PROTECTION OF PRIVACY
Date
February 17, 2021
Date of Last Review/Revision
March 18, 2021
Number
I 10.11
Mandated Review
February 17, 2024
Policy Authority: General Counsel and University Secretary
Associated Procedure(s):
- How to Request a Correction to Personal Information in University Records;
- Privacy Breach Procedures; and
- Procedures for the Disclosure of Personal Information in Emergency or Compelling Circumstances
EXECUTIVE SUMMARY
This policy establishes a framework for managing personal information in the custody or under the control of Simon Fraser University (“the University”), in compliance with the Freedom of Information and Protection of Privacy Act. The policy applies to all University Employees, Volunteers, and Service Providers who have access to personal information. This policy provides clarity on the principles for collecting, using, and disclosing Personal Information.
TABLE OF CONTENTS
1.0 PREAMBLE
2.0 PURPOSE
3.0 SCOPE AND JURISDICTION
4.0 DEFINITIONS
5.0 POLICY
6.0 ROLES AND RESPONSIBILITIES
7.0 RELATED LEGAL, POLICY AUTHORITIES AND AGREEMENTS
8.0 RETENTION AND DISPOSAL OF RECORDS
9.0 POLICY REVIEW
10.0 POLICY AUTHORITY
11.0 INTERPRETATION
12.0 PROCEDURES AND OTHER ASSOCIATED DOCUMENTS
1.1 Members of the Simon Fraser University community entrust their personal information to the care of the University. As such, the University has an ethical and a legal obligation to protect the privacy of individuals whose information it manages.
1.2 The University will be diligent in promoting the sound management of personal information in a privacy-enhancing manner and in taking reasonable and required measures to protect the personal information in its custody or control. This policy is designed to foster a culture in which privacy is top of mind for every employee whenever they handle personal information belonging to and about others, ensuring the University complies with its ethical and legal obligations.
1.3 British Columbia’s Freedom of Information and Protection of Privacy Act (“the Act”), and the best practices outlined in the Canadian Standards Organization Model Code for the Protection of Personal Information (“the Model Code”), and various standards and guidelines issued by the Office of the Information and Privacy Commissioner of British Columbia inform the substance of this policy.
2.1 The purpose of this policy is to establish how the University complies with its protection of privacy requirements under the Act and manages Personal Information in accordance with best practices.
3.1 This policy applies to all personal information in the custody or under the control of the University and to all University Employees, Volunteers, and Service Providers who have access to personal information.
3.2 This policy does not apply to the research information of faculty or other individuals carrying out research at the University. Simon Fraser University Policy R20.01 Ethics Review of Research Involving Human Participants ensures research involving human subjects complies with professional and disciplinary standards for the protection of privacy.
4.1 See Appendix A for the definitions of words used in this policy and its associated schedules and procedures.
5.1 General
5.1.1 The University will manage all personal information in compliance with the Act as specified below and in accordance with best practices and standards for the protection of personal information.
5.1.2 The University will limit the collection, access, use, disclosure, and retention of personal information to that which is directly related to and necessary for its operations.
5.1.3 The University will make every reasonable effort to ensure the accuracy and protection of personal information in its custody or control.
5.2 Collection of Personal Information
5.2.1 The University will collect personal information only as provided for under Part 3 of the Act, ensuring that at all times it uses appropriate notice and methods of collection.
5.2.2 The University will limit collection of personal information to the minimum amount necessary to carry out the University’s activities as mandated by the University Act.
5.3 Access and Use of Personal Information
5.3.1 The University will grant employees access only to personal information necessary for the performance of their duties.
5.3.2 The University will use personal information only:
a. For the purpose for which that personal information was obtained or compiled;
b. For a use consistent with that purpose;
c. With the written consent of the individual the personal information is about;
d. For the purpose for which that information was disclosed to the University; or
e. For any other purpose permitted under the Act.
