Collection of Personal Information

Date

January 12, 1998

Revision Date

Number

I 10.05

Revision No.

Purpose

  • To ensure compliance with the privacy rules in B.C.'s Freedom of Information and Protection of Privacy Act.
  • To ensure that the University collects personal information using an appropriate method and notice of collection.
  • To ensure that the information privacy rights of those individuals who give their personal information to the University are protected.

Responsibility

The University officials named by the Board of Governors in its FOI/POP Schedule of Authorized Officers are responsible for ensuring the implementation of this policy.

Scope

This policy applies to all departments.

Introduction

The Freedom of Information and Protection of Privacy Act contains six privacy rules:

1.Collection
2.Accuracy
3.Protection
4.Use
5.Disclosure
6.Retention

Together these rules make up the Act's Code Of Fair Information Practices. Collection of personal information is the key privacy rule upon which all others are based.

Described below is:

1.definitions of key terms;
2.the University's policy regarding collection of personal information;
3.procedures that explain the general purposes for which the University may collect personal information;
4.procedures about how personal data must be collected and what we must do when collecting it;
5.sample templates for a protection of privacy collection notice; and
6.a checklist of optional guidelines for reviewing forms.

Definitions

Information

recorded information

 

Recorded Information

information that is recorded or stored by graphic, electronic, mechanical or other means.

 

Record

any document created in the course of practical University activity and constituting written evidence of that activity; such as a letter, memorandum, electronic mail, voice message, map, drawing, photograph, voucher, report and any other thing on which information is recorded or stored.

 

Collection

the collection of personal information:

  • by or for the University, whether the information is collected directly from the person the information is about or indirectly from another source (e.g. a person or organization internal or external to the University); and
  • when such information is assembled or brought together and written down or recorded by any means (e.g. interview, questionnaire, survey, poll, audio tape, computer disk or tape, form, telephone call or letter)

Personal information must be collected directly from the individual it is about except in limited and specific circumstances.

 

Authorization for Collection

personal information may be collected by the University only if the collection of that information is expressly authorized by law, the information is collected for the purposes of law enforcement, or the information relates directly to and is needed for an operating program or activity of the University.

 

Notification of Collection

the University must tell an individual from whom it collects personal information the purpose for collecting it, the legal authority for collecting it, and where the individual might receive answers to questions about the collection.

 

Personal Information

recorded information about an identifiable individual which includes, but is not limited to names, home addresses and telephone numbers, age, sex, marital or family status, identifying number, race, national or ethnic origin, colour, religious or political beliefs or associations, educational history, medical history, disabilities, blood type, employment history, financial history, criminal history, anyone else's opinions about an individual, an individual's personal views or opinions, and name, address and phone number of parent, guardian, spouse or next of kin.

It does not mean the position, function and remuneration of a University employee.

 

Privacy

the claim of individuals to determine for themselves when, how and to what extent information about themselves is communicated to others. Privacy includes such concepts as confidentiality of our personal beliefs and control over information about ourselves and others' knowledge of our affairs.

Policy

  1. Normally the University shall collect recorded personal information directly from individuals, ensuring at all times that it uses an appropriate notice and method of collection as described below under Direct Collection of Personal Information.

     

  2. The University shall collect only recorded personal information about an individual indirectly from another source when:

    • authorized in advance by the individual;
    • in accordance with the Act's provisions as described below under Indirect Collection of Personal Information; or
    • the information is available through a public source.

  3. The University shall only collect personal information that relates directly to and is necessary for its operating programs and activities as mandated by the University Act.

Procedures

A. Purpose for Which Personal Information may be Collected

    1.1 The FOI/POP Act recognizes the University's legitimate need to collect personal information in order to carry out its mandate and to provide services, but restricts that collection to a defined set of circumstances.

    The circumstances are:

     

    1.2 In the case of a University, the University Act gives only general authority for the University's educational program and we must then determine what exact elements of personal information we need to administer that program. The University Act does not specify what personal data elements can be collected.

    1.3 The University's operating program is any series of functions designed to carry out all or part of its mandate and an activity is an individual action designed to assist in carrying out an operating program.

    2.1 The University may do its own collection or may authorize an outside agent to carry out the collection on its behalf, either under contract or through an agreement or arrangement in writing with the other agency.

    2.2 Any written agreement or contract with an outside agent should stipulate that the collection, protection, retention and disclosure of personal information will be governed by the Act.

