Procedure Number: HR 500 | Procedure Title: Access to Information and Protection of Privacy |
Supersedes Existing Procedure? Y | Procedure Owner: Executive Director, Human Resources Services |
Associated Policy: Y | Date Last Approved by CET: October 16, 2019 |
1. Purpose
This procedure outlines the general rules regarding the use, collection, disclosure, retention and disposal of personal information in the custody or under the control of Loyalist College. Loyalist College recognizes that an individual’s right to privacy includes the right to know how his/her personal information is being used.
All Loyalist College employees who handle personal information on behalf of the College have a responsibility to ensure that the information remains confidential and secure. This procedure is intended to comply with the requirements of the Freedom of Information and Protection of Privacy Act (FIPPA).
2. Application
This procedure applies to all members of the College community, including, but not limited to students, employees, former employees, third parties, and members of committees who have access to records under the custody and control of Loyalist College. This procedure is intended to complement, not detract from Provincial or Federal legislation or any collective agreements in place at the College adopted under the authority of the Board of Governors.
Where this procedure conflicts with legislation, or collective or other existing agreements, the legislation and agreements will take precedence over this procedure.
3. Roles and Responsibilities
- 3.1 The President is responsible for:
- ensuring compliance with the Act as delegated by the Chair of Loyalist’s Board of Governors. The President may delegate that authority and responsibility to the Freedom of Information and Privacy Coordinator to be appointed by the College.
- 3.2 The Executive Director of Human Resources and Deans are responsible for:
- communicating this policy to all employees in their department/school(s) and creating an awareness of their responsibilities;
- establishing and maintaining policies and procedures within their department/school(s) to:
- provide access to and disseminate public information as a normal part of operations;
- ensure that personal information is protected in accordance with the Act at all times, including collection, use, disclosure, retention and disposal;
- direct all formal requests for information made under the Act to the Freedom of Information and Privacy Coordinator;
- ensure that the Freedom of Information and Privacy Coordinator has access to all information, records, systems, property and personnel in a timely manner as necessary to perform his/her duties;
- co-operate with the Freedom of Information and Privacy Coordinator to address all formal requests on a timely basis.
- 3.3 Employees who have access to records are responsible for:
- providing access to and disseminating public information as a normal part of operations;
- following established policies and procedures to ensure that personal information is protected at all times, including collection, use, disclosure, retention and disposal;
- following established policies and procedures to ensure the correction of personal information;
- directing all formal requests for information to the Freedom of Information and Privacy Coordinator;
- co-operating with the Freedom of Information and Privacy Coordinator to address all formal requests on a timely basis.
- Failure of employees to adhere to the Access to Information and Protection of Privacy policy and procedure could result in the misuse of information and potentially a breach of confidentiality. In such cases, the individual may be subject to disciplinary action. Employees are encouraged to contact the Freedom of Information and Privacy Coordinator if they have any questions about this policy or the Act.
- Any existing practice(s) for the release of information that is not personal in nature may continue at the discretion of the responsible Vice President.
4. Use, Collection, Disclosure, Retention and Disposal of Personal Information
- 4.1 Collection of Personal Information
- Collect the minimum amount of personal information necessary in order to fulfill the purpose for which the information was collected.
- Personal information is to be collected directly from the individual whom the information is about, with few exceptions. This ensures that the information collected is up-to-date, complete and accurate.
- Personal information includes activities where individuals respond through interviews, questionnaires, surveys, polls, or by completing forms in order to provide information to the College.
- There is no restriction on how personal information is collected. The means of collection may be writing, audio- or videotaping, electronic data entry or by other means.
- All personal information, as defined above, must remain confidential.
- Employees of the College are permitted access to the information contained in student records if they need to know the information to perform their official duties. As a general rule, only employees involved in some aspects of academic administration or student affairs are given access to the contents of student records.
