Internal Privacy Policy
Approval Date: January 20, 2021
Effective Date: January 21, 2021
Date Reviewed: June 2020
Replaces: Version 2006
Purpose
Cambrian College (‘the College’) is subject to the requirements of the Freedom of Information and Protection of Privacy Act (FIPPA). In summary, FIPPA has two purposes:
- It gives individuals access to recorded information held by the College.
- It regulates Personal Information in the possession of the College.
This policy describes the obligations of the College and its staff under FIPPA.
Scope
All College employees.
Definitions
Cambrian College Foundation: refers to the organization responsible for the management of the philanthropic activities of the College.
Consistent Purpose: defined as one the requestor might have reasonably expected. For example, if an individual is given notice that their address is being collected to send a magazine subscription, it would likely be reasonable to use the address to send a subscription renewal form.
Direct Collection: refers to the collection of information from the individual to whom the personal information relates.
Indirect Collection: refers to the collection of information from a source other than the individual to whom the personal information relates.
Personal Information: is information ‘about an identifiable individual’. It includes but is not limited to the following:
- Information on race, national or ethnic origin, colour, religion, age, sex, sexual orientation, marital or family status
- information relating to medical, criminal, employment history or education or to the individual’s financial transactions;
- identifying numbers and symbols;
- address, telephone number, fingerprints, blood type;
- personal views or opinions except as they relate to another individual;
- an individual’s name where it appears with other personal information or where disclosure of the name would reveal personal information;
- views or opinions expressed about an individual; and correspondence that is sent to an institution by an individual where that correspondence is implicitly or explicitly of a confidential nature, as well as replies which would reveal the contents of the original letter
Policy Statements
- Collection
- The College can only collect Personal Information (whether directly or indirectly) in one of the following three circumstances:
- Where collection is expressly authorized by statute;
- Where the information is used for the purposes of law enforcement;
- Or where the information is necessary for the proper administration of a lawfully authorized activity.
- Direct Collection
- The College is required to notify affected individuals of the following:
- The legal authority for the collection;
- The purpose or purposes for which the information is intended to be used; and
- The title, business address and telephone number of the College official who can answer questions about the collection.
- FIPPA does not require the College to obtain consent for the collection of personal information so long as the information is collected directly from the individuals.
- Notice of the collection must be given to the individual except under circumstances where access to the information can be denied under certain law enforcement sections of FIPPA (i.e., where the information is being collected for certain law enforcement proceedings or anticipated proceedings).
- Indirect Collection
- FIPPA permits Indirect Collection of personal information only in limited circumstances. These include the following:
- Where consent to Indirect Collection is provided;
- Where a disclosure to the College is otherwise permissible under the disclosure provisions of FIPPA;
- Where the Ontario Privacy Commissioner authorizes the collection;
- If the information is in a report from a reporting agency in accordance with the Consumer Reporting Act;
- If it is collected for a proceeding or a possible proceeding before a court or tribunal;
- If another manner of collection is authorized under another statute.
- Access
- General
- FIPPA allows individuals access to recorded information in the custody or control of the College. For general purposes, staff should be aware of the following:
- the access right only applies to recorded information;
- the information must be in the custody of or under the control of the College;
- not all information is subject to access requests – FIPPA contains a number of exclusions which exclude certain categories of information from the application of FIPPA and the access rights therein;
- some recorded information that is subject to access requests may be withheld in accordance with a number of exemptions which will authorize (and in some cases require) the College to deny access to information;
- access requests must be in writing and must be accompanied by a payment to the College of $5 to be valid; and
- access requests must normally be responded to within thirty (30) days unless an extension is warranted.
- As the College is under strict time limits, staff who receive access to information requests must immediately forward the same to the Director, Human Resources.
- Personal
- FIPPA allows individuals access to recorded information about themselves that is in the custody or control of the College. For general purposes, staff should be aware of the following:
- The access right only applies to recorded information;
- The information must be in the custody of, or under the control of, the College;
- Not all information is subject to access requests – FIPPA contains a number of exclusions which exclude certain categories of information from the application of FIPPA and the access rights therein;
- Some recorded information that is subject to access requests may be withheld in accordance with a number of exemptions which will authorize (and in some cases require) the College to deny access to information, though some exemptions do not apply to requests for one’s own personal information;
- access requests must be in writing and must be accompanied by a payment to the College of $5 to be valid; and
- access requests must normally be responded to within thirty (30) days unless an extension is warranted.
- Use
- The College, and its employees and agents, may only use Personal Information in its custody or control in limited circumstances.
- Normally, the uses must be restricted to those for which the affected party has been given notice before, or at the time of, collection, or to a Consistent Purpose.
