Approved Board of Governors 2012.2, revised by the Administration Committee 2350.2
ACCESS TO INFORMATION AND PROTECTION OF PRIVACY
1. The purpose of this Policy is to confirm the University of Ottawa’s continued commitment to the principles of access to information (whether personal or institutional) and protection of privacy in light of access to information or protection of privacy statutes and regulations that may apply to the University (“Applicable Access and Privacy Legislation”).
2. This Policy and any procedures established pursuant to it apply to all Members of the University Community. “Members of the University Community” includes but is not limited to:
- a) employees, including all unionized and non-unionized academic and support staff as well as those whose salary is paid through sources other than the University’s operating funds, such as grants, research grants and external contracts;
- b) clinicians and physicians with an academic appointment; adjunct, visiting and emeritus professors; post-doctoral or clinical fellows; research trainees; and medical residents;
- c) contractors, consultants, suppliers or other entities engaged by the University to provide services or goods when on University property or while acting in a capacity defined by their relationship to the University;
- d) members of the Board of Governors, of the Senate and any of their respective committees, as well as members of any advisory committee formed to help the University achieve its goals;
- e) employees of both unionized and non-unionized employee and student groups when on University property or while acting in a capacity defined by their relationship to the University; and
- f) visitors, including visiting students and volunteers or persons who serve on advisory or other committees.
3. The University of Ottawa is subject to Ontario’s Freedom of Information and Protection of Privacy Act (“FIPPA”) and regulations thereunder. This Policy is not intended to restate the provisions of FIPPA or any other Applicable Access and Privacy Legislation. However, the provisions of this Policy and any procedures established pursuant to it shall be read in a manner that is consistent with the University’s obligations under Applicable Access and Privacy Legislation.
4. This Policy shall be read in conjunction with Procedure 20-5 – Handling Access to Information Requests; Procedure 20-7 – Handling Privacy Complaints; and Procedure 20-8 – Privacy Breach Response Protocol.
5. This Policy shall also be read in conjunction with other instruments that may, in certain circumstances, govern access to information and protection of privacy matters including collective agreements and Policy 14a - Student Records.
6. For the purposes of this Policy and of any procedures established pursuant to it:
“Privacy Breach” means the loss of, unauthorized access to, or unauthorized disclosure of, Personal Information under the University’s custody or control. Situations that may result in a Privacy Breach include the theft or loss of a computing device including mobile devices containing Personal Information or accessing Personal Information that is not required for performance of one’s work duties.
“Personal Information” means recorded information about an identifiable individual, including the individual’s address, sex, age, education, medical or employment history and other information about the individual under the University’s custody or control as provided in FIPPA.
7. Any other capitalized words or expressions used in this Policy are defined for the purposes of this Policy and any procedures established pursuant to it.
ACCESS TO INFORMATION
8. The University routinely makes large amounts of its institutional information available to the public on the University’s website. If desired information is not available on the University’s website, a request for information may be made to the University’s Access to Information and Privacy Office (“AIPO”) to the attention of the Director, Compliance, Access to Information and Privacy (“Director”), in accordance with Procedure 20-5 – Handling Access to Information Requests.
9. The University is committed to maintaining and protecting the integrity of Personal Information and confidential information in its custody or control.
10. If a person believes his or her privacy rights have been violated, the person may file a written complaint with the Director, who, in turn, shall investigate the complaint in accordance with Procedure 20-7 – Handling Privacy Complaints.
11. Members of the University Community shall report a Privacy Breach (whether confirmed or suspected) to AIPO and the Privacy Breach shall be handled in accordance with Procedure 20-8 – Privacy Breach Response Protocol.
RESPONSIBILITIES AND DELEGATION OF POWERS
12. The Secretary-General of the University shall be responsible for oversight of access to information and privacy matters at the University.
13. For the purposes of FIPPA, the “head” or individual responsible for compliance with the requirements of FIPPA is the President of the University. The President delegates to the Secretary-General of the University and to the Director all powers and duties related to the University’s compliance with the requirements of FIPPA. The President may appoint an alternate delegate in case the Secretary-General of the University and/or the Director are unable to exercise powers or carry out duties so delegated. All such delegations are pursuant to FIPPA and do not in any way limit the authority of the President as the designated “head” under FIPPA from exercising any of the powers or carrying out any of the duties so delegated.
14. Reporting to the Secretary-General of the University, the Director handles access to information requests and investigates and responds to privacy complaints and Privacy Breaches. The Director also carries out the following associated duties:
- ensure the University’s compliance with FIPPA, its regulations and other Applicable Access and Privacy Legislation;
- oversee the operational responsibilities of AIPO;
- develop and deliver awareness and training sessions on access to information and privacy;
- exercise delegated powers and duties under FIPPA;
- advise Members of the University Community on access to information and privacy matters;
- establish and review privacy policies, notices, guidelines, and processes across the University;
- conduct privacy impact assessments, or review privacy impact assessments developed by project managers;
- lead the response of a Privacy Breach pursuant to Procedure 20-8 – Privacy Breach Response Protocol;
- report on activities and statistics relevant to access to information and privacy to the Administration Committee;
- prepare and submit the University’s annual report as required under FIPPA;
- maintain a directory of Personal Information banks; and
- represent the University in interactions with the Information and Privacy Commissioner of Ontario.
