The following forms, resources and procedures are provided by the Privacy Office for use by Administrative and Academic Units to help ensure Carleton’s compliance with privacy legislation.
Collection, Use and Disclosure of Personal Information
The collection, storage, utilisation, and dissemination of Personal Information concerning members of the Carleton community is only undertaken as part of ongoing efforts by the University to ensure decision making practices are based on accurate information. The university also ensures that the information gathered for one purpose is not being used inappropriately for another, and that the privacy of an individual is not compromised by disclosure of personal information to third parties without the proper approvals.
Activity-specific Privacy Notices
Frequently academic and administrative units collect Personal Information from individuals for a variety of purposes that are not accounted for in the general privacy notice. This privacy notice template can be added to any form used to collect Personal Information and can be customized with the name and contact information of a direct contact within the faculty or department, usually the Departmental FIPPA Representative. If you require assistance determining the purpose of collection, please contact the Privacy Office.
Disclosing Personal Information to Third Parties
In most cases FIPPA does not allow the disclosure of Personal Information without the consent of the individual involved. Occasionally, however, individuals may require the disclosure of their Personal Information to a Third Party. This may include for an employment or academic reference or to release information regarding tuition fee balances. You can complete a Third Party Release Authorization in your Carleton360 portal, or you can use the following Third Party Authorization form.
Consent to Use or Publish Personal Information
The use of student, faculty or a staff member’s work, testimonials, images and other materials for promotional or other purposes requires the consent of the student, faculty or staff member. In cases where the student, faculty or staff member submits items for publication or use, consent is implied. However, asking the student, faculty or staff member to provide express consent is ideal. The Consent to Publish Information form can be used in most cases. For more information or for help in drafting consent forms for specific purposes, please contact the Privacy Office.
Photographs, Video and Audio Recordings
We are continuously developing tools and resources to assist the campus community with the collection and use of photographs, audio and video recordings. These guidelines are being drafted based on consultations with different units on campus. Annoucements will be made as soon as they become available.
In an effort to address notification requirements for various events held in our community, we recommend using a Poster Notice. This template is easy to use and is adaptable for a variety of purposes. If you need assistance with the development of the poster, or would like to amend the core text, please contact the Privacy Office.
Protection of Privacy
Faculty and staff are encouraged to treat the Personal Information of every member of the Carleton community with sensitivity and due diligence for the protection of privacy.
Electronic communication that contains Personal Information such as grades and other evaluative material (i.e. references) should only be undertaken via official Carleton email systems. This includes CUNET, CMAIL, the alumni.carleton.ca domain and electronic teaching systems such as Brightspace.
E-mail Notification for Non-Carleton Correspondence Students, staff and faculty are required to use Carleton email systems when communicating with the university. This response may be used to explain this policy when replying to email communication sent from non-enterprise systems. Directions as to where one can activate a Carleton account for students, staff, or faculty are included in this notice.
General E-mail Notification for Carleton Correspondence This notice should be attached to any email sent from a Carleton enterprise email system.
Minutes are considered to be a “record” under FIPPA and should contain certain pieces of information in order to make them as clear as possible, and compliant under the standards of the Act. “Minute Taking Tips” outlines the necessary pieces of information required for minutes to provide a clear record of a meeting. The procedures also provide guidance as to what information should be excluded from formal minutes in order to protect the privacy of those in attendance at the meetings. Minutes (unless containing excerpted material) are accessible with a freedom of information request and should strive to provide as much clarity as possible while respecting the privacy rights of the participants.
A ‘privacy breach’ is an incident involving the unauthorized disclosure of Personal Information in the custody or control of Carleton. This would include Personal Information being lost, stolen, or accessed by unauthorized persons. The “Privacy Breach Incident Plan” outlines the best practices for responding to a privacy breach in four simple steps. The “Privacy Breach Reporting Form” must be filled out whenever a privacy breach has been identified. The details you provide on this form will enable Carleton’s Privacy Officer to produce a formal report, should one be required, for Ontario’s Office of the Information and Privacy Commissioner. Once the form is completed, it must be sent back to the Privacy Office (details are provided on the form).
Sharing Personal Information with Non-Carleton Service Providers
When undertaking outside (third-party) services that require the use of Personal Information in Carleton’s custody, proper use and care of this information must be assured. Standards for retention, collection, use, storage, disposal, etc. should be outlined in the contract and bind the contractor to the terms laid out which are in line with provisions under FIPPA. Please contact the Privacy Office for assistance with drafting Data Protection Agreements.