November 4, 2012

PURPOSE

1.00 This policy articulates how Ocean Networks Canada (ONC) complies with the privacy components of the Freedom of Information and Protection of Privacy Act (FIPPA). ONC is an agency of the University of Victoria; as such it is responsible to the University of Victoria for managing the VENUS and NEPTUNE underwater observatory networks.

DEFINITIONS

2.00 Consistent Purpose means a use or disclosure of Personal Information which is consistent with the purposes for which the information was obtained or compiled if the use or disclosure:

has a reasonable and direct connection to that purpose, and is necessary for performing the statutory duties of, or for operating a legally authorized program of, the Unit that uses or discloses the information or causes the information to be used or disclosed.

3.00 Contact Information means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual.

4.00 Personal Information means recorded information about an identifiable individual other than Contact Information.

5.00 Employee in relation to ONC and the university includes a volunteer and a service provider.

6.00 Record includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which information is recorded or stored by graphic, electronic, mechanical or other means, but does not include a computer program or any other mechanism that produces records.

7.00 Surveillance Systems means an analog or digital video recording system (with or without audio) authorized and used by the university intended to monitor or record the activities of people or monitor or record an area that is accessible to the university community or public. For the purposes of this policy and its associated procedures, surveillance does not include the use of personal video equipment or the recording or broadcasting of public events or educational activities.

8.00 Unit means scientific or administrative areas at the agency, including but not limited to: projects, departments, divisions, offices, and centres.

JURISDICTION/SCOPE

10.00 This policy applies to all Employees, students and units of ONC. It applies to all Personal Information in the custody or under the control of ONC.

POLICY

11.00 ONC will manage all Personal Information in accordance with the FIPPA and the University of Victoria Privacy Policy (GV0235), collective agreements, contracts, and this and other applicable university policies and associated procedures.

Accountability for Personal Information

12.00 The President will designate an officer who will be responsible for the administration of this policy.

12.01 The Privacy Officer has been designated by the President as the privacy officer.

Privacy Officer

13.00 As the designated individual responsible, the Privacy Officer is responsible for the overall co-ordination of privacy functions and for request management within Ocean Networks Canada.

13.01 The Privacy Officer will carry out his or her duties in consultation with the ONC Executive.

Directors and managers

14.00 Directors and managers are responsible for:
making a reasonable effort to familiarize themselves with the requirements in the FIPPA, this policy and its associated procedures, and for making a reasonable effort to communicate these requirements to the Employees in their Units;

a) making a reasonable effort to ensure that the management of Personal Information in their custody or under their control meets the requirements of the FIPPA, this policy and its associated procedures; and
b) reporting any privacy incidents or breaches of the FIPPA, this policy or its associated procedures in accordance with the university’s Procedures for Responding to a Privacy Incident or Breach.

Employees

15.00 All Employees who collect, access, use, disclose, maintain and dispose of Personal Information are in a position of trust.

15.01 Employees are responsible for:

a) treating all Personal Information to which they receive access in accordance with the FIPPA and this policy;
b) making a reasonable effort to familiarize themselves and to comply with the requirements in the FIPPA, this policy, and its associated procedures;
c) consulting as necessary with the appropriate authority regarding the requirements in the FIPPA, this policy, and its associated procedures; and
d) reporting any privacy incidents or breaches of the FIPPA, this policy, or its associated procedures in accordance with the university’s Procedures for Responding to a Privacy Incident or Breach.

Openness about Personal Information Policies and Practices

16.00 ONC will make the following information available to an individual from whom Personal Information is being collected:

a) the purpose for which the Personal Information is being collected;
b) the legal authority to collect the Personal Information; and
c) the Contact Information of someone who can provide details about the collection.

Identifying Purposes for Personal Information

17.00 ONC and units within ONC collect Personal Information from students, partners, Employees and others in order to fulfill its mandate under the Agency Management Agreement.

17.01 ONC collects Personal Information as authorized by the FIPPA and the University Act.

17.02 ONC collects Personal Information that relates directly to and is necessary for an operating program or activity of the agency.

18.00 ONC will normally obtain either express or implied consent from an individual before collecting Personal Information, but may collect, use or disclose Personal Information without consent in limited circumstances where the FIPPA authorizes such activity.

Limiting Collection of Personal Information

19.00 ONC will normally collect Personal Information directly from the individual whom the Personal Information is about, but may collect Personal Information indirectly in limited situations where such collection is authorized by the FIPPA, another enactment, or the individual.

