- Unit Responsible: General Counsel and Board Secretariat
- Owner: General Counsel and Secretary of the Board, and Chief Privacy Officer
- Approver: President
- Issued Date: 2008
- Review Dates: 2011, 2025
I. Purpose
1. The University is obligated to protect Personal Information and to provide access to information in University Records in accordance with Ontario’s Freedom of Information and Protection of Privacy Act (“FIPPA”) and to protect Personal Health Information in accordance with Ontario’s Personal Health Information Protection Act (“PHIPA”).
2. The University is committed to transparency and accountability through freedom of information. The University will make University Records available to the public with exceptions being limited and specific as outlined in this Policy or as otherwise in accordance with applicable law.
3. The University is equally committed to protecting the privacy of individuals and respecting an individual’s right to access their own Personal Information. The University’s privacy protection practices follow the Canadian Standards Association Model Code for the Protection of Personal Information (also known as the “Fair Information Principles”).
4. This Policy aims to ensure that the University fulfills these principles and meets its obligations under FIPPA, PHIPA, and any other applicable laws. All collection, use, disclosure, protection, storage, and disposal of University Records containing Personal Information, and all requests for access to information in University Records will be handled in accordance with this policy.
II. Scope and Application
1. This Policy applies to all University Records, regardless of medium, in the custody or control of the University, except for the following University Records (subject to certain limitations as described in “Appendix A: Record categories expressly excluded from FIPPA”):
a. Records in the University’s Special Collections and Archives;
b. Labour-relations and employment-related records;
c. Research records; and
d. Teaching materials.
2. This Policy applies to the collection, retention, use, disclosure and disposal of Personal Information used for University purposes.
3. This Policy applies to University Community members and any other individual with access to Personal Information in the University's custody or control.
4. This Policy shall be interpreted and applied in compliance with the University’s obligations under any collective agreements and in accordance with applicable law. Nothing in this Policy shall be interpreted as limiting or amending the provisions of any collective agreement or applicable law.
III. Definitions
1. “Personal Information” means recorded information about an identifiable individual. For the purpose of this Policy, Personal Information has the same meaning as defined in Section 2 of FIPPA, and it includes Personal Health Information.
2. “Personal Health Information” means information about an individual, whether in oral or recorded form, that identifies the individual or could enable such identification and that relates to: the person’s physical or mental health, medical history or past or future medical treatment, including the identity of a patient’s healthcare provider or a patient’s health number. For the purpose of this Policy, Personal Health Information has the same meaning as defined in Section 4 of PHIPA and is included as a subset of Personal Information in this Policy.
3. “Policy” means Privacy and Access to Information Policy.
4. “University” means Toronto Metropolitan University.
5. “University Community” means all students, faculty, and staff, including contractors and visitors.
6. “University Record” means recorded information created or received in the course of conducting University academic and administrative functions and kept as evidence of such activity. This definition extends to all record media and formats, including paper files, electronic files, e-mail, film and print graphics, audio and video recordings, and any other form of recorded information and applies to University Records regardless of their location. Records held by faculty members and instructors that are created and received in the administration of teaching and research are University Records.
IV. Policy
Part 1: Privacy
1. In accordance with Principle 1 (Accountability) of the Fair Information Principles:
a. The University is responsible for the Personal Information in its custody or control and has designated a Chief Privacy Officer and the Office of the General Counsel and Board Secretariat as responsible for the University’s privacy management program.
b. The University shall maintain policies, procedures and practices that are necessary to enable it to comply with its privacy protection obligations pursuant to FIPPA, PHIPA, and any other applicable laws.
c. The University shall use contractual or other means to provide a comparable level of protection for information that it transfers to a third party for processing.
d. The University shall conduct reviews periodically on uses of, and systems containing, Personal Information to evaluate the appropriateness of the collection, use, disclosure, protection, retention and disposal of this information, and to monitor compliance with this policy.
2. In accordance with Principle 2 (Identifying Purposes) of the Fair Information Principles, the University shall, at or before the time Personal Information is collected, identify the purposes for which this information is collected, used, disclosed and retained.
3. In accordance with Principle 3 (Consent) of the Fair Information Principles:
a. The University shall provide individuals with a notice of collection that provides the legal authority for the collection, the purpose of the collection and who, at the University, individuals may contact for more information.
b. Thereafter, individuals who proceed to disclose Personal Information to the University are deemed to have consented to the collection, use, disclosure and retention of their information by the University.
