Information Protection and Providing Access to Restricted Information Procedure (Privacy Procedure)
- Related Documents: Information Protection and Access - Restricted Information Policy (Privacy Policy), Employee Confidentiality Agreement (external link)
- Owner: General Counsel and Secretary of the Board of Governors
- Approval Dates: October 2008, March 2011
- Currently under review
This document outlines in detail how Toronto Metropolitan University (the "University") will comply with its legal obligations to protect restricted types of information, such as personal information, and respond to access-to-information requests, privacy breaches and privacy complaints. The authority for these procedures derives from theInformation Protection and Access Policy – Restricted Information. These procedures fall under the jurisdiction of the General Counsel.
I. Objectives
a. To manage and reduce the risk of collection, misuse, destruction or loss of restricted information without limiting academic freedom or complicating access to information for which the University has a legitimate and specific need;
b. To define the roles and responsibilities of University employees regarding restricted information in the custody and control of the University, as well as procedures to protect against unauthorized disclosure of restricted information;
c. To communicate the authorized procedures for receiving and responding to requests for access to restricted information or complaints about the University’s collection, use and/or disclosure of restricted information; and,
d. To communicate the authorized procedure for responding to a suspected privacy breach.
II. Definitions
"Custody and control" has the same meaning as under FIPPA and for the University’s purposes is established by evaluating the University’s role in the creation, use, retention and destruction of records. Importantly, establishing custody or control of records determines whether access and privacy protection legislation applies to University records. For example, the University does not have custody or control over records of the Ombudsperson or the students’ unions because the University does not create the records, determine retention periods or have control over destruction of these records. The University does have custody and control over records in the various administrative and academic areas. The University's official Records Retention Schedule listed under the Records Management Policy clarifies custody and control for records in the University.
"FIPPA" means the Freedom of Informtion and Protection of Privacy Act (Ontario).
"I&P Officer" means the Information and Privacy Officer for the University.
"I&P Contact" means persons appointed within their administrative or academic unit to liaise between the I&P Officer and their unit for the purposes of responding to an access to information request made under FIPPA.
"Personal information" has the same meaning as under FIPPA and means recorded information about an identifiable individual, including:
a. information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
b. information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
c. any identifying number, symbol or other particular assigned to the individual,
d. the personal address, personal telephone number, fingerprints or blood type of the individual,
e. the personal opinions or views of the individual except where they relate to another individual,
f. correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
g. the views or opinions of another individual about the individual, and
h. the individual's name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.
It does not include business contact information which is defined as name, title and contact information (e-mail, telephone number, fax number and address) utilized in a place of work.
"Record" has the same meaning as under FIPPA and means any record of information however recorded, whether in printed form, on film, by electronic means or otherwise, and includes, (a) correspondence, a memorandum, a book, a plan, a map, a drawing, a diagram, a pictorial or graphic work, a photograph, a film, a microfilm, a sound recording, a videotape, a machine readable record, any other documentary material, regardless of physical form or characteristics, and any copy thereof, and (b) subject to the regulations in FIPPA, any record that is capable of being produced from a machine readable record under the control of the University by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the University.
"Toronto Metropolitan University Act" means the Toronto Metropolitan University Act, 1977 (amended) (Ontario).
