Area Responsible for Administration: Strategic Initiatives and Government Relations
Approval Authorities: Senior Executive Committee
Revision History: August 2017
Review Timeline: Every 3 Years
To appropriately steward and disseminate information in Seneca’s custody or control while protecting the privacy of individuals’ personal information in compliance with the Freedom of Information and Protection of Privacy Act (FIPPA) and the General Data Protection Regulation (GDPR).
This policy applies to recorded information in Seneca’s custody or control subject to FIPPA and GDPR.
Freedom of Information and Protection of Privacy Act (FIPPA)
FIPPA applies to Ontario’s provincial ministries and most provincial agencies, boards and commissions, as well as universities, colleges, Local Health Integration Networks (LHINs) and hospitals.
The main principles of FIPPA are:
General Data Protection Regulation (GDPR)
A regulation in European Union (EU) law on data protection and privacy for all individuals within the European Union. It affects all EU-based organizations, and those that provide goods and services to, or monitor individual behaviour of, EU citizens globally. It was adopted on April 27, 2016 and came into effect May 25, 2018.
Full-time, part-time and contract faculty, support staff and administrators of Seneca.
Information in Seneca’s custody or control relating to Seneca employees and students or to Seneca’s business operations and the administration of academic programs and services. Information may be recorded in printed form, on film, by electronic means or otherwise and includes:
Information about an identifiable individual, including:
Note: Information about individuals acting in their business or professional capacity is not personal information. This includes their name, title, work address (including office location), work telephone number and Seneca email address.
An unauthorized collection, use or disclosure of someone’s personal information, in contravention of the Freedom of Information and Protection of Privacy Act or the Personal Health Information Protection Act. The breach may affect an individual or a group.
The coordinator of Seneca’s activities related to FIPPA, including facilitating freedom of information access requests and ensuring Seneca’s compliance with FIPPA provisions.
1. Policy Statement
Seneca is compliant with FIPPA, GDPR and all applicable privacy legislation, and affirms the importance of conducting its operations in a transparent manner and in ways that are open to public scrutiny.
2. Access Rights
2.1 Individuals have the right to ask for their own personal information and to request a correction of records containing their own personal information.
2.2 Individuals seeking access to a record must:
Note: Additional fees may be required to process a request depending on the total costs incurred by Seneca to produce or copy the record. For more information, refer to Seneca’s Freedom of Information and Protection of Privacy Procedure.
3. FIPPA Exemptions
3.1 Records will be exempt from disclosure under FIPPA in circumstances where granting access could:
3.2 If a requested record contains information that is exempt from disclosure and can easily be separated, the right of access shall apply to the remainder of the record.
4. FIPPA Exclusions
4.1 FIPPA does not apply to labour relations or employment-related records used in the following circumstances:
4.2 The following four subcategories of labour relations and employment-related records are exceptions to the excluded records listed in section of this policy and are subject to FIPPA:
5. Collection, Use, Disclosure and Disposal of Personal Information
5.1 In accordance with section 39 (2) of FIPPA, personal information collected by Seneca may be used and disclosed for the purposes of administrative, information technology, law enforcement, statistical, research or provincial/federal government activities.
5.1.1 Seneca shall collect, use and disclose personal information for the following purposes:
5.2 Use and Disclosure of Personal Information
5.2.1 Seneca shall only disclose personal information in its custody or control in circumstances where:
5.2.2 Employees may only share students’ personal information with other employees whose duties and responsibilities authorize them to have access to that information. Employees may only share a student’s information beyond those with authorized access if prior consent is obtained from the student.
5.2.3 A student’s parents, guardians or spouse may be provided access to his/her personal information if prior consent from the student, aged 16 or over, is obtained. Signed parental consent is required if the student is under the age of 16.
5.3 Disposal of Personal Information
5.3.1 Seneca shall retain personal information for a period of at least one (1) year from its last use unless the affected individual consents to a shorter period. Personal information cannot be destroyed prior to this time and may be subject to longer retention periods.
5.3.2 It is an offence to alter, conceal or destroy a record with the intent of denying a right of access. Intentional destruction of Seneca’s records may result in a fine and/or legal proceedings.
5.3.3 Prior to disposing of a record containing personal information, employees must submit a Disposal of Personal Information form to the Privacy Officer for approval (See Appendix A).
6.1 Employees shall prevent unauthorized access to records, and implement and document specific security measures that may include Information Technology policies (password restrictions and automatic lockout of computers when idle), firewalls, physical security (locking cabinets and offices) and administrative protocols (limiting employees’ access to certain files).
6.2 Records in all formats and media containing sensitive information must be securely collected and shredded for disposal. This includes records containing personal information of employees and those related to Seneca’s operations and administration.
7.1 Employees and students will adhere to GDPR principles pertaining to the handling of personal data of EU residents studying and/or working at Seneca and will ensure that EU residents are notified when information is collected from them directly or from a third party, e.g. a recruiter, and how that data is being controlled.
7.2 EU residents will have rights to access, amend or have their data removed from Seneca’s records, when it is no longer being held for the purpose it was collected or required on other legal grounds. The Privacy Officer will be the point of contact for such requests.