About Personal Information Privacy
University employees who are responsible for personal information need to ensure that they are working within the privacy rules that govern its:
- Protection and storage
- Retention and disposal
Carefully following the seven privacy rules will help ensure that the university is fulfilling its legal obligations. By familiarizing yourself with these rules and applying them to how you handle personal information, you will minimize the risk of a privacy complaint or a privacy breach incident.
1. Collecting personal information
When personal information is collected, it must be accompanied by a notice of collection, which explains:
- why the information is required by those collecting it,
- how it will be used and disclosed,
- the legal authority for collecting it and
- whom to contact with any questions about the collection.
When collecting personal information, it’s important to collect only the minimum personal information related directly to and necessary for the purpose for which it’s being collected. It must be collected directly from the person it is about—except in very limited and prescribed circumstances.
Please refer to the following template when collecting personal information.
2. Ensuring the accuracy of personal information
Information collected by the university is often used to make decisions that affect the individual the information is about. Because using outdated information may result in serious consequences for the individual and the university, it’s important to ensure any information being used to make decisions is accurate and up-to-date.
3. Correcting errors in personal information
If and when errors in personal information are identified, the university is responsible for making the appropriate corrections. If the incorrect information was made available to a third party, the university is also responsible for providing the corrected information to that third party.
Learn more about making corrections to your personal information.
4. Protecting and storing personal information
To ensure the privacy of our students, staff and alumni, among others, it’s critical that the university protect the personal information it collects to prevent unauthorized access, collection, use, disclosure and disposal.
When deciding what reasonable security measures are necessary to adequately protect personal information, it’s important to consider the format of the information (e.g., whether the records are paper or electronic).
5. Using personal information
Information must only be used for the purpose for which it was originally collected. It’s also important to consider the difference between “use” (using information within the university office that collected it) and “disclosure” (making information available to anyone else, inside or outside the university).
6. Disclosing personal information
Disclosure is the process by which personal information is released to another person, whether that’s by telling, showing, exposing, selling, providing copies—or any other way you might reveal information to someone else.
The circumstances under which personal information can be disclosed are prescribed in very specific and limited terms, so it’s important to confirm that you have legal authority to disclose personal information before doing so. If in doubt, don’t share the information.
7. Retaining and disposing of personal information
Collected information isn’t kept forever. To ensure that personal information is disposed of appropriately, employees should follow the Records Retention Schedule and Disposal Authority (RRSDA) for different types of information.
SFU’s Personal Information Directory describes the different types of Personal Information Banks kept by the university and its departments, and provides links to the correct RRSDA governing each bank’s approved retention period and disposition.