"Restricted information" means a record which the University has a responsibility to protect from unauthorized disclosure, and a record that is under the University’s custody or control and is subject to exclusions or exemptions under FIPPA. In the event of an unauthorized disclosure, such a record carries with it an expectation of harm to the University, a third party, or the administration of justice. Restricted has the same meaning as in FIPPA under sections dealing with exemptions and exclusions, and examples relevant to the University context include:
a. teaching records means teaching materials collected, prepared or maintained by an employee of the University or by a person associated with the University for use at the University (FIPPA Section 65 (8.1));
b. research records means information respecting or associated with research conducted or proposed by an employee of the University, or by a person associated with the University (FIPPA Sections 65 (8.1) and 18(1)(b));
c. economic records means records relating to trade secrets, financial, commercial, scientific or technical information that has monetary value or is related to the competitive position of the University (FIPPA Section 18 (1) (a) and (c));
d. labour relations records means:
i. proceedings or anticipated proceedings before a court, tribunal or other entity relating to labour relations or to the employment of a person by the University,
ii. negotiations or anticipated negotiations relating to labour relations or to the employment of a person by the University between the University and a person, bargaining agent or party to a proceeding or an anticipated proceeding,
iii. meetings, consultations, discussions or communications about labour relations or employment-related matters in which the University has an interest, (FIPPA Section 65 (6) and (7));
f. records of institutional plans means records relating to the management of personnel or administration of the University that have not yet been put in to operation or made public, and information including proposed plans, policies, or projects of the University (FIPPA Section 18 (1)(e-g));
g. records containing advice or recommendations means information that outlines course of action that will be accepted or rejected by the person being advised. It is not background, factual, analytical or evaluative information, nor is it a draft, report, survey, cost estimate, or final plan (FIPPA Section 13);
h. third party records means trade secret, scientific, technical, commercial, financial or labour-relations information supplied in confidence implicitly or explicitly and under FIPPA this definition is expressly limited to circumstances where the unauthorized disclosure carries a reasonable expectation of harm (FIPPA Section 17(1));
i. government-relations records means information received by the University in confidence from a government or government agency (FIPPA Section 15);
j. solicitor-client records means records subject to solicitor-client privilege or records prepared by or for use by legal counsel employed or retained by the University for use in giving legal advice or in contemplation of or for use in litigation (FIPPA Section 19);
k. law enforcement records means:
i. records used or expected to be used in a law-enforcement proceeding,
ii. records containing investigative techniques or procedures currently in use or likely to be used,
iii. records containing information that would disclose the identity of the confidential source of information in respect of a law-enforcement matter,
iv. law enforcement intelligence information respecting organizations or persons,
v. records that have been confiscated by a peace officer in accordance with an Act or regulation,
vi. records containing information related to building security, vehicle security, or systems or procedures for protecting sensitive items,
vii. records containing information that would facilitate the commission of an unlawful act or hamper the control of crime,
viii. records that are reports prepared in the course of law enforcement, inspections or investigations by law enforcement (FIPPA Section 14(1) and (2));
l. closed-meetings records means records that reveal the substance of deliberations of a meeting or the subject matter of a meeting of the Board of Governors or the Senate or a committee of the Board of Governors or the Senate (FIPPA Section 18.1 (1); and
m. personal information records are defined above (FIPPA Section 49).
"Third party" means a person, contractor, union, association, organization or corporation other than the University.
III. Roles and Responsibilities
1. University employees have a duty to provide access to information which is not considered restricted or personal upon request. This duty is in line with the University’s commitment to accountability and transparency.
2. University employees have a duty to (i) protect restricted and personal information that is used, collected, retained or disclosed in the course of University activities and (ii) notify their manager in the event of a suspected privacy breach in accordance with the University’s privacy incident notification process, details about which are available on the General Counsel’s website.
3. The person with authority for each university administrative policy, procedure, practice or guideline is responsible for ensuring that these comply with relevant privacy-protection legislation, which in most cases is FIPPA.
4. The University’s senior directors and deans are responsible for the establishment of practices and procedures that ensure compliance with privacy-protection obligations under law. They are responsible for ensuring areas under their supervision are able to respond to access to information requests within legislated timelines.
5. The University’s managers, directors, chairs, and supervisors are accountable for implementing practices and procedures designed to ensure compliance with relevant legislation, and with the University’s privacy incident notification process. They are responsible for (i) contacting the I&P Officer in the event of a suspected privacy breach; (ii) appointing an employee within their unit as an I&P Contact person and another employee as a back-up; (iii) communicating this information to the University’s I&P Officer; and, (iv) the accuracy, disposal, and security of personal information and personal information banks within their units including encryption of personal information on mobile devices, and the provision of notices of collection to academic departments and/or operational units under their supervision where personal information is collected, used, retained, and/or disclosed.
6. Under FIPPA, the President of the University may delegate responsibility for responding to requests for access to information, to privacy complaints and to privacy breaches, as well as for gathering personal information into personal information banks. At the University, these responsibilities are delegated to the General Counsel. The I&P Officer provides direct support to General Counsel in these matters. General Counsel also responds to requests by an individual for access or corrections to his or her personal information.
