Area Responsible for Administration: Strategic Initiatives and Government Relations
Approval Authorities: Senior Executive Committee
Revision History: August 2017
Review Timeline: Every 3 Years
To appropriately steward and disseminate information in Seneca’s custody or control while protecting the privacy of individuals’ personal information in compliance with the Freedom of Information and Protection of Privacy Act (FIPPA) and the General Data Protection Regulation (GDPR).
This policy applies to recorded information in Seneca’s custody or control subject to FIPPA and GDPR.
Freedom of Information and Protection of Privacy Act (FIPPA)
FIPPA applies to Ontario’s provincial ministries and most provincial agencies, boards and commissions, as well as universities, colleges, Local Health Integration Networks (LHINs) and hospitals.
The main principles of FIPPA are:
- Access: To provide the public with a right of access to records in Seneca’s custody or control
- Privacy: To protect an individual’s personal information held by provincial ministries and agencies, and to provide individuals with a right of access to their own personal information.
General Data Protection Regulation (GDPR)
A regulation in European Union (EU) law on data protection and privacy for all individuals within the European Union. It affects all EU-based organizations, and those that provide goods and services to, or monitor individual behaviour of, EU citizens globally. It was adopted on April 27, 2016 and came into effect May 25, 2018.
Full-time, part-time and contract faculty, support staff and administrators of Seneca.
Information in Seneca’s custody or control relating to Seneca employees and students or to Seneca’s business operations and the administration of academic programs and services. Information may be recorded in printed form, on film, by electronic means or otherwise and includes:
- Correspondence, memoranda, books, plans, maps, drawings, diagrams, pictorial or graphic works, photographs, film, microfilm, sound recordings, videotapes, machine-readable records, and other documentary material, regardless of physical form or characteristics, and any copy thereof
- Any information that is capable of being produced from a machine-readable record under Seneca’s control by means of computer hardware and software or any other information storage equipment and technical expertise normally used by Seneca, or to which Seneca can reasonably gain access
- Emails, including additional/forwarded copies.
Information about an identifiable individual, including:
- Race, national or ethnic origin, religion, age, sex, sexual orientation, and marital or family status
- Employment and educational history
- Medical, psychiatric and psychological history, prognosis, condition, treatment and evaluation
- Any identifying number (Social Insurance Number, student number), symbol or other assigned particular
- Home address and telephone number
- Personal opinions of or about the individual
- Name, where it appears with or reveals one’s personal information
- Correspondence sent to Seneca by an individual that is implicitly or explicitly of a private or confidential nature and any reply to that correspondence that would reveal its contents.
Note: Information about individuals acting in their business or professional capacity is not personal information. This includes their name, title, work address (including office location), work telephone number and Seneca email address.
An unauthorized collection, use or disclosure of someone’s personal information, in contravention of the Freedom of Information and Protection of Privacy Act or the Personal Health Information Protection Act. The breach may affect an individual or a group.
The coordinator of Seneca’s activities related to FIPPA, including facilitating freedom of information access requests and ensuring Seneca’s compliance with FIPPA provisions.
1. Policy Statement
Seneca is compliant with FIPPA, GDPR and all applicable privacy legislation, and affirms the importance of conducting its operations in a transparent manner and in ways that are open to public scrutiny.
2. Access Rights
2.1 Individuals have the right to ask for their own personal information and to request a correction of records containing their own personal information.
2.2 Individuals seeking access to a record must:
- Submit a Freedom of Information (FOI) Access Request form or written request to Seneca’s Privacy Office that provides sufficient detail to identify the record.
- Pay the prescribed application fee of $5.00 (per request).
- Mail the completed request and application fee, made payable to Seneca, to:
8 The Seneca Way
Note: Additional fees may be required to process a request depending on the total costs incurred by Seneca to produce or copy the record. For more information, refer to Seneca’s Freedom of Information and Protection of Privacy Procedure.
3. FIPPA Exemptions
3.1 Records will be exempt from disclosure under FIPPA in circumstances where granting access could:
- Damage Seneca’s relationship with the federal or provincial government, or other agencies providing funding to Seneca
- Damage Seneca’s economic interests if the records – containing financial, commercial, scientific or technical information – belonging to Seneca have actual or potential monetary value
- Damage Seneca’s competitive position if the records contain institutional plans or information that have not been made public
- Damage Seneca’s legal position if the records are subject to solicitor-client privilege or prepared by counsel for potential use in giving legal advice or in litigation
- Undermine the effectiveness and/or fairness of an auditing procedure
- Undermine the effectiveness and/or fairness of an examination, testing procedure or other means used in the evaluation of student learning.
3.2 If a requested record contains information that is exempt from disclosure and can easily be separated, the right of access shall apply to the remainder of the record.
