||Freedom of Information and Protection of Privacy
Seneca complies with the requirements of the Freedom of Information and Protection of Privacy Act (FIPPA), and affirms the importance of conducting its operations in a transparent manner and, as far as possible, in ways that are open to public scrutiny.
In summary, FIPPA has two purposes.
The “information” refers to records within Seneca’s custody or control and can include records in all formats and media records containing personal information relating to individual faculty, staff and students, as well as records relating to Seneca’s business operations and administration of academic programs, services and areas. Seneca records may be the subject of an access to information request under FIPPA, and may be required to be disclosed to requesters pursuant to specific exemptions and exclusions in FIPPA.
“Record” means any record of information however recorded, whether in printed form, on film, by electronic means or otherwise, and includes:
“Personal information” is information about an identifiable individual. It includes but is not limited to the following:
However, information about individuals acting in their business or professional capacity such as name and title, work address (including office location), work telephone number, Seneca e-mail address, etc. is NOT personal information.
Some records are exempted from disclosure and must not (mandatory) or may not (discretionary, as determined by the Freedom of Information & Privacy Protection Officer or as ordered by the Privacy Commission) be released under FIPPA. If a record contains information that is exempted from disclosure, but that can reasonably be severed, the right of access applies to the remainder of the record.
Seneca may refuse to grant access to a record in the following circumstances:
COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION
No person shall collect personal information on behalf of an institution unless the collection is expressly authorized by statute, used for the purposes of law enforcement or necessary to the proper administration of a lawfully authorized activity. [FIPPA section 38(2)].
Seneca will only collect, use and disclose personal information with the informed consent of individuals, unless such information is required or authorized by law (e.g. specific sections of the Labour Relations Act, Occupational Health and Safety Act, Statistics Act, etc.). The reasonable expectations of the individual, as well as the sensitivity of the information, will be taken into account in determining whether Seneca will request express consent or rely on implied consent (e.g. a consistent purpose that may reasonably be expected by an individual).
Seneca has legal obligations of due diligence to ensure all employees and students have the right to work and study in a safe environment, including cooperating with requests from the police when they suspect that a person of interest may be associated with Seneca. FIPPA permits the disclosure of personal information to an institution or a law enforcement agency in Canada to aid an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result (section 42 (g) of the Act). Any requests by police for information regarding students, faculty or staff are to be directed to the Freedom of Information & Privacy Protection Officer to determine what personal information can be released and maintain a record of the request.
FIPPA prescribes the use of students’ personal information as necessary to accomplish Seneca’s academic, pedagogical and operational activities. Personal information includes, but is not limited to, student numbers, education or health history, a students’ own grades and professors’ evaluative comments on a student’s learning.
Normally, in determining whether an activity is “lawfully authorized”, consideration should be given to Seneca’s empowering statute. Currently, this is the Ontario Colleges of Applied Arts and Technology Act, 2002, which states in part: “The object of the colleges is to offer a comprehensive program of career-oriented, post-secondary education and training to assist individuals in finding and keeping employment to meet the needs of employers and the changing work environment and to support the economic and social development of their local and diverse communities.”
This Policy is designed to provide for the efficient and effective management of Seneca’s records. Staff are responsible for the orderly and efficient creation, use, maintenance, retention and disposal of records according to legal, fiscal and statutory requirements, and administrative or operational needs. While each department/School creates, receives, uses and maintains records that relate to the administration or operation of Seneca, these records are and remain the property of Seneca.
In some departments/Schools, staff with access to personal and/or business information in the custody or control of Seneca may be required to agree in writing to respect the confidentiality of the personal and/or business information to which they have access.
Staff of each department/School are required to prevent unauthorized access to records and to document and put in place specific security measures. Security measures to be considered include the following: computer use policies (e.g. password restrictions, shutting off computers while not in use, etc.); firewalls; physical security (e.g. locking cabinets and offices); and, administrative protocols (e.g. limiting staff access to certain files).
