Date : 2018-04-10
|Originating/Responsible Department : Office of the Secretary-General|
1. The purpose of this Procedure is to describe the basics steps in handling a Privacy Complaint as defined in clause 4 of this Procedure.
2. This Procedure shall be read in a manner that is consistent with the University’s obligations under FIPPA and other Applicable Access and Privacy Legislation as well as Policy 90 – Access to Information and Protection of Privacy.
3. Capitalized words or expressions used in this Procedure are defined in Policy 90 or in this Procedure.
BASIC STEPS IN PROCESSING PRIVACY COMPLAINTS
4. If a person believes that the University wrongfully collected, used or disclosed his or her Personal Information the person may file a written complaint with the Director (“Privacy Complaint”). The Privacy Complaint must include a description of the nature and extent of the circumstances affecting the person’s privacy; the academic or administrative unit or office associated with the purported wrongful collection, use or disclosure; the name(s) of any person(s) involved; the date or time period on or within which the purported wrongful collection, use or disclosure occurred; and the person’s expectations regarding the outcome of the Privacy Complaint.
5. The Privacy Complaint shall be filed within 30 consecutive days from the date the person knew or ought to have known of the purported wrongful collection, use or disclosure.
6. The steps and time required to process a Privacy Complaint may vary depending on the nature, circumstances and complexity of the complaint. Generally, the steps in processing a Privacy Complaint are as follows:
- a) Acknowledgment of receipt of the Privacy Complaint, sent to the person who filed it.
- b) Communication with the person who filed the Privacy Complaint in order to obtain clarification or additional information as required.
- c) Communication with the academic or administrative unit or office and person(s) involved with the subject-matter of the Privacy Complaint or who may have knowledge of the circumstances surrounding the Privacy Complaint.
- d) Consultation with other appropriate authorities within the University, including without limitation Legal Services, Protection Services, the Office of Risk Management, and/or Information Technology (IT).
- e) Communication with the person who filed the Privacy Complaint to review the matter, inform them of any steps taken to address the Privacy Complaint, and resolve any outstanding concerns.
- f) Follow-up with the academic or administrative unit or office and person(s) involved with the Privacy Complaint to ensure implementation of corrective or remedial measures, as required.
7. The Secretary-General of the University may approve exceptions or make amendments to this Procedure.