Frequently Asked Questions

Freedom of Information

What should I do if I receive a request for access to University records that may be confidential (e.g. reports or meeting minutes)?

Make sure the request is in writing. Forward the request to the Archives and Records Management Department as soon as possible. You can contact us at

If I record my opinion of another individual, is that my personal information or theirs?

It is the personal information of both you and them.

Will my records be released if the University receives an FOI request?

It depends. If the University receives an FOI request, responsive records must be sent to the Archives and Records Management Department. We will review and decide which records must be released. Just because the University has received a request, it doesn’t mean that all the information will be released. Exceptions to an applicant's right of access may apply.

Staff Specific FIPPA Information

As a staff member, are my salary and expenses my own personal information, and therefore protected from disclosure?

Yes, they are your personal information. However, under FIPPA, public employees’ job title, function and remuneration can be disclosed to the public. SFU publishes employee salary and expenses annually in the Statement of Financial Information.

The only information about you that isn’t personal information is your work contact information as it appears on your business card.

If I’m on an academic interview panel, how should I manage the information created during the interview process?

Contact for guidance on how to manage this information.

I am a researcher. Does FIPPA require me to disclose information about my research projects?

No, FIPPA does not apply to faculty research information.

Am I allowed to delete emails that include personal information?

It depends. According to Section 31 of FIPPA, if that information is being used to make a decision that affects the individual in question, it needs to be retained for at least a year after the decision is made. If in doubt, don’t delete. Visit the Directory of University records for guidance on retention.

Will my records be released if the University receives an FOI request?

It depends. If the University receives an FOI request, responsive records must be sent to the Archives and Records Management Department. We will review and decide which records must be released. Just because the University has received a request, it doesn’t mean that all the information will be released. Exceptions to an applicant's right of access may apply.

Protection of Privacy

What does SFU do to protect privacy?

All University Employees are required to abide by SFU policies regarding protection of privacy. Our office is here to provide SFU staff advice and education related to freedom of information and protection of privacy, to manage privacy breaches and to oversee Privacy Impact Assessments (PIAs).

What is considered personal information?

According to the Information & Privacy Commissioner of BC, personal information is “any recorded information that uniquely identifies you, such as your name, address, telephone number, age, sex, race, religion, sexual orientation, disability, fingerprints, or blood type. It includes information about your health care, educational, financial, criminal or employment history. It also includes anyone else's opinions about you and your own views or opinions.”

What personal information is not considered private under FIPPA?

Public employees are entitled to less privacy than private individuals like students. For example, your name, title and remuneration along with contact information that would likely be included on your business card (office address, phone number and email) are subject to disclosure.

What are the rules related to storing and/or accessing personal information outside of Canada?

According to FIPPA, SFU and other public bodies in British Columbia are subject to restrictions on the storage of or access to personal information outside Canada.

If you have questions about the storage of or access to personal information outside of Canada and/or what exceptions apply, please contact a member of the Access and Privacy Program or

Requesting/Accessing Personal Information

Is there a cost associated with requesting records?

Sometimes. You cannot be charged fees for requesting your own personal information, but you may be charged fees if you are requesting other types of records. A public body also cannot charge fees for the first three hours spent locating and retrieving the records you request, nor for the time spent reviewing and/or severing the records (which means redacting confidential information).

However, a public body can charge for the following:

  • Making an FOI request for non-personal information;
  • Locating, retrieving and producing the records after the first three hours of searching;
  • Preparing the records for release;
  • Making a copy of the records; and
  • Shipping and handling of the records.

Those charges cannot exceed the Maximum Fees as outlined in s.13 and Schedule 1 of FIPPA Regulation.

How long does SFU have to disclose the information I’ve requested?

Under FIPPA, SFU has 30 business days to respond to your request. In certain circumstances, we may require an extension of an additional 30 days. Additional extensions require approval from the Office of the Information and Privacy Commissioner. 

These rules are laid out in the sections 7 and 10 of FIPPA.

