Category: Management and Implementation
LAST REVISED: August 2010
1.2 The SAMRU is primarily subject to Alberta's Personal Information Protection Act ("PIPA"), the purposes of which are stated as:
…to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of an individual to have his or her personal information protected and the need of organizations to collect, use or disclose personal information for purposes that are reasonable.
1.3 In certain circumstances, such as transfers of personal information across provincial or international borders for purposes of a trade or sale of the information itself (and not for purposes of outsourcing), the SAMRU may also be subject to the Personal Information Protection and Electronic Documents Act (Canada), but otherwise PIPA generally will apply.
1.4 If there is any discrepancy between this Policy and applicable legislation, the legislation will take priority to the extent required by law.
2.1 This Policy applies to all personal information about members and employees of the SAMRU and about any members of the public or other individuals which may be collected, used or disclosed by the SAMRU, including alumni.
2.2 Personal information concerning employees collected, used or disclosed by individuals who may also be employees of the SAMRU but who are doing so for personal or domestic reasons, and who are not acting on behalf of the SAMRU or in the course of their employment, is not subject to PIPA or this Policy.
"business contact information" refers to an individual’s name and position or title, business telephone number, business address, business e-mail address, business fax number and other similar business contact information. Business contact information may be made publicly accessible for the purposes of allowing other individuals, including personnel of companies that the SAMRU deals with in the course of its business, and the public, to contact individual employees in relation to their business responsibilities, but for no other purpose.
"collection" means gathering, acquiring, recording, photographing, or obtaining personal information from any source, by any means.
"disclosure", "disclose" and similar variations of the foregoing means showing, telling, sending, or giving personal information to some other individual or organization or the public, but does not include use of the information within the SAMRU.
"employee" means an individual employed by the SAMRU. The term "employee" also includes individuals who perform a service in connection with the SAMRU as a volunteer, participant, or student.
"personal employee information" means information reasonably required by the SAMRU that is collected, used or disclosed for the purposes of establishing, managing or terminating an employment or volunteer-work relationship, or managing a post-employment or post-volunteer-work relationship, but does not include personal information about the individual not related to that relationship.
"personal information" means information about an identifiable individual, but does not include information of an aggregate or anonymous nature where a specific individual or individuals cannot be identified. Personal information also does not include business contact information, but does include personal employee information.
4.1 It is the policy of the SAMRU to collect, use and disclose personal information only for purposes that are reasonable.
4.2 PIPA generally requires that, at or before the time of collecting personal information, the individual is to be notified of the purposes for the collection, use or disclosure of their personal information, and the name or position or title of a person who is able to answer questions the individual may have, and the consent of the individual to that collection, use or disclosure of their personal information is to be obtained.
There are many exceptions to the foregoing. It is the policy of the SAMRU to comply with the provisions of PIPA, but the SAMRU does reserve its rights to all available exceptions and exemptions under PIPA or any other legislation applicable in the circumstances.
4.3 PIPA provides that an individual is deemed to consent to the collection, use or disclosure of personal information about that individual for a particular purpose if the individual voluntarily provides the information for that purpose, and it is reasonable that a person would voluntarily provide that information. The SAMRU will rely on such deemed consent where reasonable to do so.
4.4 In the case of employees, PIPA provides that the SAMRU may collect, use, and disclose an individual’s personal employee information without consent if the individual is an employee of the SAMRU or if the collection, use or disclosure is for the purpose of recruiting a potential employee, provided:
- the collection, use, or disclosure is reasonable for the purposes for which it is being collected, used, or disclosed;
- the information is solely for the purposes of establishing, managing or terminating an employment or volunteer-work relationship, or managing a post-employment or post-volunteer-work relationship between the SAMRU and the individual; and
- the SAMRU has, with current employees, provided notification to them before collecting, using or disclosing the information that the SAMRU is doing so and the purposes for doing so.
4.5 The SAMRU may also disclose personal information about an individual who is a current or former employee to a potential or current employer of the individual without the individual's consent where the personal information that is being disclosed was collected by the SAMRU as personal employee information and the disclosure is reasonable for the purpose of assisting that potential or current employer to determine the individual's suitability for a position with that employer.
4.6 When the SAMRU collects personal information about individuals directly from them, except when their consent to the collection is deemed, or otherwise not required by law, the SAMRU will tell individuals the purpose for which the information is collected, and the name of a person who can answer questions about the collection. It is the policy of the SAMRU to collect personal information directly from the individual concerned, except where it is reasonable in the circumstances to collect personal information from other sources than the individual.
4.7 In addition to the circumstances outlined above, there are times when the law permits the SAMRU to collect, use or disclose personal information about an individual without their consent. Such circumstances include (but are not limited to) where:
- the collection, use or disclosure is clearly in the interests of the individual and consent cannot be obtained in a timely way;
- the collection, use or disclosure is reasonable for the purposes of an investigation or legal proceeding;
- the personal information is available to the public from a prescribed source;
- the collection, use, or disclosure is required or authorized by a statute or regulation of Alberta or Canada, or a bylaw of a local government body, or a legislative instrument of a professional regulatory body;
- the disclosure of the information is necessary to comply with a binding collective agreement;
- in certain circumstances involving disclosure to certain legally authorized entities, where the disclosure of the information is for the purposes of protecting against, or for the prevention, detection or suppression of fraud;
- the disclosure of the information is necessary to comply with an audit or inspection of the SAMRU that is authorized or required by a statute or regulation of Alberta or Canada (but if practicable to do so, information disclosed by the SAMRU will be limited to non-identifying information).
