BC Regional Information Governance Centre Privacy Policy
1. Definitions
Control: having the authority and responsibility to make decisions about First Nations Data.
Custody: having physical possession and Control of information or First Nations Data.
First Nations Data: means any information or data, including without limitation documents, text, graphics, images, design, trademarks including logos, audio, video, software, data compilations and any other form of information capable of being stored in a computer: (a) that have been uploaded by a First Nation to the Site; and/or (b) are identified as specific to the citizens or territories of a First Nation.
Freedom of Information and Protection of Privacy Act (FIPPA): means the BC Freedom of Information and Protection of Privacy Act, as amended from time to time.
Personal Information: Personal information is any recorded information about an identifiable individual other than their business contact information. Personal information includes information that can be used to identify an individual through association or inference.
Privacy Breach(es): the loss of, unauthorized access to, or unauthorized disclosure of Personal Information resulting from a breach of an organization’s security safeguards.
Privacy Impact Assessment (PIA): means the assessment of a current or proposed initiative (a system, project, program, or activity) to evaluate privacy impacts, including evaluating compliance with this Policy and with BCFNRIGC privacy responsibilities under FIPPA.
Services: the data platform and associated services of the BC First Nations Regional Information Governance Centre.
Staff: all members of the BC First Nations Regional Information Governance Centre project team, such as employees, researchers, contractors, consultants, and other service providers engaged by BC First Nations Regional Information Governance Centre.
User(s): Entity or individual agreeing to the data platform’s Terms of Service.
2. Introduction
2.1. BC First Nations Regional Information Governance Centre (BCFNRIGC), housed by the First Nations Summit Society, is committed to supporting the data needs of First Nations governments and organizations in British Columbia (BC) through the development of data-related knowledge, skills, and infrastructure. Advancing this objective may require BCFNRIGC to access, collect, manage, use, disclose, and retain Personal Information through its Services from time to time.
2.2. BCFNRIGC is committed to protecting individuals’ privacy by ensuring that all Personal Information under its Custody or Control is handled securely and in compliance with applicable federal and provincial privacy laws.
2.3. BCFNRIGC is committed to upholding the First Nations principles of OCAP® (Ownership, Control, Access, and Possession).
3. Purpose
3.1. The purpose of this policy is to describe ethical, consistent, and transparent practices for the collection, management, access, use, disclosure, retention, and destruction of Personal Information in the Custody or under the Control of BCFNRIGC.
3.2. This policy aims to uphold personal privacy and respect individuals’ choices regarding their Personal Information while making every reasonable effort to align with the First Nations principles of OCAP®.
4. Scope
4.1. This policy applies to all Personal Information, regardless of format or how it is stored or recorded, that is in the Control of BCFNRIGC, recognizing that in certain circumstances, Personal Information may be in the Custody but not Control of BCFNRIGC.
4.2. This policy applies to all Staff of BCFNRIGC in working with Personal Information in the Custody or Control of BCFNRIGC. For the purposes of this policy, Staff includes all members of the BCFNRIGC project team, such as employees, researchers, contractors, consultants, and/or other service providers engaged by BCFNRIGC.
4.3. This policy applies to all BCFNRIGC Services.
4.4. Users of BCFNRIGC Services are responsible for conducting themselves in a manner consistent with this policy, their internal policies, and applicable federal and provincial privacy laws.
5. Policy
5.1. BCFNRIGC enables OCAP® principles in practice by enabling greater choice and, wherever possible, Control over how their data are treated.
5.2. BCFNRIGC upholds personal privacy by keeping Personal Information private by default.
5.3. All Staff must ensure that their practices in collecting, managing, accessing, using, disclosing, retaining, and sharing of Personal Information in the Custody or Control of BCFNRIGC comply with this policy as well as:
- The British Columbia Freedom of Information and Protection of Privacy Act (FIPPA).
- Any other applicable laws, professional codes of ethics, standards of practice, and contractual obligations.
5.4. These obligations for ensuring privacy and confidentiality continue after the employment, contract, or other affiliation between BCFNRIGC and its Staff comes to an end.
5.5. BCFNRIGC will remain transparent with First Nations, Users, Staff, funders, partners, and the public regarding how it collects, manages, accesses, uses, discloses, retains, and disposes of Personal Information in connection with its Services in order to develop and maintain trust-based relationships.
Collection of Personal Information
5.6. Staff may collect Personal Information as needed to offer Services and will not collect more Personal Information than is required to fulfill those purposes as stated at the time of consent or as required by federal and provincial legislation and regulations. Personal Information will be collected directly from the individual the information pertains to wherever possible. At the time of collection, the individual will be informed of:
- the purpose for the collection;
- the legal authority for the collection; and
- the contact person if the individual has any questions about the collection.
5.7. BCFNRIGC may assume Custody of Personal Information in specific circumstances:
- Repatriating or facilitating access to historical or archival data from third-party institutions on behalf of First Nations in British Columbia (BC): These datasets, which may from time to time include Personal Information, will be optionally available to Users. Any associated constraints or obligations from the original data sources, including with respect to Personal Information, will be communicated to Users.
