University of Saskatchewan

Corporate Administration

Access and Privacy

Introduction

News and Events

How to Make an Access to Information Request

Protection of Privacy

Frequently Asked Questions

Tips, Tricks and Best Practices

Training

Documents and Resources

Contact

Introduction 

The primary purpose of the Access and Privacy Officer is to serve as an expert resource within the University on issues related to access to information and privacy, including compliance with The Local Authority Freedom of Information and Protection of Privacy Act and privacy best practices. The Access and Privacy Officer is a key advisor within the University with respect to the administration of access to information and privacy legislation and exercises delegated decision-making authority with respect to access to information and privacy while providing specialized privacy information and expertise, advice and guidance to all University staff.

The Access and Privacy Officer raises awareness of access and privacy issues on a regular and proactive basis, develops and facilitates training programs and promotes and provides information and resources on access and privacy issues as needed via advocacy and general advice.

The Local Authority Freedom of Information and Protection of Privacy Act, as the name implies, relates to two separate, but interconnected, areas - access to information and protection of privacy.

Access to Information

The University is obligated to provide the public with access, subject to certain restrictions and limitations, to records that are in the custody or control of the University. A record is defined as a record of information in any form.

The role of the Access and Privacy Officer in this regard includes:

Protection of Privacy

In order to operate effectively and efficiently, the University collects personal information about its students, faculty and staff. The University is required to protect the privacy of these individuals by ensuring that their personal information is only used for appropriate purposes.

The role of the Access and Privacy Officer in this regard includes:

Back to top

News and Events

Right to Know

The purpose of Right to Know (RTK) Week is to raise awareness about people’s right to access government information while promoting freedom of information as essential to both democracy and good governance.      

The Canadian RTK Week takes place the last week of September.  See more at www.righttoknow.ca.

 Back to top

How to Make an Access to Information Request

As a publicly funded institution, the University of Saskatchewan is committed to accountability and accessibility.

Informal Requests

Many requests for information can be handled informally by simply contacting the appropriate department or college. You may be referred to the Access and Privacy Officer if the request cannot be handled by the respective college or department.

Publicly Available Information

In some cases, information is publicly available and a formal request for information is not required. Two common sources of information are the University of Saskatchewan Facts and Statistics and the University of Saskatchewan Reports.

The University of Saskatchewan Facts and Statistics contain data on students, alumni, courses, grading patterns, faculty and staff, finances, library holdings and space at the University of Saskatchewan.

The University of Saskatchewan Reports include annual reports and integrated plan reports and are a form of public reporting allowing the University to share its most current information, including its financial position and the implementation of the current integrated plan.

Formal Access to Information Requests

A formal Access to Information request may be made in Form A of The Local Authority Freedom of Informationand Protection of Privacy Regulations.

Once completed by the applicant, the form may be submitted to the Access and Privacy Officer in Corporate Administration (E290, Administration Building) with the appropriate application fee.

The Access and Privacy Officer may contact the applicant and require clarification of the request. Many applicants do not have detailed knowledge about the types of records the University maintains. The Access and Privacy Officer may be able to identify whether the request can be accommodated informally outside of the Act, whether the information sought is publicly available, or whether the request can be narrowed to certain key records to avoid unnecessary costs to the applicant.

Fees

A $20.00 application fee is required with an Access to Information request. Processing fees may also be charged. Fees are prescribed in the Regulations and include, for example, $0.25 per page for photocopying. If access is refused, no processing fees are payable. If processing costs are expected to exceed $50.00, the applicant will be provided with an estimate prior to proceeding.

Timelines

When an application is received by the University for access to a record, the University must give written notice to the applicant within 30 days stating whether access will be provided upon payment of any required fee, whether the record is published or will be published within 90 days, or whether access is denied.

If the record requested pertains to a third party or if an estimate of fees is required, this time limit may be suspended for a certain period of time while third parties are contacted or the applicant is advised of the fee estimate. There are also other limited circumstances where an extension may be permitted.

Denial of Access

Some records may be exempt or excluded from public release under the Act . For example, access to records obtained in confidence from other governments, records related to law enforcement investigations, records containing advice, proposals or recommendations developed by or for the University, or records containing certain third party information may be denied. Further, personal information of another individual will not be disclosed, except in accordance with the Regulations.

Should you be refused access to all or part of a record, you may request a review of the decision by the Saskatchewan Information and Privacy Commissioner. A request for review should be completed in Form B of the Regulations.

Back to top

Protection of Privacy

In order to operate effectively and efficiently, the University collects personal information about its students, faculty and staff. The University is committed to protecting the privacy of the personal information in the custody or control of the University.

Personal Information

Personal information is defined in the Act as, generally, personal information about an identifiable individual that is recorded in any form. It includes, for example:

Personal information does not include information that discloses:

Access to and Correction of Personal Information

The Act requires that the University ensure that personal information being used for an administrative purpose be as accurate and complete as reasonably possible.

The Act stipulates that, subject to certain restrictions, an individual whose personal information is contained in a record in the possession or under the control of the University has a right to access the record. Access is gained by making an Access to Information request, as described above, unless it is determined that it can be handled informally.

An individual who has been given access to a record that contains personal information about him or herself is entitled to request correction of the personal information if the individual believes that there is an error or omission in it.

Privacy Breach

If you are concerned that your privacy rights may have been breached, please contact the Access and Privacy Officer. The University will immediately take steps to investigate whether a breach of privacy has occurred and, if so, remedy the situation.

Personal Health Information Protection

In some limited circumstances, the University of Saskatchewan is a Trustee pursuant to The Health Information Protection Act with respect to certain personal health information. If you are a patient of or have received services from Student Health and Counselling Services or Academic Family Medicine, including West Winds, Regina Centre Crossing or Northern Medical Services, please contact your health care provider for information on the policies and procedures with respect to the protection of personal health information at their clinic.

