Procedure for Administering Privacy Measures Within a Unit
Unit Privacy Officer
- Assign the role of privacy officer within the unit: a position (or positions) that oversees the application of University privacy policies and procedures, liaises with the University Privacy Officer on privacy matters, and develops and implements privacy measures specific to the unit.
Privacy Notices and Consent
- Create privacy notices for all forms/documents/systems which collect personal information, including electronic collection. These privacy notices must state the authority and purpose for the collection and contact information of an employee who can answer questions about the collection. See sample Privacy Notices.
- Obtain written consent for the collection of sensitive personal information, including social insurance numbers, financial/banking information and health information; for personal information collected for the purpose of disclosure outside the University; and for information collected for an unusual purpose, for example, collecting students' opinions on non-curricular matters. Consent should also be obtained when the intended use involves broad disclosure, e.g., publication of student information (on a website or in written form).
- Periodically review privacy notices.
- Appropriate security measures will be used to secure the confidentiality, integrity and accessibility of personal information. The nature of such measures will be consistent with the sensitivity of the personal information involved. In all cases, the confidentiality, integrity and accessibility of personal information will be maintained whenever it is in the custody or control of the University. Access to personal information will be restricted to duly authorized persons and organizations.
- Security safeguards will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, modification or disposal, through all phases of its life cycle, regardless of the format in which it is held.
- The methods used to protect personal information will include:
  - Physical measures (e.g., locked filing cabinets and restricted access to offices; after-hours alarms and monitoring systems),
  - Organizational measures (e.g., security clearances and other measures to limit access to personal information on a "need-to-know" basis as it relates to job duties), and
  - Technological measures (e.g., the use of encryption, role-based user authorization and authentication, transaction logging and intrusion detection).
- Ensure that employees, including student employees, volunteers and contractors, are aware of their privacy protection responsibilities and of the specific measures established within the unit.
- Orient new employees to privacy awareness. Ensure that all employees complete privacy education and awareness training offered through the IAPP Office.
- Ensure that all contracted individuals and entities (including consultants and external service providers) whose work will involve access to personal information sign the Privacy Schedule. The IAPP Advisory Committee has approved the standard Memorial University Privacy Schedule. In certain situations, alternative privacy provisions may be made with the written approval of the University Privacy Officer and General Counsel. The standard Privacy Schedule is available from the University Privacy Officer and at www.mun.ca/iapp/resources.
- Ensure that these Privacy Procedures are adhered to by the unit.
- Ensure all new projects involving personal information are checked for privacy compliance using the privacy compliance checklist. See Procedure for Checking Privacy Compliance. Research projects involving human subjects which have received ethics approval from a duly-constituted research ethics board are exempt from this requirement.
- Document, and update when necessary, the unit's privacy measures and file a copy with the respective Vice-President or the President, as appropriate.