This downloaded copy is unofficial. Check www.mun.ca/policy for the official version.

Memorial University of Newfoundland


Privacy

Approval Date: 2008-09-11

Effective Date: 2013-04-09

Review Date: 2020-09-11

Authority:

The President through the University Privacy Officer

Principle

Memorial University is entrusted with the personal information of its students, employees, alumni, donors, research participants, retirees and others and is committed to excellence in its management of this information.

Purpose

To ensure that the University protects the privacy of its students, employees, alumni, donors, research participants, retirees and others whose personal information is in the University's custody or control and that it upholds applicable privacy legislation governing the collection, use and disclosure of personal information.

Scope

All campuses and organizational units of Memorial University.  All information and records in the custody and/or under the control of the University. The policy is based on the requirements of the privacy legislation that applies to Memorial University. In order of importance for University operations, the three Acts that apply are:

1.         Access to Information and Protection of Privacy Act (ATIPPA) of Newfoundland and Labrador

ATIPPA is the primary privacy legislation with which the University shall comply. The independent oversight authority for ATIPPA is the Information and Privacy Commissioner of Newfoundland and Labrador.

2.         Privacy Act of Newfoundland and Labrador

The Privacy Act of Newfoundland and Labrador establishes grounds for civil action in the event of unauthorized surveillance, recording, impersonation or use of personal communications or documents without the consent of the individual or a duly authorized representative.

3.         Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada

PIPEDA may apply to the University in a few commercial transactions, such as some financial transactions involving parties outside Newfoundland and Labrador or Canada and certain contracts with third parties. The independent oversight authority for PIPEDA is the Privacy Commissioner of Canada.

Definitions

Commissioner — The Information and Privacy Commissioner of Newfoundland and Labrador if the applicable legislation is the Access to Information and Protection of Privacy Act and the Privacy Commissioner of Canada if the applicable legislation is the Personal Information Protection and Electronic Documents Act.

Compliance Checklist — A pre-Privacy Impact Assessment (PIA) compliance tool to assess privacy compliance and privacy risks of a project, undertaking, software application or Personal Information Bank (PIB) and determine whether a full Privacy Impact Assessment (PIA) is required.

Employee — Has the meaning given in the ATIPP Act, including salaried employees, wage employees, contract employees, and persons retained under a contract to perform services for the University.

Head — The Head for the purposes of the ATIPP Act is the University President, in accordance with a resolution of the Board of Regents passed on March 22, 2007.

IAP Advisory Committee — Information Access and Privacy Advisory Committee. A standing committee of the University, reporting to the President, which has responsibility for advising the University Privacy Officer in the development and implementation of the University's privacy policy and procedures.

IAP Office — The University's Information Access and Privacy Office.

Legislation — The privacy legislation with which the University is required to comply. Depending on the nature of the personal information and the purposes for which it is collected, used or disclosed, the legislation may be one or more of the Access to Information and Protection of Privacy Act of Newfoundland and Labrador, or the Personal Information Protection and Electronic Documents Act of Canada, as well as the relevant Regulations, and any other privacy legislation which may be enacted.

Personal Information — Recorded information about an identifiable individual, including (not an exhaustive list).

PIA — Privacy Impact Assessment. A formal assessment of the privacy obligations, risks and requirements related to a given project, undertaking, software application or Personal Information Bank (PIB).

PIB — Personal Information Bank. A collection of paper records or electronic documents that is sorted by a personal identifier, such as name, student ID or employee ID, or a database that is indexed by one or more personal identifiers.

Privacy Breach — Occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information.

Privacy Schedule — A schedule to be included in all University contracts, which contains provisions to ensure that the contractor provides adequate privacy protection and related support for personal information governed by the contract.

Project — When used in relation to privacy compliance checklists, Privacy Impact Assessments and related matters, the word "Project" subsumes for the sake of brevity the words "scheme", "program", "initiative", "application", "system", and any other word or term that refers to a formal, defined course of endeavour, which involves personal information.

Public Body — For purposes of this policy refers to Memorial University of Newfoundland.

