Freedom of Information and Protection of Privacy: Privacy and Access to Information Procedures Procedures

Roles and Responsibilities

1. As the Head of a public body, the President of VCC:
   
   
   
   1. Has ultimate responsibility for all matters related to VCC's privacy and access to information obligations under the Act.
   
   
   2. May delegate, pursuant to section 66 of the Act, any duty, power or function of the head of the public body under the Act, except the power to delegate.
   
   
   
   


2. Pursuant to section 66 of the Act, the Head has delegated responsibilities and obligations under FIPPA to VCC's Privacy Officer: the Associate Director of Risk Management and Privacy.


3. The Privacy Office is responsible, in consultation with senior College officials, for establishing policy and protocols to facilitate VCC's compliance with the legislative requirements of the Act. The Privacy Office is the primary point of contact for all privacy and access matters.  


4. All Employees and Board members:
   
   
   
   1. Are responsible for complying with the Act and College policies and procedures when they collect, access, use, disclose, store, and dispose of Personal Information while working or providing services for the College;
   
   
   2. Are responsible for securing and protecting any Personal Information they create, receive, or access while working or providing services for VCC;
   
   
   3. Will only access Personal Information as authorized and as needed to perform their duties, and will not use or disclose Personal Information other than for the purpose for which it was collected or disclosed;
   
   
   4. May receive a request for access to information or records and will act in accordance with these procedures and their requirements under the Act;
   
   
   5. Must immediately report any suspected Privacy Incident or Breach, following the Privacy Breaches and Complaints Procedures, and cooperate fully with any investigation into a Privacy Incident or Breach;
   
   
   6. Are responsible for complying with the terms of the Privacy Protection Schedule, if a Service Provider.
   
   
   
   


5. Employees and Board members have a legal obligation to comply with the requirements of the Act. Individuals who maliciously contravene this policy or the legislation may be subject to discipline or legal proceedings, depending on the severity of the contravention. 

Collection

6. VCC collects Personal Information only for purposes authorized under the Act. This may include Personal Information collected from Students, Employees, Board members, or Community Members.  Collection must be:
   
   
   
   1. Expressly authorized by legislation;
   
   
   2. Necessary for the purposes of law enforcement; or
   
   
   3. Necessary for the operation of a program or activity of VCC. 
   
   
   
   


7. The College will collect an individual's Personal Information directly from the individual when possible, in accordance with section 26 of the Act. The College will obtain the individual's informed consent to collect their Personal Information as required by the Act.


8. When collecting Personal Information directly from an individual, the College must ensure that the individual is told:  
   
   
   
   1. The purpose for collecting the Personal Information;
   
   
   2. The specific uses of the Personal Information;
   
   
   3. The legal authority for the collection of the Personal Information; and
   
   
   4. The contact information for someone in the College who can answer questions about the collection, use, and disclosure of their Personal Information.
   
   
   
   


9. The College may only collect an individual's Personal Information indirectly as authorized under section 27 of the Act.

Use

10. The College will only use the Personal Information it creates, receives, or accesses for the purpose for which it was collected, or for a use consistent with that purpose. A use consistent with that purpose has a reasonable and direct connection to the original stated purpose.


11. The purpose must be related to supporting the College's business operations or instructional programs or activities and may include, but is not limited to:
    
    
    
    1. Providing education, research, and administrative services;
    
    
    2. Communicating with students, faculty, staff, alumni, donors, and other individuals;
    
    
    3. Administering scholarships, bursaries, and other financial assistance;
    
    
    4. Complying with legal and regulatory requirements;
    
    
    5. Investigating incidents and enforcing the College's rules and policies;
    
    
    6. Evaluating and improving the College's programs and services.
    
    
    
    


12. If use extends beyond the original purpose of collection, the College must obtain a person's informed consent for its use. Service Providers will follow the requirements of their Privacy Protection Schedule.  

