FIPPA FAQs for Faculty - General Information about FIPPA
A: FIPPA is provincial legislation that has applied to Ontario universities, including Toronto Metropolitan University ("TMU") since June 10, 2006. FIPPA is composed of two principles of equal weight:
- Transparency: Access to information is an essential value
- Privacy: Personal information and privacy must be protected and doing so is integral to the dignity and the integrity of the individual
FIPPA applies to any records in TMU's custody or control. Certain records are excluded from FIPPA including:
- Private donations to TMU's archives
- Labour relations and employment-related records leading to agreements
- Research and teaching materials
- Records not in the custody or control of TMU
There are specific exemptions to the obligation to disclose records, for example:
- Personal information
- Closed meetings
- Solicitor-client documents
- Economic and other interests of TMU
- Third-party information
- Advice and recommendations
- Danger to health and safety
- Publicly-available documents
- Law enforcement
- Relations with governments
FIPPA contains particular requirements for the collection, use, protection and disclosure of personal information. Individuals have the right to ask for your own personal information and to request a correction of records containing your own personal information.
- FIPPA requires that personal information and privacy must be protected
- When it comes to creating records (including email and paper documents) consider the possibility that what you are writing could be subject to an access request and therefore could be made public—what would the impact be on your reputation or TMU’s?
- When someone asks you for another person’s information, consider whether it is personal information, and if so, don’t provide it.
- When you are using, storing, duplicating or destroying personal information, take reasonable steps to secure the information, e.g. password protect, locked file cabinets, confidential shredding, personal and confidential envelopes rather than email, not leaving documents sitting out on a desk where unauthorized people might have access.
- Review your files and emails regularly. If you have documents that you don’t need and are under no policy or legal obligation to keep, then destroy them.
- Use common sense and good judgment. If you have specific questions ask your Chair or email the Privacy Officer.
A: Take the following actions:
- Review employee procedures in the Information Protection and Access Policy for Restricted Information
- Take Information Security Awareness Training
- If you are collecting, using, and/or storing other individuals’ personal information (i.e. students or research subjects)
- Always use password-protection
- Password protect your laptop and do not store data on the local drive, use a secure shared drive.
- Be extra careful when sharing personal information via email – make sure the address is correct and include only the minimal information necessary to complete the task.
A: Call security to report at 416.979.5040. Tell them if your computer contained personal information on the hard drive, whether the machine was password protected and whether the data was encrypted.
If there was data on the machine that consists of personal information (student grades, assignments, employee records, research containing other individuals’ personal information) you are required by university policy to contact the Privacy Officer immediately at email@example.com. This is a suspected privacy breach.
If the machine was password protected and the personal information data was encrypted this is not a breach and no further action is required. If you did not use these precautions then you will be involved in notifying all affected individuals about the breach.
A: If you are the source, user, or keeper of the record then you are responsible for ensuring the information’s secure return or destruction once you are finished with it – think “cradle to grave” responsibility.
- talk to your department to find out about access to a shredder or to arrange for shredding of confidential records through Campus Facilities.
A: In general, if you are asked for information that you would normally provide, such as a course syllabus or outline, a reading list, or a copy of an article you should provide that information. You must also provide information that is about the requestor, such as grades on tests and papers. You should not provide a third party with any personal information. You also do not need to provide such things as exam questions, teaching materials or research notes, as these are excluded. If you have a question you may contact TMU’s Privacy Officer at firstname.lastname@example.org. If you choose not to honour a request for information, the requestor has a right to file a Freedom of Information request. In the latter case, it will be TMU's Privacy Officer, who determines access to the information.
A: An access request must be made to TMU's Privacy Officer and requires a $5.00 application fee. The Privacy Officer determines where the requested information is held and will work with the FIPPA contact in that area to find the records requested and to determine if any exclusions or exemptions apply. Fees are charged to the requestor for the time taken to search for and, if appropriate, prepare records for release. If the information is to be given to the requestor, the Privacy Officer redacts any personal information, or other excluded information from the record before it is disclosed.
A: FIPPA applies to records that are in the custody and control of the University. It should not apply to records that are personal to you (including business activities unrelated to the University). However, if you don’t keep those records separate from your University records, it is possible that confusion could occur as to what is actually the University’s and what is yours. A best practice is to keep these separate and clearly mark those files that do not belong to the University (e.g. separate file cabinet, separate folders on computer and email).