4. In accordance with Principle 4 (Limiting Collection) of the Fair Information Principles:
a. The University shall limit the amount and type of Personal Information or Personal Health Information collected to that which is needed for the purposes identified by the University.
b. The University shall collect the information by fair and lawful means.
5. In accordance with Principle 5 (Limiting Use, and Retention) of the Fair Information Principles:
a. The University shall limit the use or disclosure of Personal Information or Personal Health Information to that which is needed for the purposes for which it was collected, except with the express consent of the individual, or as permitted or required by law.
b. Only University Community members who need a University Record containing Personal Information or Personal Health Information in the performance of work duties shall access it.
c. The University shall limit the retention of Personal Information or Personal Health Information to as long as required to serve University purposes. In general, the University shall retain this information in accordance with legislative requirements and as guided by the University’s Records Retention Schedule.
6. In accordance with Principle 6 (Accuracy) of the Fair Information Principles, the University shall take reasonable steps to ensure that Personal Information and Personal Health Information is accurate, complete, and up-to-date.
7. In accordance with Principle 7 (Safeguards) of the Fair Information Principles:
a. The University shall take reasonable steps to protect Personal Information by the appropriate security measures relative to the sensitivity of the information. The University has outlined expectations for appropriate information-security practices relative to different levels of information sensitivity in the Information Classification Standard and Information Handling Guidelines.
b. University Community members must report all known, suspected, or potential privacy breaches of Personal Information to the Privacy Office within the Office of the General Counsel and Board Secretariat as soon as reasonably possible at privacy@torontomu.ca.
c. The Chief Privacy Officer or a designated individual will investigate all known, suspected or potential privacy breaches. If a privacy breach is found to have occurred, the University will follow its Privacy Breach Protocol (See “Appendix B: Privacy Breach Protocol”).
d. Where there is a breach of Personal Information, the University may have privacy breach reporting requirements to the Information and Privacy Commissioner of Ontario.
8. In accordance with Principle 8 (Openness) of the Fair Information Principles, the University shall make available information about its policies and practices related to the management of Personal Information. Inquiries may be directed to the Chief Privacy Officer or the Office of the General Counsel and Board Secretariat. Information may also be available on the University’s website.
9. In accordance with Principle 9 (Individual Access) of the Fair Information Principles:
a. The University shall inform an individual, upon formal request and verification of their identity, of the existence, use, and disclosure of their Personal Information, and give access to that information within 30 days unless a specific exception applies, in accordance with FIPPA and PHIPA.
b. Where an individual demonstrates the inaccuracy or incompleteness of their Personal Information, the University shall take steps to review and amend the information.
10. In accordance with Principle 10 (Challenging Compliance) of the Fair Information Principles:
a. An individual may lodge a privacy complaint regarding the University’s compliance with these principles to the University’s Privacy Office within the Office of the General Counsel and Board Secretariat. The Chief Privacy Officer, or designated individual, will investigate all privacy complaints. If a complaint is found by the Chief Privacy Officer to be justified, the University shall take appropriate measures.
b. Complaints may also be lodged with the Information and Privacy Commissioner of Ontario.
Part 2: Access to Information
11. The University shall provide access to information in University Records upon request, unless there are reasonable and legal grounds to deny that access and the decision to deny access is permitted pursuant to FIPPA.
V. Roles and Responsibilities
1. The Office of the General Counsel and Board Secretariat is responsible for:
a. Conducting periodic assessments and reviews of information collection, use, disclosure, retention and destruction practices.
b. Developing policies, procedures and tools to carry out a privacy management program.
c. Overseeing, conducting, and setting out requirements for ongoing privacy training for any University Community member with access to Personal Information in the University’s custody or control.
d. Investigating privacy complaints, and known or suspected privacy breaches.
e. Responding to access-to-information requests made pursuant to FIPPA or PHIPA.
2. The University Community is responsible for:
a. Reporting known or suspected privacy breaches.
b. Complying with the directives provided by the Chief Privacy Officer in order:
i. To safeguard personal information;
ii. To provide information relating to an investigation of a privacy complaint or a privacy breach; or
iii. To provide records within prescribed timelines in response to an access-to-information request made pursuant to FIPPA or PHIPA.
Appendix A: Record categories expressly excluded from FIPPA
1. Records donated to archives: Records that were privately donated to the University archives by a person or an organization. This exception does not apply if the donating organization is an institution covered by FIPPA or Municipal FIPPA, or is a health information custodian as defined by the Personal Health Information Protection Act (PHIPA).
