Approval Date: 2008-09-11
Effective Date: 2013-04-09
Review Date: 2020-09-11
The President through the University Privacy Officer
Memorial University is entrusted with the personal information of its students, employees, alumni, donors, research participants, retirees and others and is committed to excellence in its management of this information.
To ensure that the University protects the privacy of its students, employees, alumni, donors, research participants, retirees and others whose personal information is in the University's custody or control and that it upholds applicable privacy legislation governing the collection, use and disclosure of personal information.
All campuses and organizational units of Memorial University. All information and records in the custody and/or under the control of the University. The policy is based on the requirements of the privacy legislation that applies to Memorial University. In order of importance for University operations, the three Acts that apply are:
ATIPPA is the primary privacy legislation with which the University shall comply. The independent oversight authority for ATIPPA is the Information and Privacy Commissioner of Newfoundland and Labrador.
The Privacy Act of Newfoundland and Labrador establishes grounds for civil action in the event of unauthorized surveillance, recording, impersonation or use of personal communications or documents without the consent of the individual or a duly authorized representative.
PIPEDA may apply to the University in a few commercial transactions, such as some financial transactions involving parties outside Newfoundland and Labrador or Canada and certain contracts with third parties. The independent oversight authority for PIPEDA is the Privacy Commissioner of Canada.
Commissioner - The Information and Privacy Commissioner of Newfoundland and Labrador if the applicable legislation is the Access to Information and Protection of Privacy Act and the Privacy Commissioner of Canada if the applicable legislation is the Personal Information Protection and Electronic Documents Act.
Compliance Checklist - A pre-Privacy Impact Assessment (PIA) compliance tool to assess privacy compliance and privacy risks of a project, undertaking, software application or Personal Information Bank (PIB) and determine whether a full Privacy Impact Assessment (PIA) is required.
Employee - Has the meaning given in the ATIPPA, including salaried employees, wage employees, contract employees, independent contractors and others associated with the University who have access to personal information.
IAPP Office - The University's Information Access and Privacy Protection Office Email: email@example.com.
Legislation - The privacy legislation with which the University is required to comply. Depending on the nature of the personal information and the purposes for which it is collected, used or disclosed, the legislation may be one or more of the Access to Information and Protection of Privacy Act of Newfoundland and Labrador, or the Personal Information Protection and Electronic Documents Act of Canada, as well as the relevant Regulations, and any other privacy legislation which may be enacted.
Personal Information - Means recorded information about an identifiable individual, including (not an exhaustive list)
Personal Information Bank (PIB) - A collection of paper records or electronic documents that is sorted by a personal identifier, such as name, student ID or employee ID, or a database that is indexed by one or more personal identifiers.
President - for the purposes of the ATIPPA the President is designated as the institution's Head.
Privacy Breach - Occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information.
Privacy Impact Assessment (PIA) - A formal assessment of the privacy obligations, risks and requirements related to a given project, undertaking, software application or Personal Information Bank (PIB).
Privacy Schedule - A schedule to be included in all University contracts, which contains provisions to ensure that the contractor provides adequate privacy protection and related support for personal information governed by the contract.
Project - When used in relation to privacy compliance checklists, Privacy Impact Assessments and related matters, the word "Project" subsumes for the sake of brevity the words "scheme", "program", "initiative", "application", "system", and any other word or term that refers to a formal, defined course of endeavour, which involves personal information.
Public Body - For purposes of this policy refers to Memorial University of Newfoundland.
Record - A record of information in any form and recorded or stored in any manner, including paper, electronic, digital, audio, and video, but does not include a computer program or a mechanism that produces records on any storage medium.
Unit Head - For the purposes of this policy, unit head is the term used to mean Deans, Divisions Heads, Heads of Schools, Directors, Executive Directors, the University Librarian, the University Registrar, Associate Vice-Presidents and Vice-Presidents, as applicable.
1. Memorial University complies in all respects with all applicable privacy legislation, including the Access to Information and Protection of Privacy Act of Newfoundland and Labrador as well as the Personal Information Protection and Electronic Documents Act of Canada and other applicable privacy legislation that may be enacted.
