Originator: Vice President, Finance and Administration
Approver: President’s Council
Effective: February 11, 2014
Replaces: March 9, 1999


1. Preamble

Personal Information in the custody of the College is subject to legal protections. Individuals have a reasonable expectation of privacy. The College is subject to legal limitations as to how it collects, accesses, uses and discloses Personal Information and to the amount of Personal Information it collects. In addition, individuals have a qualified right to access their own Personal Information.

2. Policy

The College will collect, use and disclose all Personal Information in the manner prescribed by law, and in accordance with the procedures set forth in this document.

3. Definitions

“College Access and Privacy Coordinator” is the College employee that is responsible for receiving applications for access to Records and for day to day administration of The Freedom of Information and Protection of Privacy Act. The College Access and Privacy Coordinator also acts as a privacy officer as contemplated by Section 57 of The Personal Health Information Act.

“College Access and Privacy Officer” is the person appointed by the College President pursuant to Section 81 of The Freedom of Information and Protection of Privacy Act and Section 58 of The Personal Health Information Act. The College Access and Privacy Officer is deemed to be the “head” of the College in relation to obligations imposed by The Freedom of Information and Protection of Privacy Act.

“Personal Health Information” means recorded information about an identifiable individual that relates to the individual’s health or health care history, the provision of health care to that individual or payment for health care provided to the individual, as further qualified by The Freedom of Information and Protection of Privacy Act and The Personal Health Information Act.

“Personal Information” means recorded information about an identifiable individual, as further qualified by The Freedom of Information and Protection of Privacy Act, and, without limitation, includes Personal Health Information.

“Record” means a record of information in any form, and includes information that is written, photographed, recorded or stored in any manner, on any storage medium or by any means including by graphic, electronic or mechanical means, but does not include electronic software or any mechanism that produces records.

4. Procedures

Collection, Use and Disclosure of Personal Information

4.01

Subject to any exceptions permitted by law, employees of the College must only collect and use as much Personal Information as is reasonably required to fulfill the purpose of collection.

4.02

Employees may use Personal Information for purposes other than the purposes for which the information was collected, where:

  1. an individual has consented; or
  2. the new purpose is consistent with the original purpose of collection, and the minimum amount of information is used to fulfill that related purpose.

Employees should contact the Access and Privacy Coordinator to determine whether a purpose is consistent with the original purpose of collection.

4.03

Personal Information should not be disclosed to a third party unless the person who the Personal Information is about has consented to the disclosure, or unless the third party otherwise has a legal right to that Personal Information. Employees should contact the Access and Privacy Coordinator for guidance as to whether a third party has a right of access to Personal Information.

Requests for Access to Information

4.04

Formal requests for access to information, including Personal Information and Personal Health Information, must be made on the College’s prescribed form. Where the form is available online or another publicly accessible medium, the potential applicant should be directed to such media. The potential applicant may also be directed to the Access and Privacy Coordinator for direction on how to access and complete the form.

4.05

All formal requests for information must be immediately directed to the Access and Privacy Coordinator. Upon delivery to the Access and Privacy Coordinator, the formal request will be date stamped and logged.

4.06

Once the formal request has been logged, the Access and Privacy Coordinator will assess the request and make a determination as to whether the applicant may have access to some or all of the information requested. The Access and Privacy Coordinator has a right of access to all Records that are the subject of any formal request. All employees are obligated to provide copies of all Records related to the formal request to the Privacy and Access Coordinator.

4.07

The Access and Privacy Coordinator, in consultation with other College stakeholders and subject matter experts, will review all Records related to a formal request, and determine which Records, if any, the applicant is entitled to access. All College stakeholders and subject matter experts must cooperate with the Access and Privacy Coordinator in order to assist in making the correct determination.

4.08

Upon completion of the review of Records, the Access and Privacy Coordinator will communicate with the applicant as prescribed by law, informing them of the number of Records to which they have access, and describing how the applicant may gain access to the non-exempt Records.

4.09

Where Records naming any employee of the College are being released to an applicant, the Access and Privacy Coordinator will advise the affected College employee where it is reasonable to do so.

Retention and Destruction of Personal Information

4.10

Records containing Personal Information, including Personal Health Information, must be retained by the department that collected them for a reasonable period of time so that the individual that the information is about has a reasonable opportunity to access them. For specific advice as to how long a Record should be retained, College employees should contact the Access and Privacy Coordinator for direction. The Access and Privacy Coordinator will seek guidance from the Chief Information Officer and other College resources as appropriate when providing advice on retention.

