All Ontario Universities and Colleges are responsible to fulfill the requirements of the Freedom of Information and Protection of Privacy Act (FIPPA for short).

• FIPPA was enacted to ensure that Ontario’s publicly funded institutions are transparent and accountable to the people of Ontario through access to information and the protection of privacy
• FIPPA is enforced through the office of the Information and Privacy Commissioner of Ontario (IPC)

Two Key Principles of FIPPA:

Public access to information

• The public has a right to request records that the institution has in its custody or under its control.

The protection of personal privacy

• The institution has a responsibility to protect personal information and other kinds of sensitive records from unauthorized uses and disclosures.

An Institutional Record means any record:

• in the custody or under the control of the institution;
• created or received, and maintained as evidence of institutional decisions, transactions, and relationships; and,
• relevant to the administration and operation of institutional activities.

What is considered Personal Information?

• FIPPA defines Personal Information as information about an identifiable individual
• This includes, but is not limited to, such basic details as name, address, telephone number, gender, age and marital status, employee number, student number, health information, education and employment history, and financial data
• An individual’s name on its own is not personal information unless it discloses other information, which if unauthorized, would be an invasion of privacy
• Personal Information does not include the name, title, business address, and business contact numbers of an employee

Learn More

Institutions may have a policy detailing:

• Access to Information and Protection of Privacy

What if I’m dealing with Personal Health Information?

Generally, even if you are handling records containing health information, FIPPA will continue to apply. The Personal Health Information Protection Act (PHIPA) only applies to the institution’s units/departments that provide health care on the institution’s behalf. Institutions will have health care providers who act as Health Information Custodians within the context of PHIPA, and may include the following:

• Student Health Services
• Personal Counselling Services

Employees of one of the above units should complete PHIPA Training.

Collection Notice Requirements

An institution must inform the individual to whom the information relates that a personal information collection has occurred. Whenever possible, the notice should be provided to an individual at the time of collection, or included on program forms and communications.

The notice to the individual must state:

• The legal authority for the collection;
• The principal purpose or purposes for which the personal information is intended to be used; and
• The title and business contact information of an official of the institution who can answer the individual’s questions about the collection.

Notice must be provided each time there is a collection. The notice should address separate legal authorities or collections if a form is used for multiple purposes.

Example

Brock University’s Collection Notice Template:

Brock University protects your privacy and your Personal Information. The Personal Information requested on this form is collected under the authority of The Brock University Act, 1964, and in accordance with the Freedom of Information and Protection of Privacy Act (“FIPPA”). The information will be used to [specify purpose for collecting the Personal Information]. Direct any questions about this collection to the [contact position], of the [your department] at Brock University at (905) 688-5550, ext. [XXXX] or see www.brocku.ca/[your departmental website].

Click here for the next module: Part 2 – Disclosing Personal Information

When is it appropriate to share Personal Information (PI)?

Sharing PI – INTERNALLY

• You should only disclose PI to a fellow employee if they need the information in the performance of their duties.​

Share PI – EXTERNALLY in Limited Circumstances 
(as permitted by FIPPA)​

Personal information can be shared externally:​​

• For the purpose collected​
• With the consent of the individual to whom it relates​
• Compelling circumstances affecting health and safety​
• Other limited circumstances (e.g. law enforcement proceedings)​

While it is important to recognize that personal information is protected by Ontario’s privacy and access laws, it is also important to realize that these protections are not intended to stand in the way of the disclosure of vital – and in some cases, life-saving- information in emergency or other urgent situations.

Compassionate Circumstances – In situations calling for compassion, when there is a need to notify the spouse, close relative, or a friend about an individual who is injured, ill or deceased, you may disclose personal information without consent in order to facilitate this contact. FIPPA allows this discretionary disclosure, as permitted under FIPPA section 42(1)(i).

FIPPA requires we must notify the individual to whom the information relates, if it is practicable to do so. (i.e., mail to last known address).

If you need consent to share personal information outside of the institution, there are consent templates for this purpose. Generally, it is the institution’s preference to release directly to the individual and the individual can then share their own information as needed.

Learn More

Institutions may have policies detailing:

• Use and Disclosure of Personal Information
• Use of Personal Information for Fundraising
• Protecting Students Health Privacy
• Best Practices for Security Measures for Protecting Personal Information

Click here for the next module: Part 3 – Privacy Breach Prevention & Response

What is a privacy breach?

• A privacy breach occurs when personal information (PI) is disclosed in contravention of the FIPPA.

Examples of real breaches:

• Lost or misplaced information (e.g., lost laptop)
• Stolen information (through hacking or physical theft)
• Unauthorized use (including viewing) or disclosure of information, whether accidentally or deliberately

When you suspect a privacy breach

Learn More

Institutions may have policies detailing:

• Privacy Breach Notification
• Breach Form
• IT Encryption Tools

Click here for the next module: Part 4 – Records Management

What is an Institutional Record?

An institutional record is evidence of work activity, capturing decisions made and actions taken, which exist in any formats (paper and digital information/data).

As an example, Brock’s Records Policy uses the following definition:

University Record means any record:

• in the custody or under the control of the University,
• created or received, and maintained as evidence of University decisions, transactions, and relationships; and,
• relevant to the administration and operation of University activities.
• The Freedom of Information and Protection of Privacy Act (FIPPA), Section 2, defines a record as “any record of information, however recorded”, and then gives many possible examples of types of records

What is NOT an Institutional Record?

