Procedure 20-7

Handling Privacy Complaints

Date and Instance of Approval:

2018-04-10
Secretary-General of the University

Amendments:

2024-10-23
Responsible Service: Access to Information and Privacy Office 

PURPOSE

  1. The purpose of this Procedure is to describe the basics steps in handling a Privacy Complaint as defined in clause 4 of this Procedure. 

INTERPRETATION

  1. This Procedure shall be read in a manner that is consistent with the University’s obligations under the Freedom of Information and Protection of Privacy Act (FIPPA), Policy 90 – Access to Information and Protection of Privacy as well as any other Applicable Access and Privacy Legislation and internal policies.
  2. Capitalized words or expressions used in this Procedure are defined in Policy 90 or in this Procedure.

PROCESSING PRIVACY COMPLAINTS

  1. If a person believes that the University wrongfully collected, used or disclosed his or her Personal Information the person may file a written complaint with the Chief Privacy Officer (CPO) (“Privacy Complaint”). The Privacy Complaint must include a description of the nature and extent of the circumstances affecting the person’s privacy; the academic or administrative unit or office associated with the purported wrongful collection, use or disclosure; the name(s) of any person(s) involved; the date or time period on or within which the purported wrongful collection, use or disclosure occurred; and the person’s expectations regarding the outcome of the Privacy Complaint.
  2. The Privacy Complaint shall be filed within 30 consecutive days from the date the person knew or ought to have known of the purported wrongful collection, use or disclosure.  
  3. The steps and time required to process a Privacy Complaint may vary depending on the nature, circumstances and complexity of the complaint. Generally, the steps in processing a Privacy Complaint are as follows: 
    1. Acknowledgment of receipt of the Privacy Complaint, sent to the person who filed it.
    2. Communication with the person who filed the Privacy Complaint in order to obtain clarification or additional information as required.
    3. Communication with the academic or administrative unit or office and person(s) involved with the subject-matter of the Privacy Complaint or who may have knowledge of the circumstances surrounding the Privacy Complaint.
    4. Consultation with other appropriate authorities within the University, including without limitation Legal Services, Protection Services, the Office of the Chief Risk Officer, and/or Information Technology (IT).
    5. Communication with the person who filed the Privacy Complaint to review the matter, inform them of any steps taken to address the Privacy Complaint, and resolve any outstanding concerns.
    6. Follow-up with the academic or administrative unit or office and person(s) involved with the Privacy Complaint to ensure implementation of corrective or remedial measures, as required. 

CONFIDENTIALITY

  1. The identity of the complainant will remain confidential when possible. Depending on the nature of the complaint, it may be necessary for the CPO to disclose the complainant's identity and/or complaint-related Personal Information to individuals who need access to this information to effectively respond to and address the Privacy Complaint.