All staff are required to review and comply with this Policy. Failure to do so may be considered a serious employment matter and may give rise to legal liability for Seneca.
||Freedom of Information and Protection of Privacy
The Privacy Office in Strategic Planning and Public Affairs is responsible for Seneca’s compliance under FIPPA, exercising discretion in interpreting what is and is not to be released based on knowledge and understanding of FIPPA and reviewing of jurisprudence from decisions of the Privacy Commission.
REGULATION OF PERSONAL INFORMATION OVERVIEW
FIPPA regulates personal information in the custody or control of Seneca; specifically, it places restrictions on how Seneca collects, uses, and discloses personal information. Seneca collects and records personal information as is necessary for the proper administration of the institution and its academic and other programs, or as required by virtue of data collection or government reporting requirements. Seneca uses personal information for the purpose for which it was obtained or compiled, or for a consistent purpose, where the individual has identified that information and consented to its use. FIPPA also imposes rules on how long Seneca must keep personal information, how it is to be kept secure and the means of its disposal.
CIRCUMSTANCES THAT WARRANT THE COLLECTION OF PERSONAL INFORMATION
FIPPA’s requirements for the collection of personal information are as follows:
Seneca must provide notice of collection to the individual, and in some cases obtain consent.
Seneca can collect personal information (whether directly or indirectly) ONLY in one of the following three circumstances:
FIPPA deals with two types of collection:
FIPPA imposes different rules depending on whether the information is collected directly from the individual or indirectly from another source. For direct collections, Seneca is required to notify affected individuals of the following:
FIPPA permits indirect collection of personal information only in limited circumstances, including the following:
FIPPA allows individuals access to recorded information in the custody or control of Seneca. You should be aware of the following:
Seneca is under strict time limits in relation to compliance with FIPPA: therefore staff, who receive access requests, must immediately forward the request(s) to the Privacy Office in Strategic Planning and Public Affairs. Failure to do so may have serious consequences for Seneca with respect to its compliance obligations under FIPPA. As well, Seneca must report statistics on requests annually to the Ontario Privacy Commissioner.
WHEN CAN SENECA USE PERSONAL INFORMATION?
Seneca may only use personal information in its custody or control in limited circumstances. Normally the uses must be restricted to those for which the affected party has previously been given notice at the time of collection or for a “consistent purpose”. FIPPA defines a “consistent purpose” as one the requestor might have reasonably expected. Personal information may only be used for other purposes if one of the following exceptions applies:
WHEN CAN SENECA DISCLOSE PERSONAL INFORMATION?
Seneca can only disclose personal information in its custody or control under certain circumstances, including the following:
Disclosure can be made to an employee of Seneca who needs the record in the performance of their duties and where disclosure is necessary and proper in the discharge of Seneca’s functions. If an employee is asked for an individual’s personal information, they are responsible for assuring that it is being requested for “necessary and proper” purposes by someone fulfilling his/her work-related duties.
COLLECTING, USING AND DISCLOSING STUDENTS’ PERSONAL INFORMATION
Professors may ask for personal information from students, but only as necessary for course or program delivery. The information collected must be used for the purpose for which it was obtained: for example, students may be asked to provide their name and e-mail addresses for a class discussion or distribution list. Professors are required to inform students of the purpose for which the information is being requested.
In general, access to information in student academic records is given on a need to know basis and as required by Seneca faculty and staff, but the level and nature of access must be related to their particular duties. For example, faculty and staff who are charged with academic advising functions or those who serve on appeal committees are entitled to confidential access to student records for those specific purposes.
Faculty can only share students’ personal information with other Seneca staff whose duties and responsibilities authorize them to have access to that information and who need the information in order to carry out their duties. If faculty or staff wish to share a student’s information beyond those with authorized access, they must obtain the student’s consent for so doing. This restriction on access to student’s personal information applies to parents/guardians/spouse who phone to request such information.
