1 — PURPOSE
The purpose of this policy is to ensure that the University is in compliance with the Personal Information Protection and Electronic Documents Act, hereinafter referred to as "PIPEDA".
This policy is not intended to cover all policy issues concerning the protection of personal information, but only those issues that are raised by PIPEDA.
2 — DEFINITIONS
2.1 "Commercial activity"
A commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
2.2 "Commercial character"
An activity has a commercial character if it, or another activity with which it is associated, a) involves an exchange of goods or services for valuable consideration, b) is for the purpose of creating a profit, generating revenue or producing a positive cash flow and c) is not principally educational in nature, that is, is not principally advancing or communicating knowledge or improving the abilities of students.
2.3 "Personal information"
Personal information for the purposes of this policy means information that the University collects, uses or discloses in the course of commercial activities, which information is about an identifiable individual. Personal information does not include the name, title, business address or business telephone number of an employee of the University.
3 — APPLICATION
This policy only applies to personal information that the University collects, uses or discloses in the course of commercial activities.
This policy does not apply to employee and student information collected, used or disclosed in the administration of the University unless and until that information is used or disclosed in the course of a commercial activity.
The University has examined its activities to identify those that are commercial in character and which involve the collection, use or disclosure of personal information. The results of that examination are summarized in Appendix 1 of this policy.
4 — RESPONSIBILITY FOR COMPLIANCE
The Director of Administrative Services, as the person responsible for most of the activities that could be commercial activities for the purposes of this policy, is designated as the individual responsible for the University's compliance with the PIPEDA.
5 — COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION
The University will collect, use or disclose personal information in the course of a commercial activity only for purposes that a reasonable person would consider are appropriate in the circumstances and to the extent necessary to complete that activity.
6 — DISCLOSURE AND CONSENT
Given the forgoing, and that the commercial activities will be ones in which an individual participates voluntarily, and since it is the University's policy not to use or disclose personal information collected in the course of one commercial activity in any other commercial activity , the University believes that the individual's participation in the activity constitutes sufficient consent to collect that information and that express disclosure of the use that will be made of the personal information is not required.
Furthermore, since personal information that the University collects other than in the course of a commercial activity will only be used in the course of commercial activities in very limited circumstances that are reasonable given the work of the University, such as to provide services to members of the Alumni, express consent is not required for the University to make use of that information. Information on these uses is recorded in Appendix 1 of this policy.
7 — PROTECTION AND PERSONAL INFORMATION
It is the responsibility of each department head to protect in accordance with this policy personal information that is in the possession of the department.
If the University transfers personal information to a third party for processing, the University will ensure that the third party provides a level of protection to that information that is comparable to the level of protection provided by the University.
The following security safeguards will be used to protect personal information against loss or theft, as well as against unauthorized access, disclosure, copying, use, or modification:
- physical copies of such information when not being used shall be stored in locked filing cabinets or in offices to which access is restricted;
- electronic copies of such information shall be stored only on computers or in computer systems that are password protected; and
- access to the information will only be provided to employees who need to have access in order to do their jobs
8 — COMPLAINTS, ENQUIRIES AND REQUESTS
The University shall inform individuals who make enquiries or lodge complaints about matters covered by this policy of the existence of the following procedures.
Individuals who have complaints or questions concerning any of the matters covered by this policy, or who wish to gain access to personal information in the possession of the University, may do so by addressing their complaints, enquiries or requests in writing to the Director of Administrative Services, ¹û¶³´«Ãº University, 65 York Street, Sackville, New Brunswick, E4L 1E4.
This written complaint, enquiry or request must include sufficient information to permit the University to provide an account of the existence, use, and disclosure of personal information. The information so included shall only be used for the purpose of dealing with the complaint, enquiry or request.
The Director shall investigate all complaints. If a complaint is found to be justified, the University shall take appropriate measures, including, if necessary, amending its policies, practices and records and, where appropriate, shall transmit any amended records to third parties having copies of those records.
The Director will respond in writing to the complaint, enquiry or request within 20 working days and in a form that is easily understandable. Depending on the nature of the complaint, enquiry or request, the Director's response shall include the following information:
- a copy of this policy;
- a description of the type of personal information held by the University, including a general account of its source, a general account of its use and its disclosure to third parties, including its disclosure to related organizations; and
- the information that is being held so that the individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
If following this response the individual demonstrates in writing that the information being held is inaccurate or incomplete, the Director will correct or complete the information being held and report to the individual in writing that this was done. If changes or additions requested by the individual are not made, the Director will so report to the individual in writing.
If the Director's response, including the response contemplated in the immediately preceding paragraph, is not accepted by the individual, and the individual so informs the Director in writing, the substance of the unresolved issues shall be recorded and, when appropriate, the existence of the unresolved issues shall be transmitted to third parties having access to the information in question.