  •  
    • the collection of information is expressly authorized by or under an Act;
    • the information is collected for purposes of law enforcement (Under the powers conferred on the University President by the University Act, the University does collect, from time to time, law enforcement information in the form of investigations or proceedings that lead or could lead to a penalty or sanction being imposed against an employee or a student ); or
    • the information relates directly to and is necessary for the University's operating programs or activities.

B. How Personal Information is to be Collected

    The FOI/POP Act promotes an individuals' control over his or her personal information by requiring, with few exceptions, that personal information be collected directly from the person it is about unless another method of collection is authorized by the person.

    Direct Collection of Personal Information

    3.1 Collecting personal information directly from the person concerned helps ensure that the University bases its decisions about people on up-to-date, accurate and complete information.

    3.2 The Act imposes an obligation on the University to notify individuals of the purpose for which it is collecting the information, specify all the ways in which their information will be used, its legal authority for the collection and a contact person who can answer questions about the collection.

    3.3 Notice should be given at the beginning of a process either on the form used to collect the information or by giving the same notice to people at the beginning of an interview, mediation, conciliation, arbitration or inquiry process.

    3.4 The notification should be in writing wherever possible. If notification is done verbally, the University should follow up with a written notification to the person(s) concerned.

    3.5 This type of collection notice is called informed notice because it gives only notification.

    3.6 The requirement to notify recognizes the individual's right to know and understand the purpose of the collection and how the information will be used. It also allows the person to make an informed decision as to whether or not to give the information in cases where a response is not mandatory.

    Indirect Collection of Personal Information

    4.1 Indirect collection of personal information is illegal under the FOI/POP Act except in limited and specific circumstances.

    4.2 When collecting personal information about an individual from another source, the University must first obtain written authorization from the person the information is about; but, if permission is given verbally the University should document the conversation and send a letter to the person concerned verifying the consent. [For exceptions to this procedure see section 4.6]

    4.3 When asking a person to give consent for indirect collection of personal information, s/he should be informed of:


    4.4 Where another source is asked for personal information about an individual, the source must also be informed of the purpose and authority for the collection of personal information about the second individual.

    4.5 This type of collection notice is called informed consent because it gives notification as well as seeking the individual's consent to collect information indirectly from another source (collection is not permitted without consent).

    4.6 The University may collect personal information indirectly without prior written authorization only under the following conditions:


    4.7 Notification and consent is not required when information about an individual is collected exclusively from public sources (such as newspaper clippings, published directories or biographical dictionaries) because the personal information is within the public domain.  

    • the nature of the personal information to be collected;
    • the purpose of the indirect collection;
    • the reasons for making the collection indirectly; and
    • the consequences of refusing to authorize the indirect collection.
    • the information may be disclosed to the University under Section 33 of the Act (attached as Appendix A);
    • determining suitability for an honour or award, including an honorary degree, scholarship, prize or bursary;
    • a proceeding before a court or a judicial or quasi-judicial tribunal;
    • collecting a debt or fine or making a payment;
    • law enforcement (see footnote #1); or
    • another method of collection is authorized by the commissioner or another statute.

Sample Templates

Sample Templates: Protection of Privacy Collection Notice

    5.1 In cases of direct collection of personal information the sample template is:

    The information on this form is collected under the general authority of the University Act (R.S.B.C. 1979, c.419), [cite also any applicable administrative policies approved by the University's Board of Governors; other provincial or federal legislation or regulation; binding legal contracts such as collective agreements; etc.]. It is related directly to and needed by the University [describe why (i.e.. the purpose) the information is needed]. The information will be used [must describe all uses and be specific]. If you have any questions about the collection and use of this information please contact [Position Title, Business Address, Business Phone Number].


    5.2 In cases of indirect collection of personal information the sample template is:

    The information received from [specify source] is collected under the general authority of the University Act (R.S.B.C. 1979, c.419), [cite also any applicable administrative policies approved by the University's Board of Governors; etc.]. It is related directly to and needed by the University [describe why (i.e. the purpose) the information is needed]. The information will be used [must describe all uses and be specific]. If you have any questions about the collection and use of this information please contact [Faculty or Department Position Title, Business Address, Business Phone No.].

    Checklist for Review of Forms (attached as Appendix B)

    University offices may use this checklist when reviewing forms to determine compliance with the Freedom of Information and Protection of Privacy Act .