5.4 Disclosure of Personal Information
5.4.1 The University will not disclose any personal information of students, employees, alumni, retirees, clients, and donors in its custody or under its control to any third party, unless doing so is provided for under the Act.
5.4.2 Any employee of the University who is aware of an unauthorized disclosure of personal information, or who suspects there has been an unauthorized disclosure of personal information, must immediately notify the University Archivist and Coordinator of Information and Privacy or their designates. It is an offence under the Act to disclose personal information in contravention of the Act.
5.5 Retention and Disposal of Personal Information
5.5.1 The University will retain for at least one year an individual’s personal information when it is used to make a decision that directly affects the individual.
5.5.2 The University will dispose of personal information only with a Records Retention Schedule and Disposal Authority approved and signed by the University Archivist and Coordinator of Information and Privacy.
5.6 Accuracy and Correction of Personal Information
5.6.1 The University will make every reasonable effort to ensure the personal information it uses to make decisions that directly affect individuals is accurate and complete.
5.6.2 Upon request by an individual to whom the personal information relates, the University will correct, make additions to, or annotate the information with a correction when documentary evidence, satisfactory to the University, is provided to substantiate the correction.
5.7 Protection of Personal Information
5.7.1 The University will protect personal information by making reasonable policy, procedural, physical, and technical security arrangements against such risks as unauthorized access, collection, use, disclosure, or disposal.
5.7.2 The University will ensure that protection of personal information is a core consideration in planning, implementing and maintaining new and revising existing systems, projects, programs or activities by completing Privacy Impact Assessments.
5.7.3 The University will manage privacy breaches in an effective and timely manner, in accordance with the Privacy Breach Procedure.
5.8 Storage of Personal Information
5.8.1 The University will store all personal information in its custody or control only inside Canada, unless the individual the information is about has consented to storage outside Canada or unless the storage is permitted under the Act.
6.0 ROLES AND RESPONSIBILITIES
6.1 The University Archivist and Coordinator of Information and Privacy is responsible for:
6.1.1 Providing advisory services to University employees about how this policy and the Act apply to University operations, including advising on whether a department’s activities are in compliance with the privacy principles articulated in this policy;
6.1.2 Advising on, reviewing, and recommending for approval Privacy Impact Assessments;
6.1.3 Coordinating responses to privacy breaches, advising and assisting departments in investigating and responding to breaches;
6.1.4 Providing training and education on matters related to the protection of privacy;
6.1.5 Drafting and approving Records Retention Schedules and Disposal Authorities for departments upon request; and
6.1.6 Maintaining a public listing of the Personal Information Banks in the custody or control of the University.
6.2 Administrators are responsible for:
6.2.1 Ensuring that the activities of their departments are in compliance with the privacy principles articulated in this policy;
6.2.2 Contacting the Information and Privacy Archivist prior to undertaking a new system, project, program or activity to determine whether a Privacy Impact Assessment is required;
6.2.3 Preparing a Privacy Impact Assessment, if the Information and Privacy Archivist determines one is required, and submitting it to the Information and Privacy Archivist;
6.2.4 Ensuring there is adequate lead time available to complete a required Privacy Impact Assessment in relation to other project deadlines;
6.2.5 Abiding by the requirements of a completed Privacy Impact Assessment, including taking steps to correct or mitigate any privacy issues or foregoing the implementation of a new system, project, program, or activity if implementation is in violation of the Act, this policy, or associated procedures;
6.2.6 Contacting the Archives and Records Management Department to request scheduling the retention and disposal of information and records;
6.2.7 Reporting any suspected or actual privacy breaches of the Act, this policy, or its associated procedures in accordance with the University’s Privacy Breach Procedure;
6.2.8 Ensuring that policies and procedures over which they have authority abide by this policy. In a case where there is a conflict between a departmental or university policy or procedure and this policy, this policy will prevail; and
6.2.9 Ensuring collection of personal information is limited to what is necessary to fulfill legitimate University operations. Personal information cannot be collected for speculative future purposes.
