
Privacy Policy Explained

*This document provides a plain language overview of key elements of the Privacy Policy. It is not authoritative and does not address all elements of the Privacy Policy. For official guidance, consult the Privacy Policy or contact the Data Privacy and Compliance Office.*

SECTIONS

1. Introduction to the Privacy Policy
2. Access to PI/PHI
3. Collecting PI/PHI
4. Using and disclosing PI/PHI
5. Obtaining consent
6. Security of PI/PHI
7. Disposing of PI/PHI
8. Privacy breaches
9. Research involving PI/PHI
10. Additional requirements for PHI
11. This is a lot! What are the most important things to remember?
12. Where do I go for more information?


1. INTRODUCTION TO THE PRIVACY POLICY

a) Why was the Privacy Policy created?

The University is committed to protecting the sensitive, private information we collect and receive about our students, employees and partners. To this end, the Privacy Policy was created to enhance compliance with applicable privacy legislation, such as Manitoba's FIPPA and PHIA, and to promote good practice as regards the handling of personal information/personal health information.

b) What does the Privacy Policy do?

Generally speaking, the Privacy Policy sets out requirements on the collection, use and disclosure of personal information/personal health information. It also mandates the application of reasonable security safeguards to preserve privacy and confidentiality.

c) Who does the Privacy Policy apply to?

The Privacy Policy applies to all University employees, contractors, volunteers, students and other persons who may handle personal information/personal health information in the course of their association with the University.

d) Who is responsible for the Privacy Policy?

The Provost and Vice-President, Academic, is responsible for the development, administration and review of the Privacy Policy. The Data Privacy and Compliance Office is responsible for the day-to-day administration of the Policy, including the provision of training to faculty and staff.

e) What's the definition of personal information?

Personal information (PI) is recorded information about an identifiable individual. This includes information that is readily identifiable and can also include information that is potentially identifiable (i.e. information that, if combined with other information that is or may be available, may reveal the identity of the individual). PI can be recorded on any type of record, paper or electronic.

PI includes but is not limited to an individual's:

  • Name, home address, or home telephone, facsimile or email
  • Age, sex, sexual orientation, marital or family status
  • Ancestry, race, colour, nationality, or national or ethnic origin
  • Religion or creed, or religious belief, association or activity
  • Personal health information
  • Blood type, fingerprints, or other hereditary characteristics
  • Political belief, association, or activity
  • Education, employment or occupation, or educational, employment or occupational history
  • Source of income or financial circumstances, activities or history
  • Criminal history, including regulatory offences
  • Personal views or opinions, except if they are about another person
  • Identifying number, symbol or other particular assigned to the individual

f) Is all PI protected under the Privacy Policy?

Yes. However, some information that would normally be considered PI is not included in the above definition. For example, the name and business contact information of a University employee is not considered that employee's personal information. But their personal contact information (home address, home phone, etc.) would be and is therefore protected by the Policy.

g) What about student PI?

All student PI is protected under the Privacy Policy.

Student PI includes but is not limited to:

  • Student number
  • Student email address
  • Contact information
  • Student card photo
  • Grades, assignments and assessments
  • Registration, enrollment and standing
  • Educational history and transcripts
  • Financial standing

h) What's the definition of personal health information?

Personal health information (PHI) is just that - information about someone's physical or mental health. It's defined as recorded information about an identifiable individual that relates to:

  • The individual's health, or health care history, including genetic information about the individual,
  • The provision of health care to the individual, or
  • Payment for health care provided to the individual,

And includes but is not limited to:

  • The personal health identification number (PHIN) and any other identifying number, symbol, or particular assigned to an individual, and
  • Any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.

i) Why does PHI have a separate definition? Why not just include it under PI?

PHI is arguably the most sensitive type of PI as it relates directly to an individual's wellness and being. For this reason, it is deserving of special recognition and protection. Most governments, for example, have created legislation to ensure that PHI is handled with the highest standards of care. In Manitoba, PHIA protects PHI.

j) What are some examples of student PHI?

