Privacy

Principle:

Memorial University is entrusted with the personal information of its students, employees, alumni, donors, research participants, retirees and others and is committed to excellence in its management of this information.

Purpose:

To ensure that the University protects the privacy of its students, employees, alumni, donors, research participants, retirees and others whose personal information is in the University's custody or control and that it upholds applicable privacy legislation governing the collection, use and disclosure of personal information.

Scope:

All campuses and organizational units of Memorial University.  All information and records in the custody and/or under the control of the University. The policy is based on the requirements of the privacy legislation that applies to Memorial University. In order of importance for University operations, the three Acts that apply are:

1.         Access to Information and Protection of Privacy Act (ATIPPA) of Newfoundland and Labrador

ATIPPA is the primary privacy legislation with which the University shall comply. The independent oversight authority for ATIPPA is the Information and Privacy Commissioner of Newfoundland and Labrador.

2.         Privacy Act of Newfoundland and Labrador

The Privacy Act of Newfoundland and Labrador establishes grounds for civil action in the event of unauthorized surveillance, recording, impersonation or use of personal communications or documents without the consent of the individual or a duly authorized representative.

3.         Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada

PIPEDA may apply to the University in a few commercial transactions, such as some financial transactions involving parties outside Newfoundland and Labrador or Canada and certain contracts with third parties. The independent oversight authority for PIPEDA is the Privacy Commissioner of Canada.

Definitions:

Commissioner - The Information and Privacy Commissioner of Newfoundland and Labrador if the applicable legislation is the Access to Information and Protection of Privacy Act and the Privacy Commissioner of Canada if the applicable legislation is the Personal Information Protection and Electronic Documents Act.

Compliance Checklist - A pre-Privacy Impact Assessment (PIA) compliance tool to assess privacy compliance and privacy risks of a project, undertaking, software application or Personal Information Bank (PIB)  and determine whether a full Privacy Impact Assessment (PIA) is required.

Employee - Has the meaning given in the ATIPPA, including salaried employees, wage employees, contract employees, independent contractors and others associated with the University who have access to personal information.

IAPP Advisory Committee - A standing committee of the University, reporting to the President, which has responsibility for advising the University Privacy Officer in the development and implementation of the University's privacy policy and procedures. 

IAPP Office - The University's Information Access and Privacy Protection Office Email: iapp@mun.ca.

Legislation - The privacy legislation with which the University is required to comply. Depending on the nature of the personal information and the purposes for which it is collected, used or disclosed, the legislation may be one or more of the Access to Information and Protection of Privacy Act of Newfoundland and Labrador, or the Personal Information Protection and Electronic Documents Act of Canada, as well as the relevant Regulations, and any other privacy legislation which may be enacted.

Personal Information - Means recorded information about an identifiable individual, including (not an exhaustive list)

• the individual's name, address or telephone number
• the individual's race, national or ethnic origin, colour, or religious or political beliefs or associations
• the individual's age, sex, sexual orientation, marital status or family status
• an identifying number, symbol or other particular assigned to the individual
• the individual's fingerprints, blood type or inheritable characteristics
• information about the individual's health care status or history, including a physical or mental disability
• information about the individual's educational, financial, criminal or employment status or history
• the opinions of a person about the individual, and
• the individual's personal views or opinions

Personal Information Bank (PIB) - A collection of paper records or electronic documents that is sorted by a personal identifier, such as name, student ID or employee ID, or a database that is indexed by one or more personal identifiers.

President - for the purposes of the ATIPPA the President is designated as the institution's Head.

Privacy Breach - Occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information.

Privacy Impact Assessment (PIA) - A formal assessment of the privacy obligations, risks and requirements related to a given project, undertaking, software application or Personal Information Bank (PIB).

Privacy Schedule - A schedule to be included in all University contracts, which contains provisions to ensure that the contractor provides adequate privacy protection and related support for personal information governed by the contract.

Project - When used in relation to privacy compliance checklists, Privacy Impact Assessments and related matters, the word "Project" subsumes for the sake of brevity the words "scheme", "program", "initiative", "application", "system", and any other word or term that refers to a formal, defined course of endeavour, which involves personal information.

Public Body - For purposes of this policy refers to Memorial University of Newfoundland.

Record - A record of information in any form and recorded or stored in any manner, including paper, electronic, digital, audio, and video, but does not include a computer program or a mechanism that produces records on any storage medium.

Unit Head - For the purposes of this policy, unit head is the term used to mean Deans, Academic, non-Academic and Administrative Directors, Executive Directors, the University Librarian, the University Registrar and the Principal of Sir Wilfred Grenfell College.

Unit Privacy Officer - This is a functional description, not a title. It refers to employees designated in that role in each academic and administrative unit of the University to implement privacy policy and procedures in that unit.  It does not preclude any unit from establishing a position of unit privacy officer.

University Privacy Officer - The position with overall management responsibility for privacy policy and procedures at the University. This is a functional description, not a title. The University Privacy Officer is appointed by the President of the University. Unless otherwise indicated, the University Privacy Officer is the Information Access and Privacy Protection Coordinator.

Policy:

1.         Memorial University complies in all respects with all applicable privacy legislation, including the Access to Information and Protection of Privacy Act of Newfoundland and Labrador as well as the Personal Information Protection and Electronic Documents Act of Canada and other applicable privacy legislation that may be enacted. 

2.         All employees of Memorial University are responsible for the protection of the privacy of students, employees, alumni, donors, research participants, retirees and others whose personal information is in the custody and/or under the control of the University. All employees are expected to undertake privacy awareness training authorized by the University's Information Access and Privacy Protection (IAPP) Office.