- When collecting personal information from an individual, Loyalist College is required to notify individuals of the following:
- The Ontario Colleges of Applied Arts and Technology Act, 2002, S.O. 2002, Chapter 8, Schedule F provides the legal authority to collect personal information.
- The purpose for which the information is collected.
- A contact person who can answer questions about the collection.
- A standard Collection Notice (see example below) must be included on the bottom of each form (hard copy or electronic) originating from the department where personal information is collected.
- Collection Notice:
- Loyalist College protects your privacy and your personal information. The personal information requested on this form is collected under the authority of the Ontario Colleges of Applied Arts and Technology Act, 2002, S.O. 2002, Chapter 8, Schedule F, and in accordance with the Freedom of Information and Protection of Privacy Act (FIPPA) for the administration of the College and its programs and services. Direct any questions about this collection to the Freedom of Information and Privacy Coordinator, Loyalist College, at fippa@loyalistcollege.com or 613-969-1913 Ext. 2331.
- Departments must ensure that all departmental forms have a Collection Notice when collecting personal information from employees, students, alumni, clients, and members of the general public.
- 4.2 Use of Personal Information
- Take reasonable steps to ensure the personal information collected is accurate, up to date and secure.
- Only use personal information for the purpose for which it was obtained or for a consistent purpose. A consistent purpose means that the individual could reasonably expect this use/disclosure of his/her personal information. Where personal information is collected other than directly from the individual, a consistent purpose is determined by considering whether Loyalist’s proposed use/disclosure of this information is reasonably compatible with the purpose for which it was collected.
- Employees and third parties whom Loyalist College authorizes to handle personal information must protect the personal information and records they use by following appropriate security arrangements. This will help to ensure there is no unauthorized access, collection, use, disclosure, correction, retention or disposal of personal information and records.
- Departments are responsible to self-monitor compliance with security standards to ensure that physical and procedural security precautions are established and maintained.
- Only use personal information where the individual to whom the information relates has consented to the use proposed by Loyalist. When personal information is to be used for a new purpose that is not consistent with the Collection Notice at the time of collection, then an individual consent needs to be obtained.
- Individual consents should be in writing and indicate:
- the particular personal information to be used;
- the use for which consent is given;
- the date of the consent; and
- that consent has been given to Loyalist College.
- 4.3 Disclosure of Personal Information
- Individuals have a right to ask to review or obtain a copy of their own personal information and to request a correction of the record containing their personal information. The Act outlines some exemptions and exclusions whereby individuals will not be given access to personal information.
- Student records are only to be disclosed by the Office of the Registrar where appropriate.
- Records regarding faculty, staff, and other members of the College community should not be disclosed unless such a disclosure is in keeping with the college-wide Access to Information and Protection of Privacy Policy.
- An individual has the right to make a formal request for information, if the information requested is not provided through the above routine processes. All formal requests for information are to be in writing and addressed to the Freedom of Information and Privacy Coordinator.
- 4.4 Retention of Personal Information
- The Act requires that personal information that is used is to be kept for a minimum of one year. There may also be internal and legal considerations that require a longer retention period.
- When information is updated the outdated information must be retained in some form so that it is available for the prescribed retention period of one year. The outdated documentation does not necessarily need to be stored in the same location as the current information.
- 4.5 Disposal of Personal Information
- Ensure material for shredding has completed its scheduled retention according to FIPPA and the department’s records retention schedule.
- Check with the dean/manager to confirm that there is no active legal investigation, freedom of information reviews or audits relating to the records that are scheduled for disposal.
- Personal information is to be destroyed in such a way that it cannot be reconstructed or retrieved. Paper and other hard copy records should be burned, pulped, or shredded rather than disposed of as garbage.
- Personal information on magnetic media such as tape or disk should be disposed of by magnetic erasure or by destruction of the medium. When the medium is retained and re-used within a secure environment, reformat or clear prior to re-using. For further information, contact the Loyalist College IT Department.