    • Pursuant to Section 27(1) of the Freedom of Information and Protection of Privacy Act, I ____________________________, authorize Simon Fraser University to contact the persons or organizations listed below for the purposes of obtaining [specify the information to be collected]. These persons or organizations are authorized to disclose such information. I understand that failure to give my authorization will result in [describe consequences of refusing to authorize the indirect collection].

      Date___________________ Signature_____________________________

Appendix A

Freedom of Information and Protection of Privacy Act

S.B.C. 1992, Chapter 61, as amended by S.B.C. 1993, Chapter 46

The University may collect personal information disclosed to it by another public body only:

  1. in accordance with Part 2 of this Act,
  2. if the individual the information is about has identified the information and consented, in the prescribed manner, to its disclosure,
  3. for the purpose for which it was obtained or compiled by another public body or for a use consistent with that purpose (see section 34),
  4. for the purpose of complying with an enactment of, or with a treaty, arrangement or agreement made under an enactment of, British Columbia or Canada,

...


  1. for the purpose of

    1. collecting a debt or fine owing by an individual to the government of British Columbia or to the University, or
    2. making a payment owing by the government of British Columbia or by the University to an individual,

...


  1. to a public body or a law enforcement agency in Canada to assist in an investigation

    1. undertaken with a view to a law enforcement proceeding, or
    2. from which a law enforcement proceeding is likely to result,

...


  1. if the head of the public body determines that compelling circumstances exist that affect anyone's health or safety and if notice of disclosure is mailed to the last known address of the individual the information is about, or
  2. so that the next of kin or a friend of an injured, ill or deceased individual may be contacted.

...

Definition of consistent purposes

34. (1) A use of personal information is consistent under section 32 or 33 with the purposes for which the information was obtained or compiled if the use

  1. has a reasonable and direct connection to that purpose, and
  2. is necessary for performing the statutory duties of, or for operating a legally authorized program of, the public body that uses or discloses the information.

Appendix B

Checklist for Review of Forms for Compliance with Privacy Protection Provisions

This checklist focuses on forms used for the collection of personal information. By bringing forms into compliance with the privacy protection provisions of the Act, University offices will:


  • Support the public's right to know what personal information University offices collect and how this information is used;
  • Support the right of individuals to access their own personal information; and
  • Help assure individuals that their personal information is protected from unauthorized collection, use or disclosure.

The process of bringing forms used to collect personal information into compliance with the requirements of the Act will be spread over three to five years. Beginning with proclamation in November 1994, University offices should plan to bring existing forms into compliance and implement interim procedures for handling high volume non-compliant forms.

Definitions

"Personal information" is defined in Schedule 1 of the Act as "recorded information about an identifiable individual, including


  1. the individual's name, address or telephone number,
  2. the individual's race, national or ethnic origin, colour, or religious or political beliefs or associations,
  3. the individual's age, sex, sexual orientation, marital status or family status,
  4. an identifying number, symbol or other particular assigned to the individual,
  5. the individual's fingerprints, blood type or inheritable characteristics,
  6. information about the individual's health care history, including a physical or mental disability,
  7. information about the individual's educational, financial, criminal or employment history,
  8. anyone else's opinions about the individual, and
  9. the individual's personal views or opinions, except if they are about someone else."

A "Personal information bank" is defined in Schedule 1 of the Act as

"a collection of personal information, that is organized or retrievable by the name of an individual or by an identifying number, symbol or other particular assigned to an individual."
 
"Collection, use and disclosure of personal information"

    "Collection" of personal information means the collection of personal information by or for the University, whether the information is collected directly from the person the information is about or indirectly from another source.

    "Use" of personal information means access to and use of personal information within the University.

    "Disclosure" of personal information means the release of personal information to any person or organization outside the University.

Checklist of Mandatory Requirements

Parts 1 to 3 of this checklist cover mandatory requirements for compliance with the Act. The relevant section number of the Act is noted after the heading for each part of the checklist.

1. Authorization for Collection (section 26)

What is the authorization for collection of the personal information on the form? (At least one must be Yes)

  • Collection of the information is specifically authorized by or under an Act.
  • The information is collected for the purposes of law enforcement.
  • The information relates directly to and is necessary for an operating program or activity of the public body.
If none of the above questions has been answered with a "yes", a revision to procedures may be required. Consult SFU's Information and Privacy Coordinator.