Record — A record of information in any form, and includes a dataset, information that is machine readable, written, photographed, recorded or stored in any manner, but does not include a computer program or a mechanism that produced records on any storage medium.

Unit Head — For the purposes of this policy, unit head is the term used to mean Deans, Division Heads, Heads of Schools, Directors, Executive Directors, the University Librarian, the University Registrar, Associate Vice-Presidents and Vice-Presidents, as applicable.

Unit Privacy Officer — The employee(s) designated in each academic and administrative unit of the University, to implement privacy policy and procedures in that unit. It does not preclude any unit from establishing a position of unit privacy officer. This is a functional description, not a position title.

University Privacy Officer — The position with overall management responsibility for privacy policy and procedures at the University. This is a functional description, not a position title. The University Privacy Officer is appointed by the President of the University. Unless otherwise indicated, the University Privacy Officer is the Information Access and Privacy Advisor.

Policy

1.         Memorial University complies in all respects with all applicable privacy legislation, including the Access to Information and Protection of Privacy Act of Newfoundland and Labrador as well as the Personal Information Protection and Electronic Documents Act of Canada and other applicable privacy legislation that may be enacted. 

2.         All employees of Memorial University are responsible for the protection of the privacy of students, employees, alumni, donors, research participants, retirees and others whose personal information is in the custody and/or under the control of the University. All employees are expected to undertake privacy awareness training authorized by the University's Information Access and Privacy (IAP) Office.

3.         The Head has ultimate accountability for compliance with ATIPPA privacy provisions.  The Head may delegate his or her powers under ATIPPA in whole or in part, but his or her delegates may not sub-delegate.  The delegation of the Head shall be in writing. Delegates may assign related duties to subordinates as necessary to fulfill delegated responsibilities under ATIPPA.

4.         Unit heads are responsible for establishing and maintaining measures to ensure their units are protecting privacy, in accordance with the Procedure for Administering Privacy Measures within a Unit.

5.         The University Privacy Officer is guided by the Memorial University Privacy Policy in executing her/his responsibilities.

6.         In compelling circumstances, for example where health and safety may be at stake, disclosures of personal information may be made in accordance with exceptions for such circumstances in the legislation. Employees considering disclosure of personal information in such circumstances must seek advice from the University Privacy Officer and/or the Office of General Counsel.

7.         Memorial University is guided by the principles of the Canadian Standards Association Model Privacy Code in a manner that complies with ATIPPA and any other legislation that may apply in the circumstances:

A.        Accountability: The University is responsible for personal information in its custody and/or under its control and has designated a University Privacy Officer who is accountable for the organization's compliance with the following principles.

B.        Identifying Purposes and Consent: The University identifies to the individual the authority and purposes for the collection and use of personal information at the time of collection, and the contact information of an employee who can answer questions about the collection. The University obtains the individual's consent to the collection of sensitive personal information and personal information collected for the purpose of disclosure outside the University. The University collects personal information directly from the subject of the information whenever it is feasible and appropriate to do so. When direct collection is not feasible or appropriate, the University makes every reasonable effort to ensure the accuracy of personal information collected from third parties.

C.        Limiting Collection: The University limits its collection of personal information to that which is required for its programs and services. Wherever feasible and appropriate, the University collects personal information about students, employees, alumni, donors, research participants, retirees and others directly from the individual concerned. A Privacy Notice is provided to the individual at the time of collection. 

D.       Limiting Use, Disclosure and Retention: The University limits its use and disclosure of personal information to those purposes identified under Limiting Collection and in accordance with the applicable privacy legislation. The University uses personal information only for the purpose for which it was collected or compiled; for a consistent purpose; with the written consent of the individual; or for the purpose for which the information was disclosed to the University.  Employees use only the minimum amount of personal information needed. The University does not disclose personal information to any individual other than the subject unless it is permitted under ATIPPA.  Any disclosure is limited to the minimum amount necessary.

E.        Accuracy: The University makes every reasonable effort to ensure that the personal information it collects, uses and discloses is accurate and complete.