- Take all reasonable steps to protect the security and confidentiality of the personal information that is to be disposed of.
- 4.6 Access Procedure
- A person seeking access to a record shall,
- make a request in writing to the College’s Freedom of Information and Privacy Co-ordinator;
- provide sufficient detail to enable the Co-ordinator, upon a reasonable effort, to identify the record; and
- at the time of making the request, pay the fee prescribed
- If the Co-ordinator is of the opinion on reasonable grounds that the request is frivolous or vexatious, or if the request does not sufficiently describe the record sought, the Co-ordinator shall inform the applicant of the defect and shall offer assistance in reformulating the request.
- The applicant may indicate in the request that it shall, if granted, continue to be in effect for a specified period of up to two years.
- When a request that is to continue to be in effect is granted, the institution shall provide the applicant with,
- a schedule showing dates in the specified period on which the request shall be deemed to have been received again, and explaining why those dates were chosen; and
- a statement that the applicant may ask the Privacy Commissioner to review the schedule.
- This section applies as if a new request were being made on each of the dates shown in the schedule.
- a) Where the Co-ordinator receives a request for access to a record that the College does not have in its custody or under its control, the Co-ordinator shall make all necessary inquiries to determine whether another institution has custody or control of the record. The Co-ordinator shall within fifteen days after the request is received,
- forward the request to the other institution; and
- give written notice to the person who made the request that it has been forwarded to the other institution.
- b) Where the College receives a request for access to a record and the Co-ordinator considers that another institution has a greater interest in the record, the Co-ordinator may transfer the request and, if necessary, the record to the other institution, within fifteen days after the request is received.
- c) Where the Co-ordinator refuses to give access to a record or a part of a record because (s)he is of the opinion that the request for access is frivolous or vexatious, the Co-ordinator shall in writing, advise the applicant:
- that the request is refused because of the opinion that the request is frivolous or vexatious;
- the reasons for the opinion that the request is frivolous or vexatious; and
- that the person who made the request may appeal to the Privacy Commissioner under subsection 50 (1) for a review of the decision.
- d) Before the Co-ordinator grants a request for access to a record,
- that the Co-ordinator has reason to believe might contain information that affects the interest of a person other than the person requesting information; or
- that is personal information that the Co-ordinator has reason to believe might constitute an unjustified invasion of personal privacy,
- the Co-ordinator shall give written notice to the person to whom the information relates.
- e) The notice shall contain,
- a statement that the Co-ordinator intends to release a record or part thereof that may affect the interests of the person;
- a description of the contents of the record or part thereof that relate to the person; and
- a statement that the person may, within twenty days after the notice is given, make representations to the Co-ordinator as to why the record or part thereof should not be disclosed.
- f) Where the Co-ordinator gives notice to a person under 4.6 section (e), the Co-ordinator shall also give the person who made the request a written notice of delay, setting out,
- that the record or part thereof may affect the interests of another party;
- that the other party is being given an opportunity to make representations concerning disclosure; and
- that the Co-ordinator will within thirty days decide whether or not to disclose the record.
- g) Where a notice is given under 4.6 section (e), the person to whom the information relates may, within twenty days after the notice is given, make representations as to why the record or the part thereof should not be disclosed.
- h) Representations under 4.6 section (g) shall be made in writing.
- i) The Co-ordinator shall, within thirty days after the notice under 4.6 section (e) is given, but not before the earlier of,
- the day the response to the notice from the person to whom the information relates is received; or
- twenty-one days after the notice is given,
- decide whether or not to disclose the record or the part thereof and give written notice of the decision to the person to whom the information relates and the person who made the request.
- j) Where the Co-ordinator decides to disclose a record or part thereof under 4.6 section (i), the Co-ordinator shall state in the notice that,
- the person to whom the information relates may appeal the decision to the Privacy Commissioner within thirty days after the notice is given; and
- the person who made the request will be given access to the record or a part thereof unless an appeal of the decision is commenced within thirty days after the notice is given.
