Privacy Policy

Ryerson University (the “University”) supports the closely aligned principles of transparency and accountability and as such routinely provides public access to information about the University’s operations and decisions.

At the same time, the University is committed to protecting specific types of information, which, if disclosed, could reasonably be expected to result in harm to the University, an identifiable individual, or a third party. This subset of information includes personal information, teaching and research records, as well as law enforcement, solicitor-client, labour relations and other kinds of information which for the purposes of this policy will be referred to as “restricted information”.

As of June 10, 2006, the University became subject to FIPPA’s legal requirements concerning the use, disclosure, and retention of personal information, as well the obligation to provide access to University records with limited protection for certain kinds of restricted information. To enable the University to meet its statutory obligations under FIPPA, the General Counsel has developed a procedures document (“Privacy Procedure”) which identifies restricted information categories, employee responsibilities, and legislative highlights. This policy and the related Procedures do not limit the rights and obligations outlined in any existing relevant legislation.

Application and Scope

This policy extends to University employees and applies to all records in the custody or control of the University. If a provision of this policy conflicts with a statutory obligation, the conflicting provision of this policy will be inoperative to the extent of the conflict.

Information Protection and Providing Access to Restricted Information Procedure (Privacy Procedure)

This procedure outlines in detail how the University will comply with its legal obligations to protect restricted types of information, such as personal information, and respond to access-to-information requests, privacy breaches and privacy complaints.

Objectives

• To manage and reduce the risk of collection, misuse, destruction or loss of restricted information without limiting academic freedom or complicating access to information for which the University has a legitimate and specific need;
• To define the roles and responsibilities of University employees regarding restricted information in the custody and control of the University, as well as procedures to protect against unauthorized disclosure of restricted information;
• To communicated the authorized procedures for receiving and responding to requests for access to restricted information or complaints about the University’s collection, use and/or disclosure of restricted information; and,
• To communicate the authorized procedure for responding to a suspected privacy breach.

Definitions

Custody and control has the same meaning as under FIPPA and for the University’s purposes is established by evaluating the University’s role in the creation, use, retention and destruction of records. Importantly, establishing custody or control of records determines whether access and privacy protection legislation applies to University records. For example, the University does not have custody or control over records of the Ombudsperson or the students’ unions because the University does not create the records, determine retention periods or have control over destruction of these records. The University does have custody and control over records in the various administrative and academic areas. Ryerson’s official Records Retention Schedule listed under the Records Management Policy clarifies custody and control for records in the university.

FIPPA means the Freedom of Information and Protection of Privacy Act (Ontario).

I&P Officer means the Information and Privacy Officer for the University.

I&P Contact means persons appointed within their administrative or academic unit to liaise between the I&P Officer and their unit for the purposes of responding to an access to information request made under FIPPA.

Personal information has the same meaning as under FIPPA and means recorded information about an identifiable individual, including:

1. information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
2. information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
3. any identifying number, symbol or other particular assigned to the individual,
4. the personal address, personal telephone number, fingerprints or blood type of the individual,
5. the personal opinions or views of the individual except where they relate to another individual,
6. correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
7. the views or opinions of another individual about the individual, and
8. the individual's name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

It does not include business contact information which is defined as name, title and contact information (e-mail, telephone number, fax number and address) utilized in a place of work.

Record has the same meaning as under FIPPA and means any record of information however recorded, whether in printed form, on film, by electronic means or otherwise, and includes, (a) correspondence, a memorandum, a book, a plan, a map, a drawing, a diagram, a pictorial or graphic work, a photograph, a film, a microfilm, a sound recording, a videotape, a machine readable record, any other documentary material, regardless of physical form or characteristics, and any copy thereof, and (b) subject to the regulations in FIPPA, any record that is capable of being produced from a machine readable record under the control of the University by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the University.

Ryerson University Act means the Ryerson University Act, 1977 (amended) (Ontario).