Disclosure

13. The College and its Service Providers will treat Personal Information with the highest degree of confidentiality and will disclose an individual's Personal Information to a third party inside or outside of Canada only as authorized under section 33 the Act. This includes:
    
    
    
    1. Disclosing the Personal Information only for the purposes of the program and/or services for which it was collected;
    
    
    2. As required by law; or,
    
    
    3. In specific circumstances with the consent of the relevant individual.
    
    
    
    


14. Requests for a disclosure of Personal Information from law enforcement or emergency personnel must be directed to the Department of Safety, Security, Risk, and Privacy and requires a notification to the Privacy Officer.

Accuracy and Correction

15. VCC will make every reasonable effort to ensure that Personal Information in its control or custody is accurate and complete.


16. VCC will follow the Correction of Personal Information Procedures to address any requests to correct or annotate individuals' Personal Information.
    
     

Retention

17. Units, departments, or offices (Departments) will retain any Personal Information, or any Record containing Personal Information, for at least one year after the Personal Information is used to make a decision that directly affects an individual.


18. Records may be retained for longer than one year to meet with the requirements of VCC's Records Retention Schedule (RRS) and Records Management Policy, and Records will be disposed of in accordance with the Records Management Policy. 

Protection and Security

19. VCC protects Personal Information in its custody or under its control through reasonable security measures appropriate to the sensitivity of the personal information, including:
    
    
    
    1. Physical safeguards (i.e. locked filing cabinets, staff-only access, securely stored computing equipment);
    
    
    2. Administrative safeguards (i.e. VCC policies, education and training, role-based user access controls, proper Privacy Protection Schedules in contracts, accessing personal information on a need-to-know basis); and
    
    
    3. Technical safeguards, as defined by the VCC Cyber Security Standards.
    
    
    
    


20. Employees and Board members must take measures to protect digital and paper records containing Personal Information when travelling or working offsite at another location.


21. Employees and Board members must use their VCC-assigned corporate accounts when conducting any VCC business, and should:
    
    
    
    1. Avoid sending Personal Information via email;
    
    
    2. Never use personal identifiers in the subject of an email;
    
    
    3. Send documents securely and encrypted if possible; and
    
    
    4. Only use records and data storage solutions that are approved by VCC.
    
    
    
    

Education & Training

22. VCC requires all Employees to complete VCC's Privacy and FOI Training Modules.
    
    
    
    1. Employees will complete these modules when they are hired to VCC.
    
    
    2. Employees will review the modules when required by People Services to ensure that their knowledge is current.
    
    
    
    


23. The Privacy Office will provide other privacy and access education and training opportunities to the College, including by consultation or advice as needed. 


24. All Employees are required to be aware of their rights and responsibilities under the Act.

Privacy Breaches and Complaints

25. VCC will follow the Privacy Breaches and Complaints Procedures to address any Privacy Incidents, Privacy Breaches, or other suspected or confirmed unauthorized disclosures of personal information, or any Complaints about the collection, use, or disclosure of personal information.

Information Sharing Agreements

26. The College will complete an Information Sharing Agreement (ISA) before beginning any initiative that involves the College and another organization, including another public body, jointly collecting, using, and/or disclosing Personal Information. The ISA will document the conditions for the collect, use, and/or disclosure of Personal Information and be approved by the party within VCC responsible for the initiative, and the other parties. The Privacy Office will maintain a file of the completed ISAs.

Privacy Impact Assessments

27. Any Department or Employee undertaking a new initiative or making a significant change to an existing initiative is required by the Act to complete a Privacy Impact Assessment (PIA). An initiative includes any enactment, system, project, program, or activity of VCC (including, but not limited to, new software or information systems). A significant change includes any change to the collection, use, or disclosure of Personal Information, including the disclosing of Personal Information outside of Canada for storage.


28. The Employee initiating the PIA is responsible for ensuring that all information required to conduct the PIA is supplied to the Privacy Office and that there is adequate time to complete the PIA process.


29. An Employee from the Department undertaking the initiative must be accountable for and involved in drafting and completing the PIA.