- k) Where, under 4.6 section (i), the Co-ordinator decides to disclose the record or a part thereof, the Co-ordinator shall give the person who made the request access to the record or part thereof within thirty days after notice is given under 3.10 section (j), unless the person to whom the information relates asks the Privacy Commissioner to review the decision.
- l) In the case of a request by the spouse or a close relative of a deceased individual for disclosure of personal information about the deceased individual, the person making the request shall give the Co-ordinator all information that the person has regarding whether the deceased individual has a personal representative and how to contact the personal representative.
- m) Notice of refusal to give access to a record or a part thereof shall set out,
- where there is no such record,
- that there is no such record, and
- that the person who made the request may appeal to the Privacy Commissioner the question of whether such a record exists; or
- where there is such a record,
- the specific provision of this Act under which access is refused,
- the reason the provision applies to the record,
- the name and position of the person responsible for making the decision, and
- that the person who made the request may appeal to the Privacy Commissioner for a review of the decision.
- Where the Co-ordinator refuses to confirm or deny the existence of a record as provided in subsection 14 (3) (law enforcement), section 14.1 (Civil Remedies Act, 2001), section 14.2 (Prohibiting Profiting from Recounting Crimes Act, 2002) or subsection 21 (5) (unjustified invasion of personal privacy) of FIPPA, the Co-ordinator shall state in the notice given under section 26,
- that the Co-ordinator refuses to confirm or deny the existence of the record;
- the provision of this Act on which the refusal is based;
- the name and office of the person responsible for making the decision; and
- that the person who made the request may appeal to the Privacy Commissioner for a review of the decision.
- Where a person examines a record or a part thereof and wishes to have portions of it copied, the person shall be given a copy of those portions unless it would not be reasonably practicable to reproduce them by reason of their length or nature.
5. Appeals
A person who has made a request for
- access to a record;
- access to personal information; or
- correction of personal information;
or a person who is given notice of a request, may appeal any decision of a Co-ordinator under this Act to the Privacy Commissioner.
A person who files an appeal shall pay the fee prescribed by the regulations for that purpose.
An appeal shall be made within thirty days after the notice was given of the decision appealed from by filing with the Privacy Commissioner written notice of appeal.
6. Fees
- a) The following are the fees that shall be charged for access to a record:
- For photocopies and computer printouts, 20 cents per page.
- For records provided on CD-ROMs, $10 for each CD-ROM.
- For manually searching a record, $7.50 for each 15 minutes spent by any person.
- For preparing a record for disclosure, including severing a part of the record, $7.50 for each 15 minutes spent by any person.
- For developing a computer program or other method of producing a record from machine readable record, $15 for each 15 minutes spent by any person.
- b) The costs, including computer costs that the institution incurs in locating, retrieving, processing and copying the record if those costs are specified in an invoice that the institution has received.
- c) The following are the fees that shall be charged for access to personal information about the individual making the request for access:
- For photocopies and computer printouts, 20 cents per page.
- For records provided on CD-ROMs, $10 for each CD-ROM.
- For developing a computer program or other method of producing the personal information requested from machine readable record, $15 for each 15 minutes spent by any person.
- d) The costs, including computer costs that the institution incurs in locating, retrieving, processing and copying the personal information requested if those costs are specified in an invoice that the institution has received.
- e) If the Co-ordinator gives a person an estimate of an amount payable under the Act and this Policy and the estimate is $100 or more, the Co-ordinator may require the person to pay a deposit equal to 50 per cent of the estimate before the Co-ordinator takes any further steps to respond to the request.
- f) For more information about the application of these procedures, please contact the Freedom of Information and Privacy Coordinator at 613-969-1913 Ext. 2331.
7. Privacy Breach Response Protocol
The College’s breach response protocol involves a number of elements that overlap and support one another. While every privacy breach incident will require a tailored response, the steps set out under each of the following elements will help guide the College through an effective privacy breach response.