- Storing data uploaded by Users into BCFNRIGC Services: Users are responsible for ensuring appropriate protection of that Personal Information in accordance with the Terms of Service for the Services, their policies, and applicable federal and provincial privacy laws.
Management of Personal Information
5.8. BCFNRIGC will abide by known data standards and take all reasonable steps to ensure the accuracy and completeness of any Personal Information collected or recorded and be diligent to protect against making any errors due to carelessness or other oversights.
5.9. BCFNRIGC will take reasonable measures to safeguard Personal Information in its Services by implementing industry-standard security protocols to prevent unauthorized access, use, or disclosure. These measures include:
- Protecting physical access to BCFNRIGC information and systems, based on the level of acceptable risk for loss, damage, theft, or compromise;
- Ensuring secure operations of all BCFNRIGC systems in order to maintain the confidentiality, integrity, and availability of systems and information; and
- Restricting and monitoring access to BCFNRIGC systems and data.
Access and Use of Personal Information
5.10. Staff may access and use Personal Information and non-personal information only for legitimate purposes on a “need-to-know” basis, as required to perform their job functions and responsibilities.
- Primary Use: BCFNRIGC primarily collects Personal Information to provide Users with access to the Services. Staff may use Personal Information for the provision of Services and for administrative and other support functions related to Services.
- Secondary Use: Staff may use Personal Information for purposes related to the provision of Services only if the purpose has a reasonable and direct connection to the provision of Services. Where possible, personal identifiers (e.g. name, birth date, home address, postal code, personal phone number, SIN, employee ID number, etc.) will be removed from records and documents.
5.11. BCFNRIGC acknowledges an individual’s right to their Personal Information and will assist individuals who request access to their Personal Information to the degree that providing access does not negatively impact others.
5.12. Personal Information that Users upload to BCFNRIGC Services is subject to configurable settings. These settings offer flexibility, enabling Users to define how their data can be accessed and shared. By default, BCFNRIGC ensures that all datasets remain private unless the User specifies otherwise.
Disclosure of Personal Information
5.13. BCFNRIGC will only disclose Personal Information in its Control for the purpose for which it was originally collected, except in cases when compliance is required due to a court or an authoritative body issuing an order, subpoena, or warrant directly related to the Personal Information.
5.14. BCFNRIGC will make reasonable efforts to only use or disclose Personal Information in its Control when necessary, and must consider the use of de-identified or anonymous data where possible.
5.15. BCFNRIGC may disclose Personal Information to Users when repatriating historical or archival data from third-party institutions in accordance with applicable law and any governing agreements with respect to those historical or archival data.
Retention and Destruction of Personal Information
5.16. Personal Information will be retained until the specific purpose for which it was collected has been fulfilled, or until BCFNRIGC has been instructed to dispose of this Personal Information by those responsible for its Control.
Reporting Privacy Breaches
5.17. Staff must immediately report any actual or suspected privacy breaches or violations of this policy, including the theft, loss, or attempted theft of Personal Information, devices, or paper records, to the Executive Lead. This could include unauthorized access to or use of the Services in breach of the Terms of Service.
5.18. The Executive Lead will outline measures to identify, contain, and investigate Privacy Breaches and notify affected individuals when legally required or if substantial business or personal risks are identified. Actions to be taken will be determined by the Executive Lead according to the nature of the breach and parties involved.
Privacy Impact Assessment
5.19. A Privacy Impact Assessment (PIA) must be completed before implementing or significantly changing any Services that involve the collection, management, use, access, disclosure, retention, or sharing of Personal Information.
5.20. Staff should contact the Executive Lead, who will determine if a PIA is required and, if so, will hold accountability for ensuring its completion.
6. Responsibilities
6.1. The protection of privacy and confidentiality of Personal Information is a responsibility shared by BCFNRIGC and its Staff.
Executive Lead
6.2. The Executive Lead is responsible for:
- Oversight and compliance with this policy;
- Responding to questions from Staff and Users concerning collection, management, access, use, disclosure, retention, and sharing of Personal Information;
- Investigating potential and actual breaches of this policy brought to its attention and reporting breaches in accordance with this policy; and
- Supporting the completion of PIAs.
Staff
6.3. Staff are responsible for:
- Taking appropriate steps to ensure that all Personal Information is protected against unauthorized collection, management, access, use, disclosure, retention, destruction, or sharing;
- Being familiar with, maintaining, and enforcing the physical and technical security measures applicable to their own project work and being aware of and adhering to applicable policies, including this policy as well as any guidelines for protection of Personal Information;
- Ensuring that access to and disclosure of Personal Information is only made by or to authorized individuals; and
- Reporting to the Executive Lead any actual or suspected Privacy Breaches and cooperating with any related investigations.
6.4. The obligations for ensuring privacy and confidentiality set out in this policy continue after the employment, contract, or other affiliation between BCFNRIGC and its Staff ends.
7. Compliance
7.1. Any violations of this policy may result in disciplinary action, up to and including removal from BCFNRIGC projects, termination of employment, or other measures as deemed necessary to ensure compliance.