2018-24 - Right to Information and Protection of Privacy Act

NEW BRUNSWICK
REGULATION 2018-24
under the
Right to Information and Protection of Privacy Act
(O.C. 2018-100)
Filed March 26, 2018
1 New Brunswick Regulation 2010-111 under the Right to Information and Protection of Privacy Act is amended by adding after section 4 the following:
Agreements for common or integrated services, programs or activities
4.1(1) For the purposes of paragraph 46.2(2)(b) of the Act, a written agreement entered into for the provision of a common or integrated service, program or activity shall contain the following information:
(a) a description of the service, program or activity;
(b) a description of the purposes or expected outcomes or benefits of the service, program or activity;
(c) a description of the respective roles and responsibilities of each party to the agreement;
(d) a description of the types of personal information that are to be collected, used or disclosed by each party in the course of providing the service, program or activity;
(e) a summary of the security arrangements with respect to personal information made by each party under subsection 48.1(1) of the Act; and
(f) the date on which the service, program or activity will start and, if applicable, the date on which the service, program or activity will end.
4.1(2) When a party to a written agreement withdraws from the agreement, the party
(a) shall not use or disclose personal information obtained under the agreement, except
(i) with the prior consent of the person to whom the personal information relates, or
(ii) when required or authorized by law, and
(b) shall comply with the information practices in effect immediately before it withdrew from the agreement for as long as the personal information obtained under the agreement is in its custody or under its control.
Information practices
4.2(1) The following definitions apply in this section.
“privacy breach” means any incident of unauthorized access, use, disclosure or disposal of personal information in the custody of or under the control of a public body. (atteinte à la vie privée)
“significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property. (préjudice grave)
4.2(2) A public body shall make the following security arrangements with respect to personal information in its custody or under its control:
(a) identify
(i) the names or categories of its officers, directors, employees or agents who are authorized to access the personal information,
(ii) the categories of personal information to which those persons or any category of those persons have access, and
(iii) the types of access permitted to the personal information by those persons or any category of those persons;
(b) only allow access to the personal information to persons or categories of persons authorized under paragraph (a);
(c) when responding to requests for disclosure of personal information under the Act, ensure that the request contains sufficient detail to uniquely identify the individual to whom the information relates;
(d) provide for the following procedures, appropriate in each case for the level of risk of unauthorized access, use, disclosure or disposal of the personal information and to the degree of harm that might arise from any unauthorized access, use, disclosure or disposal of the personal information:
(i) with respect to a person seeking access to personal information, verifying the identity of the person seeking access, the categories of personal information to which the person has access and the type of access permitted under paragraph (a);
(ii) recording and monitoring access to the personal information; and
(iii) protecting the personal information while the information is stored or being transferred.
4.2(3) With respect to the security arrangements made by a public body under subsection (2) of this Regulation or subsection 48.1(1) of the Act, the public body shall
(a) require that its officers, directors, employees and agents comply with the security arrangements, and
(b) periodically test and evaluate the effectiveness of the security arrangements.
4.2(4) With respect to a privacy breach, a public body shall take the following measures:
(a) investigate every reported privacy breach, actual or suspected;
(b) maintain a registry of every actual privacy breach reported and any corrective measure taken in relation to the privacy breach to diminish the likelihood of a similar occurrence;
(c) notify a person as soon as possible of any privacy breach involving the person’s personal information if it is reasonable in the circumstances to believe that the privacy breach creates a risk of significant harm to that person; and
(d) notify the Commissioner as soon as possible of any privacy breach under paragraph (c).
4.2(5) The factors that are relevant to determining whether a privacy breach creates a risk of significant harm to the person include
(a) the sensitivity of the personal information involved in the breach, and
(b) the probability that the personal information has been, is being, or will be misused.
4.2(6) For greater certainty, a public body shall retain and dispose of personal information in its custody in accordance with the record schedules established by the Provincial Archivist under the Archives Act, except the following educational bodies:
(a) The University of New Brunswick;
(b) Université de Moncton;
(c) St. Thomas University; and
(d) Mount Allison University.
2 This Regulation comes into force on April 1, 2018.