Ryerson University (the “University”) supports the closely aligned principles of transparency and accountability and as such routinely provides public access to information about the University’s operations and decisions.
At the same time, the University is committed to protecting specific types of information, which, if disclosed, could reasonably be expected to result in harm to the University, an identifiable individual, or a third party. This subset of information includes personal information, teaching and research records, as well as law enforcement, solicitor-client, labour relations and other kinds of information which for the purposes of this policy will be referred to as “restricted information”.
As of June 10, 2006, the University became subject to FIPPA’s legal requirements concerning the use, disclosure, and retention of personal information, as well the obligation to provide access to University records with limited protection for certain kinds of restricted information. To enable the University to meet its statutory obligations under FIPPA, the General Counsel has developed a procedures document (“Privacy Procedure”) which identifies restricted information categories, employee responsibilities, and legislative highlights. This policy and the related Procedures do not limit the rights and obligations outlined in any existing relevant legislation.
Application and Scope
This policy extends to University employees and applies to all records in the custody or control of the University. If a provision of this policy conflicts with a statutory obligation, the conflicting provision of this policy will be inoperative to the extent of the conflict.
Information Protection and Providing Access to Restricted Information Procedure (Privacy Procedure)
This procedure outlines in detail how the University will comply with its legal obligations to protect restricted types of information, such as personal information, and respond to access-to-information requests, privacy breaches and privacy complaints.
Custody and control has the same meaning as under FIPPA and for the University’s purposes is established by evaluating the University’s role in the creation, use, retention and destruction of records. Importantly, establishing custody or control of records determines whether access and privacy protection legislation applies to University records. For example, the University does not have custody or control over records of the Ombudsperson or the students’ unions because the University does not create the records, determine retention periods or have control over destruction of these records. The University does have custody and control over records in the various administrative and academic areas. Ryerson’s official Records Retention Schedule listed under the Records Management Policy clarifies custody and control for records in the university.
FIPPA means the Freedom of Information and Protection of Privacy Act (Ontario).
I&P Officer means the Information and Privacy Officer for the University.
I&P Contact means persons appointed within their administrative or academic unit to liaise between the I&P Officer and their unit for the purposes of responding to an access to information request made under FIPPA.
Personal information has the same meaning as under FIPPA and means recorded information about an identifiable individual, including:
It does not include business contact information which is defined as name, title and contact information (e-mail, telephone number, fax number and address) utilized in a place of work.
Record has the same meaning as under FIPPA and means any record of information however recorded, whether in printed form, on film, by electronic means or otherwise, and includes, (a) correspondence, a memorandum, a book, a plan, a map, a drawing, a diagram, a pictorial or graphic work, a photograph, a film, a microfilm, a sound recording, a videotape, a machine readable record, any other documentary material, regardless of physical form or characteristics, and any copy thereof, and (b) subject to the regulations in FIPPA, any record that is capable of being produced from a machine readable record under the control of the University by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the University.
Ryerson University Act means the Ryerson University Act, 1977 (amended) (Ontario).
Restricted information means a record which the University has a responsibility to protect from unauthorized disclosure, and a record that is under the University’s custody or control and is subject to exclusions or exemptions under FIPPA. In the event of an unauthorized disclosure, such a record carries with it an expectation of harm to the University, a third party, or the administration of justice. Restricted has the same meaning as in FIPPA under sections dealing with exemptions and exclusions, and examples relevant to the University context include:
Third party means a person, contractor, union, association, organization or corporation other than the University.
Information and Privacy Legislation Highlights
The University limits the collection and use of personal information to that necessary to perform operations essential to its educational mandate, as authorized by the Ryerson University Act, or as consistent with FIPPA Sections 41-43. The University must identify the uses for which personal information is collected, at or before the time the information is collected, by posting a notice of collection, by modifying information collection forms, or by other means as appropriate in the circumstances. The University will not use or disclose personal information for purposes other than those for which the information was collected or those that are reasonably consistent with the original collection purpose, except with the direct consent of the individual or unless required or authorized by law. Use or disclosure of personal information not covered by a notice of collection, or without the consent of affected individuals, or that is not used or shared for what would be considered a consistent purpose, or that is not necessary to the legitimate functions of the university is considered a breach of personal privacy.