Student PHI includes but is not limited to:

  • Counselling or medical appointment information, notes and records
  • Accessibility records
  • Sick notes
  • Doctor's notes and recommendations
  • Prescriptions
  • Health evaluations
  • Health incidents and reports

k) Does the Privacy Policy apply to research involving PI/PHI?

Yes. That said, the Privacy Policy defers largely to the protocols, policies and procedures of the University's Human Research Ethics Board (HREB) that govern all research involving humans. These are considerably more detailed than the requirements regarding research in the Privacy Policy.

l) Do University employees have to complete privacy training?

Yes, if they handle PI/PHI in the course of their association with the University. These employees must attend a privacy training session (general, in-department, or online) or complete another form of training as may be required by the University.

m) What should I remember from this section?

PI/PHI is defined broadly and almost all of it is protected under the Privacy Policy. If you handle PI/PHI in the course of your association with the University, come to a privacy training session.


2. ACCESS TO PI/PHI

a) Who can have access to PI/PHI?

Access to PI/PHI (physical or electronic) is limited to only authorized persons. For the most part, a person is authorized to access PI/PHI if they need to know the information to carry out the purpose for which it was collected, i.e. a "need to know" basis that is directly connected to the performance of their duties. Access may also be authorized with the consent of the individual to whom the information relates or for another purpose authorized under FIPPA or PHIA. In all cases, access is limited to the fewest number of authorized persons necessary to carry out the purpose.

In practice, this requirement governs the sharing of PI/PHI inside and outside the University, which is explained in greater detail below. But it also mandates limited access to file storage rooms, filing cabinets, etc., so that only those persons who need to know the information have access. It's likewise important to limit access to shared network drives, software programs and similar sites for the use and storage of electronic records.

b) What should I remember from this section?

Ensure that PI/PHI is only accessed and shared on a "need to know" basis.


3. COLLECTING PI/PHI

a) What's the definition of collecting? What's included?

Collecting means to assemble or accumulate PI/PHI. Basically, any time that PI/PHI is gathered, taken or otherwise received by the University, it is collected.

Collecting includes but is not limited to:

  • Verbal requests for PI/PHI
  • Collecting PI/PHI on forms and surveys, whether paper or electronic
  • Requesting or receiving an individual's PI/PHI from another organization
  • Creating photo/video records of an identifiable individual
  • Collecting PI/PHI through online programs and apps

b) When is it OK to collect PI/PHI?

The University may only collect PI/PHI if authorized under FIPPA or PHIA. Generally speaking, collection is authorized when it is either:

  • Necessary for and directly related to an existing service, program or activity of the University, or
  • Done with a legal basis (i.e. under a law that requires the University to collect certain PI/PHI).

Almost all collection at the University is done under the first authorization. For example, when students apply to the University, collection of their PI (name, contact information, academic history, etc.) is authorized as it is necessary to collect this information to process their admission. But it's always important to consider whether it's truly necessary to collect PI/PHI to carry out a University service, program or activity. It may be possible to achieve the task without collecting any PI/PHI.

c) How much PI/PHI can be collected?

Only the minimum amount of PI/PHI necessary may be collected. When collecting PI/PHI, think about how much is really required to achieve the purpose for which the information is being collected. Take only the reasonable minimum. Using the same example as before, when students apply to the University we collect only the minimum amount of information necessary to process admission. So we do not collect the student's blood type and social insurance number, for example, as this information is not required for the purpose for which PI/PHI is being collected.

d) How should PI/PHI be collected?

PI/PHI needs to be collected in a manner and location that ensures the security, accuracy, integrity and confidentiality of the information, to the extent that it is reasonable to do so.

In plain language, this means to be discreet and careful when collecting PI/PHI, so that individuals who do not need to hear/see/know the information are not exposed to it. Much of this is common sense. For example, do not discuss sensitive student PHI where other students may be able to overhear the conversation. Or if collecting PI/PHI on forms, do not leave completed forms exposed in public view.

