Privacy Impact Checklist

When can personal information be disclosed within the University?

The Freedome of Information and Protection of Privacy Act (FIPPA) section 42 (1)(d) permits University employees to share personal information in limited and specific circumstances:

• when it is necessary to perform one’s duties;
• when it is proper to the performance of one’s duties

In addition to consulting with supervisors, the following questions should be considered when sharing personal information within the University:

• Does FIPPA apply?
  • Are there other legislations/policies that guide you?
• Is it personally identifiable information or aggregate statistical information?
• Is access to the information required to perform duties?
  • Are those duties part of the person’s position description?
• Is all the personal information necessary and proper to the activity?
• Could such access have been reasonably expected at the time the information was collected?
• Will it be subsequently shared within/without the University?
• Have security procedures for the collection, transmission, storage and disposal of personal information, and access to it, been documented?
• Will it be kept for a minimum of one year?
• Will the personal information be used exclusively for the purpose for which it is being obtained or compiled?
• Where data linkages such as data matching or profiling occur, are they consistent with the stated purposes for which the personal information was collected?
• Will the personal information be used in decision-making processes that directly affect individuals, such as eligibility for programs or services?
• Has consideration been given to providing full disclosure of the purposes for which personal information is collected?
• To ensure accuracy, does the record of personal information indicate the date of last information update?