Effective Date
Approved by the Board of Governors, June 14, 2024.

1. Purpose

Bishop’s University (the “University”) recognizes the importance of privacy and is committed to protecting the Personal Information it collects and processes as part of its day-to-day operations.

The purpose of this Policy is to inform Members of the University Community of the University’s obligations with respect to the protection of Personal Information that is collected and held by the University as well as the rights of Concerned Individuals with respect to their Personal Information.

This Policy:

  1. sets out the principles and legal obligations governing the protection of Personal Information throughout its lifecycle, from its collection, use, communication and retention to its destruction or anonymization (collectively “Processing”);
  2. defines the roles and responsibilities of persons involved in the protection of Personal Information; and
  3. defines the rights of Concerned Individuals with respect to the University’s use of their Personal Information.

This Policy also complies with the Access Act, which establishes the legal framework for the protection of Personal Information held by public bodies.

2. Scope

This Policy applies to all Authorized Persons with regard to Personal Information (as defined below) held by the University.

3. Definitions

For the purposes of this Policy, the following definitions apply:

“Access Act” means the Act respecting Access to documents held by public bodies and the Protection of personal information, chapter A-2.1.

“Authorized Person” means a person that requires access to Personal Information in order to perform their role/contract with(in) the University.

“Commission” means the Commission d’accès à l’information du Québec.

“Committee” means the Committee on Access to Information and the Protection of Personal Information, as set out in this Policy, responsible for supporting the University in carrying out its responsibilities and obligations under the Access Act.

“Concerned Individual” means a natural person to whom Personal Information relates (i.e., anyone from whom the University collects Personal Information).

“Confidentiality Incident(s)” means any unauthorized access to, use of, or disclosure of Personal Information, or any loss or breach of the security of such information.

“Confidentiality Incident Register” means the register constituted to record Confidentiality Incidents.

“Confidentiality Incident Response Plan” means the University’s procedure for responding to Confidentiality Incidents.

“Department” means any University department, service, unit or office that collects Personal Information.

“Department Leader” means the person in charge of a department, for example the Manager, Director or Dean.

“Members of the University Community” means faculty, staff, students, researchers, contractors, consultants, agents, volunteers or other persons associated with the University by appointment, employment, contract, or agreement.

“Personal Information” means any information (whether it is held in paper, electronic or any other medium) about an individual, which allows an individual to be directly or indirectly identified, including Sensitive Personal Information (as defined below).

“Personal Information Lifecycle” means all the steps involved in the processing of Personal Information (e.g., its collection, use, communication, storage/retention and destruction or anonymization, as the case may be).

“Privacy Impact Assessment” means an evaluation conducted in accordance with the requirements of the Access Act of the impact that projects involving the processing of Personal Information have on privacy, the identification of associated risks, and the recommendation of mitigation measures where required.

“Privacy Notice” means a document(s), available on the University websites, which can be consulted by individuals, including applicants, employment candidates and website visitors, which sets out the way the University collects and uses Personal Information.

“Privacy Officer” means the individual designated to be responsible for the application of the Access Act within the University.

“Retention Schedule” means the Bishop’s University Records Retention Schedule (BURRS).

“Sensitive Personal Information” means any Personal Information which, due to its highly personal nature, and/or the context of its use or communication, requires a higher level of confidentiality.

“Serious Injury” means an act or event likely to cause harm to a Concerned Individual or their property, and to prejudice such individual’s interests in a significant way.

4. Policy

4.1 Guiding Principles

4.1.1 The University is responsible for Personal Information that is under its control, including Personal Information that is entrusted to third parties. A Privacy Officer has been appointed and ensures that the Policy is applied and that the University complies with the Access Act and associated legislation when it comes to the Protection of Personal Information.

4.1.2 All Authorized Persons must protect Personal Information throughout its lifecycle in accordance with this Policy, except as otherwise provided by the law.

4.2 Collection of Personal Information

4.2.1 The University only collects Personal Information that is necessary for the fulfillment of its mission and activities.

4.2.2 Personal Information is collected from Concerned Individuals based on express, clear, free and informed consent given for specific purposes. Such consent is valid for the time necessary to fulfill the purposes for which it was requested.

4.2.3 At the time of collection and subsequently upon request, the University informs Concerned Individuals of the purposes and methods of collecting and processing their Personal Information as well as their rights with respect to such information.

4.2.4 When collecting Personal Information through technological means which include adjustable privacy settings, the University ensures that those settings provide the highest level of privacy by default, without any intervention by the Concerned Individual.