4. FIPPA Exclusions
4.1 FIPPA does not apply to labour relations or employment-related records used in the following circumstances:
- Actual or anticipated proceedings before a court, tribunal or other entity
- Actual or anticipated negotiations between Seneca and an individual or bargaining agent/party
- Meetings, consultations, discussions or communications in which Seneca has an interest
- When disclosure of a member of the Seneca community’s past, present or proposed research would be contrary to public interest, would interfere with a current project or would jeopardize the legitimate interests of a project’s researchers, employees, students or research sponsors
- When teaching materials are collected, prepared, maintained or used by or on behalf of Seneca.
4.2 The following four subcategories of labour relations and employment-related records are exceptions to the excluded records listed in section of this policy and are subject to FIPPA:
- Agreements between Seneca and a trade union
- Agreements between Seneca and one or more employee(s) that ends a proceeding before a court, tribunal or other entity
- Agreements between Seneca and one or more employee(s) resulting from negotiations between Seneca and the employee(s)
- Employee business expense accounts submitted for reimbursement.
5. Collection, Use, Disclosure and Disposal of Personal Information
5.1 In accordance with section 39 (2) of FIPPA, personal information collected by Seneca may be used and disclosed for the purposes of administrative, information technology, law enforcement, statistical, research or provincial/federal government activities.
5.1.1 Seneca shall collect, use and disclose personal information for the following purposes:
- Academic and non-academic programs and evaluations
- Recruitment, admission and graduation
- Financial aid assistance, awards and bursaries
- Philanthropic initiatives and activities
- Employment-related matters
- Security and information technology
- Institutional planning, research and statistics
- Third-party organization for Seneca-related activities.
5.2 Use and Disclosure of Personal Information
5.2.1 Seneca shall only disclose personal information in its custody or control in circumstances where:
- An access request is submitted and is in accordance with the provisions and regulations set out in FIPPA
- An individual to whom the information relates has consented to disclosure in writing
- It is for the purpose for which it was collected or for a consistent purpose
- It is necessary to aid in the investigation of an allegation that an individual has made false statements or engaged in other misleading conduct:
  - Concerning attendance or performance or status within or completion of an academic program of Seneca; or
  - With respect to an employment relationship
- Disclosure is made with consent to a physician or other health professional for the assessment of disability, medical leave or similar claims
- It is collected and maintained specifically for the purpose of creating a record available to the general public
- Legislation expressly authorizes disclosure
- Disclosure is to Seneca or a law enforcement agency in Canada to aid in an investigation to the extent that is necessary to prosecute the violation or to continue the investigation
- It is for the health and/or safety of an individual
- Facilitation of contact with the spouse, close relative or friend of an employee or student who is injured, ill or deceased
- Disclosure required by a union or the Council for the purpose of administering a collective agreement
- A Member of Provincial Parliament or bargaining agent who has been authorized by an individual to make inquiries on his/her behalf
- Disclosure is required by the federal government to facilitate the auditing of a shared cost program
- Disclosure required by an agreement for research activities.
5.2.2 Employees may only share students’ personal information with other employees whose duties and responsibilities authorize them to have access to that information. Employees may only share a student’s information beyond those with authorized access if prior consent is obtained from the student.
5.2.3 A student’s parents, guardians or spouse may be provided access to his/her personal information if prior consent from the student, aged 16 or over, is obtained. Signed parental consent is required if the student is under the age of 16.
5.3 Disposal of Personal Information
5.3.1 Seneca shall retain personal information for a period of at least one (1) year from its last use unless the affected individual consents to a shorter period. Personal information cannot be destroyed prior to this time and may be subject to longer retention periods.
5.3.2 It is an offence to alter, conceal or destroy a record with the intent of denying a right of access. Intentional destruction of Seneca’s records may result in a fine and/or legal proceedings.
5.3.3 Prior to disposing of a record containing personal information, employees must submit a Disposal of Personal Information form to the Privacy Officer for approval (See Appendix A).
6.1 Employees shall prevent unauthorized access to records, and implement and document specific security measures that may include Information Technology policies (password restrictions and automatic lockout of computers when idle), firewalls, physical security (locking cabinets and offices) and administrative protocols (limiting employees’ access to certain files).
6.2 Records in all formats and media containing sensitive information must be securely collected and shredded for disposal. This includes records containing personal information of employees and those related to Seneca’s operations and administration.
7.1 Employees and students will adhere to GDPR principles pertaining to the handling of personal data of EU residents studying and/or working at Seneca and will ensure that EU residents are notified when information is collected from them directly or from a third party, e.g. a recruiter, and of how that data is being controlled.
7.2 EU residents will have the right to access, amend or have their data removed from Seneca’s records when it is no longer being held for the purpose for which it was collected or required on other legal grounds. The Privacy Officer will be the point of contact for such requests.
Related Seneca Policies
- Personal Health Information Protection Policy
- Freedom of Information and Protection of Privacy Act, R.S.O. 1990, Chapter F.31
- Information and Privacy Commissioner of Ontario
- Ontario Colleges of Applied Arts and Technology Act, 2002, S.O. 2002, Chapter 8, Schedule F
- Personal Health Information Protection Act, 2004, S.O. 2004, Chapter 3, Schedule A
- General Data Protection Regulation (EU) 2016/679