Vancouver Island University (VIU) is a local public body subject to the Freedom of Information and Protection of Privacy Act (FIPPA).
VIU’s Privacy Management Program, along with the other procedures and protocols referred to throughout this document regarding the collection, use, disclosure, security, and access to personal information, applies to all VIU employees and service providers.
Roles and Responsibilities
The Head for VIU, the University’s General Counsel and University Secretary, has ultimate responsibility for all matters related to VIU's privacy obligations under FIPPA. This position establishes the necessary policy and supporting procedures and protocols to ensure the responsible management of personal information within VIU’s custody or control.
Employees are responsible for reading, understanding, and following VIU’s Privacy Policy, the Privacy Management Procedure and all other associated procedures and protocols, and contacting the Privacy Office at Privacy.Officer@viu.ca with any privacy questions when necessary.
Service Providers are equally responsible for understanding their responsibilities to protect personal information as described within the Privacy Protection Schedule and Privacy Protection Schedule for Cloud Services within their services contract.
Collection, Use and Disclosure of Personal Information
VIU collects and stores employee, student, and visitor personal information such as names, personal contact information, demographic information, educational background, work history, and medical history.
All employees and contracted service providers must ensure that personal information within VIU’s custody or control is protected at all times. FIPPA sets out the following standards regarding the collection, use, disclosure, and security of personal information, which VIU is committed to meeting:
- Personal information will only be collected by VIU if the collection is authorized by legislation, is necessary for law enforcement, or is necessary for the operation of a program or activity of VIU. Whenever possible, personal information will be collected directly from the individual. There are limited circumstances when indirect collection is permitted.
- When collecting personal information directly from an individual, it is a legal requirement to notify them of the specific uses of their information, the legal authority for the collection of that information, and the contact information of someone in the organization who can answer their questions about the collection and use. This notice must be provided for collections occurring in person, over the telephone, online, and on hardcopy forms.
- When collecting personal information, it is important to ensure its accuracy whenever possible. Individuals whose information is in VIU’s custody or control who believe there is an error or omission in their personal information can make a request to the public body to correct the information. Employees who receive a request from an individual to correct their personal information must follow VIU’s Correction of Personal Information Protocol.
- Personal information should be used only for the purpose for which it was collected or for a purpose consistent with that initial purpose, meaning the use has a reasonable and direct connection to the original stated purpose.
- There are certain clearly defined circumstances within FIPPA where release of information is permitted without consent. These circumstances must be reviewed and authorized prior to any disclosure of personal information occurring.
- VIU may disclose personal information to a law enforcement agency in Canada, to assist in a specific investigation being undertaken with a view to a law enforcement proceeding, or from which a law enforcement proceeding is likely to result. VIU may also disclose personal information if compelling circumstances exist that affect anyone’s health or safety. The process for releasing personal information in both these circumstances is outlined in the Disclosure of Personal Information to Law Enforcement or Emergency Personnel Protocol.
Protection of Personal Information
- VIU takes reasonable security measures to ensure the protection of personal information in its custody or under its control.
- When travelling with personal information or working offsite at another location, employees and contracted service providers must take measures to protect electronic and paper records containing personal information. The Removal of Records from the Physical Worksite and Remote Access Best Practices Guide details steps to take to ensure the security and protection of personal information while travelling or working offsite.
- All new employees and service providers (where the service provider is accessing personal information while performing their duties under contract to VIU) must attend VIU privacy training. Annual refresher training must also be attended to ensure their knowledge on privacy processes and practices is current. Attendance at the training will be taken and a record of the attendance will be placed on each employee’s personnel file.
- Employees and contracted service providers must use their VIU-assigned corporate email account when conducting any VIU business. Whenever possible, employees and service providers should not send personal information via email, and personal identifiers should never be used in the subject line of an email. If you must use email to send personal information, ensure that the documents containing personal information are password protected prior to transmission. Do not send the password by email; instead, provide it by telephone or text.
- Employees must only be given access to the minimum amount of personal information required to fulfill the duties of their existing position. Employee access will be assigned based on need to know and least privilege principles to ensure that employees can only access the systems and personal information they require for their role.
- VIU will regularly (e.g., every six months) review employee access to personal information to ensure that access is based on current job duties and has been removed from current employees who no longer require access. Former employees will have access removed at time of termination.
Access to an Individual’s own Personal Information
FIPPA gives individuals the right to request records that contain their own personal information. Individuals requesting records that contain their own personal information should put those requests to the department that creates and holds the records.
Privacy Breaches
A privacy breach occurs when personal information is collected, retained, used, disclosed, accessed, or disposed of in ways that do not comply with the provisions of FIPPA. Anyone who discovers that personal information in VIU’s custody or control has been inadvertently or intentionally disclosed without authorization must immediately report the breach to their supervisor or VIU’s Privacy Office so that it can be investigated. Employees who suspect or know that a breach of privacy has occurred must immediately refer to the Privacy Breach Protocol for the steps to take. Service providers must follow the requirements in their contract’s Privacy Protection Schedule or Privacy Protection Schedule for Cloud Services.
Privacy Complaints
Individuals have the right under FIPPA to file a complaint about the improper collection, use, or disclosure of their personal information by VIU, or about a decision made by VIU concerning a personal information access request. Privacy complaints received by VIU must be referred to VIU’s Privacy Office, which will investigate the complaint and remediate as required.
Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is a mandatory tool for VIU to assess new technologies, programs, and processes, or changes to existing technologies, programs, or processes involving personal information, to ensure the collection, use, disclosure, and security of the personal information is compliant with FIPPA. Before initiating a new system or process involving personal information, contact VIU’s Privacy Office at Privacy.Officer@viu.ca, which will confirm whether a PIA is required and provide information on completing a PIA.
Information Sharing Agreements
Where disclosures of personal information are occurring on a regular basis with an external third party, an Information Sharing Agreement (ISA) should be developed to document the expectations of VIU and the third party regarding the security and protection of the personal information being disclosed or exchanged. Contact VIU’s Privacy Office to determine whether an ISA is required and for direction on the completion of an ISA.
Retention Schedule
Personal information that is used by VIU to make a decision that directly affects an individual will be retained for a minimum of one year after being used so that the affected individual has a reasonable opportunity to obtain access to that personal information.
Compliance and Auditing
VIU may audit the use of its records or systems by employees or service providers to ensure VIU is compliant with FIPPA and that VIU policies and protocols regarding the management of personal information are being followed.
Questions
If you have any questions regarding this Privacy Management Program, please contact VIU’s Privacy Officer at Privacy.Officer@viu.ca.