2. All employees of Memorial University are responsible for the protection of the privacy of students, employees, alumni, donors, research participants, retirees and others whose personal information is in the custody and/or under the control of the University. All employees are expected to undertake privacy awareness training authorized by the University's Information Access and Privacy Protection (IAPP) Office.
3. The President has ultimate accountability for compliance with ATIPPA privacy provisions. The President may delegate his or her powers under ATIPPA in whole or in part, but his or her delegates may not sub-delegate. The delegation of the President shall be in writing. Delegates may assign related duties to subordinates as necessary to fulfill delegated responsibilities under ATIPPA.
4. Unit heads are responsible for establishing and maintaining measures to ensure their units are protecting privacy, in accordance with the Procedure for Administering Privacy Measures within a Unit.
6. In compelling circumstances, for example where health and safety may be at stake, disclosures of personal information may be made in accordance with exceptions for such circumstances in the legislation. Employees considering disclosure of personal information in such circumstances must seek advice from the University Privacy Officer and/or the Office of General Counsel.
7. Memorial University is guided by the principles of the Canadian Standards Association Model Privacy Code in a manner that complies with ATIPPA and any other legislation that may apply in the circumstances:
A. Accountability: The University is responsible for personal information in its custody and/or under its control and has designated a University Privacy Officer who is accountable for the organization's compliance with the following principles.
B. Identifying Purposes and Consent: The University identifies to the individual the authority and purposes for the collection and use of personal information at the time of collection, and the contact information of an employee who can answer questions about the collection. The University obtains the individual's consent to the collection of sensitive personal information and personal information collected for the purpose of disclosure outside the University. The University collects personal information directly from the subject of the information whenever it is feasible and appropriate to do so. When direct collection is not feasible or appropriate, the University makes every reasonable effort to ensure the accuracy of personal information collected from third parties.
C. Limiting Collection: The University limits its collection of personal information to that which is required for its programs and services. Wherever feasible and appropriate, the University collects personal information about students, employees, alumni, donors, research participants, retirees and others directly from the individual concerned. A Privacy Notice is provided to the individual at the time of collection.
D. Limiting Use, Disclosure and Retention: The University limits its use and disclosure of personal information to those purposes identified under Limiting Collection and in accordance with the applicable privacy legislation. The University uses personal information only for the purpose for which it was collected or compiled; for a consistent purpose; with the written consent of the individual; or for the purpose for which the information was disclosed to the University. Employees use only the minimum amount of personal information needed. The University does not disclose personal information to any individual other than the subject unless it is permitted under ATIPPA. Any disclosure is limited to the minimum amount necessary.
E. Accuracy: The University makes every reasonable effort to ensure that the personal information it collects, uses and discloses is accurate and complete.
F. Security: The University ensures that personal information in its custody is secured in a manner appropriate to the sensitivity and purpose of the information. The University ensures that records containing personal information are protected from unauthorized collection, access, use, disclosure and disposal by putting in place reasonable administrative, physical and technical security measures. All employees ensure that personal information which they handle as part of their job is secure from unauthorized access, that collection, use and disclosure of personal information is minimized and that records are managed in accordance with an established records retention and disposal system.
H. Individual Access: An individual may access his or her personal information by making a request to the University department responsible for the information, or to the University Privacy Officer. When personal information is used to make a decision affecting someone, the information will be kept for at least one year so that the individual will have sufficient opportunity to access the information, if desired. Upon request from an applicant, the University will correct an error or omission in an applicant's personal information or annotate the file if no correction is made. Other public bodies and third parties to whom the information was disclosed in the previous twelve month period will be notified of the correction or annotation and asked to update their records.
1. University employees who act in good faith and who execute their employment responsibilities with a reasonable standard of care shall not be subject to discipline for privacy breaches.
2. Privacy breaches arising from noncompliance with the legislation or this policy may result in disciplinary action up to and including dismissal.