Collection is also a form of access, so it must be limited to the fewest number of authorized persons required to collect the information.

e) What are the other requirements for collecting PI/PHI?

Whenever possible, PI/PHI must be collected directly from the individual to whom the information relates. And if collecting PI/PHI directly from the individual, they must be provided with the authority and purpose of the collection and given the contact information of a University employee who can answer any questions they may have. Visit the Creating a Privacy Notice page for more information on providing a notice of collection statement (i.e. a privacy notice). Note that there are also additional Privacy Policy requirements if PI/PHI is being collected in the course of a commercial activity.

f) What should I remember from this section?

Before collecting PI/PHI, make sure the collection is necessary. If so, take the least amount of information required to carry out the task. And be sure to provide a notice of collection statement if collecting the information directly from the individual to whom it relates.


4. USING AND DISCLOSING PI/PHI

a) What's the definition of use? What's included?

Use means to access, view, share or otherwise employ PI/PHI inside of UWinnipeg. Basically, any way that PI/PHI is dealt with at the University is considered a form of use. This includes use both within the office that collected or received the information as well as use within other University offices.

Use includes but is not limited to:

  • Viewing documents and databases in any format
  • Being exposed to PI/PHI (hearing, viewing, learning, handling)
  • Sharing PI/PHI with University colleagues

b) What's the definition of disclosure? What's included?

Disclosure means to share, provide, expose, reveal or otherwise release PI/PHI outside of UWinnipeg. This includes sharing with students who are not also University employees.

Disclosure includes but is not limited to:

  • Sharing PI/PHI with parents, family, friends or other students
  • Sharing PI/PHI with other universities
  • Releasing or providing the means of access to PI/PHI to third parties e.g. software vendors, other organizations

c) When can PI/PHI be used and disclosed?

In most circumstances, PI/PHI can only be used and disclosed as required to carry out the purpose for which the information was collected.

For example, a form containing PI/PHI can be used by a University office, and also shared with other University offices, but only to the extent required to carry out the purpose for which the form was created or received. In addition, this "as required" limitation means that documents, spreadsheets, etc., should only be viewed when necessary. Even if an employee is authorized to have access to the PI/PHI, access must be on an as-required basis. Snooping (viewing PI/PHI for purposes unrelated to the performance of necessary work duties) is prohibited.

For an example involving disclosure, payroll information regarding University employees may be shared as necessary with the Canada Revenue Agency, as this is one of the purposes for which this information is collected.

PI/PHI can also be used and disclosed with the consent of the individual to whom the information relates, or for certain specific situations authorized under FIPPA or PHIA. These are detailed in the Policy appendices.

d) How much PI/PHI can be used and disclosed?

The amount of PI/PHI that may be used or disclosed must be limited to the minimum amount of information necessary to accomplish the purpose for which it is being used or disclosed and that a reasonable person would consider appropriate in the circumstances.

For example, a University office may have a database containing multiple types of PI/PHI about a particular individual. If another University office requires access to some of that information, the first office may only share what is necessary to carry out the task. Or if another university requests the academic history of a UWinnipeg student who is now applying at that institution, UWinnipeg may only share the minimum amount of information required to assist in the application process.

e) How should PI/PHI be used and disclosed?

PI/PHI needs to be used and disclosed in a manner and location that ensures the security, accuracy, integrity and confidentiality of the information, to the extent that it is reasonable to do so.

As with collection, this means to be discreet and careful when using and disclosing PI/PHI, so that individuals who do not need to hear/see/know the information are not exposed to it. Use and disclosure are also forms of access, so they must be limited to the fewest number of authorized persons required to fulfill the given task. Also, it's important to take steps to ensure that the PI/PHI being used or disclosed is accurate and up-to-date.

f) What should I remember from this section?

Use and disclose PI/PHI only as required to carry out the purpose for which the information was collected, unless you have the consent of the individual to whom the information relates or are authorized to use or disclose for a purpose under FIPPA or PHIA. Also, limit use and disclosure to the minimum amount of PI/PHI and the fewest number of people necessary to carry out the authorized task.