Reporting & Responding to Breaches, Making Complaints

What do I do if I think my information has been disclosed inappropriately?

If you believe the University has collected, used or disclosed your personal information inappropriately, you have the right to complain. You can file a complaint using the process described here.

As a university employee, what steps should I take if I believe there’s been a privacy breach?

A privacy breach is a serious matter that requires immediate action. You can find our step-by-step process for addressing a privacy breach here.

Privacy Impact Assessments (PIA)

What is a PIA?

A Privacy Impact Assessment (PIA) is a compliance and risk management tool used to identify and address potential privacy and security concerns before they become a problem for the University.

When is a PIA required?

A PIA is needed each time a new system, project, activity, program or policy is initiated or revised at SFU.

Why is a PIA required and what happens if I don’t complete one?

A PIA allows for the identification and construction of privacy and security requirements in advance, which aids in avoiding costly redesigns of systems, projects, activities, programs and policies. Since a PIA is a legal requirement of British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA), not completing one is a violation of legal and regulatory requirements. In other words, it isn’t optional.

What kinds of information does a PIA include?

The following kinds of information are included in a PIA: a description of the the program/initiative and a list of the elements of personal information collected; identification of any sensitive personal information that will be accessed or stored outside Canada; legal authorities for collection, use, access, and disclosure of the personal information; identification of privacy risks and a description of the mitigation strategies that have been or will be implemented; descriptions of the physical and technical security measures; an explanation of procedures to ensure accuracy, correction and retention of personal information and identification of any systematic disclosures of personal information.

Essentially, we’re taking an inventory of the personal information you plan to collect and how you will collect it, plus how it will be managed, stored and disposed of.

What is considered personal information?

FIPPA considers any recorded information about an identifiable individual to be personal information. This may include a person's name, birthdate, address, citizenship, educational, employment or medical history, identifying personal numbers, opinions, etc. Personal information includes information that can be used to identify an individual through association or reference. For example, an original essay or artwork would not be personal information if names and identifiers were removed so that others were unable to determine who created the work.

What personal information is "sensitive"?

“Sensitive” is not defined. What information is sensitive may depend on the context. Examples can include medical information, unique government issued identifiers (passport number, driver’s license, PHN, SIN), financial information, or disciplinary or complaint history. You may need help from the Access and Privacy Program to determine whether the personal information involved in an initiative is “sensitive”.

How can I confirm whether I need a PIA?

All new and substantially changed initiatives (systems, projects, programs, policies, or activities) must undergo a PIA. Please complete he Pre-assessment Questionnaire or contact a member of the Access and Privacy Program to discuss.

How do I begin the PIA process?

Start by scheduling a meeting with a member of the Access and Privacy Program to discuss your needs. You can then download and complete the Privacy Impact Assessment Form. Once you've filled in the necessary information, email the form to

Who is involved in the PIA process, and what are their responsibilities?

The PIA is a shared responsibility between:

  • The Access and Privacy Program, who advise on and review the PIA;
  • The relevant departmental administrator, who ensures adequate lead time to complete the PIA form before preparing and submitting it to the Access and Privacy Program;
  • Vendors and/or IT Services, who assist the administrator with gathering information needed to ensure the accuracy of the form's contents; and
  • An SFU member designated accountable for the PIA, as determined by the Access and Privacy Program, based on the level of risk associated with the initiative.

What is needed to finalize a PIA?

To be finalized, a PIA needs to be in compliance with FIPPA and its regulations and approved by a delegated authority at SFU (see Policy I10.02 Schedule A Delegation of Authority Under the Freedom of Information and Protection of Privacy Act).

Once approved, the system, project, activity, program or policy outlined in the PIA must proceed exactly as described in the assessment. If there is to be any deviation, the PIA needs to be updated or redone for modified use.

Who can I contact for more information about PIAs?

The Access and Privacy Program currently consists of:

You can also send us an email to the role account

Need more information about PIAs?

Contact us