F.        Security: The University ensures that personal information in its custody is secured in a manner appropriate to the sensitivity and purpose of the information. The University ensures that records containing personal information are protected from unauthorized collection, access, use, disclosure and disposal by putting in place reasonable administrative, physical and technical security measures. All employees ensure that personal information which they handle as part of their job is secure from unauthorized access, that collection, use and disclosure of personal information is minimized and that records are managed in accordance with an established records retention and disposal system.

G.        Openness: The University's Privacy Policy and related procedures are available on the University's policy website at www.mun.ca/policy and this on-line version is the official version.  Printed copies are available from the University Privacy Officer, who responds to any related questions. The University notifies affected individuals of any potentially detrimental breaches of its privacy controls, a requirement in  the Procedure for Administering Privacy Measures Within a Unit.

H.        Individual Access: An individual may access his or her personal information by making a request to the University department responsible for the information, or to the University Privacy Officer. When personal information is used to make a decision affecting someone, the information will be kept for at least one year so that the individual will have sufficient opportunity to access the information, if desired. Upon request from an applicant, the University will correct an error or omission in an applicant's personal information or annotate the file if no correction is made. Other public bodies and third parties to whom the information was disclosed in the previous twelve month period will be notified of the correction or annotation and asked to update their records.

I.         Challenging Compliance: Complaints or questions with respect to the University's compliance with this Privacy Policy may be made in accordance with the Procedure for Challenging Privacy Compliance.  The University Privacy Officer shall investigate all complaints received or shall delegate the investigation to another investigator.

8.         To monitor compliance with the Privacy Policy, all projects involving personal information must be reviewed using the Privacy Compliance Checklist, in accordance with the Procedure for Checking Privacy Compliance.   This may determine that a Privacy Impact Assessment is required. This compliance requirement does NOT apply to research projects involving human participants which have received ethics approval from a duly-constituted research ethics board, including a research ethics body under the Health Research Ethics Authority Act.

Noncompliance

1.         University employees who act in good faith and who execute their employment responsibilities with a reasonable standard of care shall not be subject to discipline for privacy breaches.

2.         Privacy breaches arising from noncompliance with the legislation or this policy may result in disciplinary action up to and including dismissal.

Related Documents

ATIPP Request Form
Privacy Compliance Checklist
Privacy Impact Assessments (PIA's)
Researcher Agreement
Information Request Policy
Information Management Policy

Procedures

For inquiries related to this policy:

Information Access and Privacy Advisor (709) 864-8214

Sponsor: Vice-President (Administration & Finance)

Category: General

Previous Versions:

There is at least one previous version of this policy. Contact the Policy Office to view earlier version(s).

Approval Date 2008-09-11   Effective Date 2008-09-11

Procedure for Administering Privacy Measures Within a Unit

Approval Date: 2013-04-09

Responsible Unit: Information Access and Privacy Office

Unit heads (who for purposes of the procedure and the Privacy policy include Deans, Division Heads, Heads of Schools, Directors, Executive Directors, the University Librarian, the University Registrar, Associate Vice-Presidents and Vice-Presidents, as applicable) are responsible for ensuring privacy measures are established, in consultation with the University Privacy Officer, and administered within their respective units, in accordance with the following:

Unit Privacy Officer

Privacy Notices and Consent

Security Measures

Staff/contractor obligations

General

 


Procedure for Challenging Privacy Compliance

Approval Date: 2008-09-11

Responsible Unit: Information Access and Privacy Office

Reporting Non-Compliance Incidents

Informal Resolution
Complaints of non-compliance may be resolved quickly and effectively by contacting the unit responsible. The unit should endeavour to resolve the matter to the complainant's satisfaction.

Resolution through the University Privacy Officer
1. Contact the Office of Information Access and Privacy
2. Complete the Privacy Complaint Form

If no informal resolution has been attempted or if an informal resolution has been unsuccessful, a written complaint may be submitted to the Information Access and Privacy Office, using the Privacy Complaint Form, available at www.mun.ca/iap. A representative of the IAP Office will contact the complainant to discuss the issues raised and arrange a meeting, if necessary.

