Procedure 20-5 - Handling Access to Information Requests and Privacy Breach Complaints

Date effective: 2011-12-21

Authorized by: Administrative Committee

HANDLING ACCESS TO INFORMATION REQUESTS AND PRIVACY BREACH COMPLAINTS

PURPOSE

1. The purpose of this Procedure is to set out the process for handling access to information requests (“access requests”) and privacy breach complaints (“privacy complaints”) under the Freedom of Information and Protection of Privacy Act (“FIPPA”) or other applicable access and privacy legislation. This Procedure must be read in the context of FIPPA and the University’s Policy on Access to Information and Protection of Privacy (Policy 90).

DIRECTOR, COMPLIANCE, ACCESS TO INFORMATION AND PRIVACY

2. The Director, Compliance, Access to Information and Privacy (the “Director”) reports to the Vice-President Governance and handles access to information requests and privacy complaints made to the University. The Director also carries out other associated duties, for example:
• training and educating University staff on access to information and privacy
• assisting University staff members in conducting searches
• forwarding and transferring requests to other institutions
• clarifying access requests
• issuing decision letters, fee estimates, fee waivers, notices in respect of access requests
• reporting on the number of access requests and privacy complaints
• preparing the annual report as required under FIPPA
• maintaining the directory of personal information banks
• representing the University in interactions with the Information Privacy Commissioner of Ontario (the “IPC”)
• maintaining the University Access to Information and Privacy website

PROCESS FOR HANDLING ACCESS REQUESTS

Basic Steps

3. The steps in processing an access request may vary depending on its nature. There may also be other considerations taken into account by the Director (see heading “Other Considerations” below) that may require additional steps before the Director decides whether to release records. Generally, the Director follows the steps listed below in processing an access request:

a) Filing an access request: An “access request” means a formal request for access to general or personal information under FIPPA. An access request must be submitted in writing, addressed to the Director and must provide sufficient detail to enable the Director to identify the record sought. The person making the request (the “requester”) must pay the initial fee (see heading “Fees” below), fill out and sign the Access Request Form (see the Access Request Form) or set out in writing the following:
i) confirmation that the request is made under FIPPA,
ii) a description of the nature of the information,
iii) the time period within which the records may exist,
iv) suggestion on potential locations of the search for the record, and
v) possible key search words that may be used when conducting a search for the record.

b) Acknowledgment of receipt: the Director opens a file and an acknowledgement letter is sent to the requester.

c) Search for records: the Director contacts staff responsible at the faculty, administrative office or service to conduct a search for records responsive to the access request. The Director will assist staff by making suggestions on how to conduct a search and they are encouraged to contact the Director if it is likely that the search will yield a large number of records, if there are any complications or if there are questions or concerns with the access request.

d) Review of records: the records located as a result of the search are sent to the Director. The Director reviews all of the records to determine if any exemptions and/or exclusions pursuant to FIPPA apply and will contact the administrative staff involved with the search for any clarifications. There may be other considerations (see heading “Other Considerations” below) that the Director will take into account before proceeding further.

e) Preparation of records: After the Director reviews the records and assesses if there are any applicable exemptions and/or exclusions under FIPPA, the Director prepares the records for release (for a list of examples of exemptions and exclusions that often apply, see the Best Practices #2 FIPPA Exclusions and Exemptions).

f) Decision letter: The Director sends a letter to the requester informing the requester of the Director’s decision whether to release the records in part or in their entirety and the fees associated with the release of the records (see heading “Fees” below).

g) Release of records: Once the requester pays the fees associated with the access request (see heading “Fees” below), the Director sends a copy of the responsive records to the requester.

h) Appeal: If the requester disagrees with the Director’s decision, the requester may file an appeal with the IPC within the time limits required by FIPPA. A third party or affected person may also appeal a decision made by the Director in respect of an access request. In all cases, the appeal is to the IPC and must be made in writing to the IPC within 30 consecutive days from the date of the Director’s letter informing the requester of the Director’s decision. The Director will participate in a mediation conducted by the IPC and respond to the issues on appeal.

i) File closed: The Director will close the access request upon its completion or final disposition by the IPC on appeal, or if the requester:
i) has not provided the Director with sufficient clarification after the Director’s request to do so,
ii) has not paid in full the fees associated with the request,
iii) has not filed an appeal of a decision to the IPC or has exhausted all rights of appeal to the IPC, or
iv) has not responded to correspondence from the Director within 30 consecutive days from the date of the correspondence.