4.11

Records containing Personal Information, including Personal Health Information, may only be destroyed after an appropriate period of time has elapsed. Records must be destroyed in a secure manner that protects the privacy of the individuals that the Personal Information is about. For specific advice as to how to securely destroy Records, College employees should contact the Access and Privacy Coordinator for direction. The Access and Privacy Coordinator will seek guidance from the Chief Information Officer and other College resources as appropriate when providing advice on destruction of Records. The College may prescribe further policies and procedures concerning the retention and destruction of Personal Information from time to time.

4.12

Where Records containing Personal Health Information are destroyed, the department which has undertaken the destruction of the Records must keep a destruction record naming the individual whose Personal Health Information was destroyed and the time period to which the information relates. The destruction record must also note the method of destruction of the Records, and the person responsible for supervising the destruction. Departments must keep destruction records on file for 10 years.

Security of Personal Information

4.13

All Records containing Personal Information must be kept in a secure environment when not in use. Paper based and other similar Records containing Personal Information must be kept in a locked location when not in use. Electronic Records must be kept on a secure electronic medium with access protected by password. In addition, Records containing Personal Information that are contained on removable storage devices such as flash drives must be encrypted.

4.14

When Records containing Personal Information are removed from their secure environment for use permitted by this policy and by law, the College employee who is using the Records must take reasonable precautions to guard the confidentiality of the Records. When the College employee is no longer using the Records, they must immediately return them to their secure location.

4.15

Where an employee becomes aware of an existing or potential security breach as it relates to Records containing Personal Information, the employee must immediately record the circumstances related to the breach or potential breach, and forward it to the Access and Privacy Coordinator. The Access and Privacy Coordinator will conduct an investigation, and provide recommendations, if any, as to how to prevent such security breaches in the future. All College employees must follow the recommendations of the Access and Privacy Coordinator.

Training and Documentation

4.16

Employees must undertake such reasonable privacy and access training as the Access and Privacy Coordinator may prescribe from time to time.

4.17

Employees who are reasonably expected to have access to Personal Health Information in the course of their duties will sign a pledge of confidentiality in form and content that is satisfactory to the Access and Privacy Officer.

5. Responsibilities

The College Access and Privacy Coordinator is responsible for:
  1. advising employees of their duties and obligations respecting Personal Information;
  2. assisting applicants in the completion of formal requests for access to information;
  3. logging all formal requests for access to information;
  4. assessing what Records, if any, an applicant may be entitled to with respect to a formal request for access to information;
  5. informing applicants of what Records they are entitled to access and how they may obtain access;
  6. informing College employees that Records naming the employee are going to be released to an applicant in circumstances where it is reasonable to do so;
  7. receiving records of security breaches involving Personal Information, conducting an investigation of such breaches, and providing recommendations to minimize the likelihood of a reoccurrence of such breaches;
  8. arranging for training Employees as deemed reasonably prudent in the sole discretion of the Access and Privacy Coordinator.

The College Access and Privacy Officer acts as the “head” of the College for the purposes of The Freedom of Information and Protection of Privacy Act and The Personal Health Information Act.

Employees of the College are responsible for:
  1. collecting, using and disclosing Personal Information as prescribed by this policy and by law;
  2. forwarding all formal requests for access to information to the College Access and Privacy Coordinator;
  3. consulting with the College Access and Privacy Coordinator with respect to informal requests for disclosure of Personal Information to third parties;
  4. consulting with the College Access and Privacy Coordinator with respect to timely retention of Personal Information and secure destruction of Personal Information;
  5. accessing Personal Information in a secure manner as prescribed by this policy;
  6. noting the destruction of records containing Personal Health Information as prescribed by this Policy and retaining same;
  7. reporting existing or potential security breaches involving Personal Information to the Access and Privacy Coordinator;
  8. following the recommendations of the Access and Privacy Coordinator following an investigation into a security breach;
  9. completing such training as the Access and Privacy Coordinator may prescribe from time to time;
  10. signing a pledge of confidentiality as reasonably required by the Access and Privacy Officer;
  11. otherwise complying with the obligations of this policy and legislation that is applicable to Personal Information, including Personal Health Information.

Supervisors of the College are responsible for ensuring that their employees comply with this policy, and ensuring that their departments maintain appropriate retention, destruction and security procedures with respect to Personal Information that is in their possession.

6. Enforcement

6.1

College employees who violate this policy may be subject to disciplinary action up to and including dismissal.

Related Policy and Legislation

The Freedom of Information and Protection of Privacy Act C.C.S.M. c. F175, and its Access and Privacy Regulation

The Personal Health Information Act C.C.S.M. c. P33.5, and its Personal Health Information Regulation