Frequently Asked Questions About FIPPA: Government and Other Public Bodies



Who is the head of the public body under FIPPA and what is the role of the head?

Under FIPPA, the head of a public body depends on the type of public body. According to the definition of head in Section 1, the head is as follows:

  • for a government department, the head is the minister of the department.
  • for an incorporated government agency, the head is the chief executive officer.
  • for an unincorporated government agency, the head is the minister responsible for the agency.
  • for a local public body, the head is the individual or group of people designated by by-law or resolution of the local public body.

FIPPA gives the head of the public body the responsibility for all of the public body's decisions and actions under the act. The head may delegate any of their powers or duties to any individual on the public body's staff. It is suggested that the delegation be made to positions, rather than specific individuals. For recommended delegation documents, see Forms.

 

back to top

What are the responsibilities of an access and privacy officer and how is the officer appointed?

An access and privacy officer is an individual the head of the body has delegated a duty or power to under FIPPA. This delegation should be in writing.

In practice, the access and privacy officer is an important decision-maker under FIPPA and should be a senior staff person. Each officer should have a backup, who will act when the officer is away.

In government departments, it is recommended that access and privacy officers be at the executive level. It is also suggested that each department should have a lead officer with divisional officers as appropriate. Frequently, the head of the central administration division will be the lead officer.

The main duties of an Access and Privacy Officer are to:

  • Make decisions about granting or denying access requests and sign response letters.
  • Decide when extensions to response time are necessary.
  • Give formal notice for third parties and hearing responses.
  • Monitor the overall FIPPA performance of the public body.
  • Ensure that the public body manages personal information as required under FIPPA.
  • Deal with the ombudsman's office on complaint investigations and during any privacy investigations and audits.

 

back to top

What are the responsibilities of an access and privacy coordinator?

Each public body is requested, under the Access and Privacy Regulation, to appoint an employee as an access and privacy coordinator. This individual is responsible for receiving applications for access and for day-to-day administration of the act.
 
The access and privacy coordinator manages responses to access requests and helps program areas to comply with the requirements around collecting, using, disclosing, correcting and protecting personal information. In large organizations that receive many requests, this will probably be a full-time position. Because the coordinator works closely with the lead access and privacy officer, it is recommended that there be a direct reporting relationship between these two positions.

The main duties of the Access and Privacy Coordinator are to:

  • A Help applicants by explaining the FIPPA process and answering questions.
  • Receive applications and coordinate the response process.
  • Contact applicants for clarification or more information if necessary.
  • Ensure time limits and notification requirements are met.
  • Assemble records for the Officer's review and decision-making.
  • Estimate and collect fees, and if this duty is delegated to someone else, sign the Estimate of Cost form.
  • Draft response letters.
  • Prepare quarterly statistical reports.
  • Ensure ministerial delegated authority documents are up-to-date.
  • Ensure program directors understand the requirements for protecting personal information.
  • Receive requests to correct personal information and forward them to the program area.

 

back to top

What information should be included in a response to a FIPPA request?

FIPPA Section 12(1) states that a public body must inform the applicant in writing of the following:

  • whether access to the record (or part of the record) is granted or refused
  • if access to the record (or part of the record) is granted, how it will be given
  • if access to the record (or part of the record) is refused:
    • the reasons for the refusal and the exceptions in FIPPA the refusal is based on, or
    • that the record does not exist or cannot be located

When access is refused, the public body must also provide contact information for an employee who can answer the applicant's questions about the refusal. The written response must also say that the applicant can complain to the ombudsman about the refusal.

These links outline what the Manitoba Ombudsman's Office looks for in FIPPA responses:

Sample response letters are included at: Model Letters and notices

 

back to top

What do I do if the 45th day falls on a Sunday or statutory holiday?

FIPPA Section 9 states that public bodies must make every reasonable effort to respond to an applicant as quickly as possible. If you cannot respond until the 45th calendar day and that day falls on a weekend or a holiday, you can send the response on the next business day.

 

back to top

When and how do I transfer a request to another department or public body?

FIPPA Section 16 states that, within seven calendar days after a public body receives an access request, the head may transfer it to another public body if:

  • the record was produced by or for the other public body,
  • the other public body was the first to obtain the record, or
  • the record is in the custody or under the control of the other public body.

Examples:

  • Manitoba Families receives a request from an Employment and Income Assistance client for access to their records about a specific training program. Although the training program was originally delivered through Manitoba Families, these programs and their records are now the responsibility of Economic Development, Investment, Trade and Natural Resources. Families transfers the application to Economic Development, Investment, Trade and Natural Resources.
  • Executive Council receives a request for a Cabinet Submission about a farm support program. Because Manitoba Agriculture prepared the document, Executive Council can transfer the application to that department.