- Personal Information may only be used for other purposes if one of the following exceptions applies:
- Where the individual identifies the particular information and consents to its use;
- For a purpose for which it may be disclosed under the disclosure provisions of FIPPA.
- The College may use alumni records for the purposes of its own fundraising activities if the Personal Information is reasonably necessary for the fundraising activities and provided that certain steps are followed.
- These steps include the following:
- Giving notice to the contacted person, upon first contact, of their right to request that solicitation cease;
- Providing similar notices periodically thereafter when making additional solicitation approaches to the individual; and,
- Periodically publishing a general notice of an individual’s right to request that fundraising solicitation cease.
- If asked to cease soliciting for fundraising, the College must stop approaching this individual.
- Disclosure
- FIPPA regulates personal information in the custody or control of the College. Specifically, it places restrictions on how the College collects, uses and discloses personal information. It also imposes rules on how long the College must keep personal information, and how it is to be kept secure.
- FIPPA contains a number of exclusions that exclude certain categories of information from the rules regarding the College’s collection, use or disclosure of personal information. For example, personal information relating to an individual’s employment with the College is generally excluded from the application of FIPPA’s rules.
- Institutions may only disclose Personal Information in their custody or control under certain circumstances, including the following:
- where an access request is made and the Act permits granting of access;
- where the individual identifies the information and consents to its use;
- for the purpose for which it was collected or for a consistent purpose (i.e., one which the individual might have reasonably expected);
- for the purpose of complying with a federal or Ontario law or with a treaty, agreement or arrangement under such authority;
- where disclosure is to an institution or law enforcement agency in Canada to aid in an investigation with a view to a law enforcement proceeding or from which such a proceeding is likely to result;
- in compassionate circumstances to contact next of kin or a friend of an ill, injured or deceased person;
- in compelling circumstances affecting the health or safety of an individual;
- to an MPP who has been authorized by the affected person to make inquiry on the person’s behalf (or by the next of kin where the affected person is incapacitated);
- to a bargaining agent who has been authorized by the affected person to make inquiry on the person’s behalf (or by the next of kin where the affected person is incapacitated);
- to the responsible Minister of the Ontario Government;
- to the Ontario Privacy Commissioner;
- to the federal government to facilitate the auditing of a shared cost program; or
- where permitted or required by a federal or provincial law.
- The College may also disclose Personal Information to a third-party for the purposes of facilitating fundraising activities if the information is reasonably necessary for fundraising and the College enters a written agreement with the receiving party which meets certain requirements. These agreement requirements include the following:
- Compliance with the requirement to give initial and periodic notice to individuals regarding their right to request that disclosure for fundraising cease;
- Granting access to an individual’s Personal Information held by the Cambrian Foundation or other recipient if requested by the individual;
- Providing individuals with notice that they may have the College and receiving party cease contacting them for fundraising activities; and,
- Ceasing the use of Personal Information for fundraising purposes if requested by the individual.
- Record Retention
- Personal Information must be retained for a period of at least one year from its use unless the affected individual consents to a shorter period.
- This one-year period starts from when the purpose for which the information was used has been satisfied. The one-year period exists to provide individuals with time to request access to, or correction of, that information.
- Personal Information should not be destroyed prior to this time and may be subject to longer retention periods under the College’s Retention Schedule.
- Security
- Staff members are required to prevent unauthorized access to records and to define, document and put in place specific security measures. Each department is expected to do so.
- Security safeguards generally fall into three categories: administrative (policies to be followed to safeguard information), physical (physical barriers and locks to prevent unauthorized access to paper records) and technological (electronic and network safeguards to prevent unauthorized access to digital records).
- Security measures to be considered should include, but are not limited to, the following: computer use policies (e.g., password restrictions, shutting off computers while not in use etc.), firewalls, physical security (e.g., locking cabinets and offices) and administrative protocols (e.g., limiting staff access to certain files).
- Disposal
- When disposing of Personal Information, the College is required to use reasonable steps to ensure information cannot be reconstructed or retrieved.
- A disposal record must be maintained identifying which information has been destroyed or transferred to the Archives of Ontario.
- In addition, FIPPA requires that measures be taken to ensure security and confidentiality during storage, transportation, handling and destruction.
Responsibilities and Accountability
Associate Vice President, Human Resources and Student Services is responsible for:
- Ensuring accessibility and communication of this policy and any associated procedures.
College Administrators are responsible for:
- Familiarizing themselves with the requirements of this policy and any associated procedures.
- Communicating the policy requirements and any associated procedures to employees.
- Ensuring compliance with the terms set out in this policy.
Staff are responsible for:
- Being familiar with the policy and its requirements.
- Complying with the requirements of the policy.
Procedures/Forms
None
Related Policies
References
Freedom of Information and Protection of Privacy Act (FIPPA)
Recovery of College Records and Resource Materials
Record Retention Schedule