2. Source of Information (subsection 27(1))

Yes / No

    2.1 Is the form designed to be filled out by the individual the information is about or by an official or employee of the public body on behalf of the individual (direct collection)?

    If yes, go to question 3.

    2.2 If the form is designed to be filled out by a source other than the individual the information is about (indirect collection), is there evidence on the form or elsewhere on file of one of the following:

    (At least one must be Yes)


    • The indirect collection is authorized by the individual the information is about, by statute, or by the Information and Privacy Commissioner.
    • The personal information on the form is provided by another public body, in accordance with sections 33 to 36 of the Act.
    • The personal information is collected to determine the suitability for an honour or award.
    • The personal information is collected for the purpose of collecting a debt or fine or making a payment.
    • The personal information is collected for a proceeding before a court or a judicial or quasi-judicial tribunal.
    • The personal information is collected for law enforcement purposes.

3. Notification of Collection (subsection 27(2))

    3.1Is notification of the following points provided to the person from whom the information is collected?

    All must be Yes

    This notification may be printed on the collection form, on a separate form or given verbally. An example of a notification designed to be included on a form is given above on page 6.

    3.2 If notification as described in 3.1 is not given to the person from whom the information is collected, does one of the following conditions exist?

    If there is a No under 3.1, at least one of the following must be Yes


  • The information is about law enfocement or is information the disclosure of which could be harmful to law enforcement.
  • The minister responsible for the Act has excused the public body from complying with notification requirements
    • The specific purposes for which the information will be used.
    • The specific legal authority for the collection of the information.
    • The title, address and telephone number of an official in the University who can answer questions about hte collection of the personal information.

If neither of the above questions has been answered with a "yes", a revision to procedures may be required.  Consult SFU's Information and Privacy Co-ordinator.

Checklist of Optional Guidelines

Parts 4 to 5 of this checklist cover points which are not mandatory requirements for compliance with the Act. These guidelines should be considered in reviewing forms used to collect sensitive personal information.

4. Optional Guidelines for Notification

Yes / No

    4.1 Does the form include a notification of collection and use (as described in part 3 of this checklist)?

    4.2 Does the design of the form ensure that the individual from whom the information is collected is given a copy of the notification?

    4.3 Does the design of the form ensure that a copy of the notification is also kept on file by the public body?

    4.4 Does the notification of collection and use include the following information:

  • The right of the person the information is about to appeal a refusal to correct information.

    • 4.5 If the form is designed to be filled out from a source other than the individual the information is about (indirect collection) is there evidence on the form or elsewhere on file of one of the following:

    •  Is a notification of collection provided to the person the information is about?
      • Is a copy of the notification kept on file by the public body?

    5. Optional Guidelines for Computer Generated Forms

    If the information is either collected on an electronic form or keyed directly into a database during an interview:

    Yes / No

      5.1 Is there provision for obtaining the individual's signature authorizing collection and use of the information?

      5.2 Is a hardcopy of the completed form provided to the person from whom the information is collected?

      5.3 Is a hardcopy notification of collection (as outlined in part 3 of this checklist) provided to the person the information is about?

      5.4 Does the office retain a copy of the authorization and/or notification?

      5.5 If the answer to any one of questions 5.1 - 5.4 is "no", is some other form of audit trail maintained of the authorization for collection, the source of information and the notification of collection and use?

    Guidelines on Interim Procedures

    The following are suggested guidelines to bring existing forms into compliance with the Act.

    • Include the requirements of the Act in your normal forms review process.
    • Keep stocks of all forms used to collect personal information at minimum levels pending review.
    • Make revisions to forms at normal re-order points to avoid special printing runs.
    • Set up interim procedures for staff to follow pending forms revision:
    • Train staff who receive forms containing personal information over the counter on how to give a verbal notification that meets the requirements of the Act. Such verbal notification should cover: the purpose for which the information is collected, the authorization for collection and the name of a person who can provide more information about the collection and use of the information.
    • Prepare a supply of photocopied notifications covering the above points and attach to forms when they are given out to individuals for completion.
    • In cases where some of the information on a form should no longer be collected, instruct clients or employees not to fill out certain fields. Such instructions may be given verbally or on a printed notification of collection attached to the form. If the form is photocopied rather than preprinted, the fields which should not be completed may be blacked out prior to photocopying.