The representative of the IAP Office may determine that the complaint can be handled informally. S/he will advise the University Privacy Officer, who may advise the complainant of the informal resolution process and assist him/her in liaising with the relevant unit.

The University Privacy Officer will review the complaint and investigate to determine the nature of the complaint. This may involve contacting the unit head and other relevant parties to discuss the complaint. The complainant's name will be held in confidence and disclosed only if necessary to investigate and resolve the complaint.

When the University Privacy Officer concludes that a successful resolution has been reached, s/he will respond to the complainant detailing the solution within 30 working days of receipt of the Privacy Complaint Form. The complaint and resolution will be kept on file for 12 months.

When several complaints are received about the same incident and can be resolved together, they will be treated as one complaint.

If the complainant is not satisfied with the resolution, s/he may ask the Office of the Information and Privacy Commissioner to investigate the complaint.


Procedure for Checking Privacy Compliance

Approval Date: 2008-09-11

Responsible Unit: Information Access and Privacy Office

The University uses a two-stage privacy impact assessment process:

The first stage is the Privacy Compliance Checklist, which is mandatory for all projects except research projects involving human subjects which have received ethics approval from a duly-constituted research ethics board.

The Checklist should be completed by the person responsible for the project, such as the project manager, in consultation with the unit's privacy officer. It must be approved by the responsible unit head and submitted to the University Privacy Officer for review. Upon the completion of the checklist, a full Privacy Impact Assessment (PIA) may be required depending on the project.

Privacy Compliance Checklist

A Privacy Compliance Checklist must be completed for all new projects (except those noted above) and personal information banks (PIBs) that are developed, acquired or substantially revised by any academic or administrative unit of the University.  It is required to be completed during the planning stages of all (1) new projects and (2) modifications of existing projects.  It may be used to check any existing program, paper-based or electronic, for privacy compliance.

The Privacy Compliance Checklist is available at www.mun.ca/iap or from the University Privacy Officer, who will provide training and support for its use, as necessary.

The Privacy Compliance Checklist will be completed by the responsible organizational unit of the University before any collection, use or disclosure of personal information occurs in conjunction with the project or PIB that is the subject of the checklist.  Completed checklists must be submitted to the University Privacy Officer who will complete a review of the checklist results and may make recommendations to the responsible unit head regarding actions that may need to be taken to reduce any privacy risks identified and to ensure compliance with the legislation, the University's privacy policy, or related procedures.  If Checklist results contain significant privacy risks, the University Privacy Officer will consult with the IAP Advisory Committee.

Should the responsible unit head choose not to accept the recommendations of the University Privacy Officer in whole or in part, reasons for doing so will be communicated to the University Privacy Officer and IAP Advisory Committee in writing.

Privacy Impact Assessment (PIA)

Based on a review of Privacy Compliance Checklist results and other factors, the University Privacy Officer may determine that a full PIA is required.  The University Privacy Officer will consult with the IAP Advisory Committee before rendering a decision regarding the need for a PIA.  Although the University Privacy Officer may overrule the recommendation of the IAP Advisory Committee, he or she would do so only upon very careful consideration of the issues involved.

The University Privacy Officer will provide advice and assistance in the completion of PIAs, but the ultimate accountability for their completion will rest with the unit head responsible for the project or PIB that is the subject of the PIA.

Every PIA will include, at a minimum, descriptions of the following:

A full PIA requires the involvement of a number of project participants and is required for a relatively small number of projects for which Privacy Compliance Checklists are completed.

