Frequently Asked Questions

If you cannot find the answer to your question or need more information, please contact the IAP Office:
Telephone: 709-864-8753
Email: iap@mun.ca

General

For Administrative Employees

FAQs for Academic Staff

FAQs for Students

Q: What is ATIPPA, 2015?

A: The Access to Information and Protection of Privacy Act, 2015 (ATIPPA, 2015) is a Newfoundland and Labrador law governing public sector organizations - government departments, agencies, boards, commissions, municipalities, schoool boards, and public post-secondary institutions.  Public body is a term in the ATIPPA, 2015.  The legislation applies to records in the custody and control of the university.  Certain types of records are excluded from ATIPPA, 2015; these include questions to be included on an examination or test, and teaching materials and research information of employees of post-secondary institutions.

ATIPPA, 2015:

  • gives people a right of access to records
  • gives people a right of access to personal information about themselves
  • gives people a right to request correction of personal information about themselves if they believe it contains an error or omission
  • prevents the unauthorized collection, use and disclosure of personal information by public institutions
  • provides for an oversight agency that reviews decisions made by public institutions under ATIPPA, 2015

The right of access to records is subject to exceptions to disclosure.  These exceptions are designed to protect information such as personal information, third party business information, policy advice, and legal advice.  As well, exceptions may be applied where disclosure may harm conservation or individual or public safety.  Exceptions to disclosure are set out in sections 27 to 41.

ATIPPA, 2015 protects privacy by placing limits on the collection, use and disclosure of personal information.  As well, public institutions are required to ensure that personal information is held securely and is accessible only by those who need access to the information in order to carry out their job responsibilities.

[return to top]

Q: What is a record?

A: Record means "a record of information in any form."  It includes information that is written, photographed, recorded or stored in any manner.  It includes hard copy and electronic data, including email.

Some types of records are excluded records and cannot be accessed under ATIPPA, 2015.  These include questions to be included on an examination or test, and teaching materials and research information of employees of postsecondary institutions.

[return to top]

Q: Who do I contact at Memorial if I have a question about my privacy or use of my personal information?

A: Rosemary Thorne, CIPP/C
University Access and Privacy Advisor
Memorial University of Newfoundland
Spencer Hall, Room SP-4018
St. John's, NL A1C 5S7
Canada
Phone: (709) 864-8214
Email: rosemaryt@mun.ca

[return to top]

Q: Does Memorial have a policy on privacy?

A: Yes, it has a Privacy policy and related procedures.

[return to top]

Q: Does Memorial have a policy on ATIPP requests?

A: Yes, it has an Information Request policy and related procedures.

[return to top]

Q: Does Memorial have a policy on information management?

A: Yes, it has an Information Management policy and related procedures.

For Administrative Employees

[return to top]

Q: What is an ATIPP Request?

A: An ATIPP request is a formal request under ATIPPA, 2015 for access to a record(s) at the university.  The request is made using a specific application form and is submitted to Memorial's IAP office.  The university must respond within 20 business days unless the time limit is extended with authorization from the province's office of the Information and Privacy Commissioner.  An extension may be necessary, for example, if the request involves a large volume of records.  The right of access is set out in Part II of the ATIPPA, 2015.

Access to records is subject to the exceptions to disclosure in ATIPPA, 2015.  For example, another person's personal information may need to be severed from a record before access is granted.

ATIPP requests are subject to fees for time involved in locating records and for photocopies.

[return to top]

Q: Who do I contact at Memorial if I have a question about ATIPPA, 2015?

A: Rosemary Thorne, CIPP/C
University Access and Privacy Advisor
Memorial University of Newfoundland
Spencer Hall, Room SP-4018
St. John's, NL A1C 5S7
Canada
Phone: (709) 864-8214
Email: rosemaryt@mun.ca

[return to top]

Q: Can the university release student information to a collection agency when a student has outstanding accounts?

A: Yes. ATIPPA, 2015 permits disclosure for the purpose of collecting a fine or debt owned by an individual to the university.

[return to top]

Q: Is a verbal consent to use photographs for marketing purposes adequate or should waivers be signed where students are identified or identifiable?

A: If the program in which the sudent is enrolled or paticipating is one where such promotion is a reasonable use of a photograph, then this use should be stated in the privacy notice provided at the time of collection (e.g. sports teams, music programs, fine arts programs).  If the promotion is not a regular part of the program, written consent should be obtained prior to use of a photograph.

[return to top]

Q: Are private records (non-employment related) of an employee that are located on univesity property accessible under ATIPPA, 2015?