4.8 The purposes for which the SAMRU collects, uses or discloses personal information include the following:
- for administration of the student health and dental plans;
- for administration of any of the SAMRU's services, including Emergency Student Loans, scholarships and bursaries, appeals and grievances, contests and giveaways, food bank, legal clinic, club registration and for screening and selection of volunteers and employees;
- for verification of member rights to vote in elections, referenda, annual and special general meetings;
- for verification of the identity of individuals and their rights to run for office as Students’ Councillors, Academic Councillors, and Executive Committee members;
- for verification and administration of SAMRU ratified student clubs, club executives, and club volunteers;
- for verification of legal obligations, such as meeting minimum age required for alcohol service;
- for administration, monitoring and application of any sanctions imposed by SAMRU staff, Executive Committee, Students’ Council or the SAMRU Appeal Board; and
- personal employee information may be collected, used and disclosed as described in this Policy.
4.9 The SAMRU will not sell, barter or lease a full or partial membership list or a list of donors to any third party without express consent from the individuals on such list.
4.10 Aggregate personal information, or information rendered anonymous, may be used or disclosed by the SAMRU for evaluative and planning purposes.
4.11 It is the policy of the SAMRU that all electronic and paper forms used to collect information about SAMRU’s members will include the following notification:
4.12 An individual may change or withdraw his or her consent by giving the SAMRU reasonable notice of change or withdrawal. Unless the likely consequences of changing or withdrawing consent would be reasonably obvious to the individual, we will inform the individual of any likely consequences of changing or withdrawing their consent. Withdrawal of consent means that the SAMRU will cease collecting, using or disclosing the information in question, but will not operate to frustrate the performance of a legal obligation, and does not affect the right of the SAMRU to collect, use or disclose the information without consent where consent is not legally required or where collection, use or disclosure of the information without consent is permitted by PIPA or other applicable law.
OUTSOURCING AND SERVICE PROVIDERS
5.1 The SAMRU may contract with third party service providers with respect to the collection, use, disclosure or storage of personal information, in which case the SAMRU will enter into contractual arrangements with such service providers requiring them to keep confidential any personal information received from the SAMRU to provide services to the SAMRU.
5.2 In the event that the SAMRU contracts with a service provider outside of Canada, if the SAMRU uses that service provider to collect personal information with consent, or if personal information is transferred to the service provider outside of Canada, the SAMRU will notify the affected individuals orally or in writing as to the way in which individuals may obtain access to written information about the SAMRU's policies and practices with respect to service providers outside of Canada, and the name or position or title of a person able to answer on behalf of the SAMRU any questions about the collection, use or disclosure of personal information outside of Canada on behalf of the SAMRU.
5.3 Currently, the SAMRU may use electronic survey services, such as Survey Monkey, based in the United States, for carrying out surveys of members, students and staff with respect to particular issues. Participation in such surveys may include providing personal information with consent, and such information will be disclosed to the survey service in question.
RETENTION AND DESTRUCTION OF PERSONAL INFORMATION
6.1 PIPA allows the SAMRU to retain personal information for only as long as is reasonable for legal or business purposes. Upon expiry of an appropriate retention period, bearing in mind reasonable legal and business requirements, personal information will either be destroyed in a secure manner or made anonymous.
6.2 Should any consent, where consent is required (see paragraph 4.12 above), to our collection, use, disclosure or retention of personal information be revoked, the law also allows the SAMRU to continue to retain the information for as long as is reasonable for legal or business purposes.
7.1 The SAMRU recognizes its legal obligations to protect personal information during the course of carrying on its activities. The SAMRU has therefore made, and will continue to make, reasonable arrangements to secure against the unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction of personal information.
7.2 Misuse of an individual’s personal information by another individual may result in disciplinary action, up to and including termination or impeachment, and may have other legal consequences.
NOTIFICATION OF LOSS OR UNAUTHORIZED ACCESS OR DISCLOSURE
8.1 Where an incident occurs involving the loss of or unauthorized access to or disclosure of personal information under the control of the SAMRU, and where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure, the SAMRU will, without unreasonable delay, provide notice to the Information and Privacy Commissioner for Alberta of the incident, including any information required by law at the time to be provided to the Commissioner. While PIPA provides that the Commissioner has the authority to require the SAMRU to notify individuals of the unauthorized access or disclosure, the SAMRU may elect to immediately do so in the event the SAMRU considers it reasonable in the circumstances.
