This downloaded copy is unofficial. Check www.mun.ca/policy for the official version.

Memorial University of Newfoundland

  Memorial University of Newfoundland

Institutional Surveys

Approval Date: 2016-10-05

Effective Date: 2017-01-01

Review Date: 2020-10-05

Authority:

The Provost and Vice-President (Academic) through the Director of the Centre for Institutional Analysis and Planning.

Purpose

To optimize the benefits of Institutional Surveys at the University by ensuring a coordinated and consistent approach.

Scope

Institutional Survey activities that engage any broad sampling or census of members of the University community and that involve direct requests to individuals for information.

This policy does not apply to:

Definitions

Administrative Purpose — A use of information for the operating functions of the University. This may include activities for assessment, evaluation, quality assurance, management or improvement purposes and any other non-research activities pertaining to how the University and/or its Unit(s) operate.

CIAP — Centre for Institutional Analysis and Planning.

Institutional Survey — A survey conducted by a University Unit or its subsidiaries, or by a third-party under the direction of the University for an Administrative Purpose, and directed towards a sample or population of the University. University populations include prospective students, current students, employees, alumni, or other stakeholders.

ISOC — Institutional Survey Oversight Committee, whose Terms of Reference are here.

Survey — The formal collection of information from a sample or population of individuals regarding a topic, program, service, opinion, or experience.

Unit — Academic or administrative unit, as defined in the University Calendar, or any board or other body appointed or elected to carry out University business.

University — Memorial University of Newfoundland.

Policy

Institutional surveys are centrally coordinated to ensure that:

In accordance with its Terms of Reference, CIAP is the University‚Äôs principal agent for surveys for students, employees and alumni. CIAP is the initial point of contact for survey requests. The Procedure for Requesting Survey Approval must be followed for all Institutional Surveys.

Scheduling of Institutional Surveys occurs on an academic year basis. The Schedule of Institutional Surveys reflects the current and upcoming surveys and is updated as surveys are approved. CIAP maintains the approved Schedule of Institutional Surveys.

ISOC is responsible for the review and approval of survey requests through a standardized process.  The guiding principles for the approval of survey requests are:

ISOC may determine that certain regularized Institutional Surveys or survey frameworks require a one-time approval and do not require approval for each subsequent administration. The list of approved, regularized surveys is available here.

Institutional Surveys that are approved by ISOC must be administered according to the Procedure for Administering Institutional Surveysand the protocols outlined in the Institutional Survey Request Form, incorporating any amendments made by the ISOC as a condition of approval.

Surveys that have not been approved by the ISOC may result in the termination of the survey and destruction of any collected data.

Related Documents

Appropriate Use of Computing Resources policy
Contract Administration policy
Electronic Data Security policy
Ethics of Research Involving Human Participants policy
Information Management policy
Institutional Survey Request Form
Privacy policy
Privacy Compliance Checklist
Schedule of Institutional Surveys
Terms of Reference - ISOC

Procedures

For inquiries related to this policy:

Centre for Institutional Analysis and Planning General Office at ciap@mun.ca or709-864-4016

Sponsor: Provost and Vice-President (Academic)

Category: Operations


Procedure for Administering Institutional Surveys

Approval Date: 2016-10-05

Responsible Unit: Centre for Institutional Analysis and Planning

Survey Approval 

All Institutional surveys must have approval from the Institutional Survey Oversight Committee, in accordance with the Institutional Surveys policy.

Required Protocols and Documents

The survey introduction and/or instrument must include:

Determine if a Privacy Compliance Checklist is required.  See the Privacy policy and the Procedure for Checking Privacy Compliance.

Ensure that any individuals who will be handling survey related information who are not regular university employees (e.g., student employees, work-term students, etc.,) complete a Confidentiality Agreement.  A sample confidentiality agreement is available here.

If using a third-party server to host the survey:

If an external third-party agency/contractor is conducting the survey on behalf of the University:

The University office (e.g., Registrar’s Office) that will be supplying the file of contact information for the survey population/sample may require a Researcher Agreement, available here, and other documentation related to privacy protection, data use, and confidentiality.

Design and Methodology 

Institutional Surveys must follow established standards for survey methodologies. These standards are available from the CIAP office and relate to the following:

Information Management and Protection of Personal Information

The University's Privacy, Information Management and Electronic Data Security policies must be followed throughout the survey administration.  Particular attention should be given to the following as related to survey administration:

 


Procedure for Checking Privacy Compliance

Approval Date: 2008-09-11

Responsible Unit: Information Access and Privacy Office

The University uses a two-stage privacy impact assessment process:

The first stage is the Privacy Compliance Checklist, which is mandatory for all projects except research projects involving human subjects which have received ethics approval from a duly-constituted research ethics board.

The Checklist should be completed by the person responsible for the project, such as, the project manager in consultation with the unit's privacy officer and must be approved by the responsible unit head and submitted to the University Privacy Officer for review. Upon the completion of the checklist, a full Privacy Impact Assessment (PIA) may be required depending on the project. 

Privacy Compliance Checklist

A Privacy Compliance Checklist must be completed for all new projects (except those noted above) and personal information banks (PIB's) that are developed, acquired or substantially revised by any academic or administrative unit of the University and is required to be completed during the planning stages of all (1) new projects and (2) modifications of existing projects.  It may be used to check any existing program, paper-based or electronic, for privacy compliance. 

The Privacy Compliance Checklist is available at www.mun.ca/iap or from the University Privacy Officer, who will provide training and support for its use, as necessary.

