fb pixel
The University of Winnipeg

Guidelines for the Communication of Personal Information and Personal Health Information

Before communicating Personal Information (PI) or Personal Health Information (PHI) by fax, email, phone, mail, or through social media or similar applications, authorized persons subject to the Privacy Policy are responsible for reviewing and taking into account the following guidelines.

General Guidelines
Fax Guidelines
Email Guidelines
Phone Guidelines
Mail/Courier Guidelines
Social Media Guidelines

General Guidelines

1. Verify the necessity

Under Manitoba’s Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Health Information Act (PHIA), the University may communicate PI or PHI only for the purpose for which the information was collected or disclosed. Communication may also be authorized if the individual the information is about provides consent or communication is otherwise authorized under FIPPA or PHIA. This includes both internal use and external disclosure. In all situations, the communication must be limited to the least amount of PI or PHI necessary to accomplish the purpose.

Communicating PI or PHI increases the likelihood that the information may be inadvertently received by an unintended recipient, leading to a potential privacy breach by the sender or recipient. For this reason, PI or PHI should be communicated only as necessary.

2. Consider the sensitivity

All PI and PHI is sensitive and some is especially sensitive. Before communicating PI or PHI, authorized persons must take into account the sensitivity of the information and decide whether it is appropriate to communicate by phone, mail, fax, email, systems hosted by a third-party, or through social media. Some information may be deemed too sensitive to share.

If communication is deemed appropriate, always choose the most secure method appropriate to the circumstances. Additional caution should be exercised with especially sensitive information.

Especially sensitive information

  • Credit card, banking, and other financial information
  • Driver’s license, passport, social insurance number or similar government-issued identification
  • Date of birth
  • Password information or the means to decrypt a password
  • Personal health information
  • Other important identifiers

3. Consider the volume

Communicating large volumes of PI or PHI increases the potential impact of a privacy breach. Always communicate the minimum amount of information possible. If it is necessary to communicate a larger volume of PI or PHI, choose the most secure method appropriate to the circumstances.

4. Consider the urgency

The fastest method is not always the best choice. Communicating PI or PHI by email or fax, for example, is quick but may be less secure than sending it in the mail or by courier. Always consider how quickly the recipient requires the PI or PHI and choose the most secure method appropriate to the circumstances.

5. Verify the information

Before communicating PI or PHI, ensure that it is the most accurate and up to date information available.

6. Verify the recipient’s identity

If communication is appropriate, take steps to verify the identity of the recipient to ensure they are authorized to receive the information.

If a request is made in person, photo identification (such as a driver’s license or UWinnipeg student card) and another piece of identifying information should be requested. If a request for disclosure is made over the phone or by email or fax, identifying information should be requested and verified against known information.

Identifying information may include:

  • a photocopy or scanned copy of a UWinnipeg student card
  • a copy of a signed request, letter of authority or similar document authorizing the individual to receive the information
  • confirmation of home address, telephone number, date of birth
  • confirmation of student or employee number
  • confirmation of another unique identifier
  • confirmation of other information that only the individual to whom the information relates should know

Do not communicate PI or PHI unless satisfied with the recipient’s identity and that they are authorized to receive the information.

Fax Guidelines

1. Faxes should be sent and received in secure areas segregated from the public. Do not leave faxed documents unattended.

2. The amount of PI or PHI being faxed must be limited to the minimum required to fulfill the intended purpose.

3. PI or PHI may be severed or redacted, or replaced with unique identifiers or codes, if it does not negatively affect the remaining record.

4. Fax cover sheets marked confidential or similar shall be used and must indicate the:

  • sender's name, title, department, fax and phone number
  • recipient’s name, title, department, fax and phone number (if available)
  • total number of pages faxed

5. When appropriate to the circumstances, senders should telephone or email in advance to advise the recipient that a confidential fax is to be expected and to confirm the fax number.

6. Before sending a fax, the entered number should be double-checked to ensure accuracy with the recipient’s number.

7. The sender should verify using the fax confirmation report that the message was sent successfully, and make sure that no documents are left behind at the fax machine.

8. Fax cover and confirmation sheets should be retained along with the original faxed records in accordance with all applicable legislation, regulation, and University policy.

9. Pre-programmed fax numbers should be routinely verified for accuracy.

Email Guidelines

1. PI or PHI may be emailed only when no other more secure communication method is appropriate to the circumstances.

2. Encryption/password protection (Hyperlink) should be used whenever practicable.

3. Emails should be sent only from @uwinnipeg.ca email addresses.

4. Only the minimum amount of PI or PHI necessary shall be emailed.

5. PI or PHI may be severed or redacted, or replaced with unique identifiers or codes, if it does not negatively affect the remaining record.

6. Consider using an email disclaimer.

7. When appropriate to the circumstances, senders should telephone or email ahead to advise the recipient that a confidential email is to be expected and to confirm the email address.

8. Before sending an email, the address and the content of the message should be double-checked.  The sender also should verify that the list of intended recipients is accurate and appropriate.

9. The sender should verify the email was sent successfully by requesting both a delivery receipt and a read receipt.

10. Sent emails should be retained in accordance with all applicable legislation, regulation, and University policy.

11. Email addresses should be routinely verified for accuracy.

Phone Guidelines

1. Verify the other party’s identity before discussing PI or PHI (see General Guidelines, item 6).

2. Do not discuss PI or PHI in the presence of those who are not authorized to know the information or in public, unsecured, or open places.

3. Communicate only the minimum amount of PI or PHI necessary.

4. Exercise caution if leaving a voice message and disclose as little, if any, PI or PHI as possible. Voice messages should not contain especially sensitive information (see General Guidelines, item 2).

5. Phone numbers should be routinely verified for accuracy.

Mail/Courier Guidelines

1. Only the minimum amount of PI or PHI necessary shall be mailed.

2. PI or PHI may be severed or redacted, or replaced with unique identifiers or codes, if doing so does not negatively affect the remaining record.

3. When appropriate to the circumstances, senders should telephone or email ahead to advise the recipient that a confidential letter is to be expected and to confirm the mailing address.

4. Secure, opaque envelopes marked confidential or similar shall be used. Envelopes shall only reveal the minimum amount of information that is necessary for identification and use.

5. Before sending a letter, the address and content should be double-checked to ensure accuracy.

6. Couriers should be used and tracking numbers obtained whenever appropriate to the circumstances for the communication of especially sensitive information.

Social Media Guidelines

1. The University’s Privacy Policy applies to the use and disclosure of PI and PHI on social media and information distribution sites such as Dropbox.

2. Exercise caution when using social media platforms as terms and conditions may conflict with the University’s Privacy Policy as well as applicable legislation including FIPPA and PHIA. Contact the Data Privacy and Compliance Office for advice.

3. Do not use social media to communicate especially sensitive information.

4. Do not use social media to communicate PI without the consent of the individual the PI is about. Some exceptions may apply e.g. posting of crowd shots from University events.

5. Avoid associating the PI with other identifiable information about the individual (e.g. by linking to the individual’s social media account) without the individual’s explicit consent.

6. Ensure privacy settings are activated to limit public access where appropriate.

For more information, contact the Data Privacy and Compliance Office.