Handling of personal information
The protection of personal privacy is one of the key purposes of the Freedom of Information and Protection of Privacy Act (FIPPA). It contains specific rules on how to collect, use and disclose personal information.
The University of Ottawa can only collect personal information if "the collection is expressly authorised by statute, used for the purposes of law enforcement or necessary to the proper administration of a lawfully authorised activity." (section 38(2) FIPPA)
The University must provide a notice of collection to individuals whenever personal information is collected.
The notice must include the following three requirements:
- the legal authority for the collection;
- the principle purposes for which the personal information is intended to be used;
- the contact information of an employee of the University of Ottawa who can answer questions about the collection.
Sample Notice of collection
Your personal information on this form is collected under the authority of the University of Ottawa Act, S.O. 1965, C.137 and will be used for the purposes of processing your access to information and/or correction of your personal information request. At all times your personal information will be protected in accordance with the Freedom of Information and Protection of Privacy Act. If you have any questions regarding this collection, please contact the Access to Information and Privacy Office (AIPO).
Personal information may be used within the institution where any one of the following circumstances exists:
- individual consent was obtained for the specific use;
- for the purpose for which it was obtained or compiled or for a consistent purpose;
- for a purpose for which the information may be disclosed to the institution;
- use of personal information in its alumni records for the purpose of its own fundraising activities (see section 41 of FIPPA for limitations).
Within the University
If the University has provided a Notice of Collection, disclosure to an employee or consultant or agent of the University is authorized if:
- the disclosure must be made to an officer, employee, consultant or agent; and
- who needed the information in the performance of his or her duties; and
- the disclosure must be necessary and proper in the performance of the institution's functions.
Outside the University
The following list consists of partial list of circumstances under which the University is permitted to disclose personal information (please consult section 42 of FIPPA for the complete list):
- If consent was received from the individual to whom the information relates;
- for the purpose for which it was collected or for a consistent purpose;
- where disclosure is made to an officer, employee, consultant or agent of the institution who needs the record in the performance of their duties and is necessary and proper for institution's functions;
- for the purpose of complying with an Act of the Legislature or an Act of Parliament or a treaty, agreement or arrangement there under;
- for law enforcement purposes;
- in compelling circumstances affecting the health or safety of an individual;
- to the Information and Privacy Commissioner;
- disclose personal information in its alumni records for the purpose of its own fundraising activities (see section 42 of FIPPA for limitations).
FIPPA defines the following terms as:
Means recorded information about an identifiable individual, including:
- information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual;
- information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
- any identifying number, symbol or other particular assigned to the individual;
- the address, telephone number, fingerprints or blood type of the individual;
- the personal opinions or views of the individual except where they relate to another individual;
- correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the individual;
- the individual's name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual (section 2(1) of FIPPA).
Business Identity Information
Includes the name, title, contact information or designation of an individual that identifies the individual in a business, professional or official capacity. (section 2(3), FIPPA)
Business identity information is not considered to be personal information.
Personal information that has been used by the University must be retained for a minimum of one year after use, unless the individual to whom the information relates consents to its earlier disposal. (R.R.O. 1990, Reg. 460, s. 5 (1)).