Handling Confidential and Internal Information

Adoption
Date: October 23, 2024
Instance of approval: University Secretary-General
Originating/Responsible Department: Access to Information and Privacy Office

PURPOSE

  1. This Procedure establishes the minimum responsibilities that apply to Information Users who are authorized to receive or gain access to Confidential and Internal information for the purposes of carrying out their employment duties with the University of Ottawa or otherwise carrying out their mandate or engagement with the University (referred to as “Purpose”). 

INTERPRETATION

  2. Capitalized words or expressions used in this Procedure are defined in Policy 117 – Information Classification and Handling (“Policy 117”) or this Procedure.

SCOPE

  3. This Procedure applies to all Information Users.

RESPONSIBILITIES

  4. Information Users are responsible for safeguarding Confidential and Internal information during their relationship with the University and after it ends. At a minimum, Information Users must:
    1. use Confidential and Internal information only for the Purpose and not for any other purpose;
    2. use such precautions as are necessary to prevent unauthorised use, access to and disclosure of Confidential and Internal information;
    3. apply the appropriate information security safeguards in accordance with Policy 116 – Use and Security of Information Technology Assets and Policy 117;
    4. not disclose Confidential and Internal information to any person except,
      1. in the case of personal information, where the person to whom the information relates has identified that information in particular and consented to its disclosure;
      2. for the purpose for which it was obtained or compiled or for a consistent purpose;
      3. where disclosure is made to an officer, employee, consultant, or agent who needs the record to perform their duties and it is necessary for the University’s functions;
      4. as permitted by University policies and Applicable Access and Privacy Legislation.
    5. notify the Information Owner or the person they report to at the University (referred to as “University Representative”) and the IT Self-Service Centre, and follow Procedure 20-8 – Privacy Breach Response Protocol (if applicable), if Confidential or Internal information is:
      1. Stolen, lost, used without authorization or disclosed to unauthorized parties; or
      2. Suspected of being stolen, lost, used without authorization or disclosed to unauthorized parties.
    6. return to the University any materials in their possession that contain Confidential and Internal information when their relationship with the University ends, or follow the direction given to securely destroy such materials; and
    7. maintain the confidentiality of any Confidential and Internal information that cannot be returned or destroyed after the termination of their relationship with the University.
  5. If the Information User is a third-party individual, organisation or entity (such as a vendor or service provider to the University), then in addition to the responsibilities in Section 4 of this Procedure, the Information User must:
    1. take appropriate measures, such as signing a confidentiality agreement or a data protection agreement as applicable, to ensure that their directors, officers, employees, subcontractors, agents, advisors, or other representatives are bound by the same responsibilities outlined in Policy 117 and this Procedure;
    2. take such action, to the extent necessary, to cause those referred to in section 5(a) to comply and prevent any unauthorized disclosure of the Confidential and Internal information, including actions that the Information User would take to protect its own confidential information;
    3. notify the University Representative if the Information User is required or requested to disclose Confidential and Internal information in connection with a legal proceeding or administrative proceeding and cooperate with the University if the University decides to take steps to seek a protective order or other remedy. If such protective order or other remedy is not obtained, then the Information User must limit disclosure to that portion of the Confidential and Internal information that is legally required to be disclosed.
  6. If an Information User does not respect the responsibilities set out in this Procedure, it can result in consequences appropriate to their relationship with the University. For example, if the Information User is an employee, then consequences could include the imposition of disciplinary measures, including termination of employment, in accordance with any applicable collective agreements, terms and conditions of employment, other contractual relationships, or policies. If the Information User is a third-party individual, organisation or entity (such as a vendor or service provider to the University), then consequences could include early termination of their engagement with the University, or such other consequence as may be available under the terms of the engagement.