Date and Instance of Approval:
2004-07-13
Executive Committee of the Board of Governors
Amendments:
2024-10-23
2018-03-28
2012-02-21
Responsible Service: Office of the Secretary-General
PURPOSE
- The purpose of this Policy is to confirm the University of Ottawa’s continued commitment to the principles of access to information (whether personal or institutional) and protection of privacy in light of access to information or protection of privacy statutes and regulations that may apply to the University (“Applicable Access and Privacy Legislation”).
APPLICATION
- This Policy and any procedures established pursuant to it apply to all Members of the University Community. “Members of the University Community” includes but is not limited to:
- Employees, including all unionized and non-unionized academic and support staff as well as those whose salary is paid through sources other than the University’s operating funds, such as grants, research grants and external contracts;
- Students and learners;
- Clinicians and physicians with an academic appointment; adjunct, visiting and emeritus professors; post-doctoral or clinical fellows; research trainees; and medical residents;
- Contractors, consultants, suppliers or other entities engaged by the University to provide services or goods when on University property or while acting in a capacity defined by their relationship to the University;
- Members of the Board of Governors, of the Senate and any of their respective committees, as well as members of any advisory committee formed to help the University achieve its goals;
- Employees of both unionized and non-unionized employee and student groups when on University property or while acting in a capacity defined by their relationship to the University; and
- Visitors, volunteers or persons who serve on advisory or other committees.
INTERPRETATION
- The University of Ottawa is subject to Ontario’s Freedom of Information and Protection of Privacy Act (“FIPPA”) and regulations thereunder. This Policy is not intended to restate the provisions of FIPPA or any other Applicable Access and Privacy Legislation. However, the provisions of this Policy and any procedures established pursuant to it shall be read in a manner that is consistent with the University’s obligations under Applicable Access and Privacy Legislation.
- This Policy shall be read in conjunction with Procedure 20-5 – Handling Access to Information Requests, Procedure 20-7 – Handling Privacy Complaints, Procedure 20-8 – Privacy Breach Response Protocol, Procedure 20-9 – Handling Personal Health Information and Procedure 20-13 Notice of Collection of Personal Information.
- This Policy shall also be read in conjunction with other instruments that may, in certain circumstances, govern access to information and protection of privacy matters including collective agreements; Policy 14a - Student Records; Policy 23 – Policy on Information Management, Policy 116 - Use and Security of Information Technology Assets; and Policy 117 - Information Classification and Handling.
- In the event of a conflict between this Policy or other University policies and FIPPA, FIPPA shall supersede this policy.
DEFINITIONS
For the purposes of this Policy and of any procedures established pursuant to it:
“Privacy Breach” means the loss of, unauthorized access to, or unauthorized disclosure of, Personal Information under the University’s custody or control. Situations that may result in a Privacy Breach include the theft or loss of a computing device including mobile devices containing Personal Information or accessing Personal Information that is not required for performance of one’s work duties.
“Personal Information” means recorded information about an identifiable individual, including the individual’s address, sex, age, education, medical or employment history and other information about the individual under the University’s custody or control as provided in FIPPA.
- Any other capitalized words or expressions used in this Policy are defined for the purposes of this Policy and any procedures established pursuant to it.
ACCESS TO INFORMATION
- The University routinely makes large amounts of its institutional information available to the public on the University’s website. If desired information is not available on the University’s website, a request for information may be made to the University’s Access to Information and Privacy Office (“AIPO”) to the attention of the Chief Privacy Officer (“CPO”), in accordance with Procedure 20-5 – Handling Access to Information Requests.
PRIVACY
- The University is committed to maintaining and protecting the integrity of Personal Information and confidential information in its custody or control.
- If a person believes his or her privacy rights have been violated, the person may file a written Privacy Complaint with the CPO, who, in turn, shall investigate the Privacy Complaint in accordance with Procedure 20-7 – Handling Privacy Complaints.
- Members of the University Community shall report a Privacy Breach (whether confirmed or suspected) to AIPO and the Privacy Breach shall be handled in accordance with Procedure 20-8 – Privacy Breach Response Protocol.
- Employees (including faculty, staff, and students employed by the University) shall handle personal health information on behalf of the University for a health care purpose in accordance with Procedure 20-9 – Handling Personal Health Information.
RESPONSIBILITIES AND DELEGATION OF POWERS
- The Secretary-General of the University shall be responsible for oversight of access to information and privacy matters at the University.
- For the purposes of FIPPA, the “head” or individual responsible for compliance with the requirements of FIPPA is the President of the University. The President delegates to the Secretary-General of the University and to the CPO all powers and duties related to the University’s compliance with the requirements of FIPPA. The President may appoint an alternate delegate in case the Secretary-General of the University and/or the CPO are unable to exercise powers or carry out duties so delegated. All such delegations are pursuant to FIPPA and do not in any way limit the authority of the President as the designated “head” under FIPPA from exercising any of the powers or carrying out any of the duties so delegated.
- Reporting to the Secretary-General of the University, the CPO handles access to information requests and investigates and responds to Privacy Complaints and Privacy Breaches. The CPO also carries out the following associated duties:
- ensure the University’s compliance with FIPPA, its regulations and other Applicable Access and Privacy Legislation;
- oversee the operational responsibilities of AIPO;
- develop and deliver awareness and training sessions on access to information and privacy;
- exercise delegated powers and duties under FIPPA;
- provide legal advice on all matters related to access to information and privacy;
- establish and review privacy policies, notices, guidelines, and processes across the University;
- conduct privacy impact assessments, or review privacy impact assessments developed by project managers;
- lead the response of a Privacy Breach pursuant to Procedure 20-8 – Privacy Breach Response Protocol;
- report on activities and statistics relevant to access to information and privacy to the Administration Committee;
- prepare and submit the University’s annual report as required under FIPPA;
- maintain a directory of Personal Information banks; and
- represent the University in interactions with the Information and Privacy Commissioner of Ontario.
