Access and Privacy at UWinnipeg

FIPPA – Collection, Use, Disclosure, and Protection of Personal Information

This guideline provides instructions for the collection, use, disclosure, and protection of personal information (PI), according to the provisions of The Freedom of Information and Protection of Privacy Act (FIPPA).

This guideline is intended for all employees of the University of Winnipeg and is applicable to all personal information collected, used, or disclosed in the conduct of official University business. Additional procedural guidelines are available to assist University employees in fulfilling their duties under FIPPA.

Collection of Personal Information

University employees are permitted to collect PI only if the collection is necessary for an existing function or activity. In addition, collection must be limited to the minimum amount of information necessary to accomplish the function or activity.

When collecting PI, employees must also:

• Notify the individual of the purpose for which the information is being collected;
• Provide the individual with the contact information of an employee who can answer the individual’s questions about the collection; and
• Collect the information directly from the individual whenever possible.

Use of Personal Information

Generally speaking, FIPPA limits the use of PI to the purpose for which it was collected – or a directly related purpose – unless the individual has provided their informed consent. “Use” refers to the sharing of PI within the University. The use of PI should also be limited to the minimum amount of information necessary to accomplish the purpose for which it was collected.

Disclosure of Personal Information

Similarly, FIPPA limits the disclosure of PHI to the purpose for which it was collected – or a directly related purpose – unless the individual has provided their informed consent. “Disclosure” refers to the sharing of PI outside the University. Disclosure should also be limited to the minimum amount of information necessary. Other instances where disclosure may be permitted include, but are not limited to:

• If disclosure is authorized or required by another enactment of Manitoba or Canada;
• To the Government of Canada in order to facilitate the monitoring, evaluation, or auditing of shared cost programs or services;
• For the purpose of determining or verifying an individual’s suitability or eligibility for a program, service, or benefit;
• Where disclosure is necessary to protect the mental or physical health or the safety of any individual or group of individuals;
• For the purpose of complying with a subpoena, warrant, or order issued by a court with jurisdiction;
• For law enforcement purposes or crime prevention; and
• For contacting a relative or friend of an individual who is injured, incapacitated, or ill.

Protection of Personal Information

FIPPA requires the University to establish reasonable physical, electronic, and operational security measures to safeguard against unauthorized access, use, disclosure, or destruction of PI. Paper records should be stored in locked cabinets or specially designed rooms. Electronic records should be password protected or encrypted. Employee access to PI should be restricted to only those employees who require the information for the performance of their duties, and consistent with the purposes for which the information was collected. PI must be destroyed securely and completely.