Other considerations

4. In addition to the basic steps outlined above (see heading “Basic steps”), there are certain things that the Director may or even must consider which, depending on the circumstances, may change the order of or add to the basic steps, for example:

a) Frivolous requests: The access request may be frivolous or vexatious. In such a case, the Director may refuse the request and will notify the requester, give reasons why the request is considered frivolous or vexatious and inform the requester of his or her right to appeal to the IPC.

b) Verification of the identity of the requester: The Director may ask to verify the identity of a person seeking access to his or her own personal information before giving the person access to it.

c) Clarification of an access request: If the access request is not sufficiently clear or is broad in scope so that it is difficult to identify the records being requested, the Director may write to the requester asking for clarification before taking further steps. The requester has 30 consecutive days from the date of the Director’s letter to clarify the access request. If there is no response, the request is considered abandoned and the Director will close the file.

d) Exemptions and exclusions: There are certain types of records that are covered by FIPPA but may be exempt from disclosure to protect public concerns, privacy, University operations or other important interests. In other instances, a record may be specifically excluded from FIPPA. The Director will work with staff in the faculty or service who are familiar with the content of the records so that the Director may have a better understanding of whether exemptions or exclusions apply to all or part of the record. For a list of examples of exemptions and exclusions that often apply, see the Best Practices #2 FIPPA Exclusions and Exemptions.

e) Record containing information about another person: A record may contain the personal information of an individual other than the requester (“affected person”). Generally, the information of an affected person is not disclosed. If, however, no exemptions under FIPPA apply and it appears that the record will be disclosed, the Director will contact the affected person in writing, enclose a copy of the record and invite the affected person to send written comments to the Director on whether or not the information should be released. Should the affected person be a unionized employee, the affected person will be reminded that he or she is free to consult with their union before sending comments to the Director. The Director will consider the affected person’s comments, if any. Ultimately, the Director decides whether or not to release the information contained in the record and must do so within the time prescribed by FIPPA. If the Director decides that the record will be disclosed, then the Director will so inform the affected person and inform them of their right to appeal the decision to the IPC.

f) Notice to an external person/organization: A record may contain information that reveals commercial, financial or other information belonging to an external person or an external organization (“third party”). FIPPA requires that the University notify third parties if the University intends to disclose records that contain third party information. If the Director intends to disclose the record, the Director will send a letter to the third party enclosing a copy of the record and invite them to send written comments to the Director on whether or not the information related to them should be released. The Director will consider the comments sent by the third party. Ultimately, the Director decides whether or not to release the information contained in the record and must do so within the time prescribed by FIPPA. If the Director decides that a record containing third party information will be disclosed, then the Director will so inform the third party and inform them of their right to appeal the decision to the IPC.

g) Interim access decisions: The Director may issue an interim decision pertaining to, for example, a fee estimate, which is an estimate of the fees associated with the access request. The fee estimate is based on a representative sample of responsive records and/or the advice of knowledgeable staff who are familiar with the type and content of the records. The Director will require a 50% deposit before taking any further steps in processing the request.

Deadlines and time extensions

5. The Director issues a decision letter on whether or not to disclose the records within 30 consecutive days, which is the deadline required by FIPPA. The 30 day time period begins to run on the date the Director receives the written access request and the payment of the initial fee or, when applicable, upon receipt of sufficient clarification of the request. In the case of an interim decision whereby the Director provides an estimate of the fees associated with the request, the 30 day time period will be suspended until the Director receives payment in full of the deposit, at which time the 30 day time period will resume.

6. The Director may extend the 30 day deadline in accordance with FIPPA and will notify the requester in writing of the extension of time. Generally, the Director will extend the time period when the access request is for a large number of records or requires a search through a large number of records or where it is necessary to consult with other individuals or organizations external to the University (third parties).

Fees

7. FIPPA allows the University to charge fees for the processing of access requests and requests to correct personal information. An initial and non-refundable fee must be paid before the Director can begin to process the access request, and records will not be released until the Director receives payment in full of all fees associated with the request. In the case of an interim decision whereby the Director requires a 50% deposit for the fees, the Director will not take any further steps in processing the access request until the deposit is paid in full. The fees must be paid by cash, certified cheque or money order. A personal cheque will not be accepted for fees exceeding $5.00.

