
Access to Information and Protection of Personal Information Policy


1. BACKGROUND

1.1 On January 31, 2005, the College created its policy in relation to the protection of personal information and electronic documents. The policy recognized the commitment made by the College to protect privacy while, at the same time, providing procedures for the collection, use, and disclosure of information by the College.

1.2 The College is a special member of the community. While it is created by statute and delivers a variety of services to the public, the College is an autonomous institution that has its own governing body, manages its own affairs, allocates its own funds, develops its own relationships with private individuals, businesses and industries, and offers its own diverse range of academic, vocational, and professional programs. This Policy is a reflection of the unique position of the College in the community and must be interpreted with these principles in mind.


2. PURPOSE

2.1 The purpose of this Policy is to enhance the College’s continued commitments to:

  a) providing access to information;
  b) protecting personal information and privacy; and
  c) setting out the processes for handling access to information requests (“access requests”) and breach of privacy complaints (“privacy complaints”).

3. SCOPE

3.1 This Policy applies to:

  a) all requests for access to information maintained by the College; and
  b) all members of the College community with access to information maintained by the College.

4. EFFECTIVE DATE

4.1 This Policy is effective May 1, 2017 and shall apply to all information created by the College after the effective date of the Policy.

4.2 All requests for information before the effective date of this Policy shall be determined in accordance with the policies and practices in effect at the College at the applicable time.


5. ACCESS TO INFORMATION

5.1 The College routinely makes large amounts of institutional and other information available to the public on its website. The College is committed to continuing this online practice. If information is not available on the College’s website, an access request may be filed with the Office of the Chief Privacy Officer (the “Privacy Office”) in accordance with this Policy.


6. PRIVACY

6.1 The College is committed to maintaining and protecting the integrity of personal and other confidential information. If a person believes his or her privacy rights have been breached, the person may file a privacy complaint with the Privacy Office in accordance with this Policy.


7. OFFICE OF THE CHIEF PRIVACY OFFICER

7.1 The Privacy Office handles access requests and privacy complaints made to the College. The Privacy Office also carries out other associated duties, such as:

  a) educating College staff on access to information and privacy;
  b) assisting College staff members in conducting searches and addressing complaints;
  c) clarifying and responding to access requests;
  d) preparing fee estimates;
  e) investigating and remedying complaints;
  f) reporting on the number of access requests and complaints; and
  g) representing the College in interactions following an access request or privacy complaint.

8. PROCESS FOR HANDLING ACCESS REQUESTS

8.1 Basic Steps

8.1.1 The steps in processing an access request may vary depending on the nature of the request. Generally, the Privacy Office follows these basic steps:

  a) An access request means a request for access to institutional or personal information. An access request shall be submitted in writing, addressed to the College’s Chief Privacy Officer (the “Privacy Officer”), and must provide sufficient detail to enable the Privacy Office to identify the record(s) sought. The person making the request (the “Requester”) must also pay the initial fee and complete the Access Request Form (QF175). In exceptional situations, the Privacy Officer may authorize an access request to be accepted in some other format for the purpose of accommodating the personal circumstances of the Requester;
  b) The Privacy Officer shall consider the access request and determine whether it would be appropriate to conduct a search for responsive records;
  c) If appropriate, the Privacy Office contacts staff responsible at the faculty, administrative office, or service to conduct a search for records responsive to the access request;
  d) The records located as a result of the search are sent to the Privacy Office. The Privacy Officer reviews the records to determine whether exemptions and/or exclusions apply;
  e) The Privacy Office notifies the Requester about the Privacy Officer’s decision whether to release the records in part or in their entirety and provides an estimate of the fees associated with the release of the records; and
  f) Once the Requester pays the fees associated with the access request, the Privacy Office sends copies of the responsive records to the Requester.

8.2 Exemptions and Exceptions

8.2.1 There are certain types of records that are exempt from disclosure to protect institutional interests, the privacy of others, confidentiality, ongoing operations of the College, and other interests important to the College. For example, exemptions and exceptions include, but are not limited to, any information that:

  a) is an invasion of privacy;
  b) may be harmful to the interests of the College, a third party, or an individual;
  c) may negatively affect a relationship important to the College;
  d) may affect public safety or the health or safety of an individual;
  e) is confidential or is shared in confidence with the College;
  f) relates to a policy, project, or other matter under consideration by the College;
  g) relates to employees, labour relations, or student relations at the College;
  h) relates to an investigation;
  i) relates to a legal or administrative proceeding;
  j) relates to a disciplinary matter;
  k) is protected by any form of privilege;
  l) relates to legal advice given to the College; or
  m) relates to a request that is frivolous, vexatious, and an abuse of the Policy.

