INF 01.0 FOIP Privacy Policy

FOIP PRIVACY POLICY

INF 01.0

Policy Owner: President Policy Lead: Chief Financial Officer

Responsible Office: Financial Services

Approver: Senior Leadership Team

Initially Approved: November 5, 2019

Review Scheduled: November, 2024

Last Revised: November 5, 2019

Last Edited: January 17, 2023

Related Policy/Procedures: FOIP Access To Information Procedure (INF 01.0-1)

Student Personal Information Policy (Appendix A)

Employee Personal Information Policy (Appendix B)

A. Policy Statement

As a public body, Lakeland College is governed by the Freedom of Information and Protection of Privacy (FOIP) Act as well as other federal and provincial legislation. Lakeland College collects Personal Information from students, employees and other members of the Lakeland College Community in order to accomplish its educational mandate. The college is committed to ensuring that reasonable security arrangements are in place to protect personal information against unauthorized access, use, disclosure or destruction.

The college supports the public’s right of access to information and will provide access as permitted under the FOIP Act. As a public post-secondary institution, Lakeland College also has a responsibility to provide access to information where required under the legislation, and is committed to openness, transparency and public accountability.

B. Scope Statement

This policy applies to all Lakeland College Employees. Appendix A outlines specific guidelines for the collection, storage, access and protection of Student Personal Information. Appendix B outlines specific guidelines for the collection, storage, access and protection of Employee Personal Information.

C. Definitions

Employee: an individual who performs a service for Lakeland College, which includes an appointee, volunteer, student or other individual under a contract or agency relationship

Personal Information: recorded information about an individual, including:

a. the individual’s name, home or business address or home or business telephone number;

b. the individual’s race, national or ethnic origin, colour or religious or political beliefs or associations;

c. the individual’s age, gender, sexual orientation, marital status or family status;

d. an identifying number, symbol or other particular assigned to the individual;

e. the individual’s fingerprints, other biometric information, blood type, genetic information or inheritable characteristics;

f. information about the individual’s health and health care history, including information about a physical or mental disability;

g. information about the individual’s educational, financial, employment or criminal history, including criminal records where a pardon has been given;

h. anyone else’s opinions about the individual, and the individual’s personal views or opinions, except if they are about someone else

D. Guidelines

1. Lakeland College will collect, use, disclose, and manage Personal Information in accordance with the FOIP Act, and other applicable legislation.

2. The President of Lakeland College, as the FOIP Head, may delegate the responsibility for managing personal information accuracy, access, collection, use, disclosure and retention to the FOIP Coordinator, as well as other positions according to the delegation table.

3. All Lakeland College Employees are responsible for the protection of personal, confidential and sensitive information entrusted to them.

4. Lakeland College will ensure that all Employees are aware of the FOIP Act and the college privacy policies and procedures, through publications, training seminars and other communication means.

Collection of Personal Information

5. The college may collect and record Personal Information only where:

a. the collection is expressly authorized by an enactment of Alberta or Canada,

b. the information is collected for the purposes of law enforcement,

c. the information relates directly to and is necessary for an operating program or activity of the college.

6. The purpose of collection shall be clearly stated at or before the information is collected. A FOIP notification statement must be provided at the time the information is collected and be approved by the FOIP Coordinator. The FOIP notification statement must include the following:

a. the purpose for which the information is collected;

b. the specific legal authority for the collection; and

c. the title, business address and business telephone number of the college Employee who can answer questions about the collection.

7. Personal Information shall be collected directly from the individuals, unless otherwise authorized under the FOIP Act, such as where the individual has expressly authorized another method of collection or where an individual is providing emergency contact information.

8. Every effort will be made to ensure that the information collected is accurate and complete. Individuals have a right to request correction to their own Personal Information.

9. Where Personal Information is handled and/or collected a privacy impact assessment must be conducted by the FOIP Coordinator prior to:

a. implementation of a new technology or system that handles or collects Personal Information;

b. change to a technology or system handling or collecting Personal Information;

c. changing from a traditional to an electronic service delivery program; or

d. issuing a new or updated rule/guideline that affects Personal Information.

10. Personal information banks of all Personal Information housed at the college shall be kept as required by the FOIP Act. Personal information banks (PIBs) are descriptions of personal information under the control of Lakeland College that is organized and retrievable by an individual's name or by a number, symbol or other element that identifies that individual

Use of Personal Information

11. Personal Information will only be used:

a. for the purpose for which the information was collected or compiled or for a use consistent with that purpose;

b. for statistical or research purposes according to the requirements set out in s. 42 of the FOIP Act;

c. where the individual for which the information is about has consented in the prescribed manner, as described below, to the specified use; or

d. where the use has been authorized by the Dean/Director/Registrar or the FOIP Coordinator, following the rules outlined in the FOIP Act (s. 40, 41, 42).

12. The college will only use the Personal Information to the extent necessary to enable the college to carry out its operating program or activities in a reasonable manner.

Right of Access

13. Individuals have the right of access to their own personal information. This right is subject only to the limited exceptions in the FOIP Act. This right of access does not include the right to remove or destroy information contained in a file.

