How to make your consent forms FIPPA compliant

high school girls playing volleyball, looking happy

So, you want to work with a company that prints in the US or China. There are good reasons to! Our competitors all have some attractive options.

Because the nature of printing outside of Canada breaches FIPPA (Section 30.1), it requires consent. And because consent is laborious and complicated in parts, this post has a lot of info. We don’t want the impact to feel like we are saying that you have to do alllllllll these things. We’re saying the opposite: You don’t have to do ANY of this! You can get an affordable, beautiful, high-tech video-linked yearbook right here, locally, that is so darn FIPPA compliant that you don’t have to lift a finger. We are happy to jump through all of the hoops for you, including negotiating entirely new ways of operating with third parties so that they can be in compliance for us, or so that they can let us host their technology on our local servers.

Nevertheless, here’s now to work with another company, and be totally FIPPA compliant. We know you want to know because, “the Office of the Information and Privacy Commissioner is responsible for overseeing FIPPA, [and] the Commissioner has the power under FIPPA to investigate a public body even if no one has complained. Following an investigation, the Commissioner could ask or order a public body to comply with FIPPA.” [Source.] This could happen at any point in the school year.

Here is how the Office of the Information and Privacy Commissioner—the ruling body—has interpreted the legislation:

“Under s. 30.1(a) of FIPPA, public bodies can store or access personal information outside of Canada if the individual the personal information is about has given consent to the public body to do so. The consent must be in the prescribed manner. The regulations to FIPPA set out the requirements for consent under s. 30.1(a). According to the regulations, an individual’s consent must be in writing and must specify the personal information for which the individual is providing consent, the date on which the consent is effective and, if applicable, what date the individual’s consent expires. The consent must also specify who may store or access the personal information from outside of Canada, and if it is practicable, which jurisdiction the personal information may be stored in or accessed from. The consent must also specify the purpose of storing or accessing the personal information.

One challenge with consent is that recorded information often contains the personal information of multiple individuals. For example, if a public body wanted consent to store a student’s email about her parents’ divorce on a server located outside of Canada, the public body would have to obtain the consent of both the student and each of her parents. If the student’s next email contained the personal information of the friends she made during spring break, the public body would have to get their consent too.”

So, the consent form must:

  • be in writing
  • it must be voluntary and informed
  • must specify that personal information includes their photo, their name, their class information (teacher/homeroom/year, as applicable), the activities in which they were involved (all of this is specific personal info which can be used to track a person down)
  • the date the consent starts and ends
  • who will get access to the info outside of Canada (including subcontractors, we were told by the OIPC)
  • the purpose for storing the information

Additionally, the act itself states that the public body collecting the personal information must state:

  • the legal authority for collecting it, and
  • the title, business address and business telephone number of an officer or employee of the public body who can answer the individual’s questions about the collection. [Source. Section 27.2]

Based on the requirements and that this is the only prescribed way to obtain consent, unfortunately, if a school is opting people into consent and requiring them to opt out, they are in breech of the legislation. And what surprised us was that the consent needs to come from the students. As parents, we hope that the schools choose to get our consent as well, even though FIPPA does not require it.

If a consent form merely states that information will be on a cloud and students can obscure their identities with aliases, this isn’t a consent form for the yearbook (and it doesn’t sound like it’s meeting the requirements for cloud computing, either). Students can’t conceal anything in the yearbook.

So, let’s say that you do all of this the right way and you have some students who don’t consent. Will you be able to make sure that none of them appear in group photos? Is there anything about your experience with another company that makes this trouble and exclusionary treatment of students worthwhile? If so, please let us know so that we can see if we can fill that need for you!

Leave a Reply