Understanding FOIP IT Requirements

How to bring your network and data into compliance with the Freedom of Information and Protection of Privacy Act

Background

The Freedom of Information and Protection of Privacy Act (FOIP) legislates access to information held by public institutions/bodies in Alberta, Canada, in an effort to safeguard individuals’ personal information. More specifically, FOIP addresses:

  • Individuals’ right of access to their personal records
  • The manner in which a public body may collect personal information from individuals
  • How a public body may use and disclose personal information
  • Individuals’ right to request corrections to personal information about themselves
  • Independent reviews of decisions made by public bodies under this Act

Who Needs to Comply

FOIP pertains to public bodies including all provincial government departments, agencies, boards and commissions. It also includes local public bodies such as municipalities, universities, school boards and others. For the complete list, click here.

The FOIP Act does not apply to private businesses, non-profit organizations, or professional regulatory organizations operating in Alberta.

Key IT Requirements

The following table lists sections of the FOIP Act, each with an explanation of how Varonis solutions can help control how a public body uses and discloses personal information:

Requirement: Division 2, Exceptions to Disclosure

  • Disclosure harmful to business interests of a third party
  • Disclosure harmful to personal privacy
  • Disclosure harmful to individual or public safety
  • Disclosure harmful to law enforcement
  • Disclosure harmful to intergovernmental relations
  • Disclosure harmful to economic and other interests of a public body
  • Privileged information
  • Disclosure harmful to the conservation of heritage sites, etc.

Description:

Disclosure harmful to business interests of a third party

16(1) The head of a public body must refuse to disclose to an applicant information
  (a) that would reveal
    (i) trade secrets of a third party, or
    (ii) commercial, financial, labour relations, scientific or technical information of a third party,
  (b) that is supplied, explicitly or implicitly, in confidence, and
  (c) the disclosure of which could reasonably be expected to
    (i) harm significantly the competitive position or interfere significantly with the negotiating position of the third party,
    (ii) result in similar information no longer being supplied to the public body when it is in the public interest that similar information continue to be supplied,
    (iii) result in undue financial loss or gain to any person or organization, or
    (iv) reveal information supplied to, or the report of, an arbitrator, mediator, labour relations officer or other person or body appointed to resolve or inquire into a labour relations dispute.

Disclosure harmful to personal privacy

17(1) The head of a public body must refuse to disclose personal information to an applicant if the disclosure would be an unreasonable invasion of a third party’s personal privacy.
(2) A disclosure of personal information is not an unreasonable invasion of a third party’s personal privacy if
  (a) the third party has, in the prescribed manner, consented to or requested the disclosure,
  (b) there are compelling circumstances affecting anyone’s health or safety and written notice of the disclosure is given to the third party,
  (c) an Act of Alberta or Canada authorizes or requires the disclosure

Continue reading “Exceptions to disclosure” – starting page 21 of the Act or page 23 of the pdf

Varonis Product/Feature: Preventing Harmful Disclosures

With an efficient, incremental data classification and indexing engine like Varonis’ IDU Classification Framework and Varonis DatAnswers, you’ll be able to locate and retrieve all relevant information and records to prevent harmful disclosures. DatAnswers maintains an index so that electronic information containing specific terms can be found at any time. The IDU Classification Framework can automatically locate information, records and other sensitive data based on a multitude of criteria: keywords, patterns, date created, date last accessed, date modified, user access, owner, and many more.

Once you have a high-level overview of where relevant information and records are stored, there are additional steps that you can take to automate and prevent harmful disclosure. Varonis Data Transport Engine provides the flexibility to configure rules, based on your criteria, and then automatically move or copy relevant records to a secure folder or SharePoint site.

Requirement: Division 2, Use and Disclosure of Personal Information by Public Bodies

Description:

39(1) A public body may use personal information only
  (a) for the purpose for which the information was collected or compiled or for a use consistent with that purpose,
  (b) if the individual the information is about has identified the information and consented, in the prescribed manner, to the use, or
  (c) for a purpose for which that information may be disclosed to that public body under section 40, 42 or 43.

Varonis Product/Feature: Internal Controls Pertaining to Use of Personal Information

Varonis provides a comprehensive system for meeting internal control objectives.

  • Control Environment: Varonis DatAdvantage can recommend the revocation of permissions to data for users who do not have a business need for the data – this ensures that user access to data is always warranted and driven by least privilege.
  • Information & Communication: Varonis DatAdvantage provides data stewards with detailed reports, including: data use (i.e. every user’s every file-touch), user activity on sensitive data, permission changes that affect the access of a given file or folder, and a detailed record of permission revocations including the users and the data for which permissions were revoked.
  • Control Activities: Varonis DataPrivilege is a web-based application that controls, monitors and administers a user’s requests to unstructured data (files, emails, SharePoint, etc.).
  • Monitoring: Varonis DatAdvantage monitors every user’s file touch and stores, in a searchable format, all aspects of data use for information stored on file servers and Network Attached Storage (NAS) devices.

Request a demo

Interested in finding out how Varonis can help with your compliance initiatives?

Or contact sales at 877-292-8767