7. I&P Officer liaises with General Counsel and all I&P Contacts. The I&P Officer is responsible for managing requests for access to information, requests to correct personal information, resolving privacy incidents and privacy complaints regarding records in the University’s custody or control and this also includes the responsibility for creating procedures and best practices related to these matters, all of which are on the General Counsel’s website.
8. The I&P Officer also disseminates information throughout the University pertaining to the protection of privacy and promotion of public access to unrestricted records.
9. I&P Contacts coordinate their unit’s response to a request for access to information and liaise directly with the I&P Officer.
IV. Information and Privacy Legislation Highlights
1. Collection and Use of Personal Information
The University limits the collection and use of personal information to that necessary to perform operations essential to its educational mandate, as authorized by the Toronto Metropolitan University Act, or as consistent with FIPPA Sections 41-43. The University must identify the uses for which personal information is collected, at or before the time the information is collected, by posting a notice of collection, by modifying information collection forms, or by other means as appropriate in the circumstances. The University will not use or disclose personal information for purposes other than those for which the information was collected or those that are reasonably consistent with the original collection purpose, except with the direct consent of the individual or unless required or authorized by law. Use or disclosure of personal information not covered by a notice of collection, or without the consent of affected individuals, or that is not used or shared for what would be considered a consistent purpose, or that is not necessary to the legitimate functions of the University is considered a breach of personal privacy.
It is the University’s responsibility to ensure that its practices and procedures for using personal information comply with relevant legislation. It is each administrative unit’s and academic department’s responsibility to ensure that a current notice of collection covering all necessary uses of personal information is in place before the use is required. Staff should consult with the I&P Officer to ensure that their area’s notices are sufficient.
2. Consent
An individual’s consent must be obtained in order to collect, use or disclose their personal information, unless required or authorized by law. The University obtains consent from individuals through notices of collection on information-gathering forms. The University obtains indirect consent under limited circumstances, such as when a notice is posted in a publicly-available space to inform individuals that their image is being captured on video surveillance tapes or to inform individuals that their photo may be taken at an event and used for promotional purposes. By choosing to enter the space, individuals imply their consent.
Personal information that is otherwise publicly available may not require consent prior to its collection, use or disclosure.
3. Research using Personal Information in University Records
Under FIPPA, an individual must provide direct consent for the University to use their personal information for research purposes. University records cannot be utilized for research unless the information is made anonymous or appears in the form of aggregate data.
The University's Research Ethics Board will assist researchers with proposals and research agreements involving restricted information and records, including those that contain personal information that may or may not be under the University's custody or control. When University records are the subject material, the Research Ethics Board is responsible for ensuring that proposals comply with relevant legislation regarding collection, use, disclosure and destruction. Research agreements will cover the University's right to audit the researcher’s records to ensure compliance with privacy requirements including adequate security, minimum retention periods, secure destruction, and the researcher’s responsibility to notify affected individuals and the University in the event of a privacy breach. This Office will direct questions regarding the legislation to the I&P Officer.
4. Fundraising using Personal Information
Upon graduation, the Registrar transfers limited amounts of graduates’ personal information to University Advancement for the purpose of building a relationship with alumni, which includes fundraising. University Advancement also collects, uses and retains personal information about prospective donors, current donors, former employees, and friends of the University for purposes consistent with advancing the University's educational mission. University Advancement is responsible for ensuring that uses of personal information for fundraising are in accordance with relevant legislation. University Advancement will provide the above mentioned groups with notice of their right to request that their information cease to be used for fundraising purposes when they are first contacted and periodically thereafter.
When University Advancement uses a third-party service provider, such as an affinity partner or bonded mailing house, the University will enter into a written agreement that includes a privacy protection schedule (available from General Counsel) which covers the limited use, disclosure and retention requirements and ensures the complete destruction of personal information.
Direct questions about use of personal information by University Advancement to the Executive Director, Alumni Relations who will consult with the I&P Officer.
