The Protection of Privacy at VIU

Definitions

FIPPA privacy requirements pertain to records containing personal information, but not contact information. These terms are defined as follows:

Personal information is defined in FIPPA as “recorded information about an identifiable individual other than contact information”.  The term “identifiable individual” means that in order to be considered personal information, the information must be capable of being connected to a specific person in a way that identifies them. The personal information of VIU community members may include: residential address, personal telephone number or (non-VIU) email address, date of birth, personal family or health information, employment or educational history, grades, student number and program of study where that information is connected to an identifiable individual. A personal fact on its own, without an associated name, does not amount to "personal information" for FIPPA purposes. For example: “A student received a B in math at VIU” is not personal information. “Jane Smith received a B in math at VIU” is personal information because the grade is associated with Jane, who is an identifiable individual.  

Contact information is the information by which someone can be contacted in their working capacity (such as a work telephone number or address). It is information necessary to allow members of the public to contact employees of public bodies like VIU and is often referred to as “business card information”. Students are generally not also employees of VIU, so identifiers such as their names, student numbers, e-mail addresses and phone numbers are considered personal information. FIPPA does not protect contact information.

Records include: books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which information is recorded or stored by graphic, electronic, mechanical or other means, but do not include a computer program or any other mechanism that produces records. They include e-mails (whether work-related or not), file notes, meeting notes, written and audio recorded phone messages, calendars, memos, handwritten notes, journals, sticky notes, photographs, videos, sound recordings and text messages.

FIPPA authorizes the collection of personal information in limited instances, including where it is: (1) authorized by legislation; (2) necessary for law enforcement or (3) necessary for, and directly related to, the operation of a program or activity of VIU.

Wherever possible, personal information should only be collected from the individual directly, rather than from a third party.  When personal information is collected from an individual, they should be advised that the information collected is subject to FIPPA and should understand the purpose for which the information will be used. They should also be directed to VIU’s privacy office if they have any questions about the collection or use of their personal information. Where personal information is collected by way of a form, the form should include a collection notice: 

The personal information on this form (or being requested) is collected under the authority of the University Act and is subject to the Freedom of Information and Protection of Privacy Act. The personal information will be used for [state all uses of the information; if a use is not listed, the information cannot be used for it]. For more information regarding the collection and use of the personal information, please contact Vancouver Island University’s Privacy Office at Privacy.Officer@viu.ca.

When collecting personal information, it is important to ensure its accuracy whenever possible. Individuals whose information is in VIU’s custody or control who believe there is an error or omission in their personal information can make a request to VIU to correct the information. Employees who receive such a request should follow VIU’s Correction of Personal Information Best Practice Guide.

When VIU considers a new process, program or technology (such as purchasing new software, changing a process or using new technology) that will involve collecting personal information, it must complete a Privacy Impact Assessment (PIA). A PIA is a way to ensure that new projects comply with FIPPA and carry an acceptably low risk of personal information being unlawfully used or disclosed.

The PIA process involves collecting and analyzing information about a project including:

  • The amount and type of personal information collected
  • The means by which it is collected and how it will be used (in hard copy, on servers or using cloud-based technology)
  • Where it will be stored (on campus or within Canada or not)
  • The circumstances under which it can be accessed, corrected or deleted.

VIU’s Privacy Impact Assessment Process provides guidance in determining whether a PIA is required. It includes the University’s PIA Needs Analysis Questionnaire to assist in determining whether a PIA is required and a Guide to Completing a Privacy Impact Assessment which includes a PIA template.

Once collected, personal information can only be used for the purpose for which it was obtained or compiled, or for a use consistent with that purpose. If the personal information is necessary to perform a different program or activity of the university, the person the information is about must consent to that additional use. For example, personal information collected from an applicant to VIU may not be subsequently used for VIU marketing purposes without that student’s written consent.

Employees and contracted service providers must only be given access to the minimum amount of personal information required to fulfill the duties of their existing position and on a “need to know” basis.  VIU’s Inter-department Access to and Disclosure of Personal Information Guidelines provide a series of best practices to assist with meeting this obligation.

Disclosure of personal information outside VIU (without the informed, written consent of the individual to whom the information pertains) is highly restricted and should only be done in accordance with VIU’s Disclosure of Personal Information to Law Enforcement or Emergency Personnel Protocol.

Under FIPPA, VIU is required to make “reasonable security arrangements” to safeguard personal information in VIU’s custody or under its control. Personal information stored in electronic format is especially vulnerable to loss or misuse. Wherever possible, it should be stored on secure servers rather than PCs or portable devices. If it is essential to store personal information on portable devices, it must be encrypted.

VIU has compiled a set of best practices for employees who use and store personal information, and who work remotely: Removal of Records from the Worksite and Working Remotely: Best Practices Guide.

The Office of the Information and Privacy Commissioner for BC defines a privacy breach as the loss of, unauthorized access to, or unauthorized collection, use, disclosure or disposal of personal information. Actual or suspected privacy breaches must be reported to the Office of the University Secretariat for investigation. Prompt reporting of privacy incidents ensures that where a breach has occurred, it can be contained as quickly and effectively as possible in accordance with VIU’s Privacy Breach Protocol.

Where VIU uses a person’s personal information to make a decision that directly affects that person, it must retain the personal information for at least one year after it is used.

Retention periods must be established and followed for all records containing personal information. All records must be retained for as long as they are required to meet legal, administrative, operational, and other requirements of the University. It is good practice to avoid retaining documents for longer than this.

Note: VIU is in the process of developing a Records Management Plan that will set out a retention period schedule for all categories of documents at VIU in which personal information is stored.