Before transferring an application, the Access and Privacy Coordinator should contact the Coordinator of the other public body to confirm that it has the requested record and agrees to the transfer. 

If an application is transferred to another public body, the coordinator of the body that originally received the request must notify the applicant of the transfer in writing as soon as possible. A sample notification letter is included at: Model Letters and notices.

The public body that the application is transferred to must make every reasonable effort to respond to the request within 45 calendar days of receiving it, unless there is a time extension under Section 15 or third-party notification under Section 33.

 

back to top

What fees can a public body charge under FIPPA?

There is no fee for submitting a FIPPA application or for the first two hours a public body spends searching for or preparing the information.
 
The following are services a public body can charge for under FIPPA:

  • Search and Preparation Fees

    $15 per half hour (after two free hours)
    Applies to time spent: locating the records, making working copies, doing any required severing. Does not apply to time spent deciding what information will not be disclosed and will be severed, arranging to transfer an application to another public body, or preparing a fee estimate.

  • Computer Programming and Data Processing Fees

    $10 for each 15 minutes of in-house programming or data processing, or the actual cost of having it done externally

  • Copying Records (if the applicant requests a copy)

    Photocopies and computer printouts: 20 cents per page;
    Prints from microfilm: 50 cents per page;
    Any other copying method: actual cost

    Note: applicants requesting copies of their own personal information are not required to pay for the copies if the total copying charge is less than $10.

  • Delivery Fees

    Regular mail: no charge;
    Courier delivery: actual cost

 

back to top

What activities can be charged for as search and preparation?

The following are search and preparation activities that can be charged to an applicant:

  • finding the requested records in the office or in storage
  • examining the file(s) to find the specific items that are part of the request
  • copying and physical severing of the records to avoid disclosing information that falls within a FIPPA exception

 

back to top

What activities cannot be charged for as search and preparation?

The Regulation Section 4 (3) states that the following activities are not part of search and
preparation and cannot be charged to an applicant:

  • transferring a request to another public body
  • preparing a fee estimate
  • reviewingthe records to see if any exceptions to access apply
  • copying a record for an applicant
  • preparing an explanation of the records
  • time consulting within the public body, other public bodies, third parties and legal counsel

 

back to top

What is a privacy impact assessment and how do I know if I need one?

A Privacy Impact Assessment (PIA) is the process of considering a project from a privacy perspective. Completing a PIA allows an organization to think about how they will safeguard the public's personal or personal health information as part of an existing or proposed program or activity. Common reasons for completing a PIA include, you are:

  • designing a new program or service
  • making significant changes to a program or service, such as converting from a conventional service delivery model to an electronic service delivery model
  • changing the way you collect, use or disclose personal information
  • anticipating that the public may have privacy concerns about a new or modified program or service
  • making changes to the business systems or infrastructure that affect the physical or logical (e.g. partitioned hard drive) separation of personal information or the security methods used to manage and control access to personal information

The Manitoba Ombudsman has developed a tool to support departments and agencies of the Manitoba government and public bodies in completing PIAs. You can find the tool at this link:

Privacy Impact Assessment - Manitoba Ombudsman

 

back to top

What are cookies and what do I need to disclose about the way I use them?

A cookie is a small text file that is stored on your computer or other device, when a website is loaded on your browser.

A cookie is often used to remember you and your preferences. Cookies cannot access any information on your computer and most web browsers automatically accept cookies.

Cookies may help you provide your visitors with a better website, by enabling you to monitor which pages or features they find or don't find useful.

Cookies can also collect non-personal information about a user's visit to your website, based on their browsing (click stream) activities. This information includes pages browsed, projects viewed, tools used and other analytical data. You might use these details to improve how your website functions and to understand how users interact with them.

Many organizations also make use of different third-party applications and services to enhance the experience for their website visitors. These include social media platforms such as Facebook, LinkedIn and X (through the use of sharing buttons), or embedded content from YouTube and Vimeo. As a result, cookies may be set by these third parties, and used by them to track users' online activity. You will have no direct control over the information these cookies collect.

 

back to top

What should I do if I suspect a privacy breach?

most common privacy breaches happen when personal information about clients, customers or employees is stolen, lost or mistakenly disclosed. Some examples of these situations are when a laptop computer is stolen from an office, a mobile device is left behind in a taxi or a document is faxed to the wrong number.

The Manitoba Ombudsman has identified five key steps for public bodies to respond to a breach:

  • Contain the breach.
  • Evaluate the risks associated with the breach.
  • Decide who to notify about the breach (this may include affected individuals,
    police, technology providers, regulatory bodies or the ombudsman's Office).
  • If the breach has reached the threshold of risk of significant harm under FIPPA, notify the affected individuals and the ombudsman.
  • Take steps to prevent future breaches.

