Records relating to the University’s compliance with access to information and protection of privacy legislation.
This records class includes Personal Information Banks.
Related Records | Responsible Unit | Information Steward | Information Confidentiality Classification | Retention | Disposition | Authority | Retention Rationale | Other Units with Copies | Personal Information Banks | Version Information
Content & Scope
The University manages its records in a manner consistent with the Freedom of Information and Protection of Privacy Act (FIPPA), and health care practitioners employed by the University manage their clients’ personal health information in a manner consistent with the Personal Health Information Protection Act (PHIPA).
This records class excludes records documenting information security breaches and their investigation.
This class consists of records created as the University meets its obligations to provide access to and protect the privacy of information, including:
- Records of information access or correction requests, privacy complaints and investigations, and appeals;
- Records of consultations with University staff and administrators concerning information access and privacy, and the University’s responsibilities under information and privacy legislation;
- Annual statistical reports to the Information & Privacy Commissioner (IPC);
- Copies of notices of theft, loss, etc. of personal health information sent to affected individuals, the IPC, and governing Colleges, as required under PHIPA, and associated correspondence;
- Procedures for managing personal information and personal health information, including health information custodian's information management practices, contact information, procedures for individuals requesting access to or correction of a their personal health information records, and a description of how to make a complaint to the custodian and to the IPC;
- Indexes to the University’s personal information banks (PIBs), and the general classes or types of records prepared by or in the custody or control of the University (i.e., the directory of records).
Related Records
For records of information security breaches affecting the University’s information systems and their investigation, see IM30 – Information Security.
Responsible Unit
- Secretariat.
- Campus Wellness.
- Units responding to a privacy breach.
Information Steward
- Associate Provost, Students, for records of Campus Wellness.
- University Secretary, for all other records.
Information Confidentiality Classification
- Public: index of PIBs; directory of records; procedures for managing personal information and personal health information; and, copies of annual statistical reports to the IPC.
- Highly Restricted: copies of responsive documents for information access requests.
- Restricted: all other records.
Retention
- Case records for information access or correction requests, privacy breaches and complaints, appeals, and consultations with the Privacy Officer or delegate: 7 years after last action on the case.
- Index of PIBs, directory of records, and procedures for managing personal information and personal health information: 2 years after superseded.
- Copies of annual statistical reports to the IPC: 7 years.
Note: anonymized data derived from these records may be retained by the University until superseded or obsolete.
Disposition
Secure Destruction.
Note
Responsible Units should document the disposal/destruction of official records using the University records destruction form or equivalent documentation, to verify that we are following our records retention rules.
Authority
- Policy 46 – Information Management.
- Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31.
- Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A.
Retention Rationale
Retention is based on operational use.
Other Units with Copies
Units seeking guidance and assistance from the Privacy Officer.
Retention of Copies
No more than 2 years after last action on the case.
Disposition of Copies
Secure Destruction.
Personal Information Banks
Case records for information access or correction requests, privacy complaints, and appeals include the following personal information: name, contact information, record of payment, subject of request of complaint, and various types of personal information depending upon records requested, the nature of the complaint, or the requested change.
Under Review Date
12 February 2020