Collection, Use and Disclosure of Personal Information
Responsibility for privacy protection is shared by all who work at the University. The following practices should be followed by all University faculty and staff when handling personal information.
- Only collect personal information directly from the person to whom the information relates.
- Only collect personal information that you need for official University purposes.
- Only use or disclose personal information as necessary:
- In emergencies, or to reduce threats to health or safety; if disclosing on this basis, document the concern and notify the privacy office as soon as possible.
- For the purpose information was collected or a consistent purpose
- With the individual’s documented consent
- To others working for the University, but only on a need-to-know basis
- Retain personal information for at least one year after the date of its last use, and in accordance with record retention schedules.
- Keep all personal information in secure resources provisioned or approved by University IT services. Do not use unauthorized systems (ie.Gmail) or other unapproved services/apps for University work.
- Always use strong, effective security measures, including; keeping a clean desk, locking cabinets, using strong passwords, and encrypting attachments with personal information.
- Avoid inadvertent exposure of personal information at work, home, transit and elsewhere.
- Destroy personal information securely. If you have questions about electronic destruction, contact your local IT services.
- Conduct a Privacy Impact Assessment (PIA) for all new collections of personal information or when there is a significant change in the purpose or scope of collection of an existing program or practice.
- Consult with legal services to ensure contracts with third party service providers have appropriate privacy and security provisions.
- Immediately notify your supervisor, Freedom of Information Liaison (FOIL) or the Privacy Office of any privacy concern.
University Records and FIPPA
The following are practical, operational practices to proactively manage the risk associated with sharing and disclosing University records. For general records management advice and retention standards, please consult University of Toronto Archives and Records Management Services.
- FIPPA applies to all records, including drafts, e-mails, Teams chats and handwritten notes.
- Teams chat should be used for routine, transitory interactions only. For substantive communications, use a more stable format such as email.
- Consider possible future disclosure (FIPPA requests, legal discovery, breaches) when creating records.
- Be thoughtful when creating records. Include factual information that is necessary for your administrative purpose, but avoid additional editorial comments.
- Outlook email is not intended to be a permanent repository for records. Save institutional emails in the appropriate directory of your unit’s SharePoint site or other central repository, and routinely delete copies of emails from your Outlook account.
- Tip: Use Conversation Clean Up in Outlook to delete unnecessary duplicate emails while retaining conversation threads.
- Use Office365 sharing functionality instead of attaching copies of records to emails to limit duplication and retain control of your office’s records.
- Avoid discussing multiple unrelated matters in a single email thread, especially where they involve the personal information of students/faculty/staff.
- Keep your records easily retrievable. Maintain emails and other records associated with a subject in a single location. When communicating about a specific matter, clearly describe it in the subject line or include a file number for ease of access at a later date.
- Clearly designate responsibility for shared records to avoid duplication and confusion.
- Limit access to records and information strictly to those with a need-to-know for official work purposes; this includes Office 365 access permission settings and the CC line on emails.