Back to top

Frequently Asked Questions

What is a record?

The Act defines a record as information in any form and includes information that is written, photographed, recorded or stored in any manner, but does not include computer programs or other mechanisms that produce records.

Examples include: documents, letters, handwritten notes, papers, manuals, journal books, drawings, e-mails, etc.

The University is not compelled by the Act to create records responsive to a request; i.e. conduct research and answer questions you may have. We need only provide access to existing records.

What additional fees may be charged to me if I request and receive a record?

Fees are prescribed in section 5 of the Regulations. Some examples include:

What is considered "personal information"?

Personal information is defined in section 23 of the Act and includes:

What type of information can the University refuse to disclose?

The University may deny access to records obtained in confidence from other governments, records related to law enforcement investigations, records containing advice, proposals or recommendations developed by or for the University, or records containing certain third party information may be denied. Further, personal information of another individual will not be disclosed, except in accordance with the Regulations.

I would like current statistics that are not yet published.  Is the University required to disclose them?

If the statistics are readily available in a record and do not contain personal information, the information may be disclosed upon payment of any required fees. However, if the requested records do not exist, or require a new document or record to be created (i.e. a compilation of data), the request may be denied.

My family member asked me to pick up his or her transcript from Student Central.  Can I do this?

Transcripts cannot be provided to individuals, other than the student, without signed consent. Without a signed consent form from the student the University will not, except in exceptional circumstances, release any information about a student to a family member.

Can a family member obtain information about a student's application or registration status, or be informed if a student has withdrawn or been discontinued?

This information will not be provided without signed consent from the student.

An alumnus wishes to contact old classmates.  Can I share alumni’s personal e-mail addresses or other contact information with other alumni?

Generally, no.

A student wants the e-mail addresses or other contact information of students in their course work group; can I share this with them?

Not without the consent of the other students.

I would like photographs of the students in my class so I can get to know them better. Does the Card Office have students’ photographs?

Yes, the Card Office does have students’ photographs, but at this time the University has not made the policy decision to use these photographs for this purpose.

Can I post grade lists outside of the classroom?

You may post grades by student number only. You may not post student names and/or NSIDs.

I would like the University to participate in a survey. Does the Access and Privacy Officer handle these requests?

No.  Because surveys involve the creation of a record, rather than access to an existing record, they are not handled by the Access and Privacy Officer. Survey requests for students, employees or financial data from external agencies may be directed to specific colleges or departments, Institutional Planning and Assessment or Information Strategy and Analytics.

Back to top

Tips, Tricks and Best Practices

Safeguards for personal information include administrative safeguards (i.e. policies and procedures), physical safeguards (i.e. locked doors and cabinets) and technical safeguards (i.e. passwords and encryption).

Fax and e-mail best practices

-       Pre-program commonly used fax numbers and check these numbers regularly to ensure accuracy.

-       Confirm fax number or e-mail address with recipient before sending personal information.

-       Carefully check fax number or e-mail address before hitting ‘send’, especially with automatically populated e-mail addresses.

-       Use a fax cover sheet clearly identifying the sender, contact information for the sender, the intended recipient, recipient’s fax number
        and total number of pages sent and include a confidentiality clause.

-       Include a confidentiality clause in your automatic signature in your e-mail.

-       Check the fax confirmation report to ensure it went to the right place and all pages were transmitted and received.

-       Ask for read receipts on your e-mails.

-       Fax or e-mail as little personal information as necessary.

-       Fax machines and printers should be physically located in an area of the office that prevents unauthorized individuals from viewing or
        retrieving faxes and printed e-mails.

-       Ensure that your fax machine, photocopier and computer hard drives are disposed of properly.

More information can be found here

Mobile device best practices

-       Limit the amount of personal information on the device

-       Mobile devices must be password protected at a bare minimum

-       Multi-layer authentication is preferred

-       Encrypt the data on the device

-       Physically secure your device – do not leave it in the car or unattended in public places

-       Maintain the integrity and security by updating software on a regular basis

-       Use secure wireless connections

-       Wipe data before disposing of the device and enable remote wiping in case of loss or theft

More information can be found here [http://www.oipc.sk.ca/Resources/Helpful%20Tips%20-%20Best%20Practices%20-%20Mobile%20Device%20Security%20-%20March%202011.pdf]

 Back to top

Training

The Access and Privacy Officer is responsible for raising awareness of access to information and privacy matters and developing and facilitating training. If you are faculty or staff and would like to receive training, or would like your unit to receive training, please contact the Access and Privacy Officer.

If you are interested in learning on your own, be sure to look at the Office of the Information and Privacy Commissioner of Saskatchewan website [http://www.oipc.sk.ca] and the Saskatchewan Justice Access and Privacy Branch website [http://www.justice.gov.sk.ca/accessandprivacy]. The Access and Privacy Branch offers an online training course [http://www.justice.gov.sk.ca/privacyLAC].

 Back to top

Documents and Resources

Legislation and Regulations

The Local Authority Freedom of Information and Protection of Privacy Act 

The Local Authority Freedom of Information and Protection of Privacy Regulations

Forms

Access to Information Request Form

Request for Review 

Links

The Saskatchewan Office of the Information and Privacy Commissioner

The University of Saskatchewan Freedom of Information and Privacy Policy 

 Back to top

Contact

Rayelle Johnston, B.A., LL.B.
Access and Privacy Officer
E288 - 105 Administration Place
Saskatoon, SK  S7N 5A2
P: (306) 966-8596
F: (306) 966-8676
E-mail: rayelle.johnston@usask.ca