For more information about responding to a privacy breach, please see the following guides developed by the Manitoba Ombudsman:

 

back to top

When is the collection of personal information authorized?

Public bodies often need to collect personal information to provide benefits and services to people. However, you cannot collect personal information unless you have legal authority.

Legal authority may be provided by FIPPA or program-specific legislation. Collecting personal information is allowed if:

  • the collection is authorized by an act or regulation of Manitoba or Canada
  • it is directly related to and necessary for a public body's existing program or activity, or
  • it relates to law enforcement or crime prevention

Just because an individual gives consent, this does not authorize the collection of personal information under FIPPA. The public body must collect information for one of the reasons listed above.

back to top

When is indirect collection of personal information authorized?

Generally, public bodies must collect personal information directly from the source, specifically from the people that the information is about (e.g. through an interview or by completing an application form).

However, FIPPA also allows public bodies to collect personal information indirectly from someone other than the individual the information is about (e.g. from another department to verify if they are eligible to participate in a program).

Some examples include:

  • program legislation authorizes a public body to collect financial information from the federal taxation department.
  • information confirming employment status is collected from the federal employment and immigration department, if collecting this information directly from people could reasonably be expected to result in inaccurate information.

For a complete list of when personal information can be collected indirectly, see Section 37(1) of FIPPA

 

back to top

What kind of collection notice do I need to provide when I collect personal information?

When collecting personal information directly from an individual, public bodies must notify the individual of:

  • the purpose for collection
  • the specific legal authority for the collection, and
  • the title and contact information of an officer or employee of the public body who can answer the individual's questions about the collection

    • They must do this by giving the individual a collection notice. All three parts of the notice must be given to the individual at the time the information is collected, and in a way that is appropriate to the circumstances.

  • if personal information is collected on a form, the notice can be part of the document, attached to the form or provided in a brochure.
  • if service is provided by telephone, verbal notice is appropriate.
  • if service is provided at a counter, signage or a brochure is appropriate.

Here is an example of a collection notice that could be included in a form:

The personal information collected is necessary to administer the______Program. It is used to assess and verify your eligibility for the_____Program. . If you have any questions about the collection of this information, please contact the Director, 123 Office Building, Winnipeg Manitoba, R3C 1Z1 or 204-945-1234.

 

back to top

How can a public body use the personal information it collects?

Public bodies are allowed to use personal information only:

  • for the same reason that it was collected, or for a consistent purpose
  • with the consent of the person, or
  • for the same reasons that it was disclosed to you by another public body under FIPPA

For example, if a municipality collects names and addresses to compile tax assessment rolls, it may also use this information for operating the municipality. This could include using the information to send out utility bills to homeowners.

For a complete list of when personal information can be disclosed, see Section 43 and 44(1) of FIPPA

Even if public bodies are allowed to use personal information for a particular purpose, FIPPA limits the use to the minimum amount necessary to fulfill that purpose in a reasonable way. This limit applies to the amount and type of information that is used.

The use of personal information is also limited to the employees of the public body who need to know the information to do their jobs.

For example, an employee submits an application for a long-term disability claim to the designated office in the public body where they work. To process the claim, the office needs to send the application to the insurance company that decides if the employee gets the money. There is personal information on the application, but the insurance company needs this information to make their decision or to keep as part of their records.

 

back to top

When should a public body disclose personal information?

Public bodies can disclose personal information only:

  • for the same reason that it was collected, or for a consistent purpose
  • with the consent of the individual, or
  • for a limited number of reasons that are authorized under FIPPA

For example, if the federal government is providing part of the funding for a Manitoba employment program, and the federal government requests a report on outcomes for participants, the Manitoba program would look at Section 44 of FIPPA to see if it is allowed to disclose this information. Under Section 44(1)(i), a public body may disclose personal information to the government of Canada to allow them to monitor and evaluate a shared cost program. If this is the reason the information is being requested, the public body would be authorized to disclose it.

For a complete list of when personal information can be disclosed, see Section 44(1) of FIPPA

Even if public bodies are allowed to disclose personal information for a particular purpose, FIPPA limits the disclosure to the minimum amount necessary to fulfill that purpose in a reasonable way. This limit applies to the amount and type of information that is disclosed.

The disclosure of personal information is also limited to the employees of the public body who need to know the information to do their jobs.

For example, an employee submits an application for a long-term disability claim to the designated office in the public body where they work. To process the claim, the office sends the application to the insurance company who decides whether the employee gets the money. There is personal information on the application, but the insurance company needs this information to make their decision or for their records.

 

back to top