5. Retention of Restricted Information
The University will retain restricted information as long as necessary for the fulfillment of its purposes and in accordance with the University's Records Retention Schedule, and possibly other regulatory requirements. In accordance with FIPPA, records that contain personal information and that are in the custody or control of the University must be retained for a minimum of one year after the date of last use. University operational areas and academic departments that hold these types of records are responsible for taking necessary security precautions to prevent the unauthorized disclosure of this information while it remains in their custody or control. This includes encryption of personal information on mobile devices, such as laptop computers, portable memory devices and mobile phones.
Direct questions about information security to the University's Information Systems Security Officer, Communication and Computer Services, or the I&P Officer. Direct questions about records management to the Records Management Coordinator.
6. Destruction of Restricted Information
Upon completion of the minimum required retention period, operational areas and academic departments which have records containing restricted information are responsible for the secure destruction of the records or transmittal to the University Archives, as required by the official records retention schedule in Records Management Policy. Secure destruction methods protect this information from unauthorized disclosure.
Should the University receive a request for access to information in records that have passed their retention date but are still in the University’s custody or control (in other words these records were not destroyed as mandated), the University is obliged to consider releasing them and to comply with statutory obligations surrounding the access and privacy of such records.
Direct questions about secure destruction methods to the University's Information Systems Security Officer, Communication and Computer Services, or the I&P Officer. Direct questions about the University’s records retention schedule to the Records Management Coordinator.
7. Disclosure of Restricted Information
The University will comply with relevant legislation and will not disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or unless required or authorized by law. Disclosure of personal information for a purpose consistent with the original use, and disclosure to a University employee, consultant, or agent who needs personal information for the performance of their role in legitimate university functions is permitted by FIPPA (Section 42).
For law enforcement records, there are additional considerations around disclosure in the university context beyond what our obligations are under relevant legislation. The University has its own security procedures that operate in conjunction with FIPPA. These fall under the responsibility of Community Safety and Security. Contact them before sharing any student’s, employee’s, alumni’s or donor’s personal information with outside law enforcement agencies (416-979-5040). This is not to hinder any investigation or emergency response, but rather to ensure the overall security and safety of all persons on the University campus.
In accordance with Section 14(3) of FIPPA, the University may refuse to confirm or deny the existence of a record that contains personal or sensitive information in law enforcement records.
Notwithstanding this, upon request the University will disclose restricted information, other than personal information, when there is no element of associated harm or with the consent of affected individuals and third parties as appropriate, or as required or authorized by law. If the disclosure is part of a request for access to information under FIPPA or other relevant legislation, the University will comply with its statutory obligations and will exercise discretion in the application of legislated exemptions and exclusions to achieve a balance between transparency and the protection of personal privacy and restricted information.
The University will comply with its statutory obligations regarding an individual’s right of access and correction to records about themselves as well as the limited exemptions to these circumstances (FIPPA Sections 47, 48, 49).
8. Disclosure of Restricted Information to Third Parties and Third-Party Disclosures to the University
It is a necessary part of university operations for the University to work with third parties such as service providers or external consultants. As part of such transactions, it may be necessary that restricted information is disclosed by the University to the third party or by the third party to the University. Before disclosing restricted information to a third party, the University will review the information to be shared to ensure that only those elements necessary to accomplish the task are shared. The University will prepare a written contract with the third party, which outlines limitations on use, access, and disclosure in place to protect personal and other forms of restricted information. For this purpose, General Counsel has developed a Privacy Protection Schedule which is available upon request. This schedule addresses collection, use, access, retention, disclosure and destruction of personal information and provides the University with authority to audit the third party for compliance with the schedule’s provisions.
It is the University’s responsibility to make third parties aware of how the information related to a contract with the University is affected by privacy-protection legislation.
University departments in relationships with third parties are responsible for (i) performing risk assessments on disclosures that involve restricted information, with particular attention to transactions involving personal information, (ii) ensuring that the contracts contain the appropriate privacy provisions, (iii) developing an appropriate information protection plan, and (iv) contacting the I&P Officer for information about how the contract may be affected by relevant privacy-protection legislation.
V. Jurisdiction
The interpretation of these procedures falls under the jurisdiction of the General Counsel.