G3 – Freedom of Information and Protection of Privacy

Approver: President and CEO
Policy Owner: Chief Human Resources Officer
Date Approved: August 27, 2024

1. Preamble

1.1

Red River College Polytechnic (“RRC Polytech”) will conduct operations in a transparent manner that supports the right of public access to RRC Polytech records and maintains adequate and appropriate privacy protection for personal information collected, used and retained by the Polytech in compliance with relevant legislation.

2. Purpose

2.1

This Policy and its associated Procedures govern RRC Polytech’s practices related to access to records held by the College and the protection of privacy. The purpose of this Policy is to ensure compliance with applicable privacy legislation.

3. Application

3.1

This Policy applies to Personal Information and Personal Health Information collected by RRC Polytech and to records collected by, retained or destroyed by RRC Polytech.

3.2

All RRC Polytech employees shall conduct themselves in accordance with this Policy.

3.3

All members of the public who wish to access RRC Polytech’s records shall do so in accordance with this Policy and the associated Procedures.

4. Policy

4.1

RRC Polytech will assist individuals in obtaining access to records in accordance with the Procedures and as set out in FIPPA and PHIA, subject to the restrictions set out by law and the payment of fees as established in the Procedures.

4.2

For greater clarity, RRC Polytech values academic integrity. Consistent with the laws, RRC Polytech will not assist a member of the public in accessing teaching or research materials of RRC Polytech’s staff or faculty or in accessing a question that may be used on an examination or test.

4.3

RRC Polytech will make reasonable efforts to ensure the accuracy and completeness of information collected and/or retained by RRC Polytech. Further, RRC Polytech will assist individuals who wish to request a correction to their personal information, including Personal Health Information, as set out in the Procedures and as required in FIPPA and PHIA, subject to the restrictions set out by law.

4.4

RRC Polytech will collect Personal Information and Personal Health Information in accordance with FIPPA and PHIA where reasonably required for an authorized purpose under The Red River College Polytechnic Act or other provincial or federal legislation.

4.5

RRC Polytech will use Personal Information for the purposes for which it was collected or consistent with that purpose, where the individual has consented to the use or as permitted or required by law. Similarly, RRC Polytech will only disclose Personal Information as required or permitted by FIPPA and/or PHIA.

4.6

RRC Polytech will protect privacy by establishing and following reasonable physical, administrative and technical safeguards to prevent the unauthorized collection, access, use, disclosure or disposition of personal information as set out in the Procedures or other guiding documents.

4.7

RRC Polytech will store Records and dispose of Records in accordance with Records Authority Schedules established under The Archives and Recordkeeping Act.

4.8

RRC Polytech will inform individuals of a privacy breach that is reasonably expected to create a real risk of significant harm to that individual and will notify the Manitoba Ombudsman of that breach.

5. Responsibilities

5.1

The Chief Human Resources Officer has the responsibility to cause Procedures to be developed pursuant to this Policy and the authority to approve Procedures relating to the implementation of this Policy.

5.2

The Access and Privacy Officer has been delegated responsibility under the applicable legislation and acts as the “head” of the Polytech for the purposes of The Freedom of Information and Protection of Privacy Act and The Personal Health Information Act and is responsible for overseeing RRC Polytech’s compliance with the applicable privacy laws.

5.3

The Access and Privacy Coordinator is responsible for:

  1. advising employees of their duties and obligations respecting Personal Information;
  2. assisting applicants in the completion of formal requests for access to information;
  3. implementing processes to facilitate Access to Personal Information as set out in the Procedures;
  4. implementing processes to ensure the protection of Personal Information as set out in the Procedures;
  5. receiving records of security breaches involving Personal Information, conducting an investigation of such breaches, and providing recommendations to minimize the likelihood of a reoccurrence of such breaches;
  6. complying with mandatory reporting requirements imposed by law; and
  7. arranging for Employee training that is reasonably prudent.

5.4

RRC Polytech Leaders are responsible for ensuring that:

  1. the employees under their supervision comply with this Policy; and
  2. their departments follow appropriate collection, retention, destruction and security procedures with respect to Personal Information that is in their possession.

