ÎçÒ¹av

Home > About ÎçÒ¹av > Office of the President > AI and PPI Policy

Access to Information and Protection of Personal Information Policy


1. BACKGROUND

1.1 On January 31, 2005, the ÎçÒ¹av created its policy in relation to the protection of personal information and electronic documents. The policy recognized the commitment made by the ÎçÒ¹av to protect privacy while, at the same time, providing procedures for the collection, use, and disclosure of information by the ÎçÒ¹av.

1.2 The ÎçÒ¹av is a special member of the community. While it is created by statute and delivers a variety of services to the public, the ÎçÒ¹av is an autonomous institution that has its own governing body, manages its own affairs, allocates its own funds, develops its own relationships with private individuals, businesses and industries, and offers its own diverse range of academic, vocational, and professional programs. This Policy is a reflection of the unique position of the ÎçÒ¹av in the community and must be interpreted with these principles in mind.


2. PURPOSE

2.1 The purpose of this Policy is to enhance the ÎçÒ¹av’s continued commitments to:

  1. a) providing access to information;
  2. b) protecting personal information and privacy; and
  3. c) setting out the processes for handling access to information requests (“access requests”) and breach of privacy complaints (“privacy complaints”).

3. SCOPE

3.1 This Policy applies to

  1. a) all requests for access to information maintained by the ÎçÒ¹av; and
  2. b) all members of the ÎçÒ¹av community with access to information maintained by the ÎçÒ¹av.

4. EFFECTIVE DATE

4.1 This Policy is effective May 1, 2017 and shall apply to all information created by the ÎçÒ¹av after the effective date of the Policy.

4.2 All requests for information before the effective date of this Policy shall be determined in accordance with the policies and practices in effect at the ÎçÒ¹av at the applicable time.


5. ACCESS TO INFORMATION

5.1 The ÎçÒ¹av routinely makes large amounts of institutional and other information available to the public on its website. The ÎçÒ¹av is committed to continuing this online practice. If information is not available on the ÎçÒ¹av’s website, an access request may be filed with the Office of the Chief Privacy Officer (the “Privacy Office”) in accordance with this Policy.


6. PRIVACY

6.1 The ÎçÒ¹av is committed to maintaining and protecting the integrity of personal and other confidential information. If a person believes his or her privacy rights have been breached, the person may file a privacy complaint with the Privacy Office in accordance with this Policy.


7. OFFICE OF THE CHIEF PRIVACY OFFICER

7.1 The Privacy Office handles access requests and privacy complaints made to the ÎçÒ¹av. The Privacy Office also carries out other associated duties, such as:

  1. a) educating ÎçÒ¹av staff on access to information and privacy;
  2. b) assisting ÎçÒ¹av staff members in conducting searches and addressing complaints;
  3. c) clarifying and responding to access requests;
  4. d) preparing fee estimates;
  5. e) investigating and remedying complaints;
  6. f) reporting on the number of access requests and complaints; and
  7. g) representing the ÎçÒ¹av in interactions following an access request or privacy complaint.

8. PROCESS FOR HANDLING ACCESS REQUESTS

8.1 Basic Steps

8.1.1 The steps in processing an access request may vary depending on the nature of the request. Generally, the Privacy Office follows these basic steps:

  1. a) An access request means a request for access to institutional or personal information. An access request shall be submitted in writing, addressed to the ÎçÒ¹av’s Chief Privacy Officer (the “Privacy Officer”), and must provide sufficient detail to enable the Privacy Office to identify the record(s) sought. The person making the request (the “Requester”) must also pay the initial fee and complete the Access Request Form (QF175). In exceptional situations, the Privacy Officer may authorize an access request to be accepted in some other format for the purpose of accommodating the personal circumstances of the Requester;
  2. b) The Privacy Officer shall consider the access request and determine whether it would be appropriate to conduct a search for responsive records;
  3. c) If appropriate, the Privacy Office contacts staff responsible at the faculty, administrative office, or service to conduct a search for records responsive to the access request;
  4. d) The records located as a result of the search are sent to the Privacy Office. The Privacy Officer reviews the records to determine whether exemptions and/or exclusions apply;
  5. e) The Privacy Office notifies the requester about the Privacy Officer’s decision whether to release the records in part or in their entirety and provides an estimate of the fees associated with the release of the records; and
  6. f) Once the Requester pays the fees associated with the access request, the Privacy Office sends copies of the responsive records to the Requester.8.2. Exemptions and Exceptions

8.2.1 There are certain types of records that are exempt from disclosure to protect institutional interests, the privacy of others, confidentiality, ongoing operations of the ÎçÒ¹av, and other interests important to the ÎçÒ¹av. For example, exemptions and exceptions include, but are not limited, to any information that:

  1. a) is an invasion of privacy;
  2. b) may be harmful to the interests of the ÎçÒ¹av, a third party, or an individual;
  3. c) may negatively affect a relationship important to the ÎçÒ¹av;
  4. d) may affect public safety or the health or safety of an individual;
  5. e) is confidential or is shared in confidence with the ÎçÒ¹av;
  6. f) relates to a policy, project, or other matter under consideration by the ÎçÒ¹av;
  7. g) relates to employees, labour relations, or student relations at the ÎçÒ¹av;
  8. h) relates to an investigation;
  9. i) relates to a legal or administrative proceeding;
  10. j) relates to a disciplinary matter;
  11. k) is protected by any form of privilege;
  12. l) relates to legal advice given to the ÎçÒ¹av; or
  13. m) relates to a request that is frivolous, vexatious, and an abuse of the Policy.

