Subject: Personal Information Protection Policy - PIPEDA
Approved by: The President
Approval date: March 25, 2004
Effective date: January 1, 2004
Administered by: Vice-President (Administration)
1 — PURPOSE
The purpose of this policy is to ensure that the University is in compliance with the Personal Information Protection and Electronic Documents Act, hereinafter referred to as "PIPEDA".
This policy is not intended to cover all policy issues concerning the protection of personal information, but only those issues that are raised by PIPEDA.
2 — DEFINITIONS
2.1 "Commercial activity"
A commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
2.2 "Commercial character"
An activity has a commercial character if it, or another activity with which it is associated, a) involves an exchange of goods or services for valuable consideration, b) is for the purpose of creating a profit, generating revenue or producing a positive cash flow and c) is not principally educational in nature, that is, is not principally advancing or communicating knowledge or improving the abilities of students.
2.3 "Personal information"
Personal information for the purposes of this policy means information that the University collects, uses or discloses in the course of commercial activities, which information is about an identifiable individual. Personal information does not include the name, title, business address or business telephone number of an employee of the University.
3 — APPLICATION
This policy only applies to personal information that the University collects, uses or discloses in the course of commercial activities.
This policy does not apply to employee and student information collected, used or disclosed in the administration of the University unless and until that information is used or disclosed in the course of a commercial activity.
The University has examined its activities to identify those that are commercial in character and which involve the collection, use or disclosure of personal information. The results of that examination are summarized in Appendix 1 of this policy.
4 — RESPONSIBILITY FOR COMPLIANCE
The Director of Administrative Services, as the person responsible for most of the activities that could be commercial activities for the purposes of this policy, is designated as the individual responsible for the University's compliance with the PIPEDA.
5 — COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION
The University will collect, use or disclose personal information in the course of a commercial activity only for purposes that a reasonable person would consider are appropriate in the circumstances and to the extent necessary to complete that activity.
6 — DISCLOSURE AND CONSENT
Given the foregoing, and that the commercial activities will be ones in which an individual participates voluntarily, and since it is the University's policy not to use or disclose personal information collected in the course of one commercial activity in any other commercial activity, the University believes that the individual's participation in the activity constitutes sufficient consent to collect that information and that express disclosure of the use that will be made of the personal information is not required.
Furthermore, since personal information that the University collects other than in the course of a commercial activity will only be used in the course of commercial activities in very limited circumstances that are reasonable given the work of the University, such as to provide services to members of the Alumni, express consent is not required for the University to make use of that information. Information on these uses is recorded in Appendix 1 of this policy.
7 — PROTECTION AND PERSONAL INFORMATION
It is the responsibility of each department head to protect in accordance with this policy personal information that is in the possession of the department.
If the University transfers personal information to a third party for processing, the University will ensure that the third party provides a level of protection to that information that is comparable to the level of protection provided by the University.
The following security safeguards will be used to protect personal information against loss or theft, as well as against unauthorized access, disclosure, copying, use, or modification:
- physical copies of such information when not being used shall be stored in locked filing cabinets or in offices to which access is restricted;
- electronic copies of such information shall be stored only on computers or in computer systems that are password protected; and
- access to the information will only be provided to employees who need to have access in order to do their jobs.
8 — COMPLAINTS, ENQUIRIES AND REQUESTS
The University shall inform individuals who make enquiries or lodge complaints about matters covered by this policy of the existence of the following procedures.
Individuals who have complaints or questions concerning any of the matters covered by this policy, or who wish to gain access to personal information in the possession of the University, may do so by addressing their complaints, enquiries or requests in writing to the Director of Administrative Services, Mount Allison University, 65 York Street, Sackville, New Brunswick, E4L 1E4.
This written complaint, enquiry or request must include sufficient information to permit the University to provide an account of the existence, use, and disclosure of personal information. The information so included shall only be used for the purpose of dealing with the complaint, enquiry or request.
The Director shall investigate all complaints. If a complaint is found to be justified, the University shall take appropriate measures, including, if necessary, amending its policies, practices and records and, where appropriate, shall transmit any amended records to third parties having copies of those records.
The Director will respond in writing to the complaint, enquiry or request within 20 working days and in a form that is easily understandable. Depending on the nature of the complaint, enquiry or request, the Director's response shall include the following information:
- a copy of this policy;
- a description of the type of personal information held by the University, including a general account of its source, a general account of its use and its disclosure to third parties, including its disclosure to related organizations; and
- the information that is being held so that the individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
If following this response the individual demonstrates in writing that the information being held is inaccurate or incomplete, the Director will correct or complete the information being held and report to the individual in writing that this was done. If changes or additions requested by the individual are not made, the Director will so report to the individual in writing.
If the Director's response, including the response contemplated in the immediately preceding paragraph, is not accepted by the individual, and the individual so informs the Director in writing, the substance of the unresolved issues shall be recorded and, when appropriate, the existence of the unresolved issues shall be transmitted to third parties having access to the information in question.
9 — INFORMATION EXPLAINING THE UNIVERSITY'S POLICIES AND PROCEDURES AND STAFF TRAINING
The University shall make its employees aware of the importance of maintaining the confidentiality of personal information and shall advise them of the existence of this policy and its application to the collection, use and disclosure of personal information.
A copy of this policy shall be posted on the University's website so that all employees and all interested individuals will have access to the University's policies and procedures concerning personal information.
All staff associated with the Conference Office, or with any other office determined to be involved in commercial activities, shall, at the time their employment commences, receive training in the application of this policy, and in the practices in place to protect personal information.
10 — RETENTION AND DESTRUCTION OF PERSONAL INFORMATION
Personal information shall be retained for a maximum of seven fiscal years following the fiscal year in which the personal information is collected, except for such information that may be stored electronically in the University's student, financial, alumni or fund raising systems. With the exception of this latter information, information which is no longer to be retained shall be destroyed, erased, or made anonymous in a manner that will prevent unauthorized parties from gaining access to the information. Paper copies of such information shall be shredded and electronic records shall be erased in order to comply with this requirement. Further information on retention is provided in Appendix 1 of this policy.