Privacy Impact Check-list

When can personal information be disclosed within the University?

FIPPA section 42 (1)(d) permits University employees to share personal information in limited and specific circumstances:

  • when it is necessary to perform one’s duties;
  • when it is proper to the performance of one’s duties

In addition to consulting with supervisors, the following questions should be considered when sharing personal information within the University:

  • Does FIPPA apply?
    • Are there other legislations/policies that guide you?
  • Is it personally identifiable information or aggregate statistical information?
  • Is access to the information required to perform duties?
    • Are those duties part of the person’s position description?
  • Is all the personal information necessary and proper to the activity?
  • Could such access have been reasonably expected at the time the information was collected?
  • Will it be subsequently shared within/without the University?
  • Have security procedures for the collection, transmission, storage and disposal of personal information, and access to it, been documented?
  • Will it be kept for a minimum of one year?
  • Will the personal information be used exclusively for the purpose for which it is being obtained or compiled?
  • Where data linkages such as data matching or profiling occur, are they consistent with the stated purposes for which the personal information was collected?
  • Will the personal information be used in decision-making processes that directly affect individuals, such as eligibility for programs or services?
  • Has consideration been given to providing full disclosure of the purposes for which personal information is collected?
  • To ensure accuracy, does the record of personal information indicate the date of last information update?