A: No. Generally, employees' private (non-employment related) records are not covered by ATIPPA, 2015.  Records that relate to the operational functions of the university are the property of the university and are covered by ATIPPA, 2015.

[return to top]

Q: How long should job applications from unsuccessful candidates be kept?

A: Personal information, including job applications, used to make a hiring decision must be retained for at least one year, in order to permit a candidate an opportunitiy to seek access to the information.  Unsolicited applications and resumes would be retained only if they were considered in the process of a pesonnel search.

[return to top]

Q: Can I use the personal information in our database for another program or purpose?

A: Only if the purpose for the new use is substantially similar to the purpose for which the information was originally collected or compiled or you have the consent of the individual the information is about.  Other uses may be permitted under the ATIPPA, 2015.  Contact the IAP Office for clarification.

[return to top]

Q: Do I need consent in order to collect personal information?

A: Notice is required for all direct collections of personal information. When collecting personal information from a person, the university must notify the person of 1. the authority for the collection; 2. the purpose for the collection; and 3. the contact information of a person who can answer questions about the collection.

[return to top]

Q: How can I make sure personal information is kept safe when I take work home with me and on the road?

A: First, take only the minimum personal information necessary.  If it is in paper format, ensure that it is transported in an envelope, or carrying case, or other method to prevent scenarios like papers blowing away in the wind.  Ensure the envelope or case is not left in a vehicle where it may be visible to passers-by. If the information is in electronic format, ensure that the mobile device is encrypted.

[return to top]

Q: How do I ensure privacy protection when selecting a vendor to provide a solution? What about cloud solutions?

A: Contact the IAP office or the IM&P office for advice on language for your RFP or tender documents. If the vendor will have access to personal information for which the university is responsible, you must complete a Privacy Compliance Checklist and have it reviewed by the IAP office.  If the selected solution is cloud-based, you must also have the vendor complete a cloud assessment and security assessment through consultation with the IM&P office.  If the vendor will have access to personal information for which the university is responsible, the vendor must sign a privacy schedule, along with the main agreement between the vendor and the university. 

[return to top]

FAQs for Academic Staff

Q: What is personal information?

A: Personal information is "information about an identifiable individual." It includes among other things a person's name, address, telephone number, age, health, financial and educational information, and identifying numbers and symbols like a student number and employee number.  This is not an exhaustive list.  Any information about an identifiable individual is that person's personal information.

The University holds personal information belonging to students, faculty, staff, alumni, donors, library and bookstore patrons, and others.  Sometimes personal information may be categorized as sensitive personal information.  Most often, people consider their health information to be sensitive personal information; others may feel that their personal financial information is particularly sensitive.  In terms of privacy risks like identity theft, name, address, date of birth and social insurance number are often all that is needed to steal someone's identity.  

Personal information is defined in Section 2 of ATIPPA, 2015.  It reads:

"personal information" means recorded information about an identifiable individual, including:

  • the individual's name, address or telephone number;
  • the individual's race, national or ethnic origin, colour, or religious or political beliefs or associations;
  • the individual's age, sex, sexual orientation, marital status or family status;
  • an identifying number, symbol or other particular assigned to the individual;
  • the individual's fingerprints, blood type or inheritable characteristics;
  • information about the individual's health care status or history, including a physical or mental disability;
  • information about the individual's educational, financial, criminal or employment status or history;
  • the opinions of a person about the individual, and
  • the individual's personal views or opinions, exept where they are about someone else.

[return to top]

Q: Can employeees have open access to student information?

A: No. The fact that access to student information is possible does not imply that an employee should have access to it.  Faculty and employees should have access only to personal information that they require to perform their duties as an employee of the university.  Accessing personal information in contravention of the ATIPPA, 2015 is an offence, purusant to s. 115.

[return to top]

Q: Will a student be able to access a letter of reference that was submitted in confidence when s/he is the subject of the information?

A: Generally speaking, evaluative opinions are the personal information of the person being evaluated and ATIPPA, 2015 allows individuals, subject to limited and specific exceptions, a right of access to personal information about themselves.  In the case of a reference letter submitted by a writer with the expectation that it would be held in confidence, s. 32 may limit the right of the subject to access the letter. If a letter of reference pertains to admission to an academic program or suitability for an award, access to the letter may be limited.

[return to top]

Q: How do I handle privacy issues that arise when a student provides medical information in support of a request for academic accommodation?

A: Personal information used to make a decision affecting a person is required to be retained for one year after its last use.  Medical information must be stored securely.  Unless retention of the information is needed because it directly relates to an ongoing matter (e.g. an academic appeal), secure destruction of this kind of information after one year has passed is strongly recommended.

