Privacy Policy
– June 11, 2021
Page 1 of 5
PRIVACY POLICY
Policy Type:
Management
Initially
Approved:
June 11, 2021
Policy Sponsor:
General Counsel
and University
Secretary
Last
Revised:
Primary Contact:
Information
Management &
Privacy Office
Review
Scheduled:
June 11, 2026
Approver:
Board of Governors
A.
PURPOSE
Mount Royal University is entrusted with the Personal Information of the University community and
is committed to managing this information appropriately. This Policy ensures that the University
protects the privacy of all members of its community, in accordance with applicable privacy
legislation governing the collection, use, disclosure and protection of Personal Information.
B.
SCOPE
This Policy applies to all Personal Information in the custody or under the control of the University.
C.
POLICY STATEMENT
1.
ACCOUNTABILITY
1.1
The University complies with all aspects of the Freedom of Information and
Protection of Privacy Act (“the Act”) and all other privacy legislation that is applicable
to the University.
1.2
The President is ultimately accountable for privacy compliance and may delegate to
an Employee any of duties or functions of the President under the Act in writing.
However, those delegates may not further sub-delegate. Delegations by the
President are captured in the FOIP Delegation of Authority Table.
1.3
All Employees share responsibility for the protection of privacy provisions required
under the Act such as the requirements for the collection, use, disclosure, protection,
and accuracy of Personal Information
in the University’s custody or control. The
Information Management & Privacy Advisor will provide assistance on administering
protection of privacy measures.
1.4
Senior Leaders are responsible for, in consultation with the Information Management
& Privacy Advisor, establishing and maintaining privacy measures that ensure the
protection of privacy within their Departments.
Privacy Policy
– June 11, 2021
Page 2 of 5
1.5
The FOIP Office is responsible for providing the University community with planning
and guidance on privacy compliance requirements and is the official spokesperson
for
the University with the Commissioner’s Office.
2.
COLLECTION OF PERSONAL INFORMATION
2.1
The University may only collect Personal Information when:
a. the collection of information is necessary for an operating program or activity of
the University;
b. the collection of information is authorized by an enactment under Alberta or
Canada; or
c. as otherwise prescribed by the Act
2.2
The University must make every reasonable effort to collect Personal Information
directly from the individual the information is about unless an exception or
circumstance exists under the Act to collect the individual’s Personal Information
from other sources.
2.3
When the University collects Personal Information directly from an individual, notice
must be provided prior to its collection using a FOIP Notification Statement. At
minimum, the FOIP Notification Statement must inform individuals of:
a. the purpose for the collection;
b. the legal authority for the collection; and
c. the contact information of an Employee who can answer questions about the
collection.
2.4
In the event a circumstance exists under the Act that authorizes Personal Information
to be collected indirectly, or from other sources beyond the individual the information
is about, a FOIP Notification Statement is not required.
3.
USE AND DISCLOSURE OF PERSONAL INFORMATION
3.1
Personal Information collected by the University may only be used or disclosed to
the extent necessary to carry out the purpose for which it was collected. It may also
be used or disclosed for other purposes prescribed under the Act.
3.2
Personal Information may be disclosed internally to other Employees on a need-to-
know basis or if the information is necessary for the performance of their duties or
functions.
3.3
The University may only disclose Personal Information to a third party where the
individual has been notified that the Personal Information may be disclosed, has
consented to the disclosure, or as otherwise prescribed under the Act.
3.4
Where a third party is providing a service to the University, and the University is
disclosing Personal Information to that third party to support those services, the
University will enter into a formal agreement with the third party which secures
Privacy Policy
– June 11, 2021
Page 3 of 5
appropriate terms that
address the third party’s collection, use, security, and further
disclosure of the Personal Information.
4. PROTECTION OF PERSONAL INFORMATION
4.1
The University, and its Employees, must protect Personal Information in its custody
or control by making reasonable security mitigation strategies against such risks as,
unauthorized access, collection, use, disclosure, and destruction.
4.2
The University has an Information Security policy that ensures Personal Information
under the control or custody of the University is protected from unauthorized access,
use and disclosure.
4.3
All Employees are expected to, in consultation with the Information Management &
Privacy Advisor, protect Personal Information using appropriate privacy compliance
measures in advance of engaging in any projects where Personal Information is
involved.