8. Information on fees is located on the University’s website (see the web page on Fees).

9. If a requester asks the Director to waive the fees associated with an access request, the Director will consider whether it is fair and equitable to do so in the circumstances after considering factors, for example: financial hardship, public health and safety benefits and any other matter required by FIPPA. If the Director decides not to waive the fees, a requester may write to the IPC and request a review of the decision.

PROCESS FOR HANDLING PRIVACY COMPLAINTS

Content and Timing

10. If a person believes his or her privacy rights have been violated, the person may file a written complaint with the Director. The complaint must include the nature and extent of the circumstances affecting the person’s privacy, the faculty, administrative office or service in which the problem occurred, the name(s) of the person(s) involved, the date or time period when the alleged violation occurred and the person’s expectations on the outcome of the complaint.

11. The complaint must be filed within 30 consecutive days from the date the person knew or ought to have known of the alleged violation.

Basic Steps in Processing a Complaint

12. The steps and the time it will take to process a privacy complaint may vary depending on the nature, the circumstances and complexity of the complaint. Generally, the Director follows the steps listed below in processing a privacy complaint:

a) Acknowledgment of receipt of the complaint is sent to the person who filed the complaint.

b) Communication with the person who filed the complaint to obtain clarification or additional information.

c) Communication with the faculty, administrative office or service and person(s) involved with the complaint or who may have knowledge of the circumstances.

d) Consultation with other appropriate authorities within the University, for example Legal Services, Protection Services, the Office of Risk Management and/or Computing and Communications Service.

e) Communication with the person who filed the complaint to review the matter, inform them of any steps taken to address the complaint and resolve any outstanding concerns.

f) Follow-up with the faculty, administrative office or service and person(s) involved with the complaint to ensure that there is a plan to implement corrective or remedial measures, if any.

Privacy breach response guidelines

13. A breach of privacy may occur, for example, in the case of theft or an inadvertent disclosure or disposal of sensitive information. For the purposes of this Procedure, a privacy breach occurs when there is, or is suspected to be, an unauthorized disclosure of personal information, or when someone has obtained, or is suspected to have obtained, unauthorized access to personal information.

14. The actions listed below will depend on the nature and seriousness of the breach. The circumstances will determine who should carry out each step and whether the steps should be carried out simultaneously or in quick succession.

a) Notification of the Director and of appropriate staff: The Director must be notified of the breach and he or she will ensure that the appropriate authority within the faculty, administrative office or service is immediately notified of the breach. Depending on the nature or seriousness of the privacy breach, the Director may need to contact appropriate authorities within the University, for example: Legal Services, Protection Services, Computing and Communication Services, Office of Risk Management, Communications Directorate. It may also be advisable to notify and/or consult with external entities, for example the IPC.

b) Containment: Identify the scope of the potential breach, meaning identify the individuals whose privacy was breached, and take steps to contain it. For example:
i) where possible, ensure that no copies of the personal information have been made or retained by the individual who was not authorized to receive the information, and obtain that person’s contact information in the event that follow-up is required; and
ii) determine whether the privacy breach would allow unauthorized access to any other personal information and take whatever steps are appropriate to prevent it (for example, change passwords or temporarily shut down a system).

c) Risk assessment: The Director with the assistance of appropriate authorities within the University will determine what information is involved, assess the cause and extent of the breach, identify individuals affected and determine what harm is foreseeable from the breach.

d) Notification of individual whose privacy was breached: The Director and appropriate authorities within the University will need to consult and consider a number of factors when deciding on who should notify the individual and how the individual is notified. For example, notification may be done in person, by telephone or in writing. When notifying individuals affected by the breach, provide details of the extent of the breach and the specifics of the personal information at issue. Inform the individual of the steps that have been taken or will be taken to address the breach both immediate and long term.

e) Investigation and remediation: The Director will look into the matter to prevent recurrence of the circumstances leading to the breach: to ensure that the immediate requirements of containment and notification have been addressed; to review the circumstances surrounding the breach; to review the adequacy of the existing policies and procedures for protecting personal information; to review the adequacy of the performance of service providers as it relates to protection of privacy; and to inform and educate staff on protecting privacy. The Director will inform appropriate authorities within the University of any findings and recommended remedial steps. The Director or the person who notified the individual of the breach will inform him/her and any other stakeholders of the results of the investigation and remediation efforts.

Published on December 21, 2011

(Office of the Vice-President, Governance)