1. Are all records at the University covered by FIPPA?
FIPPA applies to all records in the custody or under the control of an institution unless,
- the record or the part of the record falls within one of the exemptions under sections 12 to 22; or
- the head is of the opinion on reasonable grounds that the request for access is frivolous or vexatious.
A university, by legislative amendment, is now an "institution" within the meaning of FIPPA.
2. What is personal information?
Personal information "means recorded information about an identifiable individual, including,
- information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
- information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
- any identifying number, symbol or other particular assigned to the individual,
- the address, telephone number, fingerprints or blood type of the individual,
- the personal opinions or views of the individual except where they relate to another individual,
- correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
- the views or opinions of another individual about the individual, and
- the individual's name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual".
Personal information does not include information about an individual who has been dead for more than thirty (30) years.
3. How do I file a request for information in the custody and control of McMaster University?
Often you can obtain the information you want just by calling or visiting the appropriate office. If the office is unable to provide the information and you wish to file a formal request for access to information, the following steps apply:
Step 1: Complete a request form, or write a letter stating that you are requesting information under FIPPA. This request must contain sufficient detail to enable an experienced employee, upon a reasonable effort, to identify the record;
Step 2: Forward the completed request form or letter to the Freedom of Information and Privacy Officer (Ms Helen Ayre, University Secretary, Gilmour Hall 210). Please note: A $5.00 application fee must accompany your request: cheques should be payable to "McMaster University".
No fees are charged for the time required to manually search records containing your personal information, or to prepare such records for disclosure. However, you may be charged certain other fees, including photocopying fees. For all other records, you may be charged fees for photocopying, shipping costs, the costs of manually searching the records you have requested and preparing them for disclosure, or any other costs incurred in responding to your request.
4. How will the University respond to a request after it has been received?
Once the University receives your request and the application fee, you are generally entitled to a response within 30 calendar days.
While FIPPA provides a general right of access to university-held records of information, certain exemptions may apply. Exemptions are provisions in the Act that either permit or require an organization to deny access to a requested record, in whole or in part, if specific requirements are met. In view of this, you may not receive everything that you request.
5. Who will take responsibility for FIPPA compliance?
The President of the University ('the head' under FIPPA) has delegated responsibility for FIPPA compliance to the University Secretary, Ms Helen Ayre.
6. Who makes the final decision for release of information from the University?
Ms Helen Ayre, as Freedom of Information and Privacy Officer.
7. What are the consequences to the University if it does not comply with FIPPA legislation?
The adverse publicity surrounding the refusal of the University to comply with provincial legislation is likely the greatest public sanction. In addition, all decisions can be appealed to the Information and Privacy Commissioner (IPC) of Ontario. In an inquiry, the Commissioner may require to be produced to the Commissioner and may examine any record that is in the custody or under the control of the University, and may enter and inspect any premises occupied by the University for the purposes of the investigation. The IPC may order part or full disclosure of the information at issue. Failure to comply with an IPC order is an offence and may result in a fine after charge, trial and conviction under the Provincial Offences Act.
8. Does the University have to indicate to a requester the provision and reasoning for excluding information from disclosure?
If the university denies you access to information that you requested under FIPPA, it must give you written notice of its decision along with reasons by reference to a section in FIPPA, and inform you of your right to appeal to the Information and Privacy Commissioner.
9. Under what circumstances may a head disclose personal information?
A head may disclose personal information:
- upon the prior written request or consent of the individual, if the record is one to which the individual is entitled to have access;
- in compelling circumstances affecting the health or safety of an individual, if upon disclosure notification thereof is mailed to the last known address of the individual to whom the information relates;
- personal information collected and maintained specifically for the purpose of creating a record available to the general public;
- under an Act of Ontario or Canada that expressly authorises the disclosure;
- for a research purpose if,
  - the disclosure is consistent with the conditions or reasonable expectations of disclosure under which the personal information was provided, collected or obtained,
  - the research purpose for which the disclosure is to be made cannot be reasonably accomplished unless the information is provided in individually identifiable form, and
  - the person who is to receive the record has agreed to comply with the conditions relating to security and confidentiality prescribed by the regulations; or
- if the disclosure does not constitute an unjustified invasion of personal privacy.
