Collection/Disclosure; A Two-Step Analysis (updated)
When personal information or personal health information (information) is shared by one public body with another, the issue arises as to who has the authority to disclose and who has the authority to collect. Many collections of information happen when you or I visit a public body, apply for a service or benefit and fill out a form or answer questions orally. By giving the information to the public body, we are consenting to their collection of it. We have expectations that they will use it for the purpose collected, that they will protect it and not disclose it to others without consent unless legislative authority to disclose otherwise exists.
So, when it comes to the sharing of information by one public body with another, my office has to ask two questions: Does one body have the authority to collect? Does another body have the authority to disclose? For an authorized sharing to occur, the answer to both questions has to be yes. If one of the answers is no, then the sharing is unauthorized.
If the sharing will only occur once, then the public bodies are wise to reduce their understanding to emails, but probably don’t need a formal data sharing agreement.
If the data sharing will occur often, it is then best practice that the public bodies enter into a written data sharing agreement. That agreement should set out the legislative provisions that allow collection and disclosure and it should set out the obligations of the receiving public body regarding the safeguarding of that information and the rights of the sending public body to review and audit the actions of the receiving body.
The existence of a data sharing agreement itself does not authorize the sharing; it is the provisions in statutes or regulations, authorizing collection and disclosure that make the sharing authorized.
As a final note, any authorized sharing should be looked at with the data minimization principle in mind. The public body collecting the information should collect the least amount possible and the disclosing public body should disclose the least amount possible. Of course, there may have to be discussions between the two bodies to ensure that the least amount of information gets shared.
Another situation where the two-step analysis must be applied is when a public body has the power to investigate. Implied in the power to investigate is the authority to collect information. When an investigator approaches someone in another public body and asks for information, the other public body needs to decide whether they have the authority to disclose under The Freedom of Information and Protection of Privacy Act, The Local Authority Freedom of Information and Protection of Privacy Act or The Health Information Protection Act (i.e., where the disclosure is permitted pursuant to another Act or Regulation). Now for general information or de-identified information, they can always disclose that as no privacy interests are engaged. For personal health information, they should attempt to determine whether the personal health information is reasonably necessary for the investigation. The data minimization principle always suggests that the least amount of information be disclosed. Collection and disclosure are like two sides of the same coin. You can’t have one without the other. It is always necessary to analyze the authority to collect and the authority to disclose before sharing the information in question.