30. PIAs will be reviewed and completed in accordance with the guidelines and process developed by the Privacy Office.


31. PIAs must be reviewed and signed by the appropriate signatories, including the Privacy Officer, before the initiative is implemented.


32. PIAs must be completed regardless of any other existing contracts, agreements, or technical or security assessments.


33. The Privacy Office will maintain a file of the completed PIAs.

Personal Information Banks

34. The Privacy Officer will develop and maintain a directory of Personal Information Banks and make it accessible to the public as required under the Act.

Access to Own Personal Information

35. An individual may make a request for their own Personal Information by contacting the relevant Department directly.


36. Departments will release the requested records to the individual if they only contain Personal Information about that individual.


37. Departments will verify the identity of an individual making a request for their Personal Information prior to disclosing it, following guidelines developed by the Privacy Office and without collecting additional Personal Information. Departments will obtain the individual's consent before releasing their Personal Information.


38. An individual may make a formal access request for any other records that are not routinely available information.


39. Departments will consult the Privacy Office if they are unsure about whether a request is for an individual's own Personal Information or whether records may be released.


40. Service Providers will follow the requirements of the Privacy Protection Schedule.

Access to Personal Information by Third Parties

41. Any requests for another individual's Personal Information from outside of the College must provide the College with proof that the requester is authorized to receive the Personal Information.


42. Departments will, as needed, develop and use consent forms for an individual to release their Personal Information to an authorized third party.  


43. Departments will not release any Personal Information to a third party without an individual's written consent or completed authorization form, even if the request is received verbally.


44. Departments may only disclose an individual's Personal Information to a third party without their authorization in specific situations as authorized by the Act, such as when the health and safety of the individual or others is at imminent risk.


45. Departments will consult with the Privacy Office when developing authorization forms or with any questions about releasing Personal Information to authorized third parties.

Access to Information and Freedom of Information (FOI) Requests

46. Departments may provide individuals with Routinely Available Information without requiring the individual to complete a formal access request under the Act.


47. The Privacy Officer will work with the College to designate categories of Records that will be made available to the public without the need to make a request in accordance with the Act. 


48. Some access to information requests that are not for Routinely Available Information may be fulfilled through offices such as the Registrar's Office or International Education, as established and authorized.


49. For all other requests that do not contain Routinely Available Information, individuals may make a formal request for access to records (FOI request).
    
    
    
    1. FOI requests must be for access to Records in VCC's custody or under its control.
    
    
    2. They must be in writing and provide enough detail to enable an experienced employee of VCC, with a reasonable effort, to identify the record sought.
    
    
    3. The applicant must also provide written proof of the authority of the applicant to make the request, if the applicant is acting on behalf of another person.
    
    
    4. Requests should be made to the Privacy Office at privacyandfoi@vcc.ca.
    
    
    
    


50. Employees who receive an FOI request must immediately direct the request to the Privacy Office at privacyandfoi@vcc.ca.


51. VCC may charge fees for an access to information request under the Act, other than for a request for the individual's own Personal Information, in accordance with section 75 of the Act. VCC will not charge an application fee.


52. The Privacy Office will contact Employees and Board members with a call for records when they are required to search and produce Records.


53. Employees and Board members will search all their and/or their Department's Records (including deleted items, drafts, digital and physical records, etc.) for Records that respond to the request, without interpreting the request too narrowly. Employees and Board members will:
    
    
    
    1. Be able to declare that they performed an adequate search; 
    
    
    2. Produce all the records they have that are responsive to the Privacy Office's request, without altering the records;
    
    
    3. Confirm that they have no responsive records, if that is the result of the search;
    
    
    4. Respond to a call for records within 5 business days of receiving the request.
    
    
    
    


54. The Privacy Office will respond to applicants and process all FOI requests in accordance with the timelines and procedures required by the Act.

Access for Research, Statistical, Archival or Historical Purposes

55. The College will allow access to Personal Information for research, statistical, archival, or historical purposes under conditions specified in sections 33(3)(h) and 33(4) of the Act, in accordance with other relevant College policies.