The following forms and procedures are provided by Carleton’s Privacy Office for use by Administrative and Academic Units to help ensure Carleton’s compliance with privacy legislation.

Collection, Use and Disclosure of Personal Information

The collection, use and disclosure of Personal Information  by Carleton University must be undertaken in compliance with Ontario’s FIPPA legislation.

Notice of Collection (Student Registration)

Freedom of Information and Protection of Privacy legislation stipulates that no person shall collect Personal Information on behalf of an institution unless that collection is authorized by statute or necessary in the proper administration of a lawful activity. Carleton University collects Personal Information from students for use in the administrative activities of the university under the authority of the Carleton University Act (1952) and the use of collection notices on all Carleton forms make this clear. The Notice of Collection (Student Registration) contains more information about how this information will be used.

Notice of Collection (General)

Frequently academic units collect Personal Information from students for a variety of purposes. This Notice of Collection (General) can be added to any form used to collect Personal Information by an academic unit and can be customized with the name and contact information of a direct contact within the faculty or department, usually the Departmental FIPPA Representative.

Disclosing Personal Information to Third Parties

In most cases FIPPA does not allow the disclosure of Personal Information without the consent of the individual involved. Occasionally, however, individuals wish the disclosure of their Personal Information to a Third Party. This may include for an employment or academic reference or to release information regarding tuition fee balances. The Third Party Authorization form should be used to grant permission in such cases.

Consent to Use or Publish

The use of student, faculty or a staff member’s work, testimonials, images and other materials for promotional or other purposes requires the consent of the student, faculty or staff member. In some cases where the student, faculty or staff member submits items for publication or use, consent is implied. Generally, however, it is best to obtain explicit consent by asking the student, faculty or staff member to sign a consent form. The Consent to Publish Information form can be used in most cases. For more information or for help in drafting consent forms for specific purposes, please contact Carleton’s Privacy Office.

Guidelines for the Processing of Photographs, Video and Audio Recordings

Guidelines for the taking and use of photographs and video and audio recordings by Carleton staff and faculty for institutional use are under development and will appear here shortly.  In the meantime, please contact the Privacy Office for advice and recommendations concerning the handling of photographs, video and audio recording.

Access to Information

FIPPA states that, unless certain exemptions apply, every person has a right of access to a record or a part of a record in the custody or under the control of an institution. Further, unless certain exemptions apply, every individual has a right of access to their own Personal Information in the custody or under the control of an institution. Additionally, unless certain exemptions apply, every individual who is given access to their own Personal Information is entitled to request correction where they believe there is an error or omission or indicate disagreement where a correction was requested but not made. Requests for Access or Correction This form has three options from which the applicant may select the most appropriate:

Access to Information Request Form

  • general request for information;
  • request for access to one’s own Personal Information and;
  • correction to one’s own Personal Information.

Forward the completed form with the required application fee to Carleton’s Privacy Office.

Protection of Privacy

Faculty and staff are encouraged to treat the Personal Information of every member of the Carleton community with sensitivity and due diligence for the protection of privacy.


Electronic communication that contains Personal Information such as grades and other evaluative material (i.e. references) should only be undertaken via official Carleton email systems. This includes Network and Connect Accounts, the domain, Carleton Complete and electronic teaching systems such as WebCT.

E-mail Notification for Non-Carleton Correspondence Students, staff and faculty are required to use Carleton email systems when communicating with the university. This response may be used to explain this policy when replying to email communication sent from non-enterprise systems. Directions as to where one can activate a Carleton account for students, staff, or faculty are included in this notice.

General E-mail Notification for Carleton Correspondence This notice should be attached to any email sent to or from a Carleton enterprise email system.

Taking Minutes

Minutes are considered to be a “record” under FIPPA and should contain certain pieces of information in order to make them as clear as possible, and compliant under the standards of the Act. “Minute Taking Tips” outlines the necessary pieces of information required for minutes to provide a clear record of a meeting. The procedures also provide guidance as to what information should be excluded from formal minutes in order to protect the privacy of those in attendance at the meetings. Minutes (unless containing excerpted material) are accessible with a freedom of information request and should strive to provide as much clarity as possible while respecting the privacy rights of the participants.

Privacy Breaches

A ‘privacy breach’ is an incident involving the unauthorized disclosure of Personal Information in the custody or control of Carleton. This would include Personal Information being lost, stolen, or accessed by unauthorized persons. The “Privacy Breach Incident Plan” outlines the best practices for responding to a privacy breach in four simple steps. The “Privacy Breach Reporting Form” must be filled out whenever a privacy breach has been identified. The details you provide on this form will enable Carleton’s Privacy Officer to produce a formal report, should one be required, for Ontario’s Office of the Information and Privacy Commissioner. Once the form is completed, it must be sent back to the Privacy Office (details are provided on the form).

Sharing Personal Information with Non-Carleton Service Providers

When undertaking outside (third-party) services that require the use of Personal Information in Carleton’s custody, proper use and care of this information must be assured. Standards for retention, collection, use, storage, disposal, etc. should be outlined in the contract and bind the contractor to the terms laid out which are in line with provisions under FIPPA. Please contact the Privacy Office for assistance with drafting 3rd party privacy agreements.