2. Employment-related Records: Records collected, prepared, maintained or used by or on behalf of the University in relation to labour relations; employment-related matters; labour negotiations; and meetings, consultations, discussions or communications about the labour relations and employment related matters. The exclusion does not apply to labour-relations agreements and expense records.
3. Research records: Records about or associated with research conducted or proposed by an employee or a person associated with the University. The exclusion does not apply to the subject or amount of the funding received by an employee or a person associated with the University for research.
4. Teaching materials: Records of teaching materials collected, prepared or maintained by an employee or a person associated with the University for use at the University. The exclusion does not apply to evaluative or opinion material compiled about teaching materials or research, supplied explicitly or implicitly in confidence, for the sole purpose of assessing the teaching materials or research of an employee or person associated with the University.
Appendix B: Privacy Breach Protocol
It is the responsibility of the University Community to report known or suspected breaches of Personal Information or Personal Health Information as soon as reasonably possible, and to cooperate with the Chief Privacy Officer and the Office of the General Counsel and Board Secretariat to ensure that privacy breaches are contained properly, investigated, and prevented from recurring.
A privacy breach is any unauthorized disclosure of Personal Information, including Personal Health Information. Some causes of privacy breaches include but are not limited to:
a) Emails sent to the wrong recipient, or emails containing the incorrect file;
b) Paper records left unattended or lost;
c) Lost or stolen phone, laptop, or other mobile devices;
d) Hacked or insecure data systems;
e) Access to records by an individual who does not need that information in the performance of their employment duties; or,
f) Disposal of equipment or paper records without secure destruction.
The Privacy Breach Protocol describes the University’s five-step approach to responding to and managing a privacy breach.
Step 1: Reporting a privacy breach
Responding quickly is an effective way to limit the scope and impact of a privacy breach.
Any University Community member who becomes aware of a suspected, possible or actual privacy breach will immediately inform the Privacy Office within the General Counsel and Board Secretariat, and if the member is an employee of the University, they will immediately notify their Leader.
The Privacy Office can be reached at privacy@torontomu.ca.
Step 2: Containing a privacy breach
The Privacy Office advises and coordinates with the unit that identified the breach to take necessary and immediate steps to limit the scope and impact of the privacy breach.
Examples of containment measures include but are not limited to:
a) Reviewing the collection, use, retention, disclosure and destruction processes associated with the affected information to assist in mapping possible containment options;
b) Determining if it is possible to recapture, return, and re-secure the breached data (physical and/or electronic);
c) Working with Computing and Communications Services and any other University IT services to re-secure the data. This could involve temporary suspension of some user accounts or systems, and/or remote wiping or locking of devices;
d) Working with third-party providers who may provide data storage or data processing services to the University to plug any gaps and determine if a suspension of services is warranted; and/or,
e) Working with the unit responsible for processing the breached information to determine whether the process should be suspended.
Step 3: Investigation and Risk Assessment
The Privacy Office conducts a risk assessment to determine the possible harms resulting from the privacy breach. The Privacy Office reviews the circumstances leading to the breach; prior privacy impact assessments, previous breaches or complaints for any associated University systems or services involved in the breach; and practices associated with handling the Personal Information or Personal Health Information affected by the breach. The Privacy Office advises on notification to individuals whose information was breached and makes recommendations on steps to safeguard the information prior to resuming any processing, systems, or tasks that use similar data.
Step 4: Notification
The Chief Privacy Officer determines notification steps arising from a privacy breach.
This may include:
a) Affected Individuals:
The University may notify affected individuals at the first reasonable opportunity at the direction of the Privacy Office with consideration to the type of notification based on the circumstances.
b) Regulatory:
i) FIPPA: The University may report breaches of significant scope or harm to the Information and Privacy Commissioner of Ontario (“IPC”). The University will cooperate with the IPC’s investigation.
ii) PHIPA: The University has mandatory reporting requirements to the IPC for any breach of Personal Health Information. The University will cooperate with the IPC’s investigation.
Step 5: Remediation
The University’s procedures, processes and controls will be reviewed to determine whether there are opportunities to improve safeguards to protect Personal Information and Personal Health Information. Privacy and/or information-security training may be recommended.
In the event the University determines the breach was deliberate and/or malicious, the circumstances will be reviewed with the unit’s relevant leader, and may also include HR or the Vice-Provost, Faculty Affairs.