6.3 Employees are responsible for:
6.3.1 Handling all personal information to which they receive access in accordance with the Act and this policy;
6.3.2 Accessing personal information only as necessary for the performance of their duties; and
6.3.3 Reporting any suspected or actual privacy breaches of the Act, this policy, or its associated procedures in accordance with the University’s Privacy Breach Procedure.
7.0 RELATED LEGAL, POLICY AUTHORITIES AND AGREEMENTS
7.1 The legal and other University Policy authorities and agreements that may bear on the administration of this policy and may be consulted as needed include but are not limited to:
7.1.1 University Act, R.S.B.C. 1996, c. 468
7.1.2 Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165
7.1.3 Canadian Standards Organization Model Code for the Protection of Personal Information [CAN/CAS-Q830-96]
7.1.4 Head of the Institution and Delegation of Authority Under the Freedom of Information and Protection of Privacy Act (I10.02)
7.1.5 Access to Information (I10.04)
7.1.6 Collection of Personal Information (I10.05)
7.1.7 Fair Use of Information and Communications Technology (GP 24)
7.1.8 Office of the Information and Privacy Commissioner of British Columbia’s guideline on “Privacy Breaches: Tools and Resources” (March 2012)
7.1.9 Canadian Anti-Spam Legislation, S.C. 2010, c. 23
8.0 RETENTION AND DISPOSAL OF RECORDS
8.1 Information and records made and received to administer this policy are evidence of the University’s actions to manage personal information in the custody or under the control of the University. Information and records must be retained and disposed of in accordance with a records retention schedule approved by the University Archivist.
9.1 This policy will be reviewed at least every three years.
10.1 This policy is administered under the authority of the General Counsel and University Secretary.
11.1 Questions of interpretation or application of this policy or its procedures shall be referred to the General Counsel and University Secretary whose decision shall be final.
12.0 PROCEDURES AND OTHER ASSOCIATED DOCUMENTS
NOTICE: Procedures and other documents referred to in section 12 of this policy that are not posted on the University’s Policy Gazette can be found on the SFU Archives and Records Management FIPPA website: Protection of Privacy Policy Resources - Archives and Records Management - Simon Fraser University (sfu.ca)
APPENDIX A - DEFINITIONS
12.1 Appendix A contains the definitions applicable to this policy and its associated schedules and procedures.
ASSOCIATES PROCEDURES
12.2 The procedures for this policy are:
12.2.1 How to Request a Correction to Personal Information in University Records;
12.2.2 Privacy Breach Procedures; and
12.2.3 Procedures for the Disclosure of Personal Information in Emergency or Compelling Circumstances.
ASSOCIATED SCHEDULES
12.3 The schedules for this policy are:
12.3.1 Schedule 1: Defining Personal Information
12.3.2 Schedule 2: Privacy Breach Response Action Plan and Timelines
ASSOCIATED FORMS AND TEMPLATES
12.4 The forms and templates that must be used to comply with protection of privacy rules are located on the SFU Archives and Records Management website Protection of Privacy Policy Resources - Archives and Records Management - Simon Fraser University (sfu.ca) and include:
12.4.1 Collection
a. Collection Notice
b. Consent to Collect Personal Information Indirectly from a Third Party
12.4.2 Access and Use
a. General Privacy and Confidentiality Agreement
b. Collection Notice
12.4.3 Disclosure
a. Research Agreement
b. Consent to Disclose Personal Information
12.4.4 Protection of Personal Information
a. Privacy Impact Assessment Questionnaire
b. Privacy Impact Assessment Form
c. Privacy Protection Schedule
d. Cloud Privacy Protection Schedule
e. Privacy Breach Report Form
OTHER RESOURCES
12.5 There are other procedures and resources related to the management of personal information in the custody or control of the University on the SFU Archives and Records Management website, including SFU’s Personal Information Directory (PID) and the Records Retention Schedules and Disposal Authorities (RRSDAs): See Protection of Privacy Policy Resources - Archives and Records Management - Simon Fraser University (sfu.ca)