Privacy Basics at UWinnipeg - Module 2

To begin, we are only permitted to collect PI / PHI where the information is necessary for an approved activity of UWinnipeg. PI / PHI must never be collected "just in case" - there needs to be a valid, necessary purpose for collecting the information. Collection is also permitted where required under law.

In addition, we are only permitted to collect the least amount of PI / PHI necessary to carry out the task at hand.

Whenever possible, collect PI / PHI directly from the individual to whom it relates and consider obtaining their written consent. Also, be particularly careful when collecting especially sensitive information, such as financial information, SIN, and PHI. Ensure that the collection is absolutely necessary and take no more information than is required.

When collecting new PI / PHI directly from an individual, they must be provided with a privacy notice.

A privacy notice must contain:

• the purpose for which the information is collected,
• the legal authority for the collection,
• the title and contact information of a UWinnipeg employee who can answer questions about the collection.

One example is the notice given to students at time of registration:

I understand that my personal information is collected under 36(1)(b) of the Freedom of Information and Protection of Privacy Act and will be used by the University for registration, awards, student records, alumni services, university research and other functions related to being a member of the University community. I authorize the University to disclose my student name, ID and enrolment status to the University of Winnipeg Students' Association as required for voting, health insurance, and the U-Pass/post-secondary pass program. For any questions, contact the University Registrar, 515 Portage Avenue, Winnipeg, Manitoba R3B 2E9, phone (204) 786-9337.

If you are unsure whether a privacy notice is required for a proposed collection of PI / PHI, contact the Information and Privacy Officer for assistance.

Similar to limits on collection, UWinnipeg is also limited in how it may use and disclose the PI / PHI it holds.

The requirements that follow on the next page of this module focus on avoiding "creep," where PI / PHI collected for one purpose is utilized for another purpose without the knowledge and consent of the affected individual.

The term "use" covers all of the ways that employees use and share PI / PHI within UWinnipeg. Examples include viewing documents containing PI / PHI, sharing them with other employees, and all other handling of PI / PHI at work.

The term "disclosure" covers all of the ways that employees share, or provide access to, PI / PHI outside of the University. Examples include sharing PI / PHI with:

• parents,
• students (who are not also employees),
• other universities,
• anyone else outside of UWinnipeg.

PI / PHI may only be used to carry out the purpose for which it was collected or received, or a consistent purpose. Otherwise, consent is required.

In the case of disclosure, the rule is similar - we many only disclose PI / PHI to carry out the purpose for which the information was collected or received, or a consistent purpose. Otherwise, the individual must consent to the disclosure.

However, there are a number of exceptions to this rule that permit disclosure without consent. One example is in the case of an emergency, where disclosure without consent may be necessary to deal with serious health situations and threats. Disclosure may also be possible in situations such as when collecting a debt, assisting a police investigation, or engaging in shared programs with another university in Manitoba.

In non-emergencies, speak with your supervisor or the Information and Privacy Officer to ensure that a disclosure absent of consent is permitted. In emergencies, do what is necessary.

Finally, all use and disclosure of PI / PHI must be limited to the least amount of information necessary to accomplish the task at hand.

This applies to use within an office, sharing with other offices, and sharing with third parties. In all cases, no more information than is necessary should be accessed or shared.

This rule of minimum use also prohibits employee snooping. This involves viewing information without a valid purpose. Even if a University employee has legitimate access to a large database of PI / PHI, for example, that information must only be viewed as required for necessary work purposes.

Use and disclosure should also be limited to the fewest persons reasonably necessary to carry out the purpose for which the information is used or disclosed. As always, the more sensitive the information, the more important this rule becomes.

All use and disclosure of PI / PHI must be on a need-to-know basis. This rule applies for the entire life cycle of a record, from the first point of collection until final destruction.

As before, it is also important to limit the number of people who receive access to the fewest reasonably necessary to carry out the given purpose. This is particularly important with especially sensitive information such as PHI, financial information, and SIN.

Implementing the need-to-know principle also relates to how you organize your records. Access to records should be segregated along a need-to-know basis. Separating records so that only certain categories of employees have ready access is an important privacy protection.

The Privacy Policy does not set out specific retention periods for records containing PI / PHI. However, any information that is used to make a decision that directly affects an individual must be kept long enough to permit the individual to request access to the information.

One year is generally a suitable minimum retention period but the total time that a record must be retained will vary based on legislation, regulation, and University policy. It is important to not retain records containing PI / PHI longer than is necessary.

The Information and Privacy Officer is able to assist University departments in the creation of records schedules that set out the retention period for various University records.

Because PI / PHI is often used to make decisions that affect individuals, it is important to collect and maintain accurate information. Take reasonable steps to ensure that the information in your custody remains accurate and process any required changes. This is of particular importance if the information is dated, incomplete, or was collected from a third party source.

For staff:

• Ensure privacy notices are included on web forms, surveys, hardcopy registration forms, etc.
• Verify identities before providing PI / PHI over the phone or via email.
• Before sharing PI / PHI with vendors, ensure contracts contain adequate privacy protections; seek assistance when contracting.
• Display privacy notices at events where photographs / videos will be taken.

For faculty:

• Take measures to prevent students' viewing their classmates' PI. Avoid posting full student names and numbers. Use limited access means such as Nexus and WebAdvisor to communicate grades whenever possible.
• Discuss appropriate student conduct as regards privacy in the classroom and when assigning group work or peer evaluation.

For everyone:

• Obtain consent before posting personal information online.
• Email communications often contain PI /PHl; share only as necessary or obtain consent.
• Know which of your records contain PI / PHI.
• Limit access to PI / PHI to only those who need it to do their job.
• Review unit policies and procedures to better protect PI / PHI.
• Talk with colleagues about privacy.

Other tips and resources are available on the resources page on the Information and Privacy Office's website.

Key Points

• Ensure that all collection of PI / PHI is necessary, limited to the minimum amount of information, and accompanied by a privacy notice.
• Ensure that all use and disclosure of PI / PHI is related to the purpose of collection and limited to the minimum amount of information.
• Use and share on a need-to-know basis.
• Don't snoop.
• Maintain accuracy.
• Review privacy tips and other resources.