The primary purpose of the Access and Privacy Officer is to serve as an expert resource within the University on issues related to access to information and privacy, including compliance with The Local Authority Freedom of Information and Protection of Privacy Act and privacy best practices. The Access and Privacy Officer is a key advisor within the University with respect to the administration of access to information and privacy legislation and exercises delegated decision-making authority with respect to access to information and privacy while providing specialized privacy information and expertise, advice and guidance to all University staff.
The Access and Privacy Officer raises awareness of access and privacy issues on a regular and proactive basis, develops and facilitates training programs and promotes and provides information and resources on access and privacy issues as needed via advocacy and general advice.
The Local Authority Freedom of Information and Protection of Privacy Act, as the name implies, relates to two separate, but interconnected, areas - access to information and protection of privacy.
The University is obligated to provide the public with access, subject to certain restrictions and limitations, to records that are in the custody or control of the University. A record is defined as a record of information in any form.
The role of the Access and Privacy Officer in this regard includes:
In order to operate effectively and efficiently, the University collects personal information about its students, faculty and staff. The University is required to protect the privacy of these individuals by ensuring that their personal information is only used for appropriate purposes.
The role of the Access and Privacy Officer in this regard includes:
The purpose of Right to Know (RTK) Week is to raise awareness about people’s right to access government information while promoting freedom of information as essential to both democracy and good governance.
The Canadian RTK Week takes place the last week of September. See more at www.righttoknow.ca.
As a publicly funded institution, the University of Saskatchewan is committed to accountability and accessibility.
Many requests for information can be handled informally by simply contacting the appropriate department or college. You may be referred to the Access and Privacy Officer if the request cannot be handled by the respective college or department.
In some cases, information is publicly available and a formal request for information is not required. Two common sources of information are the University of Saskatchewan Facts and Statistics and the University of Saskatchewan Reports.
The University of Saskatchewan Facts and Statistics contain data on students, alumni, courses, grading patterns, faculty and staff, finances, library holdings and space at the University of Saskatchewan.
The University of Saskatchewan Reports include annual reports and integrated plan reports and are a form of public reporting allowing the University to share its most current information, including its financial position and the implementation of the current integrated plan.
A formal Access to Information request may be made in Form A of The Local Authority Freedom of Informationand Protection of Privacy Regulations.
Once completed by the applicant, the form may be submitted to the Access and Privacy Officer in Corporate Administration (E290, Administration Building) with the appropriate application fee.
The Access and Privacy Officer may contact the applicant and require clarification of the request. Many applicants do not have detailed knowledge about the types of records the University maintains. The Access and Privacy Officer may be able to identify whether the request can be accommodated informally outside of the Act, whether the information sought is publicly available, or whether the request can be narrowed to certain key records to avoid unnecessary costs to the applicant.
A $20.00 application fee is required with an Access to Information request. Processing fees may also be charged. Fees are prescribed in the Regulations and include, for example, $0.25 per page for photocopying. If access is refused, no processing fees are payable. If processing costs are expected to exceed $50.00, the applicant will be provided with an estimate prior to proceeding.
When an application is received by the University for access to a record, the University must give written notice to the applicant within 30 days stating whether access will be provided upon payment of any required fee, whether the record is published or will be published within 90 days, or whether access is denied.
If the record requested pertains to a third party or if an estimate of fees is required, this time limit may be suspended for a certain period of time while third parties are contacted or the applicant is advised of the fee estimate. There are also other limited circumstances where an extension may be permitted.
Some records may be exempt or excluded from public release under the Act . For example, access to records obtained in confidence from other governments, records related to law enforcement investigations, records containing advice, proposals or recommendations developed by or for the University, or records containing certain third party information may be denied. Further, personal information of another individual will not be disclosed, except in accordance with the Regulations.
Should you be refused access to all or part of a record, you may request a review of the decision by the Saskatchewan Information and Privacy Commissioner. A request for review should be completed in Form B of the Regulations.
In order to operate effectively and efficiently, the University collects personal information about its students, faculty and staff. The University is committed to protecting the privacy of the personal information in the custody or control of the University.
Personal information is defined in the Act as, generally, personal information about an identifiable individual that is recorded in any form. It includes, for example:
Personal information does not include information that discloses:
The Act requires that the University ensure that personal information being used for an administrative purpose be as accurate and complete as reasonably possible.
The Act stipulates that, subject to certain restrictions, an individual whose personal information is contained in a record in the possession or under the control of the University has a right to access the record. Access is gained by making an Access to Information request, as described above, unless it is determined that it can be handled informally.
An individual who has been given access to a record that contains personal information about him or herself is entitled to request correction of the personal information if the individual believes that there is an error or omission in it.
