How does FIPPA Categorize Various Types of Information?
Personal information is defined in FIPPA as “recorded information about an identifiable individual other than contact information”. The personal information of VIU community members includes: residential address, personal telephone number or (non-VIU) email address, date of birth, personal family or health information, employment or educational history, grades, student number and program of study.
FIPPA protects personal information.
Contact information is the information by which someone can be contacted in their working capacity (such as a work telephone number or address). It is information necessary to allow members of the public to contact employees of public bodies like VIU. Students are generally not also employees of VIU, so their names, student numbers, e-mail addresses and phone numbers are considered personal information.
FIPPA does not protect contact information.
Records include: books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which information is recorded or stored by graphic, electronic, mechanical or other means, but do not include a computer program or any other mechanism that produces records. They include e-mails (whether work-related or not), file notes, meeting notes, written and audio recorded phone messages, calendars, memos, handwritten notes, journals, sticky notes, photographs, videos, sound recordings and text messages.
FIPPA creates an obligation on public bodies to produce records on request, subject to certain exceptions, such as where they contain personal information. Where this is the case, the record still must be produced, but the personal information will be redacted.
VIU’s FIPPA Obligations
FIPPA protections apply to VIU students, faculty members, directors, officers, employees, affiliates and contractors. All have the right to expect public bodies to protect their personal information by ensuring that it is collected, used, disclosed and retained in a lawful and appropriate manner. They also have the right to:
- access their own personal information;
- request correction of their own personal information if they believe it is inaccurate;
- consent to the collection, use and disclosure of their personal information; and
- complain to the Information and Privacy Commissioner about privacy breaches.
FIPPA authorizes the collection of personal information in limited instances, including where it is: (1) authorized by legislation; (2) necessary for law enforcement; or (3) necessary for, and directly related to, the operation of a program or activity of VIU.
Wherever possible, personal information should only be collected from the individual directly, rather than from a third party. When personal information is collected from an individual, they should be advised that the information collected is subject to FIPPA and should understand the purpose for which the information will be used. They should also be directed to VIU’s privacy office if they have any questions about the collection or use of their personal information. Where personal information is collected by way of a form, the form should include a collection notice:
The personal information on this form (or being requested) is collected under the authority of the University Act and is subject to the Freedom of Information and Protection of Privacy Act. The personal information will be used for [state all uses of the information; if a use is not listed, the information cannot be used for it]. For more information regarding the collection and use of the personal information, please contact Vancouver Island University’s Privacy Office at privacy.officer@viu.ca.
When collecting personal information, it is important to ensure its accuracy whenever possible. Individuals whose information is in VIU’s custody or control who believe there is an error or omission in their personal information can make a request to VIU to correct the information. Employees who receive such a request must follow VIU’s Correction of Personal Information Protocol.
When VIU considers a new process, program or technology (such as purchasing new software, changing a process or using new technology) that will involve collecting personal information, it must complete a Privacy Impact Assessment (PIA). A PIA is a way to ensure that new projects comply with FIPPA and carry an acceptably low risk of personal information being unlawfully used or shared.
VIU’s Privacy Impact Assessment Process provides guidance in determining whether a PIA is required. It contains the University’s PIA Needs Analysis Questionnaire to assist in determining whether a PIA is required and a Guide to Completing a Privacy Impact Assessment.
Once collected, personal information can only be used for the purpose for which it was obtained or compiled, or for a use consistent with that purpose. If the personal information is necessary to perform a different program or activity of the university, the person the information is about must consent to that additional use.
Employees must only be given access to the minimum amount of personal information required to fulfill the duties of their existing position and on a “need to know” basis.
Disclosure of personal information outside VIU (without the informed, written consent of the individual to whom the information pertains) is highly restricted and should only be done in accordance with VIU’s Disclosure of Personal Information to Law Enforcement or Emergency Personnel Protocol.
Under FIPPA, VIU is required to make “reasonable security arrangements” to safeguard personal information in VIU’s custody or under its control. Personal information stored in electronic format is especially vulnerable to loss or misuse. Wherever possible, it should be stored on secure servers rather than PCs or portable devices. If it is essential to store personal information on portable devices, it must be encrypted.
VIU has compiled a set of best practices for employees who use and store personal information, and who work remotely: Best Practices: Use, Storage and Working Remotely.
According to the Office of the Information and Privacy Commissioner for B.C., a privacy breach includes the loss of, unauthorized access to, or unauthorized collection, use, disclosure or disposal of personal information. Actual or suspected privacy breaches must be reported to the Office of the University Secretariat for investigation. Prompt reporting of privacy incidents ensures that where a breach has occurred, it can be contained as quickly and effectively as possible in accordance with VIU’s Privacy Breach Management Response Protocol.
Where VIU uses a person’s personal information to make a decision that directly affects that person, it must retain the personal information for at least one year after it is used.