Restricted information means a record which the University has a responsibility to protect from unauthorized disclosure, and a record that is under the University’s custody or control and is subject to exclusions or exemptions under FIPPA. In the event of an unauthorized disclosure, such a record carries with it an expectation of harm to the University, a third party, or the administration of justice. Restricted has the same meaning as in FIPPA under sections dealing with exemptions and exclusions, and examples relevant to the University context include:

1. teaching records means teaching materials collected, prepared or maintained by an employee of the University or by a person associated with the University for use at the University (FIPPA Section 65 (8.1));
2. research records means information respecting or associated with research conducted or proposed by an employee of the University, or by a person associated with the University (FIPPA Sections 65 (8.1) and 18(1)(b));
3. economic records means records relating to trade secrets, financial, commercial, scientific or technical information that has monetary value or is related to the competitive position of the University (FIPPA Section 18 (1) (a) and (c));
4. labour relations records means:
   1. proceedings or anticipated proceedings before a court, tribunal or other entity relating to labour relations or to the employment of a person by the University,
   2. negotiations or anticipated negotiations relating to labour relations or to the employment of a person by the University between the University and a person, bargaining agent or party to a proceeding or an anticipated proceeding,
   3. meetings, consultations, discussions or communications about labour relations or employment-related matters in which the University has an interest, (FIPPA Section 65 (6) and (7));
5. records of institutional plans means records relating to the management of personnel or administration of the University that have not yet been put in to operation or made public, and information including proposed plans, policies, or projects of the University (FIPPA Section 18 (1)(e-g));
6. records containing advice or recommendations means information that outlines course of action that will be accepted or rejected by the person being advised. It is not background, factual, analytical or evaluative information, nor is it a draft, report, survey, cost estimate, or final plan (FIPPA Section 13);
7. third party records means trade secret, scientific, technical, commercial, financial or labour-relations information supplied in confidence implicitly or explicitly and under FIPPA this definition is expressly limited to circumstances where the unauthorized disclosure carries a reasonable expectation of harm (FIPPA Section 17(1));
8. government-relations records means information received by the University in confidence from a government or government agency (FIPPA Section 15);
9. solicitor-client records means records subject to solicitor-client privilege or records prepared by or for use by legal counsel employed or retained by the University for use in giving legal advice or in contemplation of or for use in litigation (FIPPA Section 19);
10. law enforcement records means:
    1. records used or expected to be used in a law-enforcement proceeding,
    2. records containing investigative techniques or procedures currently in use or likely to be used,
    3. records containing information that would disclose the identity of the confidential source of information in respect of a law-enforcement matter,
    4. law enforcement intelligence information respecting organizations or persons,
    5. records that have been confiscated by a peace officer in accordance with an Act or regulation,
    6. records containing information related to building security, vehicle security, or systems or procedures for protecting sensitive items,
    7. records containing information that would facilitate the commission of an unlawful act or hamper the control of crime,
    8. records that are reports prepared in the course of law enforcement, inspections or investigations by law enforcement (FIPPA Section 14(1) and (2));
11. closed-meetings records means records that reveal the substance of deliberations of a meeting or the subject matter of a meeting of the Board of Governors or the Senate or a committee of the Board of Governors or the Senate (FIPPA Section 18.1 (1); and
12. personal information records are defined above (FIPPA Section 49).

Third party means a person, contractor, union, association, organization or corporation other than the University.

Information and Privacy Legislation Highlights

1. Collection and Use of Personal Information

   The University limits the collection and use of personal information to that necessary to perform operations essential to its educational mandate, as authorized by the Ryerson University Act, or as consistent with FIPPA Sections 41-43. The University must identify the uses for which personal information is collected, at or before the time the information is collected, by posting a notice of collection, by modifying information collection forms, or by other means as appropriate in the circumstances. The University will not use or disclose personal information for purposes other than those for which the information was collected or those that are reasonably consistent with the original collection purpose, except with the direct consent of the individual or unless required or authorized by law. Use or disclosure of personal information not covered by a notice of collection, or without the consent of affected individuals, or that is not used or shared for what would be considered a consistent purpose, or that is not necessary to the legitimate functions of the university is considered a breach of personal privacy.

2. Consent

   An individual’s consent must be obtained in order to collect, use or disclose their personal information, unless required or authorized by law. The University obtains consent from individuals through notices of collection on information-gathering forms. The University obtains indirect consent under limited circumstances, such as when a notice is posted in a publicly-available space to inform individuals that their image is being captured on video surveillance tapes or to inform individuals that their photo may be taken at an event and used for promotional purposes. By choosing to enter the space, individuals imply their consent.

   Personal information that is otherwise publicly available may not require consent prior to its collection, use or disclosure.