8.2.2 A record may contain information about an individual other than the Requester. Generally, information related to another individual is not disclosed.

8.2.3 A record may contain information that reveals commercial, financial, confidential or other information belonging to an external person, entity or organization. Generally, information related to another party is not disclosed.

8.3 Fees

8.3.1 The College charges fees for the processing of access requests. Responding to an access request requires the College to expend both human and financial resources. An initial and non-refundable fee must therefore be paid to the College before the Privacy Office begins to process the access request, and records shall not be released until the Privacy Office receives payment in full of all fees associated with the request. All costs incurred by the College will be the responsibility of the Requester and vary depending upon the size and complexity of the access request. Information on fees is found in the Fee Schedule attached in Appendix A, which forms part of this Policy.


9. PROCESS FOR HANDLING PRIVACY COMPLAINTS

9.1 Complaint

9.1.1 For the purpose of this Policy, a privacy breach occurs when there is unauthorized disclosure of personal information or someone has obtained unauthorized access to personal information. If a person believes his or her privacy rights have been breached, the person may file a privacy complaint in writing, addressed to the Privacy Officer, with the Privacy Office. The person making the complaint must complete the Privacy Complaint Form (QF176). In exceptional situations, the Privacy Officer may authorize a privacy complaint to be accepted in some other format for the purpose of accommodating the personal circumstances of the individual.

9.2 Basic Steps

9.2.1 The steps in processing a privacy complaint may vary depending on the nature, circumstances, and complexity of the complaint. Generally, the Privacy Office follows these steps:

  a) receipt of the privacy complaint;
  b) communication with the faculty, administrative office or service, and person(s) involved with the complaint or who may have knowledge of the circumstances;
  c) consultation with other appropriate authorities and/or external entities, if necessary; and
  d) notification of the individual who filed the complaint as to the outcome of the complaint and informing them of any steps taken to resolve the complaint.

10. PROTECTION OF PERSONAL INFORMATION

10.1 Personal Information

10.1.1 Personal information is regularly collected by the College from students, employees, alumni, donors and other individuals, and this information is intended to be used for the purpose of administering programs and activities at the College, delivering services at the College and carrying out the operations of the College, including:

  a) recruitment, admission, registration, evaluation, and/or graduation in an academic and non-academic program;
  b) student associations and organizations, including the alumni association;
  c) financial assistance and awards;
  d) development and fundraising activities;
  e) institutional planning and statistics;
  f) reporting to government agencies and/or professional organizations;
  g) employment;
  h) safety and security; and
  i) print, electronic, and internet publications.

10.2 Disclosure

10.2.1 It is the general policy of the College not to disclose personal information to external individuals or organizations unless:

  a) the individual was notified of the disclosure when the personal information was collected;
  b) the individual has consented to the disclosure or the disclosure is consistent with the purpose for which the information was collected;
  c) disclosure is permitted or required by law;
  d) the information is public information; or
  e) disclosure is authorized under this Policy.

10.3 Correction

10.3.1 Individuals have a right to request access to their own personal information and to request the correction of their personal information. Those who wish to obtain access to their personal information or to request a correction should begin by contacting the faculty, administrative office, or service that has possession of the information at the College. Depending on the nature of the request, it may require a written request addressed to the Privacy Officer.


11. RECONSIDERATION

11.1 If an individual disagrees with a decision made by the Privacy Officer under this Policy, the individual may submit a written request for reconsideration to the College’s Vice-President Corporate Services within thirty (30) days of the date of the decision. The decision of the Privacy Officer shall be reconsidered by the Vice-President Corporate Services within thirty (30) days and his/her decision shall be final. In the event that the decision under reconsideration relates to the Vice-President Corporate Services or a conflict of interest exists, then the Vice-President Corporate Services shall designate another Vice-President at the College to hear and decide the request for reconsideration.


12. RESPONSIBILITIES

12.1 The development and maintenance of this Policy is the responsibility of the President of the College.

12.2 The administration of this Policy is the responsibility of the Privacy Office as set out above.