15. Members of the University Community shall take all reasonable measures to prevent the occurrence of a Privacy Breach.
16. Members of the University Community must cooperate and assist AIPO as required in the fulfillment of the University’s obligations under this Policy, related procedures and Applicable Access and Privacy Legislation.
NOTICE OF COLLECTION OF PERSONAL INFORMATION
17. Personal Information submitted to the University by a student, employee, alumnus, donor or other individual is collected under the authority of the University of Ottawa Act, 1965, and is intended to be used for the purposes of and those consistent with the administration of University programs and activities and in order to carry out other University services and functions, including without limitation the following:
- recruitment, admission and registration, academic programs and evaluations, and graduation;
- evaluation of academic and non-academic programs;
- assistance to student associations, retiree associations and the University’s Alumni Association;
- financial assistance, awards and payment of fees;
- alumni and development activities;
- institutional planning and statistics;
- centralization or sharing of service delivery among academic units, administrative services and programs;
- reporting to government agencies, funding agencies and professional licensing bodies;
- fulfillment of requirements related to federated institutions, including Saint Paul University;
- employment related matters;
- safety and security;
- detection, monitoring and prevention of non-compliance with policies, regulations and procedures; and
- promotion in print, electronic and internet publications.
The University may collect the minimum amount of Personal Information about a student, employee, alumnus, donor or other individual that is publicly available on the Internet, in social media or in any other medium and that is necessary for its needs and for the proper administration or discharge of its functions or lawful activities, including without limitation:
- planning, review or delivery of programs or services;
- research and statistical activities; and
- compliance with policies, procedures and regulations.
The University is required to disclose Personal Information such as Ontario Education Numbers, student characteristics and educational outcomes to the Minister of Advanced Education and Skills Development pursuant to s. 15 of the Ministry of Training, Colleges and Universities Act, R.S.O. 1990, Chapter M. 19, as amended. The Ministry collects this information for purposes such as planning, allocating and administering public funding to colleges, universities and other post-secondary educational and training institutions, as well as research and analysis (including longitudinal studies) and statistical activities conducted by or on behalf of the Ministry in relation to post-secondary education and training. Further information on how the Minister of Advanced Education and Skills Development uses this Personal Information is available on the Ministry’s website.
Questions by an individual regarding the collection and use of their own Personal Information in a particular instance should be addressed to the University faculty, administrative office or service responsible for such collection and use. Questions of a general nature regarding the collection, use and disclosure of information should be addressed to the University’s Director, Compliance, Access to Information and Privacy, by email at email@example.com, by telephone at 613-562-5800 or by mail at University of Ottawa, Access to Information and Privacy Office, 550 Cumberland Street, Ottawa, ON, K1N 6N5.
18. The University shall not disclose Personal Information to external individuals or organizations unless,
- a) otherwise provided by the Notice of Collection of Personal Information in this Policy;
- b) the individual is notified of such potential disclosure when the Personal Information is collected;
- c) the individual has consented to the disclosure; or
- d) permitted under Applicable Access and Privacy Legislation or by law.
INFORMATION COLLECTED FOR PUBLIC PURPOSE
19. The University considers the following information as information collected and maintained for the purpose of creating a record that is available to the public and that may be published in print, electronic format or on the Internet:
- a) the degree or degrees conferred by the University and the date received; and
- b) the recipient of excellence scholarships or other prizes or honours awarded by the University or a third party.
ACCESS TO AND CORRECTION OF PERSONAL INFORMATION
20. Individuals have a right to request access to, and correction of, their own Personal Information. Requests for access to, or correction of, an individual’s own Personal Information shall be directed in the first instance to the faculty, administrative office or service that is likely to have the information. In circumstances where such a request does not yield satisfactory results, a further request for access or correction may be directed to the Director.
PERSONAL INFORMATION BANKS
21. As required by FIPPA, AIPO maintains an index of Personal Information banks which outlines all faculties, administrative offices or services that create and maintain personal information banks for purposes of carrying out University services or functions. The index of Personal Information banks shall be published on AIPO’s web site.
RETENTION AND DISPOSAL OF PERSONAL INFORMATION
22. The records retention schedule established by the University’s Archives sets out the University’s practices regarding the retention and disposal of records. Personal Information that has been used by the University is retained for a minimum of one year after use unless the individual to whom the information relates consents to its earlier disposal.
23. Members of the University Community who handle Personal Information under the custody or control of the University must complete mandatory access to information and protection of privacy training, relevant to their role, as determined by the University.
IMPLEMENTATION, REVIEW AND AMENDMENT
24. (1) The Secretary-General of the University is responsible for periodic review of this Policy.
(2) Amendments to this Policy other than those set out in paragraph (3) below shall require the approval of the Administration Committee.
(3) The Secretary-General of the University may amend this Policy in order to update the following information contained herein:
- i) the designation, title or identity of officials, offices, or departments and contact information within the University;
- ii) the designation or title of government ministries or agencies;
- iii) the title or citation of legislation, regulations, policies or procedures.
(4) The Secretary-General of the University may establish, amend, abrogate or make exceptions to procedures for purposes of the effective implementation of this Policy, provided that such procedures or exceptions are consistent with the provisions of this Policy.
Revised March 28, 2018
(Office of the Secretary-General)