The report outlines five sets of recommendations below, one set for clients, one set for ICSOs, and one set for the provincial Government. We have included them on this page for easy reference.
Recommendations to government
1. Refer to the BC Supreme Court
The BC government should draft a constitutional question regarding the proposed ICM system and refer the matter to the BC Supreme Court pursuant to the Constitutional Question Act, RSBC 1996, c. 68, for an opinion on its constitutionality.
2. Conduct social policy research
The government should conduct social policy research, including public opinion surveys, to determine the impact of the ICM system on citizens’ willingness to seek out the services they need.
3. Carry out a privacy impact assessment
The government must carry out a privacy impact assessment and refer the ICM project to the Information and Privacy Commissioner to ensure that the ICM system is developed in accordance with existing laws and that protection of individual privacy is built into any system at the outset.
4. Make appropriate resources available
If a final decision is made to proceed with the ICM system, the government must immediately assess the resources available to the independent community service sector to ensure that proposed clients and users of the system have the necessary resources, education and training necessary to implement it. The government must ensure that proper resources and training are available prior to implementation.
Recommendations to clients
5. Expect commitment to ethical/legal standards
Clients must be informed of their privacy rights in a manner appropriate to their circumstances that permits and encourages them to exercise those rights. They must expect and demand the highest legal and ethical standards regarding privacy, confidentiality and consent from ICSOs.
• Privacy standards need to be clearly delineated, explained and enforced.
• Clients must be able to expect that confidential relationships with staff will remain confidential within the law.
6. Expect systems that respond to client needs
Working in the interest of clients means going beyond the default positions related to privacy:
- Clients must be in a position to request referrals and transfers of personal information in order to achieve best results for themselves, rather than being put in the position of having to deny consent for information sharing.
- Clients must have the right to ‘opt in’ to information sharing on an as-required basis rather than having to ‘opt out’ of pre-ordained information sharing regimes with which they disagree.
- Clients must be able to understand and approve information-sharing arrangements at the commencement of services. When service is provided by a team or multiple providers who work together, information sharing should be limited to “need to know” and the client must have the right, within the law, to impose additional limitations.
- Where service providers are using client information for evaluation or research purposes, clients must be able to expect that strict controls have been established to ensure that data is stripped of individual identification, and that appropriate ethics reviews are conducted and approvals are obtained.
Recommendations to Colleagues in the Community Service Sector
7. Obligations under Law/Obligations under Contracts
The primary legal obligations of ICSOs as defined under PIPA cannot be circumvented in consequence of actions or decisions by any external source, including government. ICSOs contracted to perform work for a government are not “agents” of the crown, and the FIPPA requirements faced by government are not somehow transferable to ICSOs in such a way that they vitiate or obviate PIPA requirements. For government to attempt to impose FIPPA requirements onto community organizations through contract language is legally problematic, especially if and where the government seeks to impose FIPPA requirements as a means of “trumping” and thus avoiding the PIPA requirements to which the organizations are subject.
The basic premises must be that:
- ICSOs must not share personal information held by the organization without appropriate consent, no matter what is provided in their contracts with government funders. The only exception to this position ought to be where disclosure is required by law or court order;
- Where there is such a legal requirement to share information, it should only be shared to the extent permitted by the relevant applicable statutes.
- Contracts should be vetted to ensure compliance with PIPA.
8. New information framework required
A new framework and consequent basic set of policies and procedures need to be developed that ensures the protection of clients, staff and the officers and directors of ICSOs.
a. The framework needs to provide clarity, in common language, regarding the application of PIPA and the requirements it imposes on community organizations (as distinct from the FIPPA requirements for governments and public bodies) and the limitations of clauses related to information sharing imposed through contracts with external sources.
b. The framework needs to identify and clarify any overlaps in legislation and related legal issues and support best practices so that community organizations can be fully accountable to clients, communities, legal authorities and the public for their protection, and appropriate sharing, of private personal information.
c. The framework needs to ensure that the highest standards of privacy protection are maintained throughout organizations, that control over information is centred first with the client and secondly with the organization, and that processes of acquiring consent from clients to share information should be on an “opt in” basis. The framework needs to protect the confidentiality essential to therapeutic relationships.
Recommendations to government
9. Arms-length relationship
An arms-length relationship between ICSOs and government is the proper relationship. This relationship needs to be affirmed and supported through contractual agreements and procedural arrangements.
- Current contract language is over-broad and needs revision.
- Much of the contractual language and current procedures were developed when FIPPA was the only applicable privacy-related legislation. With the implementation of PIPA new language and procedures are required.
10. Need for a simple and shared approach to information management
There needs to be a shared and straightforward view and approach to client information and information management based on the mutual understanding that FIPPA applies to government and PIPA applies to ICSOs, including those organizations that undertake contractual work for government ministries and authorities.
- This approach needs to be incorporated across government rather than on a ministry by ministry basis.
- ICSOs must be invited to participate in the development of policy.
- Any such policy being developed by government must be shared with the community service sector prior to consultation, negotiation and adoption.
Recommendations to colleagues and to government
11. Exceptions to the General Rules
It is acknowledged the there will be exceptions to the general procedures recommended above to allow the provincial government to carry out its legitimate legal obligations such as those imposed under the Youth Criminal Justice Act and the Family Child and Community Services Act.
• There may be instances where PIPA and other statutes conflict. In these situations, there must be protocols clearly defining the treatment of the information involved, and the degree to which exceptions from PIPA are allowable must be made clear.
• In addition, it may be necessary in some rare and well-defined circumstances to have additional protocols related to
- Transfers of personal information from the province to an external organization
- Transfers of personal information from an external organization to the province
- Transfers of personal information amongst several organizations where:
- Team-delivered services are offered
- Inter-organizational case conferencing is occurring
- Integrated case management practices are in place
Where such protocols do not adhere completely to the recommended general procedures, exceptions must be kept to a minimum, and any concerned party should be able to the Information and Privacy Commissioner for adjudication.