FAQs

Yes. Personal information includes any information about an identifiable individual, including information relating to the education of an individual. There are very limited exemptions to the definition of protected personal information.

No. The preferred method of facilitating contact is to provide the requestor's contact information to the intended recipient, allowing them to initiate contact if they desire.

You can do so in an anonymous way, such as posting by student number, provided that student number and other identifying information such as name has not previously been disclosed (so that the information could be combined to reveal the grades of an identifiable individual).

This is a risky practice and strongly recommended against. Grades and personally identifying information can easily be gleaned by other students, even if they are behind a cover page. Further, there is a risk that the work could be stolen, possibly resulting in copyright and academic appeals issues.

Cloud services are not prohibited, but if the university will be disclosing personal information of students, faculty or staff to the service provider, or requiring students, faculty or staff to disclose their personal information to the service provider, our due diligence should include a review of the service provider’s security and privacy policies and procedures as well as the terms of use or contract. In addition to privacy concerns, there may be enterprise architecture, operational procurement, and other concerns. The Technology Assessment Team assists in reviewing the acquisition of technology, including web and cloud services.

Yes. The privacy officer also works in the same unit as the Manager of Contracts and Legal Services, and can help ensure that the contract gets a full review as required.

Please report it to the privacy officer. If it is an actual breach, the privacy officer will assist in containing the breach, conduct a review in accordance with provincial guidelines and recommend corrective measures. To the extent possible, the identity of complainants will be protected. If it is not a breach, there is no harm done.

Please see the Data Governance Framework - data stewards and data custodians for your area may be able to assist. If it is personal information, the privacy officer can review the request and advise whether it is an appropriate use of the information, having regard to the purposes for initially collecting the information and the consent(s) (if any) given by the individual to whom the information relates, along with other factors that may be relevant.

The privacy officer can review the request and advise whether it is an appropriate disclosure. The university is permitted to disclose personal information to service providers and for research purposes under certain conditions. For example, we should consider whether the use of personal information is necessary or whether de-identified information could be used; the information should be limited to the least amount necessary; and the contract with the service provider should contain explicit protections of the personal information. If the contract is insufficient in this regard, the information may be disclosed under a non-disclosure agreement.

Under the freedom of information legislation, any person has a right to access any record in the custody or under the control of the university, subject to limited exemptions. Generally, requests by external parties should be made formally through the access and privacy office. Certain procedures must be followed, including legislated time lines, and the access and privacy officer will coordinate the response to ensure compliance. If you are unsure how to respond to the request, please contact the Access and Privacy Officer, or have the requestor submit a formal application.

With the exception of certain evaluative material, or the personal information of others, a student generally has the right to access their file, which is their own personal information. Such requests can often be handled informally but if there are any questions or concerns, please involve the access and privacy officer.

Like the university, the federal and other provincial governments are subject to access to information legislation. If they receive a request, and the responsive records includes your information, the federal government may be required to provide formal ‘third party notice’ – they are giving you the opportunity to respond with why the information should not be disclosed. In some cases, these requests capture proprietary or technical information or other financial information which you may not want disclosed. If you receive third party notice, the access and privacy officer can help you review the documents and exemptions and make a response to the government.

Proxy Access Management is a tool that allows students to share certain information (view-only access) with a person or organization (called a proxy). Once given access, the proxy can check the information that was shared with them as often as needed, but they cannot make changes to the data (e.g., register or drop classes, pay tuition).

Shareable information includes: 

• Class registration information (including the specific classes they are registered in) and program information 
• Tuition and fee information 
• Final grade information 

Examples of information that will not be shared are gender, academic standing, and holds.  

Learn more about how students can share their information.