Access and Privacy at VIU

Forms

• Authorization for Release of Information
• Request Form for Access to VIU Records
• Privacy Impact Assessment Template

A Guide for Students, Faculty and Staff

• Requests for Information and Records
• Records
• Responses
• Privacy
• Collection and Use of Information
• Protection of Information
• Information Retention
• Privacy Breaches
• Responsibilities of Faculty and Staff

Requests for Information

Requests for records that may contain sensitive or confidential information are called Freed of Information (FOI) requests.  These requests are processed by the Office of the University Secretariat in accordance with procedures set out in the Freedom of Information and Protection of Privacy Act (FIPPA).

FOI requests may be made in writing in a letter, fax, or email and sent to the Office of the University Secretariat.  VIU has 30 business days, from the date received, to respond to the request.

Records

The FIPPA applies to all records in the custody or under the control of VIU. Records include all recorded information in paper and electronic form.  For example:

• Emails, spreadsheets, and other electronic documents
• Letters, memos, reports, newsletters, draft documents
• Calendars, agendas, minutes
• Handwritten notes, journals, sticky notes
• Photographs, videos, sound recordings (including voicemail messages).

Not all information must be released in response to an FOI request.  The University Secretary may sever (black out) information if it falls under any of the “exceptions to disclosure” listed in the FIPPA.  For example, information may be withheld if its disclosure would:

• Unreasonably invade a third party’s privacy
• Harm VIU’s financial interests
• Reveal advice or recommendations
• Harm someone’s safety or the security of a facility or system.

The following factors are not relevant in determining whether to withhold information:

• The requester’s identity
• The fact that the records  may be an embarrassment to VIU or any of its staff

Responses

If not satisfied with VIU’s response, requesters can ask the Information and Privacy Commissioner for BC to review the response.  The Commissioner’s Office is independent of government and has the authority to use binding orders to resolve disputes related to FOI requests. 

Privacy

Under the FIPPA, VIU must collect, use and disclose personal information in a lawful and appropriate manner.  The FIPPA also gives individuals the right to:

• Access their own personal information
• Ask for their own personal information to be corrected if they believe it is inaccurate
• Consent to the disclosure of their own personal information
• Complain to the Information and Privacy Commissioner about privacy breaches

“Personal information” is defined as “recorded information about an identifiable individual”, e.g. biographical, financial, educational, and employment information.  As an exception, the name and work contact information of an employee is not considered to be personal information.

Collection and Use of Information

Personal information should only be collected when it relates directly to and is necessary for a program or activity of VIU, and only from the individual, rather than from a third party.  When personal information is collected from an individual, the individual should be informed of the purpose for collecting the information. 

Personal information can only be used for the purpose for which it was obtained or compiled, or for a use consistent with that purpose.

Personal information may be disclosed to other VIU staff on a “need-to-know” basis.  Disclosure of personal information outside VIU is highly restricted and should only be done with the authorization of the University Secretary.

Protection of Information

Under the FIPPA, VIU is required to make “reasonable security arrangements” to safe-guard personal information in VIU’s custody or under its control. Personal information stored in electronic format is especially vulnerable to loss or misuse.  Wherever possible, it should be stored on secure servers rather than PCs or portable devices.  If it is essential to store personal information on portable devices, it must be encrypted.

Personal information may not be stored or accessed outside Canada.  This restricts VIU’s use of “cloud computing” applications, e.g., Gmail and Facebook. 

Information Retention

Personal information must be retained for at least one year after it is used to make a decision that directly affects the individual.  If the information has not been used to make a decision, this retention requirement does not apply.

Privacy Breaches

Unauthorized collection, use, disclosure, or disposal or personal information is a serious matter and must be reported immediately to the Office of the University Secretariat for investigation.

Responsibilities of Faculty and Staff

Everyone at VIU has a role to play in ensuring compliance with the requirements of FIPPA:

• Assist the University Secretary to locate and retrieve records in response to FOI requests.
• Collect personal information with proper authority, using a privacy notification.
• Share personal information within VIU on a need-to-know basis.
• Do not share personal information outside VIU without approval.
• Follow applicable records management and retention standards.
• Create records when necessary to fulfill operational requirements.
• Ensure all communications are professional.
• Ensure personal information is securely stored and transmitted.
• Store personal information on secure servers wherever possible; otherwise, mobile storage devices should be encrypted.
• Do not store personal information outside Canada.