10. What must a head consider when determining whether disclosure constitutes an unjustified invasion of personal privacy?
Subject to ss. 21(3) (invasion of personal privacy) and 21(4) (exceptions to personal privacy), a head, in determining whether a disclosure of personal information constitutes an unjustified invasion of personal privacy, shall consider all the relevant circumstances, including whether:
- the disclosure is desirable for the purpose of subjecting the activities of the Government of Ontario and its agencies to public scrutiny;
- access to the personal information may promote public health and safety;
- access to the personal information will promote informed choice in the purchase of goods and services;
- the personal information is relevant to a fair determination of rights affecting the person who made the request;
- the individual to whom the information relates will be exposed unfairly to pecuniary or other harm;
- the personal information is highly sensitive;
- the personal information is unlikely to be accurate or reliable;
- the personal information has been supplied by the individual to whom the information relates in confidence; and
- the disclosure may unfairly damage the reputation of any person referred to in the record.
11. What may a University ask for to determine whether fees charged to respond to an access request will cause 'financial hardship' for the applicant?
The University need not make such a request. It is the requester's responsibility to ask the University for a fee waiver. However, a request for a waiver need not be explicit; it may be implied. The party seeking a fee waiver also bears the responsibility of establishing his/her case.
For example: If the requester does not supply sufficient information to convince the University that a fee waiver is justified, the University is not required to grant the waiver. What the University considers sufficient information will likely be influenced by the specific facts of the request.
12. Can access to a record be denied under the Act because the requester already has a copy of the requested record?
No, but the request can be denied if it is considered frivolous or vexatious. Under the regulations, a frivolous or vexatious request occurs where the request is part of a pattern of conduct that amounts to an abuse of the right of access or where responding to the request would interfere with the operations of the University. Therefore, if a requester has already received the record under a FIPPA request, this section might be invoked.
13. When do you notify third parties about information requests?
If the University is considering giving an applicant access to a record containing personal or business information of a third party, then notice must be given to the relevant third party. A notice to an affected party gives that party an opportunity to make representations about the proposed disclosure of records that affect him/her.
14. Will records that have been accessible before the Act came into effect become inaccessible?
Records that were open previous to the implementation of FIPPA need to be reassessed under the Act in order to determine whether they can remain open or whether elements of personal privacy require some to become protected as such.
15. Is the University required to create a record from a record or data that is in electronic form, i.e. information contained in several databases rather than as one record?
There is no obligation to create a record in response to a request under FIPPA, except in certain circumstances involving information maintained on a computer.
An institution may generate a report in a certain format from data in a computer file. A requester under the Act may ask for a different kind of report using the same computer data sorted or presented differently.
According to s. 2 (machine readable records) of FIPPA Regulation 460, requests for machine readable records are subject to the ability of an institution to produce them without unreasonably affecting its day-to-day operations.
A request for access to hardcopy records must be for actual records that exist at the time a request is received. There is no requirement to compile information from a number of records to create a new hardcopy record in response to a request.
The Act does not require that records be translated into the language of the requester.
16. If records have been sent for destruction but not yet destroyed when an access request is received, does the University have to include such records in the request process?
Yes. When a request for records is received all records requested are "frozen" and no further actions may be taken to destroy the requested records if they have been designated for destruction.
A FIPPA request for records includes all records that have not been destroyed at the time the request was received. Records can include e-mail records that have not yet been deleted from your e-mail system, and records that have been designated and sent for destruction but not yet destroyed.
17. How is e-mail affected by FIPPA?
Faculty and staff's communication on University matters is not considered private outside of the specific exemptions set out in FIPPA. The fact that the record is electronic does not change the application of the Act.
It is not the mode of communication that is important as much as what is communicated and why. When faculty and staff use e-mail, it should be remembered that a record is being created that may be subject to the Act, and therefore care and professionalism should be exercised.
18. Is it appropriate to circulate a monthly listing of FOI requests, including the name of the requester, to internal departments?
No. The identity of a requester is protected personal information.