19.01 ONC may also collect Personal Information indirectly for purposes of:

a) determining suitability for an honour or award, including an honorary degree, scholarship, prize or bursary;
b) a proceeding before a court or a judicial or quasi-judicial tribunal;
c) collecting a debt or fine or making a payment;
d) law enforcement; or
e) any other purposes permitted by law.

Use, Disclosure, and Retention of Personal Information

20.00 ONC uses and discloses the Personal Information in its custody or under its control:

a) for the purpose for which that information was obtained or compiled or for a Consistent Purpose;
b) in a manner to which an individual has consented;
c) as permitted or required by the FIPPA or as authorized or required by other law;
d) for research and statistical purposes; or
e) for archival or historical purposes.

21.00 Employees must only seek to access and use Personal Information necessary for the performance of their duties.

22.00 Employees may allow other Employees to use Personal Information needed for the performance of their duties. Employees may also allow other Employees to use Personal Information if the FIPPA authorizes the use of that Personal Information.

22.01 If an Employee is in doubt whether to allow another Employee to use Personal Information, the Employee may consult with his or her Administrative Authority or manager as necessary.

23.00 ONC will disclose Personal Information to students and individuals or organizations outside the university as permitted by the FIPPA, as authorized or required by an enactment, as permitted by this policy and its associated procedures.

24.00 Disclosure of the following information without consent is permitted:

a) an Employee’s Contact Information;
b) information about an individual’s position, functions, or remuneration as an officer, Employee, or member of ONC;
c) names of individuals who have received degrees, the names of degrees those individuals received and the years in which the degrees were awarded; and
d) Personal Information about an individual in an emergency situation or where ONC Secretary (or designate) determines that compelling circumstances exist that affect anyone’s health or safety.

25.00 ONC will retain Personal Information collected from individuals in accordance with the FIPPA and the university-wide records classification, retention and disposition plan.

25.01 ONC will retain Personal Information used to make a decision about an individual for a minimum of one year.

Ensuring Accuracy of Personal Information

29.00 ONC will make a reasonable effort to ensure that the Personal Information in its custody or under its control is accurate and complete and will allow Employees and students to confirm the accuracy of this information.

29.01 Procedures for the correction of Personal Information are contained within the University of Victoria’s Procedures for the Access to and Correction of Information.

Safeguards for Personal Information

30.00 ONC will take reasonable steps to ensure that Personal Information in its custody or control is protected by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposition.

31.00 When ONC retains an external organization to undertake work on its behalf that involves the collection, use, disclosure or disposition of Personal Information, ONC will enter into an agreement with that organization that requires the organization to protect Personal Information in accordance with the FIPPA.

31.01 The University Secretary (or designate) may waive the requirement in section 30.00 in exceptional circumstances.

Individual Access to Personal Information

32.00 Individuals have a right to access Personal Information about themselves, subject to exceptions under the FIPPA. Access to Personal Information is provided in accordance with ONC‟s Access to and Correction of Information procedure.

33.00 Individuals have a right to request corrections to Personal Information about themselves, subject to exceptions under the FIPPA.

Challenging Compliance with the Privacy Policy

34.00 Individuals are entitled to challenge ONC’s compliance with this policy.

34.01 Employees who receive a complaint or inquiry about compliance with the policy should attempt to resolve the issue with the assistance of a supervisor.

34.02 Individuals may make a formal complaint or inquiry about compliance with this policy by contacting the University Secretary’s Office.

AUTHORITIES AND OFFICERS

I. Approving Authority: Board of Directors

II. Designated Executive Officer: President

III. Procedural Authority: President

IV. Procedural Officer: Privacy Officer

RELEVANT LEGISLATION

Freedom of Information and Protection of Privacy Act

Associated University of Victoria Policies

University of Victoria Privacy Policy (GV0235)

Associated University of Victoria Procedures

Procedures for Responding to a Privacy Incident or Privacy Breach
Procedures for the Management of University Surveillance Systems
Procedures for the Disclosure of Student Personal Information in Emergency or Compelling Circumstances
Procedures for the Management of Personal Information
University Information Security Classification Procedures
Procedures for Responding to the Loss or Theft of a Mobile Computing Device
Records Management Policy (IM7700)
Procedures for the Access to and Correction of Information
Procedures for the Management of University Records
Procedures for the Secure Destruction of University Information (forthcoming)
Information Security Policy (IM7800)
Procedures for Responding to an Information Security Incident
Directory of Records