3. Research using Personal Information in University Records

   Under FIPPA, an individual must provide direct consent for Ryerson to use their personal information for research purposes.

   Ryerson’s Research Ethics Board will assist researchers with proposals and research agreements involving restricted information and records, including those that contain personal information that may or may not be under Ryerson’s custody or control. When Ryerson’s records are the subject material, the Research Ethics Board is responsible for ensuring that proposals comply with relevant legislation regarding collection, use, disclosure and destruction. Research agreements will cover Ryerson’s right to audit the researcher’s records to ensure compliance with privacy requirements including adequate security, minimum retention periods, secure destruction, and the researcher’s responsibility to notify affected individuals and the university in the event of a privacy breach. The Research Ethics Board will direct questions regarding the legislation to the I&P Officer.

4. Retention of Restricted Information

   The University will retain restricted information as long as necessary for the fulfillment of its purposes and in accordance with Ryerson’s Records Retention Schedule, and possibly other regulatory requirements. In accordance with FIPPA, records that contain personal information and that are in the custody or control of the University must be retained for a minimum of one year after the date of last use. University operational areas and academic departments that hold these types of records are responsible for taking necessary security precautions to prevent the unauthorized disclosure of this information while it remains in their custody or control. This includes encryption of personal information on mobile devices, such as laptop computers, portable memory devices and mobile phones.

   Direct questions about information security to Ryerson’s Information Systems Security Officer, Communication and Computer Services, or the I&P Officer. Direct questions about records management to the Records Management Coordinator.

5. Destruction of Restricted Information

   Upon completion of the minimum required retention period, operational areas and academic departments which have records containing restricted information are responsible for the secure destruction of the records or transmittal to the University Archives, as required by the official records retention schedule in Records Management Policy. Secure destruction methods protect this information from unauthorized disclosure.

   Should the University receive a request for access to information in records that have passed their retention date but are still in the University’s custody or control (in other words these records were not destroyed as mandated), the University is obliged to consider releasing them and to comply with statutory obligations surrounding the access and privacy of such records.

   Direct questions about secure destruction methods to Ryerson’s Information Systems Security Officer, Communication and Computer Services, or the I&P Officer. Direct questions about the University’s records retention schedule to the Records Management Coordinator.

6. Disclosure of Restricted Information

   The University will comply with relevant legislation and will not disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or unless required or authorized by law. Disclosure of personal information for a purpose consistent with the original use, and disclosure to a university employee, consultant, or agent who needs personal information for the performance of their role in legitimate university functions is permitted by FIPPA (Section 42).

   Upon request the University will disclose restricted information, other than personal information, when there is no element of associated harm or with the consent of affected individuals and third parties as appropriate, or as required or authorized by law. If the disclosure is part of a request for access to information under FIPPA or other relevant legislation, the University will comply with its statutory obligations and will exercise discretion in the application of legislated exemptions and exclusions to achieve a balance between transparency and the protection of personal privacy and restricted information.

   The University will comply with its statutory obligations regarding an individual’s right of access and correction to records about themselves as well as the limited exemptions to these circumstances (FIPPA Sections 47, 48, 49).

7. Disclosure of Restricted Information to Third Parties and Third-Party Disclosures to the University

   It is a necessary part of university operations for the University to work with third parties such as service providers or external consultants. As part of such transactions, it may be necessary that restricted information is disclosed by the University to the third party or by the third party to the University. Before disclosing restricted information to a third party, the University will review the information to be shared to ensure that only those elements necessary to accomplish the task are shared. The University will prepare a written contract with the third party, which outlines limitations on use, access, and disclosure in place to protect personal and other forms of restricted information. For this purpose, General Counsel has developed a Privacy Protection Schedule which is available upon request. This schedule addresses collection, use, access, retention, disclosure and destruction of personal information and provides the University with authority to audit the third party for compliance with the schedule’s provisions.

   It is the University’s responsibility to make third parties aware of how the information related to a contract with the University is affected by privacy-protection legislation.

   University departments in relationships with third parties are responsible for (i) performing risk assessments on disclosures that involve restricted information, with particular attention to transactions involving personal information, (ii) ensuring that the contracts contain the appropriate privacy provisions, (iii) developing an appropriate information protection plan, and (iv) contacting the I&P Officer for information about how the contract may be affected by relevant privacy-protection legislation.