5. OBTAINING CONSENT

a) When is consent required to collect, use, or disclose PI/PHI?

To use and disclose PI/PHI for a purpose that is not connected to the purpose for which the information was collected, and that is not otherwise authorized under FIPPA or PHIA, individual consent is required. Consent may also be sought when collecting PI/PHI and is often required if collecting in the course of commercial activity. However, obtaining consent does not remove the requirement that the collection must first be authorized under FIPPA or PHIA.

When consent is required for the collection, use or disclosure of PI/PHI, that consent must:

  • Be in writing or otherwise electronically or manually recorded,
  • Relate to the purpose for which the PI/PHI is used or disclosed,
  • Be knowledgeable, so that it is reasonable to expect that an individual to whom the University's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting, including the implications of withdrawal of consent where applicable,
  • Be voluntary, and
  • Not be obtained through misrepresentation.

For example, Student Central requires that students provide consent to share their academic or financial information with parents, guardians or similar designees. This is captured on a consent form.

b) What should I remember from this section?

Consider whether consent is required for a collection, use or disclosure of PI/PHI. If so, ensure that the consent is knowledgeable and create a record of the consent given.


6. SECURITY OF PI/PHI

a) What kinds of security safeguards need to be in place to protect PI/PHI?

The Privacy Policy requires the application of reasonable administrative, physical and technical safeguards.

b) What are examples of administrative safeguards?

Administrative security safeguards include:

  • Privacy training (general or department-specific)
  • The PHIA pledge of confidentiality (see Appendix "B" of the Policy)
  • Department-level policies and procedures
  • Contracts and similar agreements that place restrictions on the handling of PI/PHI

c) What are examples of physical safeguards?

Physical security safeguards include:

  • Limiting physical access to PI/PHI (e.g. in filing cabinets, file storage rooms, etc.)
  • Using discretion when discussing PI/PHI
  • Storing paper files and electronic devices and media in secured areas other than when being used as a necessary function of work
  • Not transporting or removing PI/PHI from secured areas unless necessary
  • If transporting PI/PHI, taking only the minimum amount of information necessary and securing it in a closed, opaque container under the care and control of an authorized person
  • Whenever practicable, de-identifying PI/PHI before removing it from secured areas
  • Not leaving PI/PHI unattended or stored in a vehicle
  • Labelling file folders, storage boxes, electronic devices and media and other storage containers so that only the minimum amount of PI/PHI is used

d) What are examples of technical safeguards?

Technical security safeguards include:

e) What should I remember from this section?

Talk with your colleagues about protecting the confidentiality and security of PI/PHI and consult University resources for assistance. In particular, consult the Guidelines for the Communication of Personal and Personal Health Information before communicating PI/PHI.


7. DISPOSING OF PI/PHI

a) When should PI/PHI be disposed of?

PI/PHI that is used to make a decision that directly affects the individual to whom the information relates needs to be retained for a reasonable period of time to allow the individual to obtain access to the information in accordance with any applicable legislation, regulation and University policy. Otherwise, PI/PHI should generally be disposed of when it no longer has business value. But retention periods for records containing PI/PHI vary, depending again on law, regulation, University policy, etc. For assistance in setting a retention period on records containing PI/PHI, contact the Data Privacy and Compliance Office.

b) How should PI/PHI be disposed of?

Records containing PI/PHI need to be destroyed completely in a manner that takes into account the sensitivity of the information, including at a minimum:

  • Shredding of paper records, and
  • Effective and complete deletion of the information on all electronic devices and media.

c) What should I remember from this section?

Don't retain PI/PHI longer than necessary. And when it comes time to dispose of the information, ensure it is destroyed fully.


8. PRIVACY BREACHES

a) What is a privacy breach?