The Privacy Compliance Checklist will be completed by the responsible organizational unit of the University before any collection, use or disclosure of personal information occurs in conjunction with the project or PIB that is the subject of the checklist.  Completed checklists must be submitted to the University Privacy Officer who will complete a review of the checklist results and may make recommendations to the responsible unit head regarding actions that may need to be taken to reduce any privacy risks identified and to ensure compliance with the legislation, the University's privacy policy, or related procedures.  If Checklist results contain significant privacy risks, the University Privacy Officer will consult with the IAP Advisory Committee.

Should the responsible unit head choose not to accept the recommendations of the University Privacy Officer in whole or in part, reasons for doing so will be communicated to the University Privacy Officer and IAP Advisory Committee in writing.

Privacy Impact Assessment (PIA)

Based on a review of Privacy Compliance Checklist results and other factors, the University Privacy Officer may determine that a full PIA is required.  The University Privacy Officer will consult with the IAP Advisory Committee before rendering a decision regarding the need for a PIA.  Although the University Privacy Officer may overrule the recommendation of the IAP Advisory Committee, he or she would do so only upon very careful consideration of the issues involved.

The University Privacy Officer will provide advice and assistance in the completion of PIAs, but the ultimate accountability for their completion will rest with the unit head responsible for the project or PIB that is the subject of the PIA.

Every PIA will include, at a minimum, descriptions of the following:

A full PIA requires the involvement of a number of project participants and is required for a relatively small number of projects for which Privacy Compliance Checklists are completed.

The PIA will include the results of the Privacy Compliance Checklist, which will be appended to the PIA.  No PIA will be undertaken for any project for which a Privacy Compliance Checklist has not been completed.  The PIA document will have the following table of contents:

1. Executive Summary

2. Definitions

3. Project Description

3.1. Project Objectives

3.2. Requirements for Personal Information

3.3. Authority for Collection, Use and Disclosure of Personal Information

3.4. Information Security Measures

4. List of Personal Information Data Elements

5. Table or Chart of Personal Information Flows

6. Contractual Relationships

7.  Privacy Risks

7.1. Risk 1

7.1.1. Description of Risk

7.1.2. Description of Mitigation Measures

7.1.3. Estimation of Residual Risk after Mitigation

7.2. Risk 2...

8. Summary of Risks and Mitigation Measures

9. General Assessment of Project Compliance with Applicable Legislation

10. Appendices

10.1. Project Charter and Descriptive Documentation

10.2. Completed Privacy Compliance Checklist

10.3. Other relevant Documentation

10.4. ...

A spreadsheet is available from the University Privacy Officer to assist in the assessment of risks for PIAs.  This spreadsheet evaluates user-specified risks and mitigation measures against the ten Fair Information Principles of the CSA Model Privacy Code, which form the basis of the University's Privacy Policy and these Procedures.


Procedure for Requesting Institutional Survey Approval

Approval Date: 2016-10-05

Responsible Unit: Centre for Institutional Analysis and Planning

1.  University Units or subsidiaries (the "requestor") that intend to conduct an Institutional Survey must complete the Institutional Survey Request Form.  The Procedure for Administering Institutional surveys should be referred to when completing the request form.

2.  A completed Institutional Survey Request Form must be submitted by the "requestor" to CIAP. The completed form should be submitted as early as practicable before the anticipated commencement of the survey so that sufficient time is available for consideration of the request.

3.  CIAP carries out an initial review of the Institutional Survey Request Form for content and completeness and will contact the "requestor" if clarification is needed on any item(s).

4.  CIAP forwards the Institutional Survey Request Form and any supplementary documentation to memebers of the ISOC for their review and approval.

5.  The ISOC's decision to approve an Institutional Survey request is made in accordance with the guiding principles stated in the Institutional Surveys policy.  Ihe ISOC may request additional information from the "requestor" as part of the review process.

6.  The decision of the ISOC is one of:

7.  If an institutional survey request is not approved, the rationale for the decision is provided in the written response from the ISOC.

8.  If an institutional survey request is approved with amendments, those shall be included in the written response from ISOC. The "requestor" must incorporate those into the Institutional Survey before proceeding. 


Procedure for Retention and Disposal Schedules

Approval Date: 2016-07-07

Responsible Unit: Office of the Chief Information Officer

The information management and protection lead, as designated by each Unit, is responsible for ensuring that Retention and Disposal Schedules are established for the Unit. The Retention and Disposal Schedule prescribes retention periods and requirements for the legal disposal of Official University Records. It provides direction to ensure that Official University Records are retained for as long as necessary based on their operational, fiscal, legal and historical value. It also prescribes the appropriate disposition of Official University Records – either destruction or archival preservation.

The Office of the Chief Information Officer (OCIO) shall provide advice and support to Units in establishing and using Retention and Disposal Schedules. A Unit must contact the OCIO (im@mun.ca) to initiate the process of creating and implementing a Retention and Disposal Schedule.

Once the Retention and Disposal Schedule is established, the Unit is responsible for adhering to it by maintaining the records for their entire retention period and disposing of them when required.


Procedure for Retention of Personal Information

Approval Date: 2008-09-11

Responsible Unit: Information Access and Privacy Office

Under ATIPPA, any record containing an individual's personal information which is used to make a decision affecting that person must be retained for at least twelve months. The purpose of this requirement under ATIPPA is to give the individual an opportunity to access the record, if desired.