- a) Assessment
- The assessment of a suspected privacy breach is a key element that ought to begin as soon as possible and continue throughout the privacy breach response process. Some of the key objectives of the assessment are to:
- Confirm that a breach occurred;
- Determine how the breach occurred;
- Assess what personal information may have been affected;
- Identify the individuals to whom the affected personal information relates;
- Evaluate any risks that may arise from the breach.
- b) Containment
- The steps taken to contain a breach will vary depending on the circumstances, but may include steps taken to achieve the following objectives:
- Coordinating with relevant personnel;
- Stopping any unauthorized practices;
- Shutting down or fettering any electronic system that was breached;
- Revoking or changing digital credentials;
- Correcting weaknesses in physical or electronic security;
- Taking steps to recover any lost personal information.
- c) Documentation
- The Freedom of Information and Privacy Coordinator is responsible for documenting all relevant details of the privacy breach event. Individuals who report or have knowledge of a potential privacy breach ought to report all information relevant to the assessment and containment of the suspected breach to the Freedom of Information and Privacy Coordinator.
- d) Notification
- If a privacy breach is confirmed, the College may need to take some or all of the following steps:
- Review the assessment process to identify the individuals who were affected by the breach, as well as the personal information that was lost, misdirected, or accessed without authorization.
- Determine which, if any, statutory breach response regime applies.
- Identify the most appropriate way to notify affected individuals who must be notified of the privacy breach in light of the quantity and sensitivity of the information.
- Prepare an appropriate notification that includes some or all of the following:
- Details of the circumstances of the privacy breach, including the personal information elements that were subject to the privacy breach;
- Steps or measures that have and/or will be taken to address the breach;
- Contact information that affected individuals can use to ask further questions.
- e) Remediation
- If a privacy breach incident is confirmed, the College will take steps to remediate the situation that led to the incident. The remediation steps taken may vary significantly depending on the circumstances and nature of the information at issue, and may include some or all of the following:
- The Freedom of Information and Privacy Coordinator may delegate the authority and responsibility to conduct an investigation into the matter, which may include:
- Reviewing and continuing the assessment that began at the onset of the privacy breach response protocol;
- Ensuring that the privacy breach is adequately contained;
- Reviewing the adequacy of existing policies and procedures in place to protect personal information;
- Assessing any risks that may result from the privacy breach;
- Advise the Freedom of Information and Privacy Coordinator of the findings of the investigation;
- Ensure staff are adequately educated and trained with respect to security safeguards for the protection of personal information.
- Where appropriate, determine the appropriate recourse if a malicious actor was involved in the privacy breach incident.
- Where appropriate, determine any measures that may need to be implemented to mitigate security risks resulting from the privacy breach.
- Where applicable, cooperate and assist in any further investigation into the incident.
8. Student Counselling Services
- The College recognizes that the information you provide is private and we are committed to keeping that information confidential.
- As a Counselling Service, we are required to keep a record of each of your interactions with anyone in our service. That record will be retained for 10 years after your last contact with us. All members of Loyalist’s Counselling Services will have access to your counselling record.
- Please note that your counselling record will only be accessed by the Counselling Service and its agents for the purposes of providing counselling service, or where required or permitted by law.
- You may request access to personal health information in the custody or control of Counselling Services in accordance with the access procedure set out in section 4.6. Due to the nature of personal information held by Counselling Services, please note that there may be circumstances where the College may need to vary the access procedure in accordance with applicable law.
9. Health Centre
- Please be advised that personal information, including personal health information, that is held by the Health Centre is not in the custody or control of the College. The Health Centre operates under a memorandum of understanding for the provision of health care in association with the College.
- A request for access to information held by the Health Centre ought to be directed to the Health Centre.
10. References
- Freedom of Information and Protection of Privacy Act (FIPPA), R.S.O. 1990, c.F.31