Category: Administration and Operations
Approval: Vice-Principals’ Operations Committee
Responsibility: University Secretariat and Legal Counsel
Date initially approved: 9 July 2018
Definitions:
Access: means the right granted by FIPPA and other applicable legislation for any person to obtain access to a record of information that is in the university’s custody or under its control.
Agent: means a person, with the authorization of the university, acting for or on behalf of the university for the purposes of the university and not the agent’s own purposes, whether or not the agent has the authority to bind the university, whether or not the agent is employed by the university and whether or not the agent is being remunerated. For the purposes of this policy, a consultant is considered to be an agent.
Business Identity Information: information, including the name, title, contact information or designation of an individual that identifies the individual in a business, professional or official capacity. Business identity information is not considered to be personal information.
Data Classification Scheme: the university’s schema for classifying data and information to ensure the level of information protection and privacy is commensurate with the sensitivity and value of that data.
Directory of Records (DoR): means a list of the general classes or types of records prepared by or in the custody or control of the university.
FIPPA: the Freedom of Information and Protection of Privacy Act, Revised Statutes of Ontario 1990, chapter F.31.
Information Custodian: a unit head or individual assigned responsibility by the Information Steward for collecting, storing or enabling access to information, and for maintaining appropriate controls to guard against unauthorized access or modification, and inappropriate use or disclosure, whether intentional or unintended.
Information Steward: the university officer or employee having primary responsibility for establishing local policies and procedures, in alignment with university policies, relating to access, use, retention and destruction of information, and for ensuring that it is protected from unauthorized access or modification, and inappropriate use or disclosure, whether intentional or unintended.
Non-University Records: records created or received as a result of personal activities and usually including such items as research and study notes, teaching materials, publications and personal communications of individual faculty, staff and students. Non-university records include:
- records placed in the University Archives by or on behalf of a person or organization other than the university;
- a record respecting or associated with research conducted or proposed by an employee of the university or by a person associated with the university, subject to exceptions pursuant to FIPPA; and
- a record of teaching materials collected, prepared or maintained by an employee or by a person associated with the university for use at the university, subject to exceptions pursuant to FIPPA.
Personal Health Information (PHI): identifying information about an individual, in oral or recorded form, if that information relates to the physical or mental health of the individual and relates to the provision of healthcare to the individual, or includes the individual’s health card number.
Personal Information (PI): recorded information about an identifiable individual. Personal Information does not include Business Identity Information. See Schedule A for the full FIPPA definition.
Personal Information Bank (PIB): means a collection of personal information that is organized and capable of being retrieved using an individual’s name or an identifying number or particular assigned to the individual.
Record: as defined in FIPPA, any record of information however recorded, whether in printed form, on film, by electronic means or otherwise, and includes,
- correspondence (including email), a memorandum, a book, a plan, a map, a drawing, a diagram, a pictorial or graphic work, a photograph, a film, a microfilm, a sound recording, a videotape, a machine readable record, any other documentary material, regardless of physical form or characteristics, and any copy thereof, and
- subject to the regulations, any record that is capable of being produced from a machine readable record by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the institution.
Privacy Impact Assessment (PIA): means an organizational risk management tool used to identify the effects of a given process or other activity on an individual’s privacy.
Service Provider: any third-party entity that provides services to the university, whether for compensation or for free.
University Records: records, in any media or format, within the university’s custody or under its control that are created or received, and maintained as evidence or information in the administration and operation of the activities of the university.
Purpose/Reason for Policy:
The purpose of this policy is to:
- set out the responsibilities of the university community regarding the right of access to records and information and the protection of privacy of personal information in accordance with the Freedom of Information and Protection of Privacy Act (“FIPPA”); and
- ensure that personal information in the university’s custody or control, including personal information that has been transferred to an agent or service provider, is handled and protected in accordance with FIPPA and other applicable legislation.
Scope of this Policy:
This policy applies to all university employees (including faculty, staff, and students employed by ʹ’s), as well as members of the Board of Trustees, volunteers, service providers and agents, and any other individuals who collect, use, disclose, or otherwise handle records and information under the custody or in the control of ʹ’s University.
This policy applies to all university records in all media and formats, including but not limited to paper, electronic documents and files, email, photographs, film, audio and video, and drawings.
This policy does not apply to non-university records.
For records of personal health information, see the policy on the Handling of Personal Health Information.
Policy Statement:
ʹ’s University affirms the importance of conducting its operations in ways that are open to public scrutiny. ʹ’s University is also committed to the protection of privacy and personal information of individuals who work and study at the university, or who participate in the university community.