Frequently Asked Questions

Freedom of Information

What should I do if I receive a request for access to University records that may be confidential (e.g. reports or meeting minutes)?

Make sure the request is in writing. Forward the request to the Archives and Records Management Department as soon as possible. You can contact us at archives@sfu.ca.

If I record my opinion of another individual, is that my personal information or theirs?

It is the personal information of both you and them.

Will my records be released if the University receives an FOI request?

It depends. If the University receives an FOI request, responsive records must be sent to the Archives and Records Management Department. We will review and decide which records must be released. Just because the University has received a request, it doesn’t mean that all the information will be released. Exceptions to an applicant's right of access may apply.

Staff Specific FIPPA Information

As a staff member, are my salary and expenses my own personal information, and therefore protected from disclosure?

Yes, they are your personal information. However, under FIPPA, public employees’ job title, function and remuneration can be disclosed to the public. SFU publishes employee salary and expenses annually in the Statement of Financial Information.

The only information about you that isn’t personal information is your work contact information as it appears on your business card.

If I’m on an academic interview panel, how should I manage the information created during the interview process?

Contact privacy@sfu.ca for guidance on how to manage this information.

I am a researcher. Does FIPPA require me to disclose information about my research projects?

No, FIPPA does not apply to faculty research information.

Am I allowed to delete emails that include personal information?

It depends. According to Section 31 of FIPPA, if that information is being used to make a decision that affects the individual in question, it needs to be retained for at least a year after the decision is made. If in doubt, don’t delete. Visit the Directory of University records for guidance on retention.

Protection of Privacy

What does SFU do to protect privacy?

All University employees are required to abide by SFU policies regarding protection of privacy. Our office is here to provide SFU staff with advice and education related to freedom of information and protection of privacy, to manage privacy breaches and to oversee Privacy Impact Assessments (PIAs).

What is considered personal information?

According to the Information & Privacy Commissioner of BC, personal information is “any recorded information that uniquely identifies you, such as your name, address, telephone number, age, sex, race, religion, sexual orientation, disability, fingerprints, or blood type. It includes information about your health care, educational, financial, criminal or employment history. It also includes anyone else's opinions about you and your own views or opinions.”

What personal information is not considered private under FIPPA?

Public employees are entitled to less privacy than private individuals like students. For example, your name, title and remuneration along with contact information that would likely be included on your business card (office address, phone number and email) are subject to disclosure.

What are the rules related to storing and/or accessing personal information outside of Canada?

According to FIPPA, SFU and other public bodies in British Columbia are subject to restrictions on the storage of or access to personal information outside Canada.

If you have questions about the storage of or access to personal information outside of Canada and/or what exceptions apply, please contact the Archives and Records Management Department or privacy@sfu.ca.

Requesting/Accessing Personal Information

Is there a cost associated with requesting records?

Sometimes. According to FIPPA, you cannot be charged fees for requesting your own personal information, but you may be charged fees if you are requesting other types of records. A public body also cannot charge fees for the first three hours spent locating and retrieving the records you request, nor for the time spent reviewing and/or severing the records (which means redacting confidential information).

However, a public body can charge you for:

• Locating, retrieving and producing the records after the first three hours of searching;

• Preparing the records for release;

• Making a copy of the records; and

• Shipping and handling of the records.

Those charges cannot exceed the Maximum Fees as outlined in Schedule 1 of FIPPA.

How long does SFU have to disclose the information I’ve requested?

Under FIPPA, SFU has 30 business days to respond to your request. In certain circumstances, we may require an extension of an additional 30 days.

These rules are laid out in sections 7 and 10 of FIPPA.

Reporting & Responding to Breaches, Making Complaints

What do I do if I think my information has been disclosed inappropriately?

If you believe the University has collected, used or disclosed your personal information inappropriately, you have the right to complain. You can file a complaint using the process described here.

As a university employee, what steps should I take if I believe there’s been a privacy breach?

A privacy breach is a serious matter that requires immediate action. You can find our step-by-step process for addressing a privacy breach here.

Privacy Impact Assessments

What is a PIA?

A Privacy Impact Assessment (PIA) is a compliance and risk management tool used to identify and address potential privacy and security concerns before they become a problem for the University.

When is a PIA required?

A PIA is needed each time a new system, project, activity, program or policy is initiated or revised at SFU.

Why is a PIA required and what happens if I don’t complete one?

A PIA allows for the identification and construction of privacy and security requirements in advance, which aids in avoiding costly redesigns of systems, projects, activities, programs and policies. Since a PIA is a legal requirement of British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA), not completing one is a violation of legal and regulatory requirements. In other words, it isn’t optional.

What kinds of information does a PIA include?

The following kinds of information are included in a PIA: a description of the software used by the program/initiative and a list of the elements of personal information collected or managed by the software; identification of any personal information that will be accessed or stored outside Canada; legal authorities for collection, use, access, disclosure, retention and disposal of the personal information; identification of privacy risks and a description of the mitigations that have been or will be implemented; descriptions of the physical and technical security measures related to the software; explanation of procedures to ensure accuracy, correction and retention of personal information; and identification of any systematic disclosures of personal information.

Essentially, we’re taking an inventory of the personal information you plan to collect and how you will collect it, plus how it will be managed, stored and disposed of.

What is considered personal information?

FIPPA considers any recorded information about an identifiable individual to be personal information. This may include a person's name, birthdate, address, citizenship, educational, employment or medical history, identifying personal numbers, opinions etc.

How can I confirm whether I need a PIA?

The Pre-assessment Questionnaire is a good place to start. If you need any assistance, contact us at privacy@sfu.ca.

How do I begin the PIA process?

Start by scheduling a meeting with an Information and Privacy Archivist to discuss your needs. You can then download and complete the Privacy Impact Assessment Form. Once you've filled in the necessary information, email the form to privacy@sfu.ca. An Information and Privacy Archivist will get in touch with next steps.

Who is involved in the PIA process, and what are their responsibilities?

The PIA is a shared responsibility between:

  • The Coordinator of Information and Privacy or designated Information and Privacy Archivist, who advises on and reviews the PIA prior to recommending it for approval;
  • The relevant departmental administrator, who ensures adequate lead time to complete the PIA form before preparing and submitting it to the Information and Privacy Archivist;
  • Vendors and/or IT Services, who assist the administrator with gathering information needed to ensure the accuracy of the form's contents; and
  • A member of SFU's executive team, who grants final approval.

What is needed to approve a PIA?

To be approved, a PIA needs to be in compliance with FIPPA and its regulations and to obtain high-level approval at SFU (see Policy I10.02 Schedule A Delegation of Authority Under the Freedom of Information and Protection of Privacy Act).

Once approved, the system, project, activity, program or policy outlined in the PIA must proceed exactly as described in the assessment. If there is to be any deviation, the PIA needs to be updated or redone for modified use.

Where can I find summaries of PIAs completed in the past?

SFU employees can find completed PIA summaries here.

Who can I contact for more information about PIAs?

Send us an email at privacy@sfu.ca if you have any questions or concerns.
