Personal Information Privacy

University employees who are responsible for personal information need to ensure that they are working within the privacy rules that govern its:

  1. Collection
  2. Accuracy
  3. Correction
  4. Protection and storage
  5. Use
  6. Disclosure
  7. Retention and disposal

Carefully following the Code of Fair Information Practices will help ensure that the University is fulfilling its legal obligations. By familiarizing yourself with this Code and applying it to how you handle personal information, you will minimize the risk of a privacy complaint or a privacy breach incident.

See the sections below for forms and resources relating to these specific areas of protecting personal information privacy.

Code of Fair Information Practices 

Download and read the Code of Fair Information Practices, and review the rules regularly to ensure your department is complying with the law.

Protection of Privacy Guideline

This detailed guideline provides more specific references to the Sections of the Act and how they apply to University business.

1. Collecting personal information

When personal information is collected, it must be accompanied by a notice of collection, which explains why the information is being collected, how it will be used and disclosed, the legal authority for collecting it and who to contact with any questions about the collection. It is important to collect only the minimum personal information that is directly related to and necessary for the particular purpose. It must be collected directly from the person it is about, except in very limited and prescribed circumstances. Use the following resources when collecting personal information.

Collection Notice Templates
Consent to Collect Personal Information Indirectly from a Third Party
Notice to Referees - Confidentiality and Collection Notice

2. Ensuring the accuracy of personal information

Information collected by the University is often used for purposes that involve making decisions affecting the individual the information is about. It is important to ensure this information is accurate because using outdated information may result in serious consequences for the individual and the University. SFU is responsible for ensuring that the personal information it relies upon to make decisions and take actions is correct.

3. Correcting errors in personal information

Where factual errors in personal information are identified, the University is responsible for making the appropriate corrections upon request. If the incorrect information was made available to a third party, the University is responsible for providing the corrected information to that third party.

Requesting a Correction to Your Personal Information in University Records

4. Protecting and storing personal information

Personal information can be misused. It is very important that the University protect the personal information it collects to prevent unauthorized access, collection, use, disclosure and disposal. The format of the information (paper or electronic records) must be considered when deciding what reasonable physical, procedural and technical security measures are necessary to adequately protect and store personal information.

Information and Privacy Record-Keeping Tips
General Privacy and Confidentiality Agreement
Access to and Storage of Personal Information Outside of Canada
Advice for Online Web Survey Tool Users

5. Using personal information

Employees need to consider information privacy before using personal information. Information can only be used for the purpose for which it was originally collected. It is also important to consider the difference between “use” (within the University office that collected it) and “disclosure” (making information available to anyone else inside or outside the University).

Consent to Use Personal Information

6. Disclosing personal information

Disclosure means to reveal, show, expose, provide copies of, sell, give or tell personal information. It is the process by which personal information is released to another person. The circumstances under which personal information may be disclosed are prescribed in very specific and limited terms; therefore, it is important to confirm that one has legal authority to disclose personal information before doing so.

Consent to Disclose Personal Information

7. Retaining and disposing of personal information

Collected information should be retained for a finite period of time. Following the appropriate Records Retention Schedule and Disposal Authority (RRSDA) for different types of information will ensure that personal information is disposed of appropriately. The Personal Information Directory describes the different types of Personal Information Banks and provides links to the correct RRSDA governing each bank's approved retention period and disposition.

Personal Information Directory