The following are considered to be transitory records that can and should be disposed of when no longer needed:
- Duplicate stocks of publications, printed literature or blank forms, including those associated with computer-based information systems;
- Duplicate records within the same media retained solely for convenient reference or future distribution (examples include branch-wide memos; "All Staff" e-mails; notices of holidays, special events or routine administrative matters; and personal desk copies of such items as program studies or committee minutes);
- Broadly distributed materials (such as manuals, directives, bulletins and guidelines) used to communicate policies and practices for internal administration (other than original copies kept by the office from which the materials were issued);
- Phone messages, personal messages, and records documenting activities such as holiday parties or charitable fund drives unconnected to program functions;
- Unsolicited advertising materials;
- Publications such as books, journals, magazines, newspapers, newsletters, and published reports which form or will form part of a library's catalogued holdings or are stored within branch libraries or reference shelves;
- Publication extracts which have no significant value in documenting how program data was collected or decisions reached, and which have not therefore been integrated within program files;
- Temporary working papers such as rough notes or informal drafts that are of no value in documenting data collection or in showing how TMU policies or programs were developed or implemented. (That is, they represent no significant steps in the preparation of a final document, were not reviewed by other persons, do not record program decisions, and do not contain important research or background data.)
- Managers should ensure that all transitory items are deleted or destroyed immediately when no longer needed.
Official TMU Records
Official records are distinct from transitory records. Official records serve important business functions, such as supporting program delivery or policy development, or meeting legal, financial and other needs. They may also provide important evidence of institutional decisions and actions. These should only be destroyed in accordance with with TMU’s Record Retention Schedule (see Records Management Policy).
Records Containing Personal Information
Anything which has personal information must be retained for a minimum of one year under FIPPA. Personal information includes, but is not limited to: name, home address, home phone number, student’s email address (home or TMU), identifying numbers (e.g. student number, employee number or social insurance number), education history (grades, degrees received, academic misconduct) health history, or opinions about an individual. Your professional contact information is generally not perceived as personal information (faculty’s business phone number, TMU email, business mailing address). See the definition of “personal information” in the Freedom of Information and Protection of Privacy Act available on the General Counsel’s Information Access and Privacy website.
According to Ryerson's (PDF file) Course Management Policy 145, all student work is to be returned to the student before the end of the academic term. Final exams and unclaimed assignments are the only type of student work that, under FIPPA, will need to be retained for the one-year period because these are not returned to students.
You should also retain all documents and correspondence that may be part of the academic or academic conduct appeals process. You are required by the Course Management Policy to submit a copy of your grade sheet to the Department/School.
A: All emails from and to students that contain personal information as described above and that you use for the purpose of evaluating their contributions during a course or for advising regarding their educational path should be retained for one year under FIPPA. Particular emphasis is placed upon retaining correspondence that reveals something personal about the student beyond their email address (student ID, educational or medical history, financial information, questions about course work, evaluations, etc.). This also includes any correspondence that may pertain to an appeal. You should only correspond with students on their “ryerson.ca” email accounts as per TMU’s policy for the (PDF file) Establishment of Student Email Accounts for Official University Communication 157.
You should be careful about the content of e-mails as they may be retained not only by you but by others, and they can be requested as part of an FOI request. Generally, the “reply all” response should be avoided unless it is necessary. You can never be assured of what is retained by others; so, even if you have deleted an email, that’s no guarantee it will not end up being released as a result of an FOI request.
A: A TMU student’s email address is considered their personal information and as such faculty should take care in the use of these addresses.
All students are provided with an official TMU email address, as per Senate Policy #157, (PDF file) Establishment of Student Email Accounts for Official University Communication, as a means by which Ryerson employees can communicate with students. The address is also a means by which TMU can foster a collaborative learning environment such as through student discussion groups on D2L Brightspace. There are no restrictions on how students can use their email address, such as for personal communications, or for communications outside TMU.
Faculty and staff, however, should take care in using student email addresses. Be cautious in sending group emails; disclosing personal information such as grades, internship placements, home contact information, or details about an academic appeal to other students as these situations would all constitute a privacy breach and TMU's Privacy Officer must be notified immediately.
If you want to send a group email and the text does not identify individuals, consider using the blind-copying function. Refrain from disclosing the student’s email address to non-TMU personnel unless you have the consent of the student.
Using D2L Brightspace to post general information messages to students is one low-risk option. For messages aimed at a specific group of students within a course try using the blind-copying function on your email system; this way students can only see their own address and cannot see who else received the message. It is important to note that the content of the message should dictate the method used to communicate information to students; the more sensitive the information, the less appropriate group communication, including email will be.
