When you receive a verbal request for information:
- Ask what information the person needs – narrow the scope of the request.
- Assist the individual as much as possible by explaining which records exist, which don’t, and which are routinely available.
- Refer the individual to the FOIPOP Administrator if the request is for records that contain confidential or personal information.
- Refer verbal requests from the media to the Director of Marketing and Communication.
- Don’t treat a verbal request as a FOIPOP request – only requests in writing are handled under the Act.
- Don’t refuse to provide access without an explanation or without advising the individual to put the request in writing and how to submit it.
When you receive a request for information in writing:
- Forward the written request to the FOIPOP Administrator.
- Work with the FOIPOP Administrator to determine if the request can be responded to routinely.
- Work with the FOIPOP Administrator to assemble the requested records and provide assistance throughout the application and response process.
- Don’t ignore the request or try to handle it through another University process that makes no provision for production of records.
- Don’t refuse to provide access without an explanation or without referring the individual appropriately.
- Don’t disclose records that contain confidential or personal information.
When you collect personal information:
- Collect only that personal information required to administer and operate a University program or service.
- Use an appropriate method of collection – in most cases get the information directly from the person it is about.
- Ensure that a proper collection notice is printed on the form or included in the letter used to collect the information.
- Don’t collect information that you don’t need.
When you create a University record:
- Create records with access in mind – assume someone will ask to see it.
- Create files with access in mind:
  - One case – one file.
  - Eliminate copies.
  - Use consistent filing practices.
- Follow the CBU Records Retention Schedule.
- Don’t create a record with the expectation of complete and absolute secrecy.
- Don’t inter-file confidential records with ones that are not confidential.
When keeping records:
- Follow the Records Retention Schedule if one exists for the record.
- Retain records used to make a decision about an individual for a minimum of one year.
- Retain complete, accurate and reliable records of evidence.
- Don’t destroy records unless authorized under the Records Retention Schedule or without checking with the FOIPOP Administrator.
When you conduct a review, inquiry or investigation:
- Provide participants with a clear statement of confidentiality.
- Require that all materials and evidence be supplied in confidence.
- Write the report with access in mind:
  - Make it anonymous whenever possible.
  - Keep confidential and non-confidential material separate.
- Don’t write down subjective comments unless you are prepared to have them read.
- Don’t reveal personal details about individuals’ private lives unless absolutely necessary to support findings and recommendations.
- Don’t make audio or videotapes of interviews or hearings unless necessary.
When designing a new electronic record-keeping system:
- Remember to plan and implement reasonable security measures to protect personal information. A Privacy Impact Assessment is recommended.
- Establish authorized logon IDs for access to a local network.
- Password-protect access to your desktop computer, local network, each database and automated system.
- Don’t assume that the software you are using has built-in security features.
- Don’t leave your system vulnerable to attack.