The PIA will include the results of the Privacy Compliance Checklist, which will be appended to the PIA.  No PIA will be undertaken for any project for which a Privacy Compliance Checklist has not been completed.  The PIA document will have the following table of contents:

1. Executive Summary

2. Definitions

3. Project Description

3.1. Project Objectives

3.2. Requirements for Personal Information

3.3. Authority for Collection, Use and Disclosure of Personal Information

3.4. Information Security Measures

4. List of Personal Information Data Elements

5. Table or Chart of Personal Information Flows

6. Contractual Relationships

7.  Privacy Risks

7.1. Risk 1

7.1.1. Description of Risk

7.1.2. Description of Mitigation Measures

7.1.3. Estimation of Residual Risk after Mitigation

7.2. Risk 2...

8. Summary of Risks and Mitigation Measures

9. General Assessment of Project Compliance with Applicable Legislation

10. Appendices

10.1. Project Charter and Descriptive Documentation

10.2. Completed Privacy Compliance Checklist

10.3. Other relevant Documentation

10.4. ...

A spreadsheet is available from the University Privacy Officer to assist in the assessment of risks for PIAs.  This spreadsheet evaluates user-specified risks and mitigation measures against the ten Fair Information Principles of the CSA Model Privacy Code, which form the basis of the University's Privacy Policy and these Procedures.


Procedure for Correcting/Annotating Personal Information

Approval Date: 2008-09-11

Responsible Unit: Information Access and Privacy Office

Under ATIPPA (Section 35), individuals have a right, within statutory timelines, to formally request correction of their personal information if they believe it contains an error or omission.  This right relates to the university's obligations to ensure that decisions are based on accurate information and to individuals' right of access to their own personal information.

Informal handling

When a person advises a unit that s/he believes personal information in a university record contains an error or omission, and can demonstrate that the information is inaccurate or incomplete, every effort should be made to accommodate the request and make the correction, within statutory timelines.  If the same error is contained in records in other units of the university or has been disclosed by the university to an outside party, the other units should also be advised of the corrected information.

If the university unit disagrees with the person and maintains that its record is accurate, the file must be annotated to show that the individual disagrees with the information.  In addition to providing an explanation of their refusal to correct the information, the unit must advise the individual of her/his right to file a formal request to correct personal information with the University Privacy Officer.

Formal request for correction of factual information

All formal correction requests must be submitted to the University Privacy Officer, who has statutory timelines and obligations to fulfill for all requests.  Applications are available from the University Privacy Officer. An applicant whose request for correction is refused has the right to ask the Information and Privacy Commissioner to review the university's decision.

Include correction or annotation with original file

Whenever a correction or an annotation is made, the file should be set up so that the correction or annotation will always be retrieved when the original file is retrieved.

Duty to inform other organizations

If a correction or annotation is made, the University unit should determine if other units or other external organizations have received the information in the past year.  If so, the unit should inform the other unit/organization about the correction/annotation.  A year runs from the date the correction was requested.

When a unit receives information about a correction or annotation, it is required to make the correction in its own files as well.  Individuals or organizations not covered by the ATIPP Act are not compelled to correct/annotate their records but they must be notified by the University unit.

As normal practice, a record should be kept of all personal information disclosed to other public bodies and third parties, enabling subsequent notification of a correction or annotation to a disclosed record.

 


Procedure for Giving Researchers Access to Personal Information

Approval Date: 2008-09-11

Responsible Unit: Information Access and Privacy Office

All units receiving requests from researchers, whether employees or external to the University, for access to personally-identifiable data in the unit's custody will ensure that the researcher signs the standard Researcher Agreement.  The Researcher Agreement is required whenever a research project will involve the University's disclosure of personally-identifiable information.  The Researcher Agreement is available from the University Privacy Officer.  It should be retained by the unit granting access to the data in its custody.


Procedure for Managing a Privacy Breach

Approval Date: 2010-03-25

Responsible Unit: Information Access and Privacy Office

A privacy breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information.  Such activity is "unauthorized" if it occurs in contravention of Part IV of ATIPPA or, if applicable, a relevant provision of PIPEDA.  An example of a privacy breach would be personal information becoming lost or stolen or personal information being mistakenly emailed to the wrong person.

The recommended privacy breach incident protocol has five steps.  Step 1 is the responsibility of the individual or individuals who first become aware of the potential breach.  The second through fifth steps are the responsibility of the University Privacy Officer, working in cooperation with other University officials and staff, as necessary.