Seneca makes reasonable arrangements to ensure that explanations for evaluation of student learning are made available to the affected students, together with copies of such materials as are relevant to such explanations and which can be disclosed without undermining the integrity of the evaluation system or method in question.
RECORDS NOT COVERED BY THE ACT
This Policy applies to recorded information covered by FIPPA. A limited number of documents are not subject to the Act.
Specifically FIPPA does not apply to records “collected, prepared, maintained or used by or on behalf of an institution” in relation to the following:
However, four subcategories of labour relations-related and employment-related documents are not included in this exemption, and are therefore subject to FIPPA:
USE OF PERSONAL INFORMATION OF ALUMNI
Under the June 2006 amendments to the Act, Seneca may use alumni records for the purposes of its own fundraising activities if the personal information is reasonably necessary for the fundraising activities and provided that certain steps are followed. These steps include the following: (a) giving notice to the contacted person, upon first contact, of his or her right to request that solicitation cease; (b) providing similar notices periodically thereafter when making additional solicitation approaches to the individual; and (c) periodically publishing a general notice of an individual’s right to request that fundraising solicitation cease (e.g. through Seneca’s web page or other printed publications). If asked to cease soliciting for fundraising, Seneca must stop approaching the individual.
Seneca may also disclose personal information for the purposes of fundraising activities (e.g. to our printing contractor or to a fundraising foundation) if the information is necessary for fundraising and Seneca enters a written agreement with the receiving party which meets certain requirements.
Since the June 2006 amendments to FIPPA came into effect, the Act does not apply to records “of teaching materials collected, prepared or maintained by an employee of an educational institution or by a person associated with an educational institution for use at the educational institution”.
There is an exemption in section 49 (c) of FIPPA which provides for an exemption when an individual requests his or her own personal information “if the information is supplied explicitly or implicitly in confidence and is evaluative or opinion material compiled solely for the purpose of assessing the teaching materials of an employee of an educational institution or of a person associated with an educational institution”.
Since the June 2006 amendments to the Act, FIPPA does not apply to records “respecting or associated with research conducted or proposed by an employee of an educational institution or by a person associated with an educational institution”.
Seneca may refuse to disclose information containing the past, present or proposed research activities of the Seneca community where disclosure would be contrary to the public interest, would interfere with the project, or would jeopardize the legitimate interests of the researchers, staff, students, or research sponsors involved in the project.
There is an exemption in section 49 (c) of FIPPA which allows Seneca to refuse to disclose to the individual to whom the information relates personal information where “the information is supplied explicitly or implicitly in confidence and is evaluative or opinion material complied solely for the purpose of assessing the research of an employee of an educational institution or of a person associated with an educational institution”.
However, information regarding the subject matter of research and the amount of funding being received with respect to research is subject to disclosure.
Seneca is required to comply with section 21(1)(e) of FIPPA, which authorizes the disclosure of personal information for a research purpose if the following circumstances prevail:
Members of the Seneca community rely heavily on e-mail as a means of communication. E-mail messages are also considered Seneca records if they contain information that relates to the operation or administration of Seneca.
E-mail as a Seneca record:
The following notice is recommended for inclusion in all Seneca e-mail communications:
This electronic mail (e-mail), including any attachments, is intended only for the recipient(s) to whom it is addressed and may contain information that is privileged, confidential and/or exempt from disclosure. No waiver of privilege, confidentiality or any other protection is intended by virtue of its communication by the internet. Any unauthorized use, dissemination or copying is strictly prohibited. If you have received the e-mail in error, or are not named as a recipient, please immediately notify the sender and destroy all copies of it.
The use of office and personal computers, as well as various handheld data generating and data gathering devices has resulted in a growing awareness of the impact of these technological changes when an institution receives a request under FIPPA. Electronic Discovery, or e-discovery, is different in a variety of ways: the sheer volume of electronic information (e-mails, documents, databases, etc.); collections of electronic data will often contain a mixture of business and personal information; protection of privacy and privileged information is much more difficult in the electronic realm; and, as soon as a request is received Seneca is required by the Privacy Commission to immediately take reasonable and good faith steps to preserve relevant and responsive electronic documents.
