1.1 On January 31, 2005, the College created its policy in relation to the protection of personal information and electronic documents. The policy recognized the commitment made by the College to protect privacy while, at the same time, providing procedures for the collection, use, and disclosure of information by the College.
1.2 The College is a special member of the community. While it is created by statute and delivers a variety of services to the public, the College is an autonomous institution that has its own governing body, manages its own affairs, allocates its own funds, develops its own relationships with private individuals, businesses and industries, and offers its own diverse range of academic, vocational, and professional programs. This Policy is a reflection of the unique position of the College in the community and must be interpreted with these principles in mind.
2.1 The purpose of this Policy is to enhance the College’s continued commitments to:
a) providing access to information;
b) protecting personal information and privacy; and
c) setting out the processes for handling access to information requests (“access requests”) and breach of privacy complaints (“privacy complaints”).
3.1 This Policy applies to
a) all requests for access to information maintained by the College; and
b) all members of the College community with access to information maintained by the College.
- EFFECTIVE DATE
4.1 This Policy is effective May 1, 2017 and shall apply to all information created by the College after the effective date of the Policy.
4.2 All requests for information before the effective date of this Policy shall be determined in accordance with the policies and practices in effect at the College at the applicable time.
- ACCESS TO INFORMATION
5.1 The College routinely makes large amounts of institutional and other information available to the public on its website. The College is committed to continuing this online practice. If information is not available on the College’s website, an access request may be filed with the Office of the Chief Privacy Officer (the “Privacy Office”) in accordance with this Policy.
6.1 The College is committed to maintaining and protecting the integrity of personal and other confidential information. If a person believes his or her privacy rights have been breached, the person may file a privacy complaint with the Privacy Office in accordance with this Policy.
- OFFICE OF THE CHIEF PRIVACY OFFICER
7.1 The Privacy Office handles access requests and privacy complaints made to the College. The Privacy Office also carries out other associated duties, such as:
a) educating College staff on access to information and privacy;
b) assisting College staff members in conducting searches and addressing complaints;
c) clarifying and responding to access requests;
d) preparing fee estimates;
e) investigating and remedying complaints;
f) reporting on the number of access requests and complaints; and
g) representing the College in interactions following an access request or privacy complaint.
- PROCESS FOR HANDLING ACCESS REQUESTS
8. 1 Basic Steps
8.1.1 The steps in processing an access request may vary depending on the nature of the request. Generally, the Privacy Office follows these basic steps:
a) An access request means a request for access to institutional or personal information. An access request shall be submitted in writing, addressed to the College’s Chief Privacy Officer (the “Privacy Officer”), and must provide sufficient detail to enable the Privacy Office to identify the record(s) sought. The person making the request (the “Requester”) must also pay the initial fee and complete the Access Request Form (QF175). In exceptional situations, the Privacy Officer may authorize an access request to be accepted in some other format for the purpose of accommodating the personal circumstances of the Requester;
b) The Privacy Officer shall consider the access request and determine whether it would be appropriate to conduct a search for responsive records;
c) If appropriate, the Privacy Office contacts staff responsible at the faculty, administrative office, or service to conduct a search for records responsive to the access request;
d) The records located as a result of the search are sent to the Privacy Office. The Privacy Officer reviews the records to determine whether exemptions and/or exclusions apply;
e) The Privacy Office notifies the requester about the Privacy Officer’s decision whether to release the records in part or in their entirety and provides an estimate of the fees associated with the release of the records; and
f) Once the Requester pays the fees associated with the access request, the Privacy Office sends copies of the responsive records to the Requester.8.2. Exemptions and Exceptions
8.2.1 There are certain types of records that are exempt from disclosure to protect institutional interests, the privacy of others, confidentiality, ongoing operations of the College, and other interests important to the College. For example, exemptions and exceptions include, but are not limited, to any information that:
a) is an invasion of privacy;
b) may be harmful to the interests of the College, a third party, or an individual;
c) may negatively affect a relationship important to the College;
d) may affect public safety or the health or safety of an individual;
e) is confidential or is shared in confidence with the College;
f) relates to a policy, project, or other matter under consideration by the College;
g) relates to employees, labour relations, or student relations at the College;
h) relates to an investigation;
i) relates to a legal or administrative proceeding;
j) relates to a disciplinary matter;
k) is protected by any form of privilege;
l) relates to legal advice given to the College; or
m) relates to a request that is frivolous, vexatious, and an abuse of the Policy.