3.         The President has ultimate accountability for compliance with ATIPPA privacy provisions.  The President may delegate his or her powers under ATIPPA in whole or in part, but his or her delegates may not sub-delegate.  The delegation of the President shall be in writing. Delegates may assign related duties to subordinates as necessary to fulfill delegated responsibilities under ATIPPA.

4.         Unit heads are responsible for establishing and maintaining measures to ensure their units are protecting privacy, in accordance with the PROCEDURE FOR ADMINISTERING PRIVACY MEASURES WITHIN A UNIT.

5.         The University Privacy Officer is guided by the Memorial University Privacy Policy in executing her/his responsibilities.

6.         In compelling circumstances, for example where health and safety may be at stake, disclosures of personal information may be made in accordance with exceptions for such circumstances in the legislation. Employees considering disclosure of personal information in such circumstances must seek advice from the University Privacy Officer and/or the Office of General Counsel.

7.         Memorial University is guided by the principles of the Canadian Standards Association Model Privacy Code in a manner that complies with ATIPPA and any other legislation that may apply in the circumstances:

A.        Accountability: The University is responsible for personal information in its custody and/or under its control and has designated a University Privacy Officer who is accountable for the organization's compliance with the following principles.

B.        Identifying Purposes and Consent: The University identifies to the individual the authority and purposes for the collection and use of personal information at the time of collection, and the contact information of an employee who can answer questions about the collection. The University obtains the individual's consent to the collection of sensitive personal information and personal information collected for the purpose of disclosure outside the University. The University collects personal information directly from the subject of the information whenever it is feasible and appropriate to do so. When direct collection is not feasible or appropriate, the University makes every reasonable effort to ensure the accuracy of personal information collected from third parties.

C.        Limiting Collection: The University limits its collection of personal information to that which is required for its programs and services. Wherever feasible and appropriate, the University collects personal information about students, employees, alumni, donors, research participants, retirees and others directly from the individual concerned. A Privacy Notice is provided to the individual at the time of collection. 

D.        Limiting Use, Disclosure and Retention: The University limits its use and disclosure of personal information to those purposes identified under Limiting Collection and in accordance with the applicable privacy legislation. The University uses personal information only for the purpose for which it was collected or compiled; for a consistent purpose; with the written consent of the individual; or for the purpose for which the information was disclosed to the University.  Employees use only the minimum amount of personal information needed. The University does not disclose personal information to any individual other than the subject unless it is permitted under ATIPPA.  Any disclosure is limited to the minimum amount necessary.

E.        Accuracy: The University makes every reasonable effort to ensure that the personal information it collects, uses and discloses is accurate and complete.

F.         Security: The University ensures that personal information in its custody is secured in a manner appropriate to the sensitivity and purpose of the information. The University ensures that records containing personal information are protected from unauthorized collection, access, use, disclosure and disposal by putting in place reasonable administrative, physical and technical security measures. All employees ensure that personal information which they handle as part of their job is secure from unauthorized access, that collection, use and disclosure of personal information is minimized and that records are managed in accordance with an established records retention and disposal system.

G.        Openness: The University's Privacy Policy and related procedures are available on the University's policy website at www.mun.ca/policy and this on-line version is the official version.  Printed copies are available from the University Privacy Officer, who responds to any related questions. The University notifies affected individuals of any potentially detrimental breaches of its privacy controls, a requirement in  the PROCEDURE FOR ADMINISTERING PRIVACY MEASAURES WITHIN A UNIT.

H.        Individual Access: An individual may access his or her personal information by making a request to the University department responsible for the information, or to the University Privacy Officer. When personal information is used to make a decision affecting someone, the information will be kept for at least one year so that the individual will have sufficient opportunity to access the information, if desired. Upon request from an applicant, the University will correct an error or omission in an applicant's personal information or annotate the file if no correction is made. Other public bodies and third parties to whom the information was disclosed in the previous twelve month period will be notified of the correction or annotation and asked to update their records.

I.          Challenging Compliance: Complaints or questions with respect to the University's compliance with this Privacy Policy may be made in accordance with the PROCEDURE FOR CHALLENGING PRIVACY COMPLIANCE.  The University Privacy Officer shall investigate all complaints received or shall delegate the investigation to another investigator.

8.         To monitor compliance with the Privacy Policy, all projects involving personal information must be reviewed using the Privacy Compliance Checklist, in accordance with the PROCEDURE FOR CHECKING PRIVACY COMPLIANCE.   This may determine that a Privacy Impact Assessment is required. This compliance requirement does NOT apply to research projects involving human participants which have received ethics approval from a duly-constituted research ethics board, including a research ethics body under the Health Research Ethics Authority Act.

Noncompliance

1.         University employees who act in good faith and who execute their employment responsibilities with a reasonable standard of care shall not be subject to discipline for privacy breaches.

2.         Privacy breaches arising from noncompliance with the legislation or this policy may result in disciplinary action up to and including dismissal.

Related Documents:

• ATIPP Request Form
• Privacy Compliance Checklist
• Privacy Impact Assessments (PIAs)
• Researcher Agreement
• Information Request Policy

Procedures

• Procedure For Administering Privacy Measures Within A Unit
• Procedure For Challenging Privacy Compliance
• Procedure For Checking Privacy Compliance
• Procedure For Correcting/annotating Personal Information
• Procedure For Giving Researchers Access To Personal Information
• Procedure For Managing A Privacy Breach
• Procedure For Retention Of Personal Information
• Procedure For Shredding And Disposal Of Confidential Materials - St. John's Campus