[return to top]

Q: How should our committee address questions about privacy protection?

A: When committee work requires members to view and use personal information about others, they should be asked to sign a confidentiality agreeement in respect of the committee work. Confidentiality agreements are strongly recommended when the committee has student and/or community membership. Committees can use this confidentiality agreement.

[return to top]

Q: Can teaching assistants and student markers take exams and papers off campus in order to grade them?

A: If possible, grading by teaching assistants and student markers should be done on campus.

[return to top]

Q: Can the Registrar release a student's address/phone number to a faculty member who is teaching the student?

A: This information would be supplied only on a need to know basis. The onus is on the faaculty member to show that the information is necessary.

[return to top]

Q: Can a faculty member ask a student for personal information?

A: Yes. A faculty member is permitted to ask a student for personal information if the information relates directly to and is necessary for an operating program or activity of the course or program. S/he would also have to inform the student of the purpose for which the information is required.

[return to top]

Q: Can student grade lists be posted?

A: Grade lists should be posted only if the department has taken reasonable precautions to assure the confidentiality of the information; these include not using names, using only the last three or four digits of student numbers, and notifying students of the method of informing them of interim grades. If a class is so small that grade holders are easily identified despite any process to conceal identities, then garde lists should not be posted.

[return to top]

Q: How should marked exams, lab reports, and essays be distributed to students? Can they be left on a table in the hallway or in the classroom so that students can retrieve them on their own? Do they need to be returned in sealed envelopes?

A: Section 64 of ATIPPA, 2015 states that athe head of a public body must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or destruction. As a result, the practice of placing graded examinations and assignments in a public place for pick up is not in keeping with privacy legislation. Examinations and assignmens should be returned directly to the student. Graded assignments may be left on a desk in the classroom so that students can retrieve their own exam/assignment only if the instructor or a teaching assistant is present to supervise. Grades and comments should not be made on the cover or first page of an assignment. Ideally, graded assignments should be returned directly to the student.

[return to top]

Q: Does email correspondence received from students need to be retained for a specific length of time?

A: The university is required to keep for one year all records used to make a decision affecting a person. If the email message documents a decision or was used to make a decision and is not recorded in a more permanent format, it should be kept for one year. If the information is of temporary value or has been documented in another university record, it is considered transitory and should be retained only as long as it is required.

[return to top]

FAQs for Students

Q: Do I have to file a formal request under ATIPPA, 2015 to access information the university has about me?

A: No. ATIPPA, 2015 is in addition to and does not replace existing procedures for access to information or records.  Filing an ATIPP request should be seen as an instrument of last resort. Memorial will continue to routinely provide information when requested and proactively disclose information to the community. However, when routinely and proactively disclosing information, the university must not disclose another perosn's personal information or business information that could harm a third party.

[return to top]

Q: How do I file a formal ATIPP request for information?

A: Try first to access the records you are seeking through existing procedures. A formal ATIPP Request should be directed to the IAP Office.

[return to top]

Q: How much will it cost to obtain general information?

A: An ATIPP request for access to general records may be assessed fees in accordance with the Cost Schedule set by the Government of Newfoundland and Labrador.

[return to top]

Q: How much will it cost to obtain personal information about myself?

A: No fees are applied to your request for your own personal information.

[return to top]

 Q: How long must the university keep my personal information?

A: Under ATIPPA, 2015, the university must keep personal information that has been used to make a decision affecting an individual for at least one year.

[return to top]

Q: Will I be able to access a letter of reference that was submitted on my behalf?

A: Generally speaking, evaluative opinions are the personal information of the person being evaluated and ATIPPA, 2015 allows individuals, subject to limited and specifc exceptions, a right of access to personal information about themselves.  In the case of a reference letter submitted by a writer with the expectation that it would be held in confidence, s. 32 may limit the right of the subject to access the letter. If a letter of reference pertains to admission to an academic program or suitability for an award, access to the letter may be limited.

[return to top]

Q. Can the university release information about me without my knowledge?

A: Yes, in certain circumstances. For example, personal information could be disclosed if required by law or for law enforcement purposes, to collect a debt that you owe the university, where necessary for delivery of a program or service, and in an emergency or other compelling circumstances where a person's health or safety is at risk.

[return to top]

 

 

Contact

Information Access and Privacy

230 Elizabeth Ave

St. John's, NL A1B 3X9 CANADA

Tel: (709) 864-2530

Fax: (709) 864-2552

becomestudent@mun.ca