Step 1: Reporting the Breach

Any employee who becomes aware of a possible breach of privacy involving personal information in the custody or control of the University will immediately inform his or her immediate supervisor, the unit privacy officer and the University Privacy Officer.  The supervisor will inform the responsible unit head and will verify the circumstances of the possible breach.  As soon as it has been confirmed whether or not the breach occurred, the supervisor will inform both the responsible unit head and the University Privacy Officer.  This confirmation will occur within 24 hours of the initial report.

The unit head in consultation with the University Privacy Officer will decide whether or not to notify the respective Vice-President or the President as appropriate, by taking into consideration the seriousness and scope of the breach.

When a breach has been confirmed, the University Privacy Officer will implement the remaining four steps of the breach incident protocol.

Step 2: Containing the Breach

The University Privacy Officer will take the following steps to limit the scope and effect of the breach.  These steps will include:

1)  Work with units to immediately contain the breach by, for example, stopping the unauthorized practice, recovering the records, shutting down the system that was breached, or correcting weaknesses in security, and

2)  In consultation with University officials, notify the police if the breach involves, or may involve, any criminal activity.

Step 3: Evaluating the Risks Associated with the Breach

To determine what other steps are immediately necessary, the University Privacy Officer, working with other University staff as necessary, will assess the risks associated with the breach.  The following factors will be among those considered in assessing the risks:

1)  Personal Information Involved

a)  What data elements have been breached? Generally, the more sensitive the data, the higher the risk.  Health information, social insurance numbers and financial information that could be used for identity theft are examples of sensitive personal information.

b)  What possible use is there for the personal information?  Can the information be used for fraudulent or otherwise harmful purposes?

2)  Cause and Extent of the Breach

a)  What is the cause of the breach?

b)  Is there a risk of ongoing or further exposure of the information?

c)  What was the extent of the unauthorized collection, use or disclosure, including the number of likely recipients and the risk of further access, use or disclosure, including in mass media or online?

d)  Is the information encrypted or otherwise not readily accessible?

e)  What steps have already been taken to minimize the harm?

3)  Individuals Affected by the Breach

a)  How many individuals are affected by the breach?

b)  Who was affected by the breach: employees, students, alumni, retirees, public, contractors, clients, service providers, other individuals/organizations?

4)  Foreseeable Harm from the Breach

a)  Is there any relationship between the unauthorized recipients and the data subject?

b)  What harm to the individuals will result from the breach?  Harm that may occur includes:

i)  Security risk (e.g., physical safety)

ii)  Identity theft or fraud

iii)  Loss of business or employment opportunities

iv)  Hurt, humiliation, damage to reputation or relationships

c)  What harm could result to the University as a result of the breach? For example:

i)  Loss of trust in the University

ii)  Loss of assets

iii)  Financial exposure

d)  What harm could result to the public as a result of the breach? For example:

i)  Risk to public health

ii)  Risk to public safety

Step 4: Notification

Notification can be an important mitigation strategy in the right circumstances.  The key consideration overall in deciding whether to notify will be whether notification is necessary in order to avoid or mitigate harm to an individual whose personal information has been inappropriately collected, used or disclosed.  The University Privacy Officer will work with the units involved and the appropriate University officials to decide the best approach for notification.

1)  Notifying Affected Individuals

Some considerations in determining whether to notify individuals affected by the breach include:

a)  Contractual obligations require notification.

b)  There is a risk of identity theft or fraud (usually because of the type of information lost, such as SIN, banking information, identification numbers).

c)  There is a risk of physical harm (if the loss puts an individual at risk of stalking or harassment).

d)  There is a risk of hurt, humiliation or damage to reputation (for example when the information lost includes medical or disciplinary records).

2)  When and How to Notify

a)  When: Notification of individuals affected by the breach will occur as soon as possible following the breach.  However, if law enforcement authorities have been contacted, those authorities will assist in determining whether notification will be delayed in order not to impede a criminal investigation.

b)  How: The preferred method of notification is direct - by phone, letter or in person - to affected individuals.  Indirect notification - website information, posted notices, media - will generally occur only where direct notification could cause further harm, is prohibitive in cost or contact information is lacking.  Using multiple methods of notification in certain cases may be the most effective approach.