A privacy breach is any collection, use, disclosure or destruction of PI/PHI in contravention of applicable privacy legislation such as FIPPA or PHIA. More often than not, a privacy breach is caused by unauthorized access to or disclosure of PI/PHI. But breaches can also be caused by actions such as employee snooping (unauthorized use) or the inadvertent destruction of records containing PI/PHI.

b) What should I do if I know of or suspect a privacy breach?

Any complaint received about a privacy breach, or any knowledge of a privacy breach or a reasonable suspicion of a privacy breach, needs to be reported immediately to the Information and Privacy Officer and the responsible administrator e.g. VP, AVP, dean, chair, director or manager.

c) What happens next?

The Data Privacy and Compliance Office and the responsible administrator will determine whether the alleged privacy breach warrants investigation. If the privacy breach is confirmed as a breach of privacy legislation, they will take steps to contain the privacy breach and also implement corrective procedures to address the privacy breach and lessen the likelihood of future privacy breaches. A report will also be generated and may be shared with external agencies and/or law enforcement.

d) What are some common breaches?

Unauthorized disclosure of PI/PHI is likely the most common privacy breach. This can happen when PI/PHI is stolen (e.g. a laptop is stolen), lost (e.g. a USB stick goes missing) or accidentally shared (e.g. an email containing PI/PHI is sent to the wrong person).

e) What can be done to prevent breaches?

Consult the Guidelines for the Communication of Personal and Personal Health Information before sending PI/PHI by email, fax, etc. Use password protection/encryption if transporting PI/PHI on USB sticks, laptops, and similar portable media. Create a strong password and change it periodically. And consider disabling Outlook Auto-Complete List.

f) What should I remember from this section?

Report all known or suspected privacy breaches. And follow University security/privacy best practices to reduce the likelihood of a breach.


9. RESEARCH INVOLVING PI/PHI

a) What are the rules regarding research involving PI/PHI?

PI/PHI can only be collected, used or disclosed for a research purpose in accordance with an HREB-approved protocol and FIPPA and PHIA, where appropriate. Visit the Research Office's website for more information on research at UWinnipeg.

b) What should I remember from this section?

Consult the Research Office before collecting, using or disclosing PI/PHI in the context of a research project.


10. ADDITIONAL REQUIREMENTS FOR PHI

a) Why are there additional requirements for PHI?

PHIA contains certain additional requirements that apply only in respect of PHI.

b) What are these additional requirements?

Briefly, the three additional requirements, which are described in full in the Privacy Policy, are:

  • Where the University uses an electronic health information system to maintain PHI, the administrator responsible for that system needs to create and maintain a record of user activity for at least three years. These records can be created manually or electronically and must be audited at least once for breaches of privacy before being destroyed.
  • At least every two years, the University will conduct an audit of safeguards employed to protect PHI.
  • Departments that retain PHI must use a sign, brochure or similar type of notice to inform individuals of their right to examine and receive a copy of the PHI or to designate another person to examine and receive a copy of their PHI.

c) What should I remember from this section?

Departments that use electronic health information systems have recordkeeping obligations and all departments that retain PHI must provide notice of an individual's right to access their own information.


11. THIS IS A LOT! WHAT ARE THE MOST IMPORTANT THINGS TO REMEMBER?

If you handle PI/PHI in the course of your association with the University, it's important to read the Privacy Policy and understand exactly how it affects your particular work.

However, there are also some general principles that apply to most University employees and situations:

  • Attend privacy training and don't be afraid to ask questions.
  • Consider the necessary minimum when collecting, using or disclosing PI/PHI - what is the least privacy invasive way to achieve your task?
  • When using or disclosing PI/PHI always consider the purpose for which the University collected or otherwise received the information.
  • Talk to your colleagues about privacy and review available University security/privacy resources.
  • Be especially careful when communicating or transporting PI/PHI - this is when many security breaches happen!
  • Report any known or suspected privacy breaches.

12. WHERE DO I GO FOR MORE INFORMATION?

The Privacy Policy can be viewed here. For questions, contact the Data Privacy and Compliance Office.