Administration of Rights

Do

  • Ask what information the person needs – narrow the scope of the request.
  • Assist the individual as much as possible by explaining what records exist, which don’t exist and which are routinely available.
  • Refer the individual to the Privacy Officer if the request is for records that contain confidential or personal information.
  • Refer verbal requests from the media to the Director of Strategic Communications.

Don’t

  • Don’t treat a verbal request as a FOIPOP request – only requests in writing are handled under the Act.
  • Don’t refuse to provide access without an explanation or without advising the individual to put the request in writing and how to submit it.

Do

  • Forward the written request to the Privacy Officer.
  • Work with the Privacy Officer to determine if the request can be responded to routinely.
  • Work with the Privacy Officer to assemble the records requested and provide assistance throughout the application and response process.

Don’t

  • Don’t ignore the request or try to handle it through another University process that makes no provision for production of records.
  • Don’t refuse to provide access without an explanation or without referring the individual appropriately.
  • Don’t disclose records that contain confidential or personal information.

Do

  • Collect only that personal information required to administer and operate a University program or service.
  • Use an appropriate method of collection – in most cases get the information directly from the person it is about.
  • Ensure that a proper collection notice is printed on the form or included in the letter used to collect the information.

Don’t

  • Don’t collect information that you don’t need.

Do

  • Create records with access in mind – assume someone will ask to see them.
  • Create files with access in mind:
    • One case – one file.
    • Eliminate copies.
    • Use consistent filing practices.
  • Follow the CBU Records Retention Schedule.

Don’t

  • Don’t create a record with the expectation of complete and absolute secrecy.
  • Don’t inter-file confidential records with ones that are not confidential.

Do

  • Follow the Records Retention Schedule if one exists for the record.
  • Retain records used to make a decision about an individual for a minimum of one year.
  • Retain complete, accurate and reliable records of evidence.

Don’t

  • Don’t destroy records unless authorized under the Records Retention Schedule or without checking with the Privacy Officer.

Do

  • Provide participants with a clear statement of confidentiality.
  • Require that all materials and evidence be supplied in confidence.
  • Write the report with access in mind:
    • Make it anonymous whenever possible.
    • Keep confidential and non-confidential material separate.

Don’t

  • Don’t write down subjective comments unless you are prepared to have them read.
  • Don’t reveal personal details about individuals’ private lives unless absolutely necessary to support findings and recommendations.
  • Don’t make audio or videotapes of interviews or hearings unless necessary.

Do

  • Remember to plan and implement reasonable security measures to protect personal information. A Privacy Impact Assessment is recommended.
  • Establish authorized logon IDs for access to a local network.
  • Password-protect access to your desktop computer, local network, each database and automated system.

Don’t

  • Don’t assume that the software you are using has built-in security features.
  • Don’t leave your system vulnerable to attack.