A: The same general advice applies with regards to emails with students. Email is not considered a secure or an appropriate vehicle for communicating highly sensitive information. Emails containing personal information that you have used, needs to be retained for a minimum of one year.
A: In general, you do not have the right to consult a student’s academic record. Faculty who serve on appeals panels or who are charged with academic advising may confidentially access these records for that purpose only. Chairs/Directors and their specified administrative staff may access records for administrative purposes only and are not authorized to share that record with faculty. If you have questions regarding whether you may access an academic record for a particular purpose speak to the Associate Registrar, Enrollment Services.
A: The Course Management Policy states that students’ work must be returned to them confidentially. Putting student work in a box outside your office is not permitted. Departments/Schools are required to develop policies on the confidential disposal of work. Under FIPPA you must retain all unclaimed student work, including final exams, for one year from the date received. Student grades and evaluation comments should be kept confidential. It is advisable not to put the mark and comments on the front page of the document.
A: The concern is that name plus student ID number permits someone else with enough information to impersonate another student. The more information disclosed, the better able some one would be in committing fraud. A similar approach to that outlined in the Course Management Policy Section 2.2(f) should be followed where only part of the student number is included. It is recommended that the last 4 digits be used. In other words, professors can request that students working on group assignments hand in projects listing a portion of the student ID number and no names. In this way the other students in the group will not be privy to the entire student ID number.
A: Attendance at lectures, seminars and labs can still be taken, but professors should be sensitive to how this information is gathered. The student’s full name and complete student ID number should not be circulated.
For final exams, invigilators should walk around the room to verify student photo ID cards on a student-by-student basis, noting the attendance on a sheet of names and numbers, and students should sign their individual exams.
According to the (PDF file) Senate’s Examination Policy 135, Section III (B)(5) students must present relevant photo identification; the policy does not specify that only the OneCard will suffice. There is no need to take a student’s photograph at an exam. It is the student’s responsibility to ensure that he/she brings proper identification. If a student does not have any photo ID, the instructor should first try to confirm that the student is in the class, and the student should be required to bring identification with a signature to the instructor’s office as soon as possible after the exam.
A: Students’ answers, student images – these are the personal information of students. The actual lecture is the teaching material of the instructor and is not meant to be publicly available without his/her consent; teaching materials are protected against disclosure from a formal access request under FIPPA. The image of the instructor is his/her personal information therefore both the instructor’s lecture and image would require the instructor’s consent for capture.
If notice about the intent to capture the lecture by audio or visual recording is provided in advance to the instructor and students, no one’s privacy would be violated. Students with concerns could approach the instructor in advance. If the request to record the lecture stems from an Access Centre request, then these concerns would be relayed to the Access Centre. TMU is obliged under the Ontario Human Rights Code and the Accessibility for Ontarians with Disabilities Act (Bill 118) to seek a reasonable accommodation so that students with disabilities are not at a learning disadvantage. Please contact the Access Centre for further information (ext. 5290). See also the Senate policy (PDF file) Academic Accomodation of Students with Disabilities 159
A: The letter is comparable in purpose to a professor's feedback on an assignment and therefore the student has a right to see it.
A: Yes, if you would have done so prior to FIPPA you should do it now. FIPPA exempts evaluative or opinion material of the type that assesses the teaching materials or research of an employee, or determines eligibility or qualification for admission to an academic program, or determines the qualification for an honour or award to recognize achievement. If the person who is being evaluated uses FIPPA to request access to their own personal information in that evaluation or opinion material, Ryerson has the discretion to refuse that request.
A: Research and teaching materials are excluded from FIPPA. Thus, if someone were to make an FOI request for your research notes on a project, the University would advise the requestor that those records are not subject to FIPPA. However, FIPPA specifies that the subject matter and the amount of funding for research (but not the source of funding) is information that must be made available if requested. For more information consult with OVPRI.
A: FIPPA exempts evaluative or opinion material of the type that assesses the teaching materials or research of an employee, or determines eligibility or qualification for admission to an academic program, or determines the qualification for an honour or award to recognize achievement. If the person who is being evaluated uses FIPPA to request access to their own personal information in that evaluation or opinion material, Ryerson has the discretion to refuse that request.
A: The hiring, promotion and tenure review processes are governed by the collective agreement between Toronto Metropolitan University and the Toronto Metropolitan Faculty Association. Collective agreements are accessible under FIPPA and are available for public access. The collective agreement itself provides for certain access to information rights. For more information speak with the Vice Provost, Faculty Affairs.
NEED MORE INFORMATION?