3)  What will be Included in the Notification?

Notifications will include the following pieces of information:

a)  Date of the breach

b)  Description of the breach

c)  Description of the information inappropriately accessed, collected, used or disclosed.

d)  The steps taken to mitigate the harm.

e)  Next steps planned and any long-term plans to prevent future breaches.

f)  Steps the individual can take to further mitigate the risk of harm.

g)  Contact information for the University Privacy Officer.

4)  Others to Contact

Regardless of what obligations are identified with respect to notifying individuals, notifying the following authorities or organizations will also be considered:

a)  Police: if theft or other crime is suspected.

b)  Insurers or others: if required by contractual obligations.

c)  Professional or other regulatory bodies: if professional or regulatory standards require notification of these bodies.

d)  Applicable research ethics authority

e)  Office of the Information and Privacy Commissioner: The following factors are relevant in deciding when to report a breach to the OIPC:

i)  the sensitivity of the personal information;

ii)  whether the disclosed information could be used to commit identity theft;

iii)  whether there is a reasonable chance of harm from the disclosure, including non-pecuniary losses;

iv)  the number of people affected by the breach; and

v)  whether the information was fully recovered without further disclosure.

Step 5: Prevention

Once the immediate steps are taken to mitigate the risks associated with the breach, the University Privacy Office will investigate the cause of the breach.  If necessary, this will include a security audit of physical, organizational and technological measures.  As a result of this evaluation, the University Privacy Officer will assist the responsible unit(s) to put into effect adequate long-term safeguards against further breach.  Policies will be reviewed and updated to reflect the lessons learned from the investigation and regularly after that.  The resulting plan will also include audit recommendations, if appropriate.


Procedure for Retention of Personal Information

Approval Date: 2008-09-11

Responsible Unit: Information Access and Privacy Office

Under ATIPPA, any record containing an individual's personal information which is used to make a decision affecting that person must be retained for at least twelve months. The purpose of this requirement under ATIPPA is to give the individual an opportunity to access the record, if desired.


Procedure for Shredding and Disposal of Confidential Materials - St. John's Campus

Approval Date: 2016-05-26

Responsible Unit: Department of Facilities Management

The University, through the Department of Facilities Management, contracts a service provider for the shredding and disposal of confidential materials, on site and off site, for the St. John's Campus. Materials include: records, video, diskettes, compact discs, hard drives.

Units with their own shredding equipment, capable of achieving a maximum cut size of 15-16 mm in width, should use that equipment for small amounts of shredding. The central service should be used for larger quantities or for multimedia that cannot be shredded with the unit's equipment.

The preferred method for the central service of shredding and disposal is off site.

The on-site method should only be requested if you wish to observe the shredding process; otherwise, the off-site method should be used. The cost per box may differ for on-site and off-site shredding.  Units must contact the Procurement Officer before requesting any on-site shredding as the operation and/or noise levels of the shredding equipment may affect personnel working in various locations.

Units requesting shredding must:

  1. Complete the Facilities Management "Service/Material Authorization" form and indicate which service you are using ("on-site" or "off-site"). If you select the "on-site" service and wish to observe the actual shredding process, please inform the service provider when you contact them to schedule the service.
  2. Contact the service provider directly and arrange with them to collect the materials to be shredded. 
    1. The current service provider for "on-site" service is Access Corp: 709-237-2237.
    2. The current service provider for "off-site" service is Avalon Recycling Services Ltd.: 368-0416.
  3. Provide the service provider with the building location, room number and contact person/phone number along with the RR number from the Facilities Management "Service/Material Authorization" form. The service provider will confirm an appointment.
  4. When the materials have been collected for shredding, the service provider will issue a "Certificate of Destruction." Forward the completed "Service/Material Authorization" form and the "Certificate of Destruction" to the attention of:

    Bernard Doyle
    Procurement Officer
    Facilities Management
    Room FM-2029