8.2.2. A record may contain information about an individual other than the Requester. Generally, information related to another individual is not disclosed.
8.2.3. A record may contain information that reveals commercial, financial, confidential or other information belonging to an external person, entity or organization. Generally, information related to another party is not disclosed.8. 3. Fees
8.3.1. The College charges fees for the processing of access requests. Responding to an access request requires the College to expend both human and financial resources. An initial and non-refundable fee must therefore be paid to the College before the Privacy Office begins to process the access request and records shall not be released until the Privacy Office receives payment in full of all fees associated with request. All costs incurred by the College will be the responsibility of the Requester and vary depending upon the size and complexity of the access request. Information on fees is found in the Fee Schedule attached in Appendix A, which forms part of this Policy.
- PROCESS FOR HANDLING PRIVACY COMPLAINTS
9.1.1 For the purpose of this Policy, a privacy breach occurs when there is unauthorized disclosure of personal information or someone has obtained unauthorized access to personal information. If a person believes his or her privacy rights have been breached, the person may file a privacy complaint in writing, addressed to the Privacy Officer, with the Privacy Office. The person making the complaint must complete the Privacy Complaint Form (QF176). In exceptional situations, the Privacy Officer may authorize a privacy complaint to be accepted in some other format for the purpose of accommodating the personal circumstances of the individual.
9.2 Basic Steps
9.2.1 The steps in processing a privacy complaint may vary depending on the nature, circumstances, and complexity of the complaint. Generally, the Privacy Office follows these steps:
a) receipt of the privacy complaint;
b) communication with the faculty, administrative office or service, and person(s) involved with the complaint or who may have knowledge of the circumstances;
c) consultation with other appropriate authorities and/or external entities, if necessary; and
d) notification of the individual who filed the complaint as to the outcome of the complaint and informing them of any steps taken to resolve the complaint.
- PROTECTION OF PERSONAL INFORMATION
10.1 Personal Information
10.1.1 Personal information is regularly collected by the College from students, employees, alumni, donors and other individuals, and this information is intended to be used for the purpose of administering programs and activities at the College, delivering services at the College and carrying out the operations of the College, including:
a) recruitment, admission, registration, evaluation, and/or graduation in an academic and non-academic program;
b) student associations and organizations, including the alumni association;
c) financial assistance and awards;
d) development and fundraising activities;
e) institutional planning and statistics;
f) reporting to government agencies and/or professional organizations;
h) safety and security; and
i) print, electronic, and internet publications.10.2. Disclosure
10.2.1 It is the general policy of the College not to disclose personal information to external individuals or organizations unless:
a) the individual was notified of the disclosure when the personal information was collected;
b) the individual has consented to the disclosure or the disclosure is consistent with the purpose for which the information was collected;
c) disclosure is permitted or required by law;
d) the information is public information; or
d) disclosure is authorized under this Policy.10.3 Correction
10.3.1 Individuals have a right to request access to their own personal information and to request the correction of their personal information. Those who wish to obtain access to their personal information or to request a correction should begin by contacting the faculty, administrative office, or service that has possession of the information at the College. Depending on the nature of the request, it may require a written request addressed to the Privacy Officer.
11.1 If an individual disagrees with a decision made by the Privacy Officer under this Policy, the individual may submit a written request for reconsideration to the College’s Vice-President Corporate Services within thirty (30) days of the date of the decision. The decision of the Privacy Officer shall be reconsidered by the Vice-President Corporate Services within thirty (30) days and his/her decision shall be final. In the event that the decision under reconsideration relates to the Vice-President Corporate Services or a conflict of interest exists, then the Vice-President Corporate Services shall designate another Vice-President at the College to hear and decide the request for reconsideration.
12.1 The development and maintenance of this Policy is the responsibility of the President of the College.
12.2 The administration of this Policy is the responsibility of the Privacy Office as set out above.
Access to Information and Protection of Personal Information Policy – Board Policy 20-09