9.1 PIPA permits individuals, including employees, to submit written requests to the SAMRU to provide them with:
- access to personal information about them under our custody or control by way of a copy of the record containing the information or by way of examination of the record;
- information about our use or disclosure of personal information about them and the purposes for doing so; and
- where it is reasonable to do so, if we have in our custody or under our control a record about an individual described in their request, the purposes for which their personal information under our custody or control has been and is being used by us, and the names of persons to whom, and the circumstances in which their personal information has been and is being disclosed by the SAMRU.
9.2 Requests must be in writing and include sufficient detail to allow the SAMRU to identify any record in our custody or under our control containing the personal information requested. While the SAMRU may, in its discretion, respond to such requests sent and received via email, the SAMRU reserves the right to not accept requests, complaints or other inquiries under this Policy via email.
9.3 The SAMRU will respond to requests in the time allowed by PIPA and will make a reasonable effort to assist applicants and to respond as accurately and completely as reasonably possible.
9.4 The SAMRU is not permitted to charge fees for requests for personal employee information or for corrections to errors or omissions in personal information, but may charge fees for granting access to other personal information or the records containing such information.
9.5 The ability of an individual to require access to his or her personal information under the control of the SAMRU is not absolute. The law provides that the SAMRU is not permitted to disclose personal information where:
- the disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;
- the disclosure would reveal personal information about another individual; or
- the disclosure would reveal the identity of an individual who has in confidence provided us with an opinion about another individual and the individual providing the opinion does not consent to the disclosure of his or her identity.
9.6 The law further provides that the SAMRU may choose not to disclose personal information where:
- the personal information is protected by any legal privilege (the SAMRU's decision in that regard would be based on the rules concerning legal privilege and would be subject to the SAMRU obtaining any legal advice we considered necessary);
- the disclosure of the information would reveal confidential commercial information and it is not unreasonable to withhold that information;
- the personal information was collected by the SAMRU for an investigation or legal proceeding;
- the disclosure of the personal information might result in similar information no longer being provided to us when it is reasonable that it would be provided;
- the personal information was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he or she was appointed to act
  - under an agreement,
  - under a statute of Alberta, or of Canada, or of another province,
  - under a regulation of Alberta, a regulation of Canada or similar provision of the law of another province that, if enacted in Alberta, would constitute a regulation of Alberta,
  - under a legislative instrument of a professional regulatory organization, or
  - by a court; or
- the personal information relates to or may be used in the exercise of prosecutorial discretion.
The SAMRU reserves all of its legal rights, in its sole discretion, to choose to not provide access to information under the above circumstances.
9.7 PIPA provides that it is not to be applied so as to affect any legal privilege, so communications between the SAMRU and its legal counsel and other records and documents subject to legal privilege will generally not be subject to disclosure.
9.8 The SAMRU's response to requests for access to personal information will be in writing, and will confirm whether the SAMRU is providing all or part of the requested information, whether or not the SAMRU is allowing access or providing copies, and, if access is being provided, when that will be given. Where we are able to sever information we cannot or are not required to provide from information we are required to provide, we will provide the individual with access to the part of the record remaining after such information has been severed.
9.9 It is the policy of the SAMRU to respond to requests for information within the time period stated in PIPA, but the SAMRU reserves its rights to extend the time period where PIPA permits our doing so. Examples of where we can extend the time period include where the applicant does not give sufficient detail to enable us to identify the applicable records, or more time is needed to consult with another organization, a public body or a government or agency of a government of a jurisdiction in Canada.
9.10 If access to information or copies are refused by the SAMRU, we will provide written reasons for such refusal and the section of PIPA on which that refusal is based, along with the name of a person who can answer questions about the refusal, and particulars of how the requesting individual can ask the Information and Privacy Commissioner for Alberta to review our decision.
9.11 The law permits individuals, including employees, to submit written requests to the SAMRU to correct errors or omissions in their personal information that is in our custody or control. We reserve the right to require sufficient information and detail from the individual in question in order to properly locate the information and provide a response.
9.12 In the event that an individual alleges errors or omissions in the personal information in our custody or control, we will either:
- correct the personal information and, if reasonable to do so, send correction notifications to any other organizations to whom we disclosed the incorrect information; or
- decide not to correct the personal information but annotate the personal information that a correction was requested but not made.
PIPA provides that corrections or alterations shall not be made to opinions, including expert or professional opinions, as opposed to factual information.
CONTACTING OR COMMUNICATING WITH THE SAMRU
10.1 If you have any questions with respect to our policies concerning the handling of your personal information, or if you wish to request access to, or correction of, your personal information under our care and control, or if you wish to make a complaint about how the SAMRU handles your personal information, please contact the Executive Director of the Students’ Association or his or her designate as follows:
The Students’ Association of Mount Royal University
4825 Mount Royal Gate SW
Calgary AB T3E 6K6
10.2 Rulings of the Executive Director or his or her designate may be appealed to the Students’ Association Appeal Board. Rulings of the Appeal Board are generally final. However, under PIPA with respect to matters related to the collection, use or disclosure of personal information or your privacy, you have the right to contact the Office of the Information and Privacy Commissioner for Alberta at:
410, 9925 - 109 Street
Edmonton, AB T5K 2J8
Telephone (780) 422-6860 or Fax (780) 422-5682