9 — INFORMATION EXPLAINING THE UNIVERSITIES POLICIES AND PROCEDURES AND STAFF TRAINING
The University shall make its employees aware of the importance of maintaining the confidentiality of personal information and shall advise them of the existence of this policy and its application to the collection, use and disclosure of personal information.
A copy of this policy shall be posted on the University's website so that all employees and all interested individuals will have access to the University's policies and procedures concerning personal information.
All staff associated with the Conference Office, or with any other office determined to be involved in commercial activities, shall, at the time their employment commences, receive training in the application of this policy, and in the practices in place to protect personal information.
10 — RETENTION AND DESTRUCTION OF PERSONAL INFORMATION
Personal information shall be retained for a maximum of seven fiscal years following the fiscal year in which the personal information is collected, except for such information that may be stored electronically in the University's student, financial, alumni or fund raising systems. With the exception of this latter information, information which is no longer to be retained shall be destroyed, erased, or made anonymous in a manner that will prevent unauthorized parties from gaining access to the information. Paper copies of such information shall be shredded and electronic records shall be erased in order to comply with this requirement. Further information on retention is provided in Appendix 1 of this policy.
Appendix 1
The following activities have been identified as being, or potentially being, commercial in character and involving, or potentially involving, the collection, use or disclosure of personal information.
1. Affinity Services
University Advancement has relationships with one company which offers life insurance, and one which offers home and auto insurance. No personal information is provided to these companies. However, names and addresses are provided to third-parties which mail to members of the alumni materials from these insurers. Opt-out cards are always included with any materials mailed. Furthermore, if a member of the alumni inform the University that they do not wish to receive such mailings their names and addresses are not provided. We have a contract with one of the third parties restricting their use of the information to the University mailings. A contract will be signed with the other third-party in the near future. There are no PIPEDA issues in respect of these activities.
2. Archives
The operation of the University's Archives is not a commercial activity, although the Archives may be the repository of personal information that was collected for commercial purposes. However, PIPEDA has an exception that permits archives to hold such information and therefore PIPEDA does not have implications for the Archives.
3. Art Gallery
The Gallery has an annual fundraising project which involves the auction of donated works of art. It also sells exhibition catalogues at or below cost. Payments are made by cash or cheque. No personal information is collected other than the personal information that appears on cheques used to make payments. None of this information is retained by the University.
4. Banks
Student Services submits personal information to banks for the purposes of student loans. However, this is only done at the student's request so that, even if this is a commercial activity, PIPEDA is not an issue.
5. Bookstore, Fine Arts Store and Departmental Support Services
With the exceptions of a) a small number of personal orders (1 per cent of bookstore sales) through the bookstore and of b) personal printing, copying, finishing and courier services (20 per cent of Departmental Support Services sales) provided to individuals, these operations deal only with course-related materials and normal University business. Therefore, only the two listed exceptions could be covered by PIPEDA, and in each case consent can be implied to the collection of personal information. Furthermore, a) no personal information is collected when cash or debit payments are made; b) no personal information appearing on cheques is retained once the cheques are deposited once per month in the case of the Fine Arts store and once per day in other cases; and c) personal information on credit card impressions or slips is not used for any other purpose, is retained in locked filing cabinets and is destroyed after seven years.
6. Collection Agencies
Financial Services provides personal information to collection agencies. However, section 7(3)((b) permits the disclosure of personal information without the knowledge or consent of the individual if the disclosure is for the purpose of collecting a debt owed by the individual to an organization.
7. Community Services
University Advancement hosts 30 to 40 events each year which provide services, such as meals or greens fees, in return for a participation fee intended to cover only the costs of providing the services. These events are probably commercial activities. The University uses its alumni and donor databases to mail invitations, and honours any requests from individuals who do not wish to receive such invitations. The only personal information that is collected in the course of such activities would be information provided as a result of payments by credit card. Such information is not used for any other purpose, is retained in a locked cabinet for seven years and is then destroyed. There are no PIPEDA issues in respect of these activities.
8. Computing Services
Printer credits are sold. No personal information is collected.
9. Conferences
Conferences provides services to external groups and individuals for the purpose of making a profit. Therefore, PIPEDA probably applies to these conference activities. Personal information collected could include a person's name, address, phone number, gender, age, food preferences, health issues, and activity preferences. This information is not used for any purpose other than to provide the services that resulted in the collection of the information, is maintained in locked filing cabinets, and is destroyed after seven years.
10. Employee Benefit Providers
With two exceptions, any personal information provided to the University's employee benefit providers is provided on application forms that employees complete and sign for the purposes of applying either for the benefit coverage or for benefits under that coverage. If consent is required for the University to provide that information to the benefit providers, consent is implied.
