Personal Information
Personal Information
How Your Personal Information is Handled at UBC
How your data is collected
No doubt you’re accustomed to being asked for your consent to the collection of your personal information. That’s because the private-sector privacy laws that cover businesses and other private organizations are based on consent. Under these laws, organizations have to publish a privacy policy that explains how they use and disclose personal information. They are required to give individuals the opportunity to consent to the collection of this information. Not only that, but they must allow individuals to withdraw their consent at any time.
So why doesn’t UBC ask for your consent before collecting your information? Because UBC is a public body, not a private entity, and the public sector privacy law (the Freedom of Information and Protection of Privacy Act, or FIPPA) allows public bodies to collect personal information without consent.
When you think about it, it makes sense that public bodies do not have to ask for your consent. They are legally required to provide public services and to do so, they sometimes need to collect personal information from the public.
Rules around the collection of personal information
While UBC doesn’t need to ask for your consent to collect your personal information, FIPPA contains strict rules around how such information is collected:
- The personal information must directly relate to and be necessary for a program or activity of the public body.
- No more information should be collected than necessary.
- The information should be collected directly from you, not from a third party.
- The public body must tell you its legal authority to collect the information, how the information will be used, and the contact information for somebody who can answer your questions about the collection.
How your data is disclosed
Can UBC employees disclose personal information to other employees? How about a student’s parents? Or the police?
Under the privacy law that governs UBC (Freedom of Information and Protection of Privacy Act, or FIPPA) there are detailed rules governing when we are allowed to disclose personal information. Disclosing personal information without authority is a serious matter. The really important thing for you to remember is that disclosure inside UBC is authorized on a “need to know” basis whereas disclosure outside UBC is only authorized in rare circumstances.
Disclosure inside UBC
UBC faculty and staff are authorized to share personal information if they have a 'need' to know this information. It’s not enough for them to be curious; they only have a right to see the information if it is necessary to do their job.
Disclosure outside UBC
Disclosure outside UBC is much more tightly controlled than disclosure inside the organization. Personal information may only be disclosed to people outside UBC in exceptional circumstances. For example:
- With the consent of the individual, the information is about
- Court orders
- Law enforcement investigations
- Health or safety reasons
If you are a UBC employee who has been asked to disclose personal information outside UBC, please ensure that you have the authority to do so. If you have any questions about this, you should email access.and.privacy@ubc.ca.
In an emergency, keep in mind that safety always trumps privacy. Faculty and staff have an obligation to disclose personal information to the extent necessary to prevent harm to people’s health or safety.
How your data is used
The privacy law that governs UBC (Freedom of Information and Protection of Privacy Act, or FIPPA) contains strict rules around how personal information may be used. After all, public bodies collect large amounts of personal information about citizens, so it makes sense for the law to place restrictions on how this information is used.
Under FIPPA your personal information may normally only be used for the purpose for which the information was obtained or compiled, or for a use consistent with that purpose. This is called the “consistent use” principle. For example, if you get a checkup at the medical clinic on campus, personal information will be collected from you for health purposes. It would not be permissible for UBC to use that information for, say, fundraising or disciplinary purposes because that use would be inconsistent with the original purpose.
There are some exceptions to the above rule. For example, we could ask you for your consent to use the personal information for another purpose. However, we will only do this in rare situations.
The restrictions on the use of information have a further benefit: they tend to discourage public bodies from placing all personal information in a central repository or file. For example, UBC does not have a giant database where it stores all the personal information it has ever collected. While keeping data in a central location might be more efficient, it would not be acceptable from a privacy standpoint because it would allow us to use the information without regard for its purpose for the collection. Keeping personal information in many different repositories ensures it is only used for authorized purposes, and also helps to keep it secure and confidential.
How your data is retained
UBC employees destroy records all the time. They shred notes, delete draft documents, and clean out their email inboxes when they run out of space. Have you ever wondered how UBC decides how long to keep all of these records and data?
FIPPA requirements
The privacy law that governs UBC (Freedom of Information and Protection of Privacy Act, or FIPPA) requires public bodies to keep personal information for at least a year after they use it to make a decision that affects an individual. For example, after UBC completes a hiring process, we have to keep all of the resumes and cover letters for at least a year because we have used them to make a decision about who to hire. If you were one of the applicants you have a right to see all of the information we had about you that we used to make our hiring decision.
Retention schedules
UBC has published records retention schedules under its Records Management Policy. These schedules set out how long we have to keep different types of records. While most of these schedules are still in draft form, Records Management is working hard to finalize them in the coming year.
Therefore, if you ever need to know how long data is retained, you simply need to check the retention schedules. Each type of record has a retention period, which ranges from a few days to many years. Some records have permanent retention, which means that these records are transferred to the Archives.
There is a special retention schedule for transitory records, which are records or data of temporary usefulness. Transitory records should be destroyed when they are no longer required for operational purposes. Many of the records UBC employees produce, including routine emails and draft documents, are transitory records and can be destroyed after a few days or weeks.
Go even further...
For a much more in-depth look at how your personal data is handled at UBC, you can:
Learn more about the retention of personal information by UBCLearn more about Disclosing Personal Information for Health and Safety Reasons [PDF]
Learn more about the collection of personal information by UBC [PDF]
Read more about the Freedom of Information and Protection of Privacy Act (FIPPA)