If you are concerned that your privacy rights may have been breached, please contact the Access and Privacy Officer. The University will immediately take steps to investigate whether a breach of privacy has occurred and, if so, remedy the situation.
In some limited circumstances, the University of Saskatchewan is a Trustee pursuant to The Health Information Protection Act with respect to certain personal health information. If you are a patient of or have received services from Student Health and Counselling Services or Academic Family Medicine, including West Winds, Regina Centre Crossing or Northern Medical Services, please contact your health care provider for information on the policies and procedures with respect to the protection of personal health information at their clinic.
The Act defines a record as information in any form and includes information that is written, photographed, recorded or stored in any manner, but does not include computer programs or other mechanisms that produce records.
Examples include: documents, letters, handwritten notes, papers, manuals, journal books, drawings, e-mails, etc.
The University is not compelled by the Act to create records responsive to a request; i.e. conduct research and answer questions you may have. We need only provide access to existing records.
Fees are prescribed in section 5 of the Regulations. Some examples include:
Personal information is defined in section 23 of the Act and includes:
The University may deny access to records obtained in confidence from other governments, records related to law enforcement investigations, records containing advice, proposals or recommendations developed by or for the University, or records containing certain third party information may be denied. Further, personal information of another individual will not be disclosed, except in accordance with the Regulations.
If the statistics are readily available in a record and do not contain personal information, the information may be disclosed upon payment of any required fees. However, if the requested records do not exist, or require a new document or record to be created (i.e. a compilation of data), the request may be denied.
Transcripts cannot be provided to individuals, other than the student, without signed consent. Without a signed consent form from the student the University will not, except in exceptional circumstances, release any information about a student to a family member.
This information will not be provided without signed consent from the student.
Not without the consent of the other students.
Yes, the Card Office does have students’ photographs, but at this time the University has not made the policy decision to use these photographs for this purpose.
You may post grades by student number only. You may not post student names and/or NSIDs.
No. Because surveys involve the creation of a record, rather than access to an existing record, they are not handled by the Access and Privacy Officer. Survey requests for students, employees or financial data from external agencies may be directed to specific colleges or departments, Institutional Planning and Assessment or Information Strategy and Analytics.
Safeguards for personal information include administrative safeguards (i.e. policies and procedures), physical safeguards (i.e. locked doors and cabinets) and technical safeguards (i.e. passwords and encryption).
- Pre-program commonly used fax numbers and check these numbers regularly to ensure accuracy.
- Confirm fax number or e-mail address with recipient before sending personal information.
- Carefully check fax number or e-mail address before hitting ‘send’, especially with automatically populated e-mail addresses.
- Use a fax cover sheet clearly identifying the sender, contact information for the sender, the intended recipient, recipient’s fax number
and total number of pages sent and include a confidentiality clause.
- Include a confidentiality clause in your automatic signature in your e-mail.
- Check the fax confirmation report to ensure it went to the right place and all pages were transmitted and received.
- Ask for read receipts on your e-mails.
- Fax or e-mail as little personal information as necessary.
- Fax machines and printers should be physically located in an area of the office that prevents unauthorized individuals from viewing or
retrieving faxes and printed e-mails.
- Ensure that your fax machine, photocopier and computer hard drives are disposed of properly.
More information can be found here
- Limit the amount of personal information on the device
- Mobile devices must be password protected at a bare minimum
- Multi-layer authentication is preferred
- Encrypt the data on the device
- Physically secure your device – do not leave it in the car or unattended in public places
- Maintain the integrity and security by updating software on a regular basis
- Use secure wireless connections
- Wipe data before disposing of the device and enable remote wiping in case of loss or theft
More information can be found here [http://www.oipc.sk.ca/Resources/Helpful%20Tips%20-%20Best%20Practices%20-%20Mobile%20Device%20Security%20-%20March%202011.pdf]
The Access and Privacy Officer is responsible for raising awareness of access to information and privacy matters and developing and facilitating training. If you are faculty or staff and would like to receive training, or would like your unit to receive training, please contact the Access and Privacy Officer.
If you are interested in learning on your own, be sure to look at the Office of the Information and Privacy Commissioner of Saskatchewan website [http://www.oipc.sk.ca] and the Saskatchewan Justice Access and Privacy Branch website [http://www.justice.gov.sk.ca/accessandprivacy]. The Access and Privacy Branch offers an online training course [http://www.justice.gov.sk.ca/privacyLAC].
Rayelle Johnston, LL.B.
Access and Privacy Officer
E288 - 105 Administration Place
Saskatoon, SK S7N 5A2
P: (306) 966-8596
F: (306) 966-8676