University Students’ Council of Western University

Personal Information Protection Policy

Authority: Board of Directors

Date Ratified: January 4, 2011

Previous Amendments: None

PURPOSE:

This Policy is created under the Human Resources Directive of Council. Its primary objective is to establish the USC’s compliance with the Personal Information Protection and Electronic Documents Act, which lists ten principles for personal information protection.

1.00 SCOPE

1.01 This Policy affects any USC employee, volunteer, and elected official who acquires or seeks to acquire a record of personal information about any other person while acting in their USC role.

(1) For the purposes of this Policy, “personal information” is defined as any

information about an identifiable individual, excluding the name, title or business address or telephone number of an employee of an organization.

(2) A “record” includes any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form or characteristics, and any copy of any of those things.

(3) “Privacy Administrator” shall be the individual within the Corporation responsible for the administration of this policy. The administrator shall be the Government Services Officer.

(4) A “USC affiliated fundraiser” is any charitable organization recognized by the

Canada Revenue Agency, and is affiliated with a USC ratified club or USC service, program or event.

1.02 This Policy does not affect:

(1) Personal information collected, used, or disclosed by an individual for personal or domestic purposes, and not for any other any other purpose; or,

(2) Personal information collected, used or disclosed by the USC for journalistic, artistic or literary purposes and not for any other purpose.

2.00 INSTANCES IN WHICH PERSONAL INFORMATION MAY BE COLLECTED

2.01 Personal information may only be collected from an individual if there is a meaningful purpose for such collection that is relevant to the functioning of the USC.

(1) Information needed from some members of a group shall not arbitrarily be

requested from all members of the group.

(2) The USC shall never request or otherwise compel any Student, employee, volunteer, or elected official to identify their sexual orientation.

i. Notwithstanding the above, information about sexual orientation may be collected where the anonymity of individuals is assured.

2.02 Whenever personal information is collected, the intended-use(s) of that information must be disclosed, and the individual must provide consent for the information to be used for that purpose.

(1) Utilization of collected information for a substantially different purpose requires that consent again be obtained.

(2) Consent may be express or implicit, and written or verbal, depending on the

circumstance. The collection or utilization of personal information that is of a highly sensitive nature (e.g. medical records) requires express written consent.

2.03 Instances where the collection of personal information are recognized as valid include:

(1) collection of an individual’s personal contact information (email address, phone number, and/or mailing address) in instances where the individual does not have equivalent business contact information, and there is a reasonable likelihood of contacting the individual in the future for business purposes;

(2) requesting a resume and personal statement (i.e. cover letter) from individuals seeking a position within the USC;

(3) collecting emergency contact information;

(4) collecting information required for insurance purposes; and,

(5) collecting information about an individual’s future availability, for the purposes of scheduling a business meeting or activity.

i. Requests about the specific activities that affect an individual’s availability (such as a student’s course schedule) are not usually necessary, and shouldn’t be requested unless the specific circumstances require it.

3.00 STORAGE & SECURITY OF COLLECTED PERSONAL INFORMATION

3.01 Records of personal information may exist in a variety of mediums, each with its own security considerations.

3.02 Records stored on a Computer

(1) Computer files must be secured in accordance with the Information Technology Security Policies and Procedures.

3.03 Records not stored on computers

(1) All personal records not stored on computers must be filed in a room that is always either locked, or under the supervision of a USC employee.

i. The distribution of keys shall be limited to the original recipient of the

personal information held in the room, USC administrative staff who have

been trained by the Privacy Administrator.

ii. Any USC employee supervising a room holding personal information

records must be trained by the Privacy Administrator.

(2) Any information that is particularly sensitive (such as salary records and other human resources documentation) must be exclusively accessible only to individuals who have been given consent to see the information. An additional security measure must be in place for such information, which may include:

i. locking the records inside of a drawer or filling cabinet inside of a room

that is locked or supervised as described above; or,

ii. maintaining a records storage room that only the Privacy Administrator, and trained designates of the Privacy Administrator have the ability to access.