5.5

All RRC Polytech employees are responsible for:

  1. collecting, using and disclosing Personal Information as prescribed by this Policy and by law;
  2. complying with the Procedures concerning the protection of personal information;
  3. complying with the Procedures concerning reporting of potential privacy breaches; and
  4. sharing information with the Access and Privacy Coordinator as needed in order to respond to an access request or determine whether a breach has occurred or as otherwise requested.

6. Breaches

6.1

RRC Polytech employees who breach this Policy and any associated Procedures may be subject to disciplinary action up to and including dismissal.

7. Definitions

7.1

“Access” means the viewing or copying of a Record held in the custody or under the control of the Polytech.

7.2

“Access and Privacy Coordinator” is the RRC Polytech employee, typically a member of the Legal and Compliance Department, that is responsible for receiving applications for access to Records and for the day-to-day administration of The Freedom of Information and Protection of Privacy Act (“FIPPA”) as it applies to RRC Polytech. The Access and Privacy Officer may also act as the Access and Privacy Coordinator as required.

7.3

“Access and Privacy Officer” is the RRC Polytech employee appointed by RRC Polytech’s President and CEO pursuant to s.81 of FIPPA and Section 58 of The Personal Health Information Act (“PHIA”). The Access and Privacy Officer is deemed to be the “head” of RRC Polytech in relation to obligations imposed by FIPPA and PHIA.

7.4

“Disclosure” of Personal Information and Personal Health Information means making the information known, revealing, exposing, showing, providing, selling or sharing the information with any person or entity outside of RRC Polytech employees. FIPPA and PHIA permit disclosures of Personal Information and Personal Health Information for authorized purposes only and within limitations.

7.5

“Personal Health Information” is Recorded Information about an identifiable individual that relates to:

  1. the individual’s health, or health care history, including genetic information about the individual,
  2. the provision of health care to the individual, or
  3. payment for health care provided to the individual,

    and includes
  4. the Personal Health Information Number (“PHIN”) and any other identifying number, symbol or particular assigned to an individual, and
  5. any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.

7.6

“Personal Information” means Recorded Information about an identifiable individual, including:

  1. the individual’s name,
  2. the individual’s home address, or home telephone, facsimile or email number,
  3. information about the individual’s age, sex, sexual orientation, marital or family status,
  4. information about the individual’s ancestry, race, colour, nationality, or national or ethnic origin,
  5. information about the individual’s religion or creed, or religious belief, association or activity,
  6. personal health information about the individual,
  7. the individual’s blood type, fingerprints or other hereditary characteristics,
  8. information about the individual’s political belief, association or activity,
  9. information about the individual’s education, employment or occupation, or educational, employment or occupational history,
  10. information about the individual’s source of income or financial circumstances, activities or history,
  11. information about the individual’s criminal history, including regulatory offences,
  12. the individual’s own personal views or opinions, except if they are about another person,
  13. the views or opinions expressed about the individual by another person, and
  14. an identifying number, symbol or other particular assigned to the individual.

7.7

“Record” or “Recorded Information” means a Record of information in any form, including information that is written, photographed, recorded or stored in any manner, on any storage medium, or by any means, including by graphic, electronic or mechanical means, in the custody or under the control of RRC Polytech.

7.8

“Significant harm” includes bodily harm or humiliation to an individual, damage to the individual’s reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the individual’s credit rating or report, and damage to or loss of the individual’s property.

7.9

“Third Party”, in relation to a request for access to a Record or for correction of Personal Information, means any person, group of persons or organization other than (i) the person who made the request, or (ii) a public body.

7.10

“Use” of Personal Information and Personal Health Information means accessing, viewing, gaining entry to, hearing, receiving, reproducing, transmitting, employing or otherwise dealing with the information within RRC Polytech. Use of Personal Information and Personal Health Information must be for an authorized purpose of RRC Polytech and shared between RRC Polytech employees to the minimum extent reasonably necessary to fulfil the purpose.

8. Review Period

8.1

This Policy will be reviewed and updated as required within five years of its approval date.

9. Related Documents

  • Access to Records Procedures
  • Protection of Privacy Procedures
  • Information Classification and Handling Directive
  • The Freedom of Information and Protection of Privacy Act C.C.S.M. c. F175
  • Access and Privacy Regulation
  • The Personal Health Information Act C.C.S.M. c. P33.5
  • Personal Health Information Regulation
