All Ontario universities and colleges are responsible for fulfilling the requirements of the Freedom of Information and Protection of Privacy Act (FIPPA).
- FIPPA was enacted to ensure that Ontario’s publicly funded institutions are transparent and accountable to the people of Ontario through access to information and the protection of privacy
- FIPPA is enforced through the office of the Information and Privacy Commissioner of Ontario (IPC)
Two Key Principles of FIPPA:
Public access to information
- The public has a right to request records that the institution has in its custody or under its control.
The protection of personal privacy
- The institution has a responsibility to protect personal information and other kinds of sensitive records from unauthorized uses and disclosures.
An Institutional Record means any record:
- in the custody or under the control of the institution;
- created or received, and maintained as evidence of institutional decisions, transactions, and relationships; and,
- relevant to the administration and operation of institutional activities.
What is considered Personal Information?
- FIPPA defines Personal Information as information about an identifiable individual
- This includes, but is not limited to, such basic details as name, address, telephone number, gender, age and marital status, employee number, student number, health information, education and employment history, and financial data
- An individual’s name on its own is not personal information unless it discloses other information whose unauthorized disclosure would be an invasion of privacy
- Personal Information does not include the name, title, business address, and business contact numbers of an employee
Key Points
- Personal information is any information about an identifiable individual (except employees’ names and work contact details)
- The names of students are personal information as they identify the individual as a student of the institution.
- Record: A record is any record of information however recorded, whether in printed form, on film, by electronic means or otherwise
- FIPPA’s rules for the protection of personal information include:
  - Collect only the Personal Information (PI) that you need for the proper administration of the institution;
  - Inform people about the collection and about what you intend to do with their PI by including a Collection Notice whenever you collect PI;
  - Only use PI for the purpose(s) for which it was collected, or a consistent purpose;
  - Only share PI internally with other institutional employees if they need to know the information for the purpose of their role;
  - Don’t disclose PI outside of the institution without consent, other than in limited circumstances as specified in FIPPA; and
  - Retain PI for a minimum of 1 year past last date of use.
- Privacy breaches must be reported to the institutional privacy office
- Be mindful of privacy when handling records containing PI
- Email: Use your institutional email address for all institutional email
Learn More
Institutions may have a policy detailing:
- Access to Information and Protection of Privacy
What if I’m dealing with Personal Health Information?
Generally, even if you are handling records containing health information, FIPPA will continue to apply. The Personal Health Information Protection Act (PHIPA) only applies to the institution’s units/departments that provide health care on the institution’s behalf. Institutions will have health care providers who act as Health Information Custodians within the context of PHIPA; these may include the following:
- Student Health Services
- Personal Counselling Services
Employees of one of the above units should complete PHIPA Training.
Collection Notice Requirements
An institution must inform the individual to whom the information relates that a personal information collection has occurred. Whenever possible, the notice should be provided to an individual at the time of collection, or included on program forms and communications.
The notice to the individual must state:
- The legal authority for the collection;
- The principal purpose or purposes for which the personal information is intended to be used; and
- The title and business contact information of an official of the institution who can answer the individual’s questions about the collection.
Notice must be provided each time there is a collection. The notice should address separate legal authorities or collections if a form is used for multiple purposes.
Example
Brock University’s Collection Notice Template:
Brock University protects your privacy and your Personal Information. The Personal Information requested on this form is collected under the authority of The Brock University Act, 1964, and in accordance with the Freedom of Information and Protection of Privacy Act (“FIPPA”). The information will be used to [specify purpose for collecting the Personal Information]. Direct any questions about this collection to the [contact position], of the [your department] at Brock University at (905) 688-5550, ext. [XXXX] or see www.brocku.ca/[your departmental website].