4.00 USE OR DISCLOSURE OF INFORMATION

4.01 Personal information may never be used or disclosed without consent.

(1) Consent for the disclosure or use of personal information should be obtained during the collection of the information, as described above in Section 2.02. However, sometimes consent may be required after the collection of the information, as might occur if the USC wishes to use information for a purpose substantially different than the one for which it was originally collected.

4.02 Emails sent by an individual are considered as a type of personal information about that individual. The disclosure of emails to individuals other than the recipient must be limited, and purposeful.

(1) Express consent is required to disclose an email that is of a highly personal

nature.

(2) Implicit consent for disclosure may be present where an email is not clearly

directed at any one individual, or where the email has been sent to a large

number of people.

(3) Under normal circumstances, emails sent to a USC business email account

are interpreted as being directed at the position-holder. There is implied

consent for any individual holding that position in the future to view the

email.

4.03 Even where consent exists, it is strongly discouraged for employees, volunteers, and elected officials to use or disclose personal information without meaningful purpose.

(1) For instance, a commissioner may consent to providing their personal contact information to future commissioners of the USC. However, it would still be considered inappropriate to include their email address in the manual of every future USC commissioner, since the majority of them would have no use for the information.

4.04 USC affiliated fundraisers may collect student information beyond name and e-mail address.

(1) The fundraiser must provide written agreement that they will adhere to the USC Personal Information Protection Policy.

4.05 If ever it is necessary for a 3rd party to process personal information, such as in the case of an administrative officer who assists with record keeping, or in the case of a company contracted to provide a service requiring access to certain personal data (e.g. a survey):

(1) the 3rd party shall be required to agree to a confidentiality clause that protects the personal information from being further distributed; and,

(2) whenever practical, steps shall be taken to increase the anonymity of data being processed.

5.00 DESTRUCTION OF RECORDS

5.01 Except where otherwise required by law, records of personal information that are no longer of use or benefit to the USC must be destroyed within sixty (60) calendar-days of the expiration of their usefulness.

(1) This includes, for instance, the resumes and cover-letters of individuals applying for USC positions after the selection process has concluded.

(2) With consent, the personal information may be kept on record for a longer period of time.

5.02 Information which is intrinsically valuable as a historical record, but which is embedded with personal information, may be kept indefinitely.

(1) If it is practical, the personal information should be excised, or made anonymous.

(2) Historical records of this nature shall be treated as confidential.

5.03 Paper files that are destroyed must be shredded.

5.04 Digital files to be destroyed must be permanently deleted. Any copies of the original file on other devices must also be deleted.

6.00 DOCUMENTATION

6.01 Anytime an individual provides consent for the collection, use, and/or disclosure of their personal information for a specific purpose, the nature and extent of their consent must be documented.

(1) Documentation may be digital or physical, but must be retrievable by the Privacy Administrator.

6.02 Documentation regarding consent must be maintained for at least as long as the

personal information collected is being used or kept on file. After a record of personal

information has been destroyed in accordance this policy, the records of consent must be maintained for at least six (6) months.

7.00 RIGHTS OF INDIVIDUALS

7.01 Any individual may request to know what personal information records the USC has on file about them, and may:

(1) request to see the record(s);

(2) request a correction a record to ensure its accuracy;

(3) withdraw consent and request that the record be destroyed.

7.02 Excepting extreme or unusual circumstances, the USC commits to responding to

requests within thirty (30) calendar-days.

7.03 Additionally, any individual may file a complaint about the USC’s personal information protection. Such complaints may be directed to the USC Privacy Administrator, or the Canadian Privacy Commissioner.

8.00 PROCEDURAL AUTHORITY

8.01 Further procedures necessary for the effective and efficient implementation of this

policy shall be established and amended as necessary.

(1) The scope of such Procedures is limited to the scope of this policy.

(2) In the event of any conflict, this Policy supersedes any Procedures created under it.

(3) Any new Procedures or amendments to existing Procedures must be ratified by the Executive Council before taking effect.

8.02 Any Procedures ratified by the Executive Council, or any subsections therein, may be repealed by a resolution of Council.