14. Third parties also have a general right of access under the Act. The college will provide access to information only in accordance with approved policy and procedures, and in compliance with the FOIP Act.

15. The college will strive where feasible to make information available without having to submit a Formal Information Request. Individuals have a right to make a Formal Information Request under

the FOIP Act, which can be submitted in accordance with the Access to Information Procedure INF 01.0-1.

Disclosure of Personal Information

16. Personal Information will not be released to third parties and will only be disclosed where consistent with the purpose for which it was collected, except with the informed consent of the individual, or under the limited exceptions in the FOIP Act.

17. Personal Information is only disclosed to other Lakeland College Employees on a “need to know basis”. The information may only be disclosed where necessary for the performance of the duties the Employee was hired to perform.

18. Certain Personal Information collected by the college is disclosed to specific third parties in order to comply with provincial and federal law and to facilitate routine college operations. Examples include but are not limited to the following: Students’ Association of Lakeland College, Alumni Association of Lakeland College, Alberta government ministries and to the Canadian federal government.

Informed Consent

19. Where an individual has provided consent to disclose the information, the Informed Consent must be in the proper form:

a. individual has identified the information that is being consenting to

b. indicates to whom the Personal Information may be disclosed

c. how the Personal Information may be used; and

d. signed written consent

20. Informed Consent will generally be written; however, electronic and oral consent may be allowed in certain circumstances, where prior approval by the appropriate Dean/Director/Registrar has been given and the following conditions have been met:

a. Where electronic consent is obtained

i. a record of consent will be retained as per Lakeland College’s Retention Schedule, ii. the record of consent is accessible for future reference and use, and iii. contains a reliable electronic signature that authenticates the identity of the user

b. Where oral consent is obtained

i. a record of the consent will be created, ii. the record of consent is accessible for future reference and use, iii. will be retained as per Lakeland College’s Retention Schedule, and iv. the consent reliably authenticates the identity of the user

Security and Disposal

21. Personal Information will be maintained only as long as necessary to fulfill the purpose for which it was collected according to the college’s Records Retention Schedule. Personal Information used to make a decision on an individual must be retained for a minimum of one year.

22. Personal Information authorized for destruction must be safely and securely destroyed:

a. Electronic records should be properly deleted/erased in accordance with the Electronic Media Disposal Standard (IT 9.65).

b. Paper records containing Personal Information should be shredded in a cross shredder or placed in a secure shredding bin.

23. Employees will safeguard personal information and take all reasonable steps to protect this information by following all Lakeland College Policy & Procedures, in particular, but not limited to: Access to Information Procedure (INF 01.0-1), Records Management (INF 11.0), Social Media Policy (ADM 01.0), Information Technology Security Policy (INF 08.0), and Electronic Media Disposal Standard (INF 06.0)

Privacy Breach

24. A privacy breach occurs when personal information is collected, retained, used or disclosed in ways that are contrary to the provisions in the FOIP Act. If a privacy breach occurs the Employee must immediately notify their direct supervisor and the FOIP Coordinator. Where the risk involves a breach of electronic data, the Director of Information and Technology should also be immediately notified.

25. The college will take the following steps to respond to a Privacy Breach:

a. Contain and minimize the breach

b. Evaluation of the impact of the breach,

c. Notification of individuals if required, and

d. Prevention to preclude occurrence of similar breaches in the future

26. The FOIP Coordinator will notify the President and immediately conduct an internal investigation of any breaches assessed at a high risk. The FOIP Coordinator will assess whether notification to third parties and the Office of the Information and Privacy Commissioner is required.

Training

27. The FOIP Coordinator will provide relevant FOIP training and support to employees.

Policy Acknowledgment

28. All Lakeland College employees must sign the Code of Conduct Acknowledgment Form confirming the Employee’s responsibility with respect to confidential information.

29. Each employee who has access in the course of their work to Personal Information shall be asked to sign an acknowledgment that they have read and understood this policy. Any questions about this policy can be directed to the FOIP Coordinator.

E. Exceptions n/a

F. Related Policies/Procedures

Access to Information Procedure (INF 01.0-1)

Correction to Personal Information (FIN 19.0)

Code of Conduct (HR 04.0)

Records Management (INF 11.0)

Social Media Policy (ADM 01.0)

Information Technology Security Policy (INF 08.0)

Electronic Media Disposal Standard (INF 06.0)

G. Relevant Legislation

Freedom of Information and Protection of Privacy Act

Health Information Act

Post-Secondary Learning Act

H. Related Forms/Documents

Request to Correct Personal Information (INF 003)

Request to Access Information Form (INF 004)

Code of Conduct Acknowledgment Form (HR 057)

Retention Schedule

I. Revision History

Date (yyyy/mm/dd)

2019-11-05

Description of Change

New, implemented as FIN 4.02

Approver (Position Title)

2023-01-17 Non-substantive - new numbering INF 01.0 (formerly FIN 4.02) /updated to new template Risk & Compliance Manager