4.4
All Records containing Personal Information must be retained and destroyed in
accordance with the University’s Information Management policy.
4.5
Any Records that contain identifiable Personal Information and that are ready for
disposal must be securely destroyed and made unreadable such as, permanent
deletion, destruction of medium or secure paper shredding. Guidelines for securely
disposing of Personal Information can be retrieved from the FOIP Office.
4.6
If an Employee becomes aware of unauthorized access to or collection, use,
disclosure, or disposal of Personal Information, they must inform the FOIP Office
immediately in accordance with the Procedure for Managing a Privacy Breach.
4.7
Individuals who believe that the University has collected, used, or disclosed their own
Personal Information in contravention of the Act may ask the Commissioner to review
the matter.
5. ACCURACY OF PERSONAL INFORMATION
5.1
The University must make every reasonable effort to make sure that the collected
Personal Information is accurate and complete subject to the provisions under the
Act.
5.2
Individuals who believe their Personal Information under the custody and control of
the University contains an error or an omission may request a correction to their
Personal Information in accordance with the Procedure for Reviewing Personal
Information.
6.
USE OF VIDEO SURVEILLANCE
6.1
Video surveillance on University property may only be conducted by Security
Services. The Manager, Security Services, will act as the designated senior official
responsible for the oversight and management of the video surveillance system.
Privacy Policy
– June 11, 2021
Page 4 of 5
6.2
The use or disclosure of Information captured using video surveillance will adhere to
all requirements within this Policy, the FOIP Act and in accordance with the
Procedure to Manage Video Surveillance.
D.
DEFINITIONS
(1)
Act, the:
means the Freedom of Information and Protection of Privacy
Act, RSA, 2000, c F-25
(2)
Commissioner:
means the Information and Privacy Commissioner of Alberta
appointed in accordance with the Act
(3)
Employee:
means individuals who are engaged to work for the University
under an employment contract, including but not limited to
faculty, staff, exempt, casual and management employees
(4)
Personal
Information:
means recorded information about an identifiable individual,
including:
a.
the individual’s name, home or business address or
home or business telephone number,
b.
the individual’s race, national or ethnic origin, colour or
religious or political beliefs or associations,
c.
the individual’s age, sex, marital status or family status,
d. an identifying number, symbol or other particular
assigned to the individual,
e.
the individual’s fingerprints, other biometric information,
blood
type,
genetic
information
or
inheritable
characteristics,
f.
information about the individual’s health and health care
history, including information about a physical or mental
disability,
g.
information about the individual’s educational, financial,
employment or criminal history, including criminal
records where a pardon has been given,
h.
anyone else’s opinions about the individual, and
i.
the individual’s personal views or opinions, except if
they are about someone else.
(5)
Policy:
means the Privacy Policy
(6)
Record:
means a record of information in any form and includes, but is
not limited to, notes, emails, letters, images, audiovisual
recordings, documents, maps, drawings, photographs, letters,
invoices and any other information that is written, photographed,
recorded, captured or stored in any manner. Notably, the
Privacy Policy
– June 11, 2021
Page 5 of 5
definition does not include software or any mechanism that
produces or reads records.
(7)
Senior Leader:
means either (i) any Employee who both reports to a Vice-
President or President and leads a Department and (ii) any other
person designated as a Senior Leader by the Executive
Leadership Team
(8)
Unit:
Means an academic or business Unit of the University
(9)
University:
means Mount Royal University
E.
RELATED POLICIES
• Access to Information policy
• Information Security policy
F.
RELATED LEGISLATION
• Freedom of Information and Protection of Privacy Act, RSA, 2000, c F-25
G.
RELATED DOCUMENTS
• FOIP Delegation of Authority Table
• FOIP Notice Statement Template
• Privacy Breach Report Form
• Procedure for Managing a Privacy Breach
• Procedure for Reviewing Personal Information
• Procedure to Manage Video Surveillance
• Request to Correct Personal Information Form
H.
REVISION HISTORY
Date
(mm/dd/yyyy)
Description of
Change
Sections
Person who
Entered Revision
(Position Title)
Person who
Authorized Revision
(Position Title)
01/19/2022
Editorial
Related Policies
Policy Advisor
General Counsel and
University Secretary
12/20/2022
Editorial
Policy Statement (6)
Manager, Security
Services
04/20/2023
Editorial
Definitions
Policy Advisor
General Counsel and
University Secretary