4.2.5 While the University usually collects Personal Information directly from the Concerned Individuals, it may at times collect Personal Information from third parties (e.g., other academic institutions, government bodies, etc.). In such cases, the University ensures that the transfer from the third party is compliant with this Policy and the Access Act.

4.2.6 The University does not collect Personal Information from a minor aged less than 14 years without the consent of the person having parental authority or of the tutor, except where authorized by law.

4.2.7 If the University collects Personal Information by technological means which include functions allowing for the identification, geolocation or profiling of Concerned Individuals, the University:

  1. discloses the use of such technology; and
  2. ensures that the functions allowing for the identification, geolocation or profiling of Concerned Individuals are disabled by default.

4.3 Use of Personal Information within Bishop’s University

4.3.1 The University only uses Personal Information for the purposes for which it was collected, and/or to the extent provided by law unless the Concerned Individual has consented to other uses. Such consent must be given expressly when it concerns Sensitive Personal Information.

4.3.2 The University manages the access rights of Authorized Persons to Personal Information so that only those who require access to Personal Information in the course of their duties have such access.

4.4 Storage, Retention and Disposal

4.4.1 The University is responsible for protecting the Personal Information it holds.

4.4.2 The University takes all reasonable steps to establish that the Personal Information it holds is current, accurate and complete for the purposes for which it is collected or used.

4.4.3 The University retains Personal Information for as long as necessary for the purpose for which it was collected and for the retention periods required by law.

4.4.4 The University disposes of Personal Information in accordance with the Retention Schedule and applicable laws when it is no longer required to fulfill the purposes for which it was collected, or once the retention period is reached. The University ensures that Personal Information is disposed of (destroyed or anonymized) according to defined procedures and processes.

4.5 Communication of Personal Information to Third Parties

4.5.1 As a general principle, the University does not communicate Personal Information to Third Parties without the consent of Concerned Individuals unless the Access Act requires or permits it, e.g.,

  1. for legal or identification purposes;
  2. in order to ensure protection of people during an emergency situation;
  3. for the exercise of a mandate or the execution of a service or business contract;
  4. to apply a collective agreement, order, directive or regulation establishing conditions of employment;
  5. for study or research purposes;
  6. for the production of statistics; or
  7. to a public organization or a government agency for the exercise of the attributions of this organization, the implementation of a program or the provision of a service.

4.5.2 When required by law, the University ensures that Third Parties are bound by a written agreement that includes the contractual safeguards required to protect the Personal Information entrusted to them.

4.5.3 Prior to communicating Personal Information outside the Province of Quebec, the University conducts a Privacy Impact Assessment and puts in place appropriate security safeguards, including a written agreement with the Third Party.

4.5.4 Prior to communicating Personal Information without the consent of Concerned Individuals for study or research purposes, or for the production of statistics, the University conducts a Privacy Impact Assessment and will only allow the communication if:

  1. the objective of the study or research or of the production of statistics can be achieved only if the information is released in a form allowing Concerned Individuals to be identified;
  2. it is unreasonable to require the University to obtain the consent of the Concerned Individuals;
  3. the objective of the study or research or of the production of statistics outweighs, with regard to the public interest, the impact of releasing and using the information on the privacy of the Concerned Individuals; and
  4. the Personal Information is used in such a manner as to ensure confidentiality.

4.5.5 Any communication of Personal Information by the University to Third Parties must contain only the Personal Information necessary to achieve specific purposes determined prior to this communication.

4.6 Privacy Impact Assessments

4.6.1 The University conducts Privacy Impact Assessments as required to:

  1. assess the risks associated with processing Personal Information;
  2. deploy proper security safeguards to protect Personal Information; and
  3. comply with the University’s obligations pursuant to the Access Act.

4.6.2 The University conducts Privacy Impact Assessments when required, including prior to:

  1. Acquiring, developing or overhauling an information system or electronic service delivery system involving the processing of Personal Information;
  2. Communicating Personal Information outside Quebec or entrusting a Third Party outside Quebec with the task of processing Personal Information; or
  3. Communicating Personal Information to a Third Party wishing to use the information for study or research purposes or for the production of statistics without the consent of Concerned Individuals.

4.7 Security Measures for Protecting Personal Information

4.7.1 The University implements appropriate physical, technical, and administrative security measures to protect Personal Information from unauthorized access, disclosure, loss or theft. These measures are commensurate with the sensitivity of the information, the purpose for which it is collected, its quantity, its location and the medium it is preserved on.