The two exceptions concern personal information that the University provides to its life insurance provider for the purposes of premium renewals and to its long term disability insurance provider for the purpose of processing claims for disability benefits. In each case, consent can be reasonably implied. However, the University will ensure that these insurers have policies and practices in place so that they a) do not use any personal information provided by the University in any other commercial activity, b) protect that information from disclosure to other parties, c) do not retain the personal information longer than necessary, and d) discard the information in an appropriate manner once the information is no long required.
11. Food Services
Food services are provided to students who live in residences and PIPEDA does not apply. However, since the food service provider is a commercial organization, the transfer of personal information to the food service provider may be covered by PIPEDA. As a result, the only information that is transferred is the student's name, student identification number and residence room number.
12. Governments
It is unlikely that the University would disclose to a government any personal information collected by the University in the course of a commercial activity, or disclose to a government any personal information as part of a commercial activity. Even if such a disclosure were to occur, PIPEDA permits the disclosure without the knowledge or consent of the individual a) if the disclosure is made in response to a request for the information that identifies the authority to obtain the information and indicates that the disclosure is requested for the purpose of administering any law or b) if the disclosure is required by a person with jurisdiction to compel the disclosure or c) if the disclosure is required by law. The University is not aware of any disclosures that would be made to governments that would not fit under one of these three categories.
13. Lawyers
The University may at times disclose personal information to its lawyers. However, PIPEDA permits such disclosures without the knowledge or consent of the individual.
14. Library
The Library sells printer credits and photocopy cards. No personal information is retained.
15. Payroll & Pensions
Since the University uses external and commercial payroll and pension service providers, the provision of personal information to those providers for the purposes of providing services to the University is not a disclosure of personal information in the course of a commercial activity. However, if a service provider were to use that information in the course of its own commercial activities, that use could be covered by PIPEDA. Therefore, the University will ensure that these service providers have policies and practices in place so that they a) do not use in any commercial activity personal information provided by the University, b) protect that information from disclosure to other parties, c) do not retain the personal information after it is no longer necessary to provide services to the University, and d) discard the information in an appropriate manner once the information is no longer required.
16. Physical Recreation and Athletics
Memberships, classes and facilities rentals are offered to the public at a charge. These activities may be covered by PIPEDA. The Department in some cases collects names, addresses, phone numbers or e-mail addresses. There are no payments made by credit card. Copies of cheques are not retained when payments are made by cheque. The personal information is stored in locked cabinets, or on computers that are password protected, and in offices that are not open to the public.
17. Research
If research involves the collection, use or disclosure of personal information, and if the research has a commercial character, PIPEDA may apply to that research. For the research to have a commercial character it would have to have a stronger connection to commerce than to the research and educational mandate of the University. It is likely that the required connection would be present if the research were undertaken in conjunction with commercial partners or with a view to the commercialization of the products. The University is not aware of any such research. If such research were to be conducted in the future, the approval of the Research Ethics Board would be required and that Board would be responsible for ensuring that the requirements of PIPEDA were met.
18. Residences
¹û¶³´«Ãº's residences are provided only to permit students to attend the University and to offer the students a learning experience, and are important to our efforts to educate the whole person. Therefore, the operation of the residences for students is not a commercial activity and PIPEDA does not apply. No personal information concerning residence students is provided to any third parties.
19. Service Clubs
The University has in the past provided personal information to local service clubs to permit them to market goods or services for valuable consideration as part of fundraising efforts. Given that the provision of these goods or services for valuable consideration constitutes a commercial activity, the University will not provide such information in the future.
20. Student Organizations
The only personal information that is transferred to such organizations are a) a list of student names and the Student Union membership fees that they have paid, which list is provided to the Students' Union and b) mailing labels that are provided to the Students' Union that are used for the purpose of mailing yearbooks to former students. PIPEDA has no application to the first transfer and probably has no application to the second transfer. However, in the case of the second transfer steps will be taken to ensure that copies of the labels are not retained and that the labels are not used for any purpose other than the purpose for which the labels are produced.
Requests from student organizations for other personal information will be assessed on an individual basis and steps will be taken to ensure that the information is not used for a commercial purpose by the organization making the request or by a third party.
21. Student Services
Students pay for transcripts and diplomas. No personal information is collected.
22. Summer Camps and Other Activities Offered to the Public Other than Conferences
A list of names may be prepared to identify those who may attend such activities. Additional personal information may be collected if room and board is provided. However, room and board services are offered through Conferences and therefore the Conferences section of this appendix covers the PIPEDA issues that might be associated with such activities.
23. Motyer-Fancy Theatre/Performing Arts
Tickets to performances and, in the case of Performing Arts, series subscriptions are sold to individuals. Payments are made by cash and cheque. No personal information contained on cheques is retained. The only personal information retained is the list of subscribers.