Privacy policy
Classification: Information Management
Approval Authority: General Counsel
Implementation Authority: Access and Privacy Coordinator
Effective Date: May 1, 2007
Latest Revision: March 15, 2011
Table of Contents
Purpose……………………….1
Scope………………………….2
Definitions…………………..3
Policy Statement…………4
Responsibilities…………..5
Appendices…………………6
Procedure……………………7
Instructions/Forms……..8
Parent Policy……………….9
Related Information……10
References………………….11
History…………………………12
1 Purpose
The University of Calgary is committed to protecting the privacy of individuals who work and study at the University or who otherwise interact with the University in accordance with the
standards set out in the Freedom of Information and Protection of Privacy Act.
The purpose of this policy is to tell individuals how the University fulfills that commitment.
2 Scope
This policy applies to Personal Information in the custody or under the control of the University of Calgary.
3 Definitions
In this policy:
a) “Collection” means the act of gathering, acquiring, recording, or obtaining Personal Information from any source and by any means.
b) “Consent” means a voluntary agreement to a Collection, use, and/or Disclosure of Personal Information for defined purposes.
c) “Disclosure” means making Personal Information available to a Third Party.
d) “FOIP” refers to the Freedom of Information and Protection of Privacy Act.
e) “Formal Access Request” refers to a request for access to information which cannot be answered through existing or established processes. A Formal Access Request is processed under terms and conditions set out in FOIP.
f) “Personal Information” means information about an identifiable individual including but not limited to: i. name ii. home address iii. SIN iv. gender v. income vi. family status vii. student grades Personal Information does not include work product information, that is, information that is prepared or collected by an employee as part of the employee’s work responsibilities.
g) “Third Party” means a person, a group of persons, or an organization other than the individual the information is about. An employee of the University, acting in his or her official capacity, is not considered a third party.
h) “University Official” refers to an individual who has authority to act in an administrative capacity at the University.
4 Policy Statement
Accountability
4.1 Responsibility for ensuring compliance with the provisions of FOIP rests with the University’s General Counsel.
4.2 The General Counsel may delegate responsibility for managing activities relating to the Collection, accuracy, protection, use, Disclosure and retention of Personal Information. This delegation will be detailed in the Delegation of Authority which is attached as an appendix to this policy.
4.3 The General Counsel will appoint an Access and Privacy Coordinator to:
a) coordinate the development and implementation of policies and procedures to manage the University’s compliance with Part 2 of FOIP; and
b) provide support services to University officials on matters pertaining to the protection of Personal Information.
Collection of Personal Information
4.4 The University will collect Personal Information only for the following purposes:
a) the information relates directly to and is necessary for an operating program or activity of the University;
b) the Collection of information is expressly authorized by an enactment of Alberta or Canada; or
c) the information is collected for the purposes of law enforcement
4.5 The University will collect Personal Information directly from the individual the information is about unless there is a reasonable requirement to collect from another source and the indirect Collection is permitted under FOIP.
4.6 Details relating to the purpose for the Collection of Personal Information will be provided to the individual when Personal Information is collected directly from the individual.
Use of Personal Information
4.7 Personal Information will not be used for a purpose other than the purpose for which it was collected or for a use consistent with that purpose except with the Consent of the individual or as permitted under FOIP.
Disclosure of Personal Information
4.8 Personal Information will only be made public or disclosed to a Third Party under the following circumstances:
a) the Disclosure is for the purpose identified at the time of collection or for a purpose consistent with the original purpose,
b) the individual the Personal Information is about has consented to the Disclosure,
c) the Disclosure is not considered to be an unreasonable invasion of privacy, or
d) the Disclosure is required, permitted or authorized under FOIP.
4.9 It is not considered to be an unreasonable invasion of a student’s privacy to release the following information to a Third Party:
a) dates of registration at the University of Calgary;
b) faculty/department or program of registration at the University of Calgary;
c) degree(s)/diploma(s) awarded from the University of Calgary;
d) convocation dates;
e) attendance at or participation in a public event or activity related to the institution (e.g. graduation, sporting or cultural event); or
f) Personal Information already in the public domain.
NOTE: this information may be restricted in specific cases for security reasons. Any restrictions on disclosure will be noted as a “Negative Service Indicator”. These service indicators are displayed and can be accessed from the main components in the PeopleSoft Student system.
4.10 It is not considered to be an unreasonable invasion of an employee’s privacy to release the following information to a Third Party:
a) employment status;
b) business address, telephone number, e-mail address;
c) job title;
d) job profile; The electronic version is the official version of this policy. Page 4 of 6
e) rank, job family;
f) salary range;
g) discretionary benefits;
h) relevant educational qualifications;
i) attendance at or participation in a public event or activity related to the institution (e.g. sporting or cultural event);
j) Personal Information already in the public domain; or
k) publications listed in an academic staff member’s annual report.