4.7.2 Authorized Persons are offered awareness training as required so they understand the significance of data privacy and how to handle Personal Information securely.

4.8 Proper Documentation

4.8.1 As required by law, the University takes measures to properly document:

  1. Its Personal Information files;
  2. Consent by Concerned Individuals to collect and use their Personal Information;
  3. Privacy Impact Assessments;
  4. Communications of Personal Information to third parties pursuant to an exception to consent;
  5. Concerned Individuals’ rights requests;
  6. Confidentiality Incidents; and
  7. Third party risk assessments.

4.9 Confidentiality Incidents

4.9.1 Suspected Confidentiality Incidents must be reported to the Privacy Officer.

4.9.2 Confidentiality Incidents are addressed in accordance with the law and the University’s Confidentiality Incident Response Plan.

4.9.3 If it is determined that a Confidentiality Incident presents a risk of Serious Injury to Concerned Individuals, the University notifies both the Concerned Individuals and the Commission.

4.10 Rights of Concerned Individuals

4.10.1 Concerned Individuals have the following rights pertaining to their Personal Information held by the University.

  1. Subject to exceptions prescribed by law, the University provides Concerned Individuals the right to access their Personal Information, verify its accuracy, and request that any errors be corrected in compliance with the Access Act.
  2. Concerned Individuals have the right to withdraw their consent to use and communicate Personal Information disclosed to the University that is not mandatory, i.e., not essential for the provision of the service for which it was collected.
  3. In situations where the University uses Personal Information to render a decision based solely on the automated processing of such information, Concerned Individuals are notified accordingly, not later than at the time it informs the person of the decision. In such situations, and upon request, Concerned Individuals have the right to know the reasons, the principal factors and parameters that led to the decision as well as the right to have any error in the Personal Information used to render the decision corrected.
  4. Upon request, the University provides a Concerned Individual with a copy of Personal Information collected from them. At their request, computerized Personal Information collected from the Concerned Individual will be communicated to them in a structured, commonly used technological format, unless doing so raises serious practical difficulties.
  5. Concerned Individuals may ask questions and raise concerns about their Personal Information. They may also file a complaint regarding non-compliance with the principles set out in this Policy. Any questions, concerns or complaints are directed to the Privacy Officer.

5. Governance Roles and Responsibilities

5.1 Privacy Officer

5.1.1 The Secretary General acts as the University’s Privacy Officer, responsible for the application of this Policy, monitoring internal compliance and advising on the University’s privacy obligations.

5.2 Committee on Access to Information and the Protection of Personal Information

5.2.1 The Committee is responsible for supporting the University in carrying out its responsibilities and obligations under the Access Act.

5.3 Senior Administrators or their Designates

5.3.1 Senior administrators or their designates are responsible for ensuring that the processing of Personal Information in their organizational areas conforms to this Policy and applicable legislation.

5.4 Authorized Persons

5.4.1 All Authorized Persons must comply with this Policy and the requirements of the Access Act.

5.4.2 Specifically, Authorized Persons must:

  1. only use Personal Information for the purposes for which it was collected;
  2. collect and use only minimally required Personal Information and only retain it for as long as is strictly necessary;
  3. keep Personal Information up-to-date (where possible and relevant);
  4. keep Personal Information secure, in accordance with University standards, procedures and guidelines;
  5. take additional care when processing Sensitive Personal Information;
  6. not disclose Personal Information to unauthorized persons, whether inside or outside the University, unless required by law;
  7. complete relevant training as required;
  8. report promptly any suspected or actual Confidentiality Incident to their Department Leader or the Privacy Officer; and
  9. seek advice from their Department Leader or the Privacy Officer if they are unsure how to comply with this Policy or the Access Act.

6. Point of Contact

6.1 The responsibility for protecting personal information and for access to information rests with the Secretary-General. The Secretary-General is the University’s Privacy Officer as well as the person responsible for access under the Act. Questions and/or complaints about the use of Personal Information can be directed to secretary.general@ubishops.ca.

7. Policy Compliance

7.1 Any breach of this Policy must be reported immediately in writing to the Privacy Officer. Any breach of this Policy may constitute a violation of the University’s legal or contractual obligations and may result in disciplinary action, legal recourse or termination of agreement with a third party or subcontractor.

8. Changes To This Policy

8.1 This Policy may be updated periodically to comply with changes to the Access Act or to improve the University’s privacy practices.

8.2 The Privacy Officer has overall responsibility for implementing and recommending amendments to this Policy.