An individual’s consent must be obtained in order to collect, use or disclose their personal information, unless required or authorized by law. The University obtains consent from individuals through notices of collection on information-gathering forms. The University obtains indirect consent under limited circumstances, such as when a notice is posted in a publicly-available space to inform individuals that their image is being captured on video surveillance tapes or to inform individuals that their photo may be taken at an event and used for promotional purposes. By choosing to enter the space, individuals imply their consent.
Personal information that is otherwise publicly available may not require consent prior to its collection, use or disclosure.
Under FIPPA, an individual must provide direct consent for Ryerson to use their personal information for research purposes.
Ryerson’s Research Ethics Board will assist researchers with proposals and research agreements involving restricted information and records, including those that contain personal information that may or may not be under Ryerson’s custody or control. When Ryerson’s records are the subject material, the Research Ethics Board is responsible for ensuring that proposals comply with relevant legislation regarding collection, use, disclosure and destruction. Research agreements will cover Ryerson’s right to audit the researcher’s records to ensure compliance with privacy requirements including adequate security, minimum retention periods, secure destruction, and the researcher’s responsibility to notify affected individuals and the university in the event of a privacy breach. The Research Ethics Board will direct questions regarding the legislation to the I&P Officer.
The University will retain restricted information as long as necessary for the fulfillment of its purposes and in accordance with Ryerson’s Records Retention Schedule, and possibly other regulatory requirements. In accordance with FIPPA, records that contain personal information and that are in the custody or control of the University must be retained for a minimum of one year after the date of last use. University operational areas and academic departments that hold these types of records are responsible for taking necessary security precautions to prevent the unauthorized disclosure of this information while it remains in their custody or control. This includes encryption of personal information on mobile devices, such as laptop computers, portable memory devices and mobile phones.
Direct questions about information security to Ryerson’s Information Systems Security Officer, Communication and Computer Services, or the I&P Officer. Direct questions about records management to the Records Management Coordinator.
Upon completion of the minimum required retention period, operational areas and academic departments which have records containing restricted information are responsible for the secure destruction of the records or transmittal to the University Archives, as required by the official records retention schedule in Records Management Policy. Secure destruction methods protect this information from unauthorized disclosure.
Should the University receive a request for access to information in records that have passed their retention date but are still in the University’s custody or control (in other words these records were not destroyed as mandated), the University is obliged to consider releasing them and to comply with statutory obligations surrounding the access and privacy of such records.
Direct questions about secure destruction methods to Ryerson’s Information Systems Security Officer, Communication and Computer Services, or the I&P Officer. Direct questions about the University’s records retention schedule to the Records Management Coordinator.
The University will comply with relevant legislation and will not disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or unless required or authorized by law. Disclosure of personal information for a purpose consistent with the original use, and disclosure to a university employee, consultant, or agent who needs personal information for the performance of their role in legitimate university functions is permitted by FIPPA (Section 42).
Upon request the University will disclose restricted information, other than personal information, when there is no element of associated harm or with the consent of affected individuals and third parties as appropriate, or as required or authorized by law. If the disclosure is part of a request for access to information under FIPPA or other relevant legislation, the University will comply with its statutory obligations and will exercise discretion in the application of legislated exemptions and exclusions to achieve a balance between transparency and the protection of personal privacy and restricted information.
The University will comply with its statutory obligations regarding an individual’s right of access and correction to records about themselves as well as the limited exemptions to these circumstances (FIPPA Sections 47, 48, 49).
It is a necessary part of university operations for the University to work with third parties such as service providers or external consultants. As part of such transactions, it may be necessary that restricted information is disclosed by the University to the third party or by the third party to the University. Before disclosing restricted information to a third party, the University will review the information to be shared to ensure that only those elements necessary to accomplish the task are shared. The University will prepare a written contract with the third party, which outlines limitations on use, access, and disclosure in place to protect personal and other forms of restricted information. For this purpose, General Counsel has developed a Privacy Protection Schedule which is available upon request. This schedule addresses collection, use, access, retention, disclosure and destruction of personal information and provides the University with authority to audit the third party for compliance with the schedule’s provisions.
It is the University’s responsibility to make third parties aware of how the information related to a contract with the University is affected by privacy-protection legislation.
University departments in relationships with third parties are responsible for (i) performing risk assessments on disclosures that involve restricted information, with particular attention to transactions involving personal information, (ii) ensuring that the contracts contain the appropriate privacy provisions, (iii) developing an appropriate information protection plan, and (iv) contacting the I&P Officer for information about how the contract may be affected by relevant privacy-protection legislation.