Transitory records have a temporary utility and are not required for statutory, legal, fiscal, administrative, operational, or archival purposes.  Despite their short-term value they may contain sensitive and confidential or personal information and should be disposed of in a secure manner. Electronic formats should be permanently deleted, while paper should be shredded.

Examples of transitory records include:

• Convenience copies retained for reference (e.g., digital copies of the official record in paper form and filed as the official record; “cc,” “bcc,” or FYI copies.
• Copies of records retained when the original or primary record has been sent to another unit.
• Routine emails to schedule or confirm meetings or events
• Announcements and notices of a general nature

Where to store records?

Wherever possible, institutional records should be stored in secure locations, such as:

• Shared drive
• SharePoint​
• Other departmental applications (such as Workday, etc.)

Records stored in temporary storage locations should be transferred to these secure locations as soon as possible. Temporary storage locations include:

• Laptop hard drive
• Removable media (USB sticks)
• OneDrive (good intermediate step)
• Microsoft Teams
• Paper records

These locations are not suitable for the long-term keeping of records as they are not readily accessible to other employees who may have a legitimate need to access them. Additionally, there are no controls or safeguards to these documents.

Learn More…

Institutions may have policies detailing:

• Records Management Policy
• Records Retention Schedule
• Disposition Procedure & Forms

Click here for the next module: Part 5 – Your Working Environment

While working in the office, or remotely/from home, employees should remember that the documents and other information they create and use in their work are institutional records. ​

​You must still follow the institution’s Access to Information and Protection of Privacy Policy and its supporting Procedurese.g.https://brocku.ca/university-secretariat/fippa/ as you create, use, store and manage institutional records at home. This applies to all institutional records including those containing personal information.​

More about records and working from home

If you won the lottery…​

• What records and information would your replacement and your colleagues need to continue your work? ​
  • Would they be able to access your files and information?​
  • Would they be able to find your files and information? ​
• Best Practice: keep institutional records in an appropriate shared repository​
  • When convenient (Monthly? Weekly?), systematically transfer Records to a shared storage location​

Example:

• You get emails to institutional email that have important information in them.
• If you won the lottery, your team wouldn’t know what is in these emails, or even that these emails existed. ​

Suggestion:​

Once a week, transfer these emails to (for example) a team SharePoint site, and file them in a way that makes it easy to find them. ​

• Name the file something that indicates what the email is about​
• Be sure to store attachments separately​

*Alternative idea: transfer important emails to a shared email account, and make folders in Outlook to sort emails​.

Example:

You create or receive files (pdfs, word docs, presentations, or anything else) that need to be kept. These are stored on your computer, then uploaded to OneDrive. Your team doesn’t have access to your OneDrive, or even know that the files are there.

Suggestion:​

Set up a regular schedule to transfer your files to shared storage such as Shared drive, or SharePoint. Some departments might have a system that has document storage, or a different shared storage location that is appropriate.

• Name the file something that clearly indicates what the file is about
• Include dates at the end of the file so the latest version can be found easily
  • Use the format YYYY MM DD (i.e. 2022 12 08) so that all files with the same name fall chronologically
• Have a folder structure that will make it easy for someone else to find the right file.

Learn More

Institutions may have policies detailing:

• Access to Information and Privacy
• Records Management

Click here for the next module: Part 6 – Freedom of Information Requests

The public has a right to request/access most records by making a Freedom of Information (FOI) request. Freedom of Information (FOI) requests may be filed for any records produced in the course of your work at the institution, including records stored in personal use systems. Examples of records are emails, letters, reports, notes, photographs, and audio and video recordings. If it relates to University business, it can be requested!

The Privacy Office coordinates FOI requests, and is able to help you through the process.

Requests for information:

All FIPPA requests are to be submitted to and processed by the Freedom of Information and Privacy Office.  If there is a request for information affecting records in your area, the request is processed by the Freedom of Information and Privacy Office.

The Freedom of Information and Privacy Office employee(s) will process all FIPPA requests, and may contact the unit/department in order to the meet FIPPA’s requirements as follows:

• assist in locating records requested;
• determine if the requested record might contain personal information or third party information that affects the interests of someone other than the requester and, if so, allow the affected third party to make representations about the disclosure of this information;
• within 30 calendar days of receipt of a request, make records available, deny access or cite extraordinary circumstances resulting in a delay;
• give a written reason for denial; and
• inform the person being denied access of his or her right to appeal to the Information and Privacy Commissioner of Ontario (IPC) within 30 calendar days of receiving the institution’s response.

Records excluded:

FIPPA applies to all records, regardless of medium, in the custody or control of the institution, except for the following records (subject to certain limitations):

• Private donations to Archives;
• Labour relations and employment related records;
• Research records; and
• Teaching materials.

Subject to certain limitations, the institution may withhold records that contain:

• Advice or recommendations of a institutional employee or consultant;
• Information where the disclosure could reasonably be expected to prejudice the economic interests or competitive position of the institution;
• Plans relating to the administration of the institution that have not yet been put into operation or made public;
• Third party information if supplied in confidence and where disclosure could prejudice the interests of a third party; and
• Personal Information about individuals other than the requester where disclosure would constitute an unjustified invasion of personal privacy.

Learn More

Institutions may have policies detailing:

• Access to Information and Protection of Privacy Policy
• Access to University Records
• Making a Request for Information

Click here to access the Final Quiz.