Memorial University is entrusted with the personal information of its students, employees, alumni, donors, research participants, retirees and others and is committed to excellence in its management of this information.
To ensure that the University protects the privacy of its students, employees, alumni, donors, research participants, retirees and others whose personal information is in the University's custody or control and that it upholds applicable privacy legislation governing the collection, use and disclosure of personal information.
All campuses and organizational units of Memorial University. All information and records in the custody and/or under the control of the University. The policy is based on the requirements of the privacy legislation that applies to Memorial University. In order of importance for University operations, the three Acts that apply are:
ATIPPA is the primary privacy legislation with which the University shall comply. The independent oversight authority for ATIPPA is the Information and Privacy Commissioner of Newfoundland and Labrador.
The Privacy Act of Newfoundland and Labrador establishes grounds for civil action in the event of unauthorized surveillance, recording, impersonation or use of personal communications or documents without the consent of the individual or a duly authorized representative.
PIPEDA may apply to the University in a few commercial transactions, such as some financial transactions involving parties outside Newfoundland and Labrador or Canada and certain contracts with third parties. The independent oversight authority for PIPEDA is the Privacy Commissioner of Canada.
Commissioner - The Information and Privacy Commissioner of Newfoundland and Labrador if the applicable legislation is the Access to Information and Protection of Privacy Act and the Privacy Commissioner of Canada if the applicable legislation is the Personal Information Protection and Electronic Documents Act.
Compliance Checklist - A pre-Privacy Impact Assessment (PIA) compliance tool to assess privacy compliance and privacy risks of a project, undertaking, software application or Personal Information Bank (PIB) and determine whether a full Privacy Impact Assessment (PIA) is required.
Employee - Has the meaning given in the ATIPPA, including salaried employees, wage employees, contract employees, independent contractors and others associated with the University who have access to personal information.
IAPP Office - The University's Information Access and Privacy Protection Office Email: firstname.lastname@example.org.
Legislation - The privacy legislation with which the University is required to comply. Depending on the nature of the personal information and the purposes for which it is collected, used or disclosed, the legislation may be one or more of the Access to Information and Protection of Privacy Act of Newfoundland and Labrador, or the Personal Information Protection and Electronic Documents Act of Canada, as well as the relevant Regulations, and any other privacy legislation which may be enacted.
Personal Information - Means recorded information about an identifiable individual, including (not an exhaustive list)
Personal Information Bank (PIB) - A collection of paper records or electronic documents that is sorted by a personal identifier, such as name, student ID or employee ID, or a database that is indexed by one or more personal identifiers.
President - for the purposes of the ATIPPA the President is designated as the institution's Head.
Privacy Breach - Occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information.
Privacy Impact Assessment (PIA) - A formal assessment of the privacy obligations, risks and requirements related to a given project, undertaking, software application or Personal Information Bank (PIB).
Privacy Schedule - A schedule to be included in all University contracts, which contains provisions to ensure that the contractor provides adequate privacy protection and related support for personal information governed by the contract.
Project - When used in relation to privacy compliance checklists, Privacy Impact Assessments and related matters, the word "Project" subsumes for the sake of brevity the words "scheme", "program", "initiative", "application", "system", and any other word or term that refers to a formal, defined course of endeavour, which involves personal information.
Public Body - For purposes of this policy refers to Memorial University of Newfoundland.
Record - A record of information in any form and recorded or stored in any manner, including paper, electronic, digital, audio, and video, but does not include a computer program or a mechanism that produces records on any storage medium.
Unit Head - For the purposes of this policy, unit head is the term used to mean Deans, Divisions Heads, Heads of Schools, Directors, Executive Directors, the University Librarian, the University Registrar, Associate Vice-Presidents and Vice-Presidents, as applicable.
1. Memorial University complies in all respects with all applicable privacy legislation, including the Access to Information and Protection of Privacy Act of Newfoundland and Labrador as well as the Personal Information Protection and Electronic Documents Act of Canada and other applicable privacy legislation that may be enacted.
2. All employees of Memorial University are responsible for the protection of the privacy of students, employees, alumni, donors, research participants, retirees and others whose personal information is in the custody and/or under the control of the University. All employees are expected to undertake privacy awareness training authorized by the University's Information Access and Privacy Protection (IAPP) Office.
3. The President has ultimate accountability for compliance with ATIPPA privacy provisions. The President may delegate his or her powers under ATIPPA in whole or in part, but his or her delegates may not sub-delegate. The delegation of the President shall be in writing. Delegates may assign related duties to subordinates as necessary to fulfill delegated responsibilities under ATIPPA.
4. Unit heads are responsible for establishing and maintaining measures to ensure their units are protecting privacy, in accordance with the PROCEDURE FOR ADMINISTERING PRIVACY MEASURES WITHIN A UNIT.
6. In compelling circumstances, for example where health and safety may be at stake, disclosures of personal information may be made in accordance with exceptions for such circumstances in the legislation. Employees considering disclosure of personal information in such circumstances must seek advice from the University Privacy Officer and/or the Office of General Counsel.
7. Memorial University is guided by the principles of the Canadian Standards Association Model Privacy Code in a manner that complies with ATIPPA and any other legislation that may apply in the circumstances:
1. University employees who act in good faith and who execute their employment responsibilities with a reasonable standard of care shall not be subject to discipline for privacy breaches.
2. Privacy breaches arising from noncompliance with the legislation or this policy may result in disciplinary action up to and including dismissal.