8.2.2. A record may contain information about an individual other than the Requester. Generally, information related to another individual is not disclosed.

8.2.3. A record may contain information that reveals commercial, financial, confidential or other information belonging to an external person, entity or organization. Generally, information related to another party is not disclosed.8. 3. Fees

8.3.1. The ÎçÒ¹av charges fees for the processing of access requests. Responding to an access request requires the ÎçÒ¹av to expend both human and financial resources. An initial and non-refundable fee must therefore be paid to the ÎçÒ¹av before the Privacy Office begins to process the access request and records shall not be released until the Privacy Office receives payment in full of all fees associated with request. All costs incurred by the ÎçÒ¹av will be the responsibility of the Requester and vary depending upon the size and complexity of the access request. Information on fees is found in the Fee Schedule attached in Appendix A, which forms part of this Policy.


9. PROCESS FOR HANDLING PRIVACY COMPLAINTS

9.1 Complaint

9.1.1 For the purpose of this Policy, a privacy breach occurs when there is unauthorized disclosure of personal information or someone has obtained unauthorized access to personal information. If a person believes his or her privacy rights have been breached, the person may file a privacy complaint in writing, addressed to the Privacy Officer, with the Privacy Office. The person making the complaint must complete the Privacy Complaint Form (QF176). In exceptional situations, the Privacy Officer may authorize a privacy complaint to be accepted in some other format for the purpose of accommodating the personal circumstances of the individual.

9.2 Basic Steps

9.2.1 The steps in processing a privacy complaint may vary depending on the nature, circumstances, and complexity of the complaint. Generally, the Privacy Office follows these steps:

  1. a) receipt of the privacy complaint;
  2. b) communication with the faculty, administrative office or service, and person(s) involved with the complaint or who may have knowledge of the circumstances;
  3. c) consultation with other appropriate authorities and/or external entities, if necessary; and
  4. d) notification of the individual who filed the complaint as to the outcome of the complaint and informing them of any steps taken to resolve the complaint.

10. PROTECTION OF PERSONAL INFORMATION

10.1 Personal Information

10.1.1 Personal information is regularly collected by the ÎçÒ¹av from students, employees, alumni, donors and other individuals, and this information is intended to be used for the purpose of administering programs and activities at the ÎçÒ¹av, delivering services at the ÎçÒ¹av and carrying out the operations of the ÎçÒ¹av, including:

  1. a) recruitment, admission, registration, evaluation, and/or graduation in an academic and non-academic program;
  2. b) student associations and organizations, including the alumni association;
  3. c) financial assistance and awards;
  4. d) development and fundraising activities;
  5. e) institutional planning and statistics;
  6. f) reporting to government agencies and/or professional organizations;
  7. g) employment;
  8. h) safety and security; and
  9. i) print, electronic, and internet publications.10.2. Disclosure

10.2.1 It is the general policy of the ÎçÒ¹av not to disclose personal information to external individuals or organizations unless:

  1. a) the individual was notified of the disclosure when the personal information was collected;
  2. b) the individual has consented to the disclosure or the disclosure is consistent with the purpose for which the information was collected;
  3. c) disclosure is permitted or required by law;
  4. d) the information is public information; or
  5. d) disclosure is authorized under this Policy.10.3 Correction

10.3.1 Individuals have a right to request access to their own personal information and to request the correction of their personal information. Those who wish to obtain access to their personal information or to request a correction should begin by contacting the faculty, administrative office, or service that has possession of the information at the ÎçÒ¹av. Depending on the nature of the request, it may require a written request addressed to the Privacy Officer.


11. RECONSIDERATION

11.1 If an individual disagrees with a decision made by the Privacy Officer under this Policy, the individual may submit a written request for reconsideration to the ÎçÒ¹av’s Vice-President Corporate Services within thirty (30) days of the date of the decision. The decision of the Privacy Officer shall be reconsidered by the Vice-President Corporate Services within thirty (30) days and his/her decision shall be final. In the event that the decision under reconsideration relates to the Vice-President Corporate Services or a conflict of interest exists, then the Vice-President Corporate Services shall designate another Vice-President at the ÎçÒ¹av to hear and decide the request for reconsideration.


12. RESPONSIBILITIES

12.1 The development and maintenance of this Policy is the responsibility of the President of the ÎçÒ¹av.

12.2 The administration of this Policy is the responsibility of the Privacy Office as set out above.


Resources

These are PDFs and will open in a new window.