This information is generally available in public or published sources such as the telephone directory, the calendar, or the collective agreement. Requests for the personal information of an employee that is not readily available will be referred to the employee’s supervisor or to Human Resources
4.11 Teaching material and research information of employees may be disclosed to University Officials for administrative purposes.
Acuracy
4.12 The University will take reasonable steps to ensure that Personal Information in its custody or under its control is as accurate and complete as is necessary for the purposes for which it is to be used.
4.13 Individuals will normally be able to correct or update certain categories of Personal Information, such as contact information, on their own. To request a correction of other types of Personal Information, individuals may contact the data custodian.
4.14 If the data custodian is unable to make the correction for any reason, the individual may file a request, in writing, for correction with the Access and Privacy Coordinator.
4.15 If the University is satisfied that the individual’s request for correction is reasonable, the correction will be made as soon as possible.
4.16 The University will also send the corrected Personal Information to any organization to which it was disclosed during the year before the correction was made if the information could have been used to make a decision about the individual.
Retention
4.17 The University will retain Personal Information only as long as necessary for the fulfillment of its purposes as defined in its retention rules.
Security
4.18 The University will take reasonable steps to protect information from unauthorized access, collection, use, disclosure or destruction.
4.19 When the University retains an external organization to undertake work on its behalf that involves the disclosure of Personal Information, the The electronic version is the official version of this policy. Page 5 of 6 University will enter into an information sharing agreement with that organization. The information sharing agreement will set out conditions that ensure that the University’s responsibility for the protection of Personal Information will be fulfilled by the external organization on its behalf.
Access
4.20 Individuals have a right of access to Personal Information about themselves in the custody or under the control of the University subject to specific and limited exceptions as provided in FOIP.
4.21 Employment or academic references will only be disclosed to the subject with the consent of the referee.
4.22 A request by an individual for access to his/her own Personal Information should initially be directed to the data custodian or by following existing procedures for access to the information. If there is no process in place and/or the data custodian is unable to provide access for any reason, the applicant may file a Formal Access Request with the Access and Privacy Coordinator. A Formal Access Request must be made in writing.
4.23 A request by one individual for access to the Personal Information of another individual should initially be directed to the data custodian. If the data custodian is unable to provide access for any reason, the applicant may file a Formal Access Request with the Access and Privacy Coordinator. A Formal Access Request must be made in writing and must be accompanied by a $25 application fee.
4.24 A request by a University Official for access to the Personal Information of an employee or student should be directed to the data custodian. Access will be provided when the University Official needs the information in order to do his/her job or when the University Official is operating within his/her mandated authority.
4.25 The Access and Privacy Coordinator will establish and maintain the procedure for responding to Formal Access Request.
4.26 Fees for producing records in response to a Formal Access Request for your own personal information may be charged if the total fee is estimated to be greater than $10. Fees will be assessed in accordance with the Fees Schedule (Schedule 2) attached to the FOIP Regulation (Alberta Regulation 200/95).
4.27 Fees for producing records in response to a Formal Access Request for the Personal Information of another individual will be assessed in accordance with the Fees Schedule (Schedule 2) attached to the FOIP Regulation (Alberta Regulation 200/95).
Questions, Complaints
4.28 The Access and Privacy Coordinator will respond to questions or concerns about the University’s management or treatment of personal information.
Violations
4.29 Violators of this policy may be subject to penalties under University regulations, collective agreements, and under provincial and federal law.
5 Responsibilities
5.1 Approval Authority
a) ensure appropriate rigour and due diligence in the development or revision of this policy.
5.2 Implementation Authority
a) ensure that University staff are aware of and understand the implications of this policy and related procedures;
b) monitor compliance with the policy and related procedures;
c) regularly review the policy and related procedures to ensure consistency in practice;
d) sponsor the revision of this policy and related procedures when necessary;
e) appoint a Policy Advisor to administer and manage these activities.
6 Appendices
7 Procedure
Formal Access Request Procedures
8 Instructions/Forms
Request to Access Information Form
Request to Correct Personal Information Form
Reference Consent Form
9 Parent Policy
Acceptable use of Information Assets Policy
10 Related Information
Collection Notices
Dealing with Confidential Records
Disclosing Personal Information of Employees to Third Parties
Disclosing Personal Information of Students to Third Parties
Disclosing Personal Information of Employees to the Subject
Disclosing Personal Information of Students to the Subject
Duty to Assist
Recruitment and Selection
11 References
Freedom of Information and Protection of Privacy Act (RSA 2000, Chapter F-25)
12 History
Approved: April 15, 2007
Effective: April 15, 2007
Revised: s. 4.9(b) revised to include the terms ‘department’ and ‘program’; February 24, 2010.
Revised: s. 4.29 added, March 15, 2011.