Privacy Impact Check-list
When can personal information be disclosed within the University?
FIPPA section 42 (1)(d) permits University employees to share personal information in limited and specific circumstances:
- when it is necessary to perform one’s duties;
- when it is proper to the performance of one’s duties
In addition to consulting with supervisors, the following questions should be considered when sharing personal information within the University:
- Does FIPPA apply?
- Are there other legislations/policies that guide you?
- Is it personally identifiable information or aggregate statistical information?
- Is access to the information required to perform duties?
- Are those duties part of the person’s position description?
- Is all the personal information necessary and proper to the activity?
- Could such access have been reasonably expected at the time the information was collected?
- Will it be subsequently shared within/without the University?
- Have security procedures for the collection, transmission, storage and disposal of personal information, and access to it, been documented?
- Will it be kept for a minimum of one year?
- Will the personal information be used exclusively for the purpose for which it is being obtained or compiled?
- Where data linkages such as data matching or profiling occur, are they consistent with the stated purposes for which the personal information was collected?
- Will the personal information be used in decision-making processes that directly affect individuals, such as eligibility for programs or services?
- Has consideration been given to providing full disclosure of the purposes for which personal information is collected?
- To ensure accuracy, does the record of personal information indicate the date of last information update?