G3 – Freedom of Information and Protection of Privacy – Protection of Privacy Procedure

1. Purpose

1.1

The purpose of this Procedure is to set out the processes RRC Polytech follows for the protection of all personal information (including personal health information) in its possession. These Procedures ensure compliance with applicable privacy laws, including The Freedom of Information and Protection of Privacy Act and The Personal Health Information Act.

2. Definitions

2.1

The terms used in this Procedure are to be read consistently with the definitions set out in Policy G3 and the RRC Polytech Glossary.

3. Application

3.1

These Procedures apply to Personal Information, including Personal Health Information referred to in Policy G3 collected by any department or employee of RRC Polytech.

4. Collection, Use and Disclosure of Personal Information

4.1

Subject to any exceptions permitted by law, RRC Polytech employees must only collect and use personal information required for an authorized purpose under The Red River College Polytechnic Act. Generally, personal information connected to RRC Polytech’s mandate and operations is an authorized purpose. Any employee who is unsure whether the collection of any particular type of information is authorized must consult with the Access and Privacy Officer or Coordinator for guidance.

4.2

Employees must use only as much Personal Information as is reasonably required to fulfill the purpose of collection.

4.3

Employees may use Personal Information for purposes other than the purposes for which the information was collected, where:

  1. an individual has consented; or
  2. the new purpose is consistent with the original purpose of collection, and the minimum amount of information is used to fulfill that related purpose.

4.4

Where there is uncertainty as to whether a new purpose being contemplated is consistent with the original purpose of the collection, employees must contact the Access and Privacy Officer or Coordinator for guidance.

4.5

Personal Information must not be disclosed to any individual or entity outside RRC Polytech unless the person the Personal Information is about has consented to the disclosure or the third party otherwise has a legal right to that Personal Information. Employees who are unsure should contact the Access and Privacy Coordinator for guidance as to whether a third party has a right of access to Personal Information.

5. Security of Personal Information

5.1

All Records containing Personal Information must be kept in a secure environment when not in use. Paper-based and similar Records containing Personal Information must be kept in a locked location when not in use. Electronic Records must be kept on a secure electronic medium with access protected by password. In addition, Records containing Personal Information on removable storage devices such as flash drives must be encrypted.

5.2

When Records containing Personal Information are removed from their secure environment for use permitted by the G3 Policy and by law, the College employee who is using the Records must take reasonable precautions to guard the confidentiality of the Records. When the College employee is no longer using the Records, they must immediately return them to their secure location.

5.3

Employees who are working remotely as permitted by RRC Polytech’s Remote Work Policy shall ensure that Records containing personal information remain in RRC Polytech’s secure electronic environment or are kept in a locked and secure location as approved by the employee’s manager.

5.4

The Access and Privacy Coordinator shall conduct an audit of security safeguards related to Personal Health Information every two years.

6. Electronic Information Systems for Storing Personal Health Information

6.1

Departments of the College which maintain Personal Health Information electronically, including, without limitation, Student Accessibility Services, Student Counselling Services, Health Services, and Human Resource Services, must maintain a record of user activity for the electronic system that complies with the requirements of PHIA.

6.2

Each record of user activity must be maintained for at least three years.

6.3

A designated person within each department must conduct regular audits, including random and focused audits, of records of user activity in accordance with the Manitoba government Guidelines for Records of User Activity.

6.4

In the context of student accommodation requests, any and all Personal Health Information requested or received by the College electronically must be received and stored within the Student Accessibility Services filing system and shall not be held in an Academic department folder or file.

6.5

In limited circumstances, students may provide electronic Personal Health Information to employees such as instructors, Chairs, Associate Deans, or Deans or to a committee established by RRC Polytech. Any employee or Committee that receives Personal Health Information from a student shall store the information by sending it to healthservices@rrc.ca, where it will be stored in electronic student files maintained and audited by the Health Services Department. The receiving employee or committee will delete and destroy the electronic Personal Health Information from their files afterwards.

7. Breach Procedures

7.1

Where an employee becomes aware of an existing or potential security breach of Records containing Personal Information, including Personal Health Information, the employee must immediately record the circumstances related to the breach or potential breach and forward it to the Access and Privacy Coordinator. The Access and Privacy Coordinator will investigate and provide recommendations, if any, on how to prevent such security breaches. All College employees must follow the recommendations of the Access and Privacy Coordinator.

7.2

Where the Access and Privacy Coordinator determines that a privacy breach has occurred which affects an individual, and there is a real risk of significant harm to the individual because of the breach, the Access and Privacy Coordinator must notify the Access and Privacy Officer of the breach.

7.3

Where the law requires it, or where it is not required but the Privacy Officer determines that it is appropriate, RRC Polytech will notify the individual(s) impacted about a privacy breach and, where required by law, notify the Ombudsman of the breach.

8. Retention and Destruction of Personal Information

8.1

RRC Polytech shall comply with The Archives and Recordkeeping Act by ensuring that retention and destruction of records containing Personal Information are carried out in accordance with the authorized Records Schedules maintained by the College.

8.2

Records pertaining to pending or actual legal action or investigation shall not be destroyed while that action or investigation is ongoing or anticipated to arise.

8.3

Records containing Personal Information, including Personal Health Information, must be retained by the department that collected it for a reasonable period in accordance with the applicable Records Schedule so that the individual that the information is about has a reasonable opportunity to access it.

8.4

For specific advice on how long a Record should be retained, College employees should contact the Access and Privacy Coordinator for direction. The Access and Privacy Coordinator will review the applicable Records Schedule and seek guidance from the Chief Information Officer and other College resources as appropriate when providing advice on retention.

8.5

Records containing Personal Information, including Personal Health Information, may only be destroyed in accordance with the applicable Records Schedule. Records must be destroyed in a secure manner that protects the privacy of the individuals that the Personal Information is about.

8.6

For specific advice on how to securely destroy Records, College employees should contact the Access and Privacy Coordinator for direction. The Access and Privacy Coordinator will review the applicable Records Schedule and seek guidance from the Chief Information Officer and other College resources as appropriate when providing advice on the destruction of Records. The College may prescribe further policies and procedures concerning the retention and destruction of Personal Information from time to time.

8.7

Where Records containing Personal Health Information are destroyed, the department which has undertaken the destruction of the Records must keep a destruction record naming the individual whose Personal Health Information was destroyed and the period to which the information relates. The destruction record must also note the method of destruction of the Records, and the person responsible for supervising the destruction. Departments must keep destruction records on file for 10 years.

9. Training and Documentation

9.1

The Access and Privacy Coordinator may deliver training from time to time.

9.2

Employees who are reasonably expected to have access to Personal Health Information in the course of their duties must sign a pledge of confidentiality satisfactory in form and content to the Access and Privacy Officer. The pledge of confidentiality shall be retained in the employee’s employment file managed by RRC Polytech’s Human Resource Services.