- Members of the University Community shall take all reasonable measures to prevent the occurrence of a Privacy Breach.
- Members of the University Community must cooperate and assist AIPO as required in the fulfillment of the University’s obligations under this Policy, related procedures and Applicable Access and Privacy Legislation.
DISCLOSURE
- The University shall not disclose Personal Information to external individuals or organizations unless:
- otherwise provided by the Notice of Collection of Personal Information in this Policy;
- the individual is notified of such potential disclosure when the Personal Information is collected;
- the individual has consented to the disclosure;
- for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information or for the purpose of complying with rules of court relating to the production of information;
- to assist with a law enforcement investigation; or
- permitted under Applicable Access and Privacy Legislation or by law.
- Any court order requiring the University to release records or disclose personal information within its custody and control must be sent without delay to the AIPO for review.
PROTECTING PRIVACY WHEN DISCLOSING INFORMATION ABOUT A SMALL NUMBER OF INDIVIDUALS
- When disclosing aggregate data about a small number of individuals, the "cell size of five" rule is applied to protect the privacy of those individuals. The "cell size of five" rule means that aggregate data can only be disclosed if each group or cell contains data from more than five individuals. The purpose of this rule is to prevent the identification of individuals from small datasets. If the risk of re-identification remains high despite applying the "cell size of five" rule, due to either the sensitivity of the data or the small number of individuals in the dataset, the minimum cell size may be increased.
INFORMATION COLLECTED FOR PUBLIC PURPOSE
- The University considers the following information as information collected and maintained for the purpose of creating a record that is available to the public and that may be published in print, electronic format or on the Internet:
- the degree or degrees conferred by the University and the date received; and
- the recipient of excellence scholarships or other prizes or honours awarded by the University or a third party.
ACCESS TO AND CORRECTION OF PERSONAL INFORMATION
- Individuals have a right to request access to, and correction of, their own Personal Information. Requests for access to, or correction of, an individual’s own Personal Information shall be directed in the first instance to the faculty, administrative office or service that is likely to have the information. In circumstances where such a request does not yield satisfactory results, a further request for access or correction may be directed to the CPO.
PRIVACY OF USERS OF IT RESOURCE
- For the purposes of this Policy, “IT Resource” includes, but is not limited to, the following that are owned by and/or operated or managed by the University, or that are licensed to the University or operated by an external organization on behalf of the University: software, systems, networks, computers, any other computing resource or hardware, servers (physical or virtual), data storage devices, telephone systems, magnetic or network media and any other communication devices.
- A user of a University IT Resource cannot reasonably expect that when using it, such use is entirely private and/or confidential. Information stored on a University IT Resource may be subject to FIPPA or Applicable Access and Privacy Legislation. Users who choose to store their own personal information on a University IT Resource for personal matters or activities that are wholly unrelated to the University’s mandate do so at their own risk.
- The University does not monitor the content of information stored on, within or passing through a University IT Resource as a routine course of business or practice. However, the University reserves the right to access and use the content stored on a University IT Resource to investigate instances or complaints of non-compliance with University policies, procedures, standards, or academic regulations, to comply with applicable laws or a legal requirement to produce records, to maintain control over and for the proper operation of University business processes and continuity, or to protect the security of persons; to guard against threats of misconduct or attacks on the University’s IT assets and IT resources; and equipment and property.
- The right to access user information as described in section 26 requires the written approval of the administrative head of the organizational unit (e.g. department chair, dean, director, etc.) or the next highest managerial level of authority in the case the user reports directly to the administrative head of the organizational unit. The CPO must be consulted to ensure that the request complies with Applicable Access and Privacy Legislation and University policies before disclosing the requested information.
PERSONAL INFORMATION BANKS
- As required by FIPPA, AIPO maintains an index of Personal Information banks which outlines all faculties, administrative offices or services that create and maintain Personal Information banks for purposes of carrying out University services or functions. The index of Personal Information banks shall be published on AIPO’s website.
RETENTION AND DISPOSAL OF PERSONAL INFORMATION
- The University’s Records Retention Schedule established by the University’s Information and Archives Management sets out the University’s practices regarding the retention and disposal of records. Personal Information that has been used by the University is retained for a minimum of one year after use unless the individual to whom the information relates consents to its earlier disposal.
APPROVAL AND AMENDMENTS
- The Secretary-General is responsible for periodic review of this policy and for recommending to the Administration Committee any amendments to it.
- Amendments to this policy require the approval of the Administration Committee.
- The Secretary-General of the University may establish, amend or abrogate procedures for purposes of the effective implementation of this policy, provided that such procedures are consistent with the provisions of this Policy.
- Notwithstanding section 31, the Secretary-General may amend this Policy without the need to submit such amendment to the Administration Committee for approval if such amendment is required to:
- update or correct the name or title of a position, unit, law, bylaw, policy, procedure or authority; or
- correct punctuation, grammar, typographical errors, revisions to format and other technical revisions, where appropriate, if the correction does not change the meaning of a provision, or make such other correction if it is clear both that an error has been made and what the correction should be; or
- correct the form of expression of a provision in French or in English to be more compatible with its form of expression in the other language; or
- make consequential amendments to conform with or arising from another University bylaw, resolution, policy or procedure.