodies, such as nursing homes, hospitals, regional health authorities, boards of hospital districts)
  • government agencies, such as boards, associations, or commission, or any organization designated as a government agency.

Again, this is just to illustrate the scope of FIPPA. We advise that you check the regulations in your province.

What is personal information under FIPPA?

Under Ontario’s FIPPA legislation, personal information is meant to include information such as:

  • Name, address and telephone numbers
  • Race, color, beliefs
  • Age, sex, family status
  • Biometric information such as blood type and fingerprints
  • Information about health care history
  • Information on education, financial or criminal history, or work history

FIPPA and Records Management in Healthcare

FIPPA applies to all data records that are held or are under control of hospitals. In the context of healthcare, it came into force as of 2012, but it applies retrospectively back to January 2007.

Under FIPPA, members of the general public have the right of access to hospital administration, financial and other records, except of course if they are under an exemption from FIPPA, for example in the case of patients’ personal health information.

In FIPPA, the right of access to records is about every person, not just records about the person himself.

So this legislation allows anyone to access any record that is held or controlled by an institution on any issue and is subject to the exclusions and exceptions set out in the act.

Data records can be anything, including communications about procurement, employees, finances and budgets. Of course, a lot of these communications take place through email.

What does FIPPA mean for email?

Under FIPPA, email has to be archived using an email archiving appliance in order to be compliant.

Email archiving is the most effective way to ensure that compliance is taken care of, as an automated appliance takes all the human error and handling out of the equation.

Email is archived securely on the appliance and cannot be mishandled. In addition, eDiscovery ensures that records can be found when requested, without the need for search teams and delays.

How to be FIPPA compliant?

The first step is to evaluate the email archiving needs of your organization. Various appliances exist with space to manage small health firms to large hospitals email archiving requirements. Here’s what to do:

1. Write down your archiving policy. Note all communication channels that your staff use in their everyday communication. What do they use these channels for? This will help you understand what kind of information you need to capture and archive.

For more questions you need to ask, check out our guide to Five Questions to Ask Before Buying an Archiving Solution.

2. Raise awareness among your staff about your archiving policy and best practices. Explain the importance of using official communication channels and tools.

3. Once you have a list of all the requirements your archiving software needs to meet, look for a vendor that can support archiving those channels.

In case you want to learn more about archiving for your industry, here’s a list of resources to help you get started:

Top 5 Trends in Enterprise Data Archiving and eDiscovery for 2020

Why You Need to Archive and Monitor Social Media for Complete Compliance

Email Archiving Benefits for All Your Departments: Management, IT, Legal and End Users

Schedule Your Personal Demo

Look inside Jatheon’s solution to see how to better manage your corporate email and messaging data. Leave us your contact details and we’ll get in touch and show you around.

Join over five thousand happy businesses using Jatheon.