Freedom of Information and Protection of Privacy

Category: Governance
Number: GOV-060-005
Audience: Board of Governors, all University employees, contractors, and third-party service providers
Revised: March 12, 2013
Owner(s): Executive Director (University Governance)
Approved by: Board of Governors
Contact: Executive Director (University Governance) - 306-585-5545

Introduction

This policy outlines the University’s position on access to information and protection of privacy under The Local Authority Freedom of Information and Protection of Privacy Act (the “Act”) and The Local Authority Freedom of Information and Protection of Privacy Regulations

The University of Regina (the “University”) affirms the importance of access to information and the obligation to conduct its operation in ways that are open to public scrutiny.  The University is also committed to the protection of privacy of those who work or study here. 

The Act provides every person a right to access records in possession or under the control of a local authority, subject to certain exemptions outlined in Section 5.

Policy

Members of the University’s Board of Governors and all faculty and staff are responsible for the appropriate collection, access, use, disposal/archival and disclosure of information as defined in the Act, Regulations, and this policy.

Contractors and third party service providers who receive confidential University records or personal information are also required to comply with the Act, Regulations, and this policy.

Access Guidelines

  • Information in University records should be available on request in accordance with the Act.  Access to Information may be limited by exceptions under the Act and Regulations, and certain other restrictions, including library circulation policies, copyright regulations, and licensing agreements.
  • The process for requesting information under the Act is shown in Figure 1 and follows the process outlined in the Act.  Applications for requests for information and the required nonrefundable fee specified in the Regulations should be sent to the Head.  An access request is deemed to be made when the application form and application fee are received by the Head.  Fees for searching for a record, preparing a record for disclosure and reproducing a record may be charged as provided for in the Regulations. 

Protection of Privacy

  • Personal information about an identifiable individual is protected under the Act and will not be used or disclosed except for the specific purpose for which it is collected or in accordance with one of the exceptions in the Act or the Regulations.
  • Subject to the Act and Regulations, individuals are entitled to access their own personal information and to request correction of the personal information where they believe there is an error or omission. 

Roles and Responsibilities

The Board of Governors has designated the Executive Director (University Governance) as Head on all matters related to freedom of information and protection of privacy.

The Head:

  • is responsible for implementation of this policy within the University,
  • receives requests for access to University records either directly or by referral from other members of the University community,
  • works with the appropriate department, faculty of operational unit to respond to a request,
  • makes the final decision concerning a request and communicates the University’s decision in writing to the person making the request as required by the Act,
  • oversees the adoption of record-keeping and disclosure practices consistent with this policy and the Act, and
  • investigates any complaints about unauthorized disclosure of personal information on the University’s behalf.

Consequences for Noncompliance

A breach or unauthorized disclosure may have ramifications for the University, which could include: legal action; financial costs; imposition of fines; and, the loss of reputation.  Individuals who breach the Act or misuse personal information may also be subject to disciplinary actions. 

Processes

Process for a Request for Information

See Figure 1 – Routing of Requests under the Freedom of Information and Protection of Privacy Act.

Process for a Breach in Privacy

  1. If you become aware of a privacy breach involving personal information in the custody or control of the University notify the Head immediately.
  2. The Head will investigate to confirm the privacy breach, usually within 24 hours of the notification.
  3. The Head will decide who within the University to notify depending on the scope of the breach.
  4. The Head will take the following steps to contain the breach:
    1. Work with the unit to contain the breach.  This could include recovering records, correcting weaknesses in security, etc.
    2. In consultation with University officials, notify the police if the breach involves, or may involve any criminal activity.
    3. Notify affected individuals as soon as possible following the breach or have the police determine notification.
    4. Report the privacy breach to the Office of the Privacy Commissioner.
    5. Work with the unit to mitigate the risk of any further privacy breach.

Related Information