Personal Information Privacy
University employees who are responsible for personal information need to ensure that they are working within the privacy rules that govern its:
- Protection and storage
- Retention and disposal
Carefully following the Code of Fair Information Practices will help ensure that the University is fulfilling its legal obligations. By familiarizing yourself with this Code and applying it to how you handle personal information, you will minimize the risk of a privacy complaint or a privacy breach incident.
See the sections below for forms and resources relating to these specific areas of protecting personal information privacy.
Download and read the Code of Fair Information Practices, and review the rules regularly to ensure your department is complying with the law.
This detailed guideline provides more specific references to the Sections of the Act and how they apply to University business.
1. Collecting personal information
When personal information is collected, it must be accompanied by a notice of collection, which explains why the information is being collected, how it will be used and disclosed, the legal authority for collecting it and who to contact with any questions about the collection. It is important to collect only the minimum personal information related directly to and necessary for the particular purpose. The information must be collected directly from the person it is about except in very limited and prescribed circumstances. Use the following resources when collecting personal information.
2. Ensuring the accuracy of personal information
Information collected by the University is often used for purposes that involve making decisions affecting the individual the information is about. It is important to ensure this information is accurate because using outdated information may result in serious consequences for the individual and the University. SFU is responsible for ensuring that the personal information it relies upon to make decisions and take actions is correct.
3. Correcting errors in personal information
Where factual errors in personal information are identified, the University is responsible for making the appropriate corrections upon request. If the incorrect information was made available to a third party, the University is responsible for providing the corrected information to that third party.
4. Protecting and storing personal information
Personal information can be misused. It is very important that the University protect the personal information it collects to prevent unauthorized access, collection, use, disclosure and disposal. The format of the information (paper or electronic records) must be considered when deciding what reasonable physical, procedural and technical security measures are necessary to adequately protect and store personal information.
5. Using personal information
Employees need to consider information privacy before using personal information. Information can only be used for the purpose for which it was originally collected. It is also important to consider the difference between “use” (within the University office that collected it) and “disclosure” (making information available to anyone else inside or outside the University).
6. Disclosing personal information
Disclosure means to reveal, show, expose, provide copies of, sell, give or tell personal information. It is the process by which personal information is released to another person. The circumstances under which personal information may be disclosed are prescribed in very specific and limited terms; therefore, it is important to confirm that one has legal authority to disclose personal information before doing so.
7. Retaining and disposing of personal information
Collected information should be retained for a finite period of time. Following the appropriate Records Retention Schedule and Disposal Authority (RRSDA) for different types of information will ensure that personal information is disposed of appropriately. The Personal Information Directory describes the different types of Personal Information Banks and provides links to the correct RRSDA governing its approved retention period and disposition.