Create records with the expectation that they may be disclosed. Omit unnecessary information; collect and record only the information needed to accomplish a task or meet a requirement.
Records should be factual, objective and include only what is relevant.
GUIDELINES FOR TAKING AND USE OF PHOTOGRAPHS, VIDEO AND AUDIO RECORDINGS
Photographs, video and audio recordings are “records” as defined in FIPPA. The information contained in them is considered “personal information” when they contain recorded information about an identifiable individual. Note that information recorded about people in their business, professional or official capacity is not considered personal information.
If photographs or audio or video recordings are going to be stored in an image bank and/or used for another purpose in the future, it is important to obtain written consent. It is essential that the consent form contain a waiver of indemnity and release (i.e. that Seneca is not responsible for the misuse or alteration of any such photographs/recordings by third parties; that Seneca and any of its officers, directors, agents, employees or servants are released from any and all actions, claims, loss or causes of action arising from the use or misuse of such images; etc.). Depending on the uses (e.g. where there may be financial gain for Seneca) contemplated for the photographs/recordings there is additional language concerning indemnity and release that would need to be included please contact the Freedom of Information & Privacy Protection Officer for assistance in preparing the waiver.
Photographs or video or audio recordings must not be used or disclosed for purposes that were not identified in the original collection notice unless the individuals in the photographs or video or audio recordings have consented to the new use or disclosure.
In this electronic age, it may be more accurate to refer to images, to include both the traditional film photos and electronic or digital “photographs”.
Caution must be exercised when posting information on websites. Information that may be relatively innocuous when hanging on the wall in a school corridor such as a student’s or staff name or photograph may have serious privacy issues when posted on a website. This information, which can be downloaded and combined with other information, may result in a potentially significant invasion of privacy and potentially lead to significant concerns about personal safety and security.
REPORTING PRIVACY BREACHES
A privacy breach:
If a privacy breach is suspected or confirmed, immediately report it to your supervisor and the Freedom of Information and Privacy Protection Officer.
HOW LONG MUST SENECA RETAIN PERSONAL INFORMATION?
Personal information must be retained for a period of at least one year from its last use unless the affected individual consents to a shorter period. Personal information cannot be destroyed prior to this time and may be subject to longer retention periods under Seneca’s retention schedules or legal statutes.
SECURITY DISPOSAL OF SENSITIVE INFORMATION
Records in all formats and media containing sensitive information such as, but not limited to, records containing personal information of individual staff and students, as well as records relating to Seneca’s business operations and administration of academic programs, services and areas must be securely collected and shredded for disposal.
When disposing of personal information (personal information related to staff or students, including students’ tests/exams, etc.), Seneca is required to use “reasonable steps” to ensure information cannot be reconstructed or retrieved. A disposal record/form must be submitted to the Freedom of Information & Privacy Protection Officer for approval, identifying which information is to be destroyed. In addition, FIPPA requires that measures be taken to ensure security and confidentially during storage, transportation, handling and destruction.
All sensitive information must be separated and placed in designated secure collection containers specifically provided by the approved secure shredding vendor. Secure collection containers are strategically placed throughout Seneca and are serviced on a regularly scheduled basis. Departments/Schools requiring special secure collection and shredding services for large volumes of sensitive information should contact the approved secure shredding vendor to arrange for a special collection.
Shred documents in an office paper shredder (cross-cut shredders are preferred over strip shredders) or in a locked confidential disposal bin provided by an external shredding service vendor.
For electronic media such as floppy disks, CDs, USB keys, personal digital assistants (PDAs) and hard drives, destroy electronic records by overwrite software or physical destruction of the disk, drive or other digital storage media. Note that overwriting may not irreversibly erase every bit of data on a drive.
Questions with respect to this Policy or Procedure should be directed to Seneca’s Freedom of Information and Privacy Protection Office at extension 77846.