19. Will a request for an individual's own personal information always be a formal FOI request under the Act?
Yes. Although an individual has a right of access to his/her personal information, the University has a responsibility to protect the privacy of third parties. It may be necessary, therefore, to sever third party information from an individual's file before granting access to that file.
20. How much will it cost to obtain information about myself?
A $5.00 fee must accompany all formal requests for access to information under FIPPA.
21. Must supervisors retain files for a specific time?
Personal information that has been used by an institution must be retained for at least one year after use unless the individual to whom the information relates consents to its earlier disposal.
22. What happens if the Freedom of Information and Privacy Office is in a conflict of interest? Does the authority to decide revert back to the President?
Yes, the authority would revert back to the President who may then exercise it or re-delegate.
23. If the University is unable to guarantee the anonymity of grade lists, can they be posted?
Grade lists cannot be posted without the University being able to guarantee anonymity. Posting grades alongside student names OR full identification numbers is not permitted.
24. Can photographs be taken at public events on the campus?
The taking, use or disclosure of photographs, videotapes or audiotapes recorded at public events or activities related to the University is not considered to be an unreasonable invasion of the personal privacy of the individuals photographed or recorded if the images simply indicate “attendance at” or “participation in” the event. Public events may include “a graduation ceremony, sporting event, cultural program or club, or field trip”. In this case, there is no need to obtain consent for the use or disclosure of the photographs or tapes; however, it may be a good precaution to announce or post a notice that photographs are likely to be taken or that the event is likely to be recorded (taped).
Notwithstanding the above, if an individual attending such an event or, more likely, speaking or participating in the ceremony or event, explicitly requests that the information (in this case, photographs or tapes) not be disclosed, the University must abide by that request or advise the person not to participate.
25. We are required to keep personal information for a minimum of one year - is there a maximum time allowed for retaining personal information?
No, there is no prescribed maximum for retention of personal information.
26. In the athletics area, can we deny someone the right to participate in activities if they refuse to provide us with the personal information we have requested on a form?
Yes, where the information is necessary for participation, a right to participate may be denied.
27. How do offices such as Human Rights & Equity, Academic Integrity and Ombuds fare under FIPPA? Much of the information in these offices must be seen to be held confidential. How much must be disclosed under FIPPA? If the Ombuds is acting as a lawyer (though not hired as such) can solicitor-client privilege be claimed?
Although it seems odd, strictly speaking, all of these offices are subject to FIPPA. While specific exceptions may apply to much of the information in the custody and control of these offices, there is no blanket exemption applying to any of them or a section restricting the application of FIPPA to those areas. There is considerable lobbying by province-wide associations representing those groups to have blanket exemptions passed.
With regard to the s. 19 solicitor-client privilege exemption under FIPPA, an Ombuds is not protected unless the party is in fact hired as counsel to the University and is acting as counsel. Generally, this exemption is reserved for outside counsel and actual in-house counsel of the University. Regardless of whether an individual is professionally trained as a lawyer, the exemption will not apply unless that individual is officially acting in the capacity of a lawyer.
28. When organizing conferences, certain information about the participants is often included on the conference website. Can this practice continue? What must be done to comply with FIPPA in this context?
If the information is personal information, notice should be given to the person to whom the information relates at the time of collection, namely submission of application and/or registration.
Consent may also be obtained from this person at this time. However, if the information is gathered from a medium such as the person’s own publicly accessible website, then the information is publicly available information and may be posted without notice or consent.
29. Some of our first year students are quite young. What is the minimum age for giving consent for the use of personal information?
The minimum age for consent under FIPPA is sixteen (16) years.
30. Under FIPPA, what information can/must the institution share with a parent?
Parents are not entitled to the personal information of their children where a child is over the age of sixteen. Personal information may only be disclosed to a parent in accordance with the provisions of the Act which includes situations involving personal health or compassionate circumstances.
31. Is there a distinction made under FIPPA between the official minutes of a committee and the private notes of a member or informal emails circulated amongst members?
No, there is not. In all cases, a record is created, which, subject to certain exemptions, shall be accessible by request; however, in camera sessions of University committees of the Board and Senate and the information generated at those meetings are likely protected.
32. Are we obliged to put oral discussions/assessments in writing?
FIPPA contains no such requirement.