Records Management and Privacy Office


Frequently Asked Questions

These FAQs address the most common questions on access, privacy and records management answered by the Office. They are not intended to reflect all the detailed requirements of applicable privacy legislation. If your question is not answered here, please contact us.

FIPPA

What is FIPPA?

FIPPA is the Freedom of Information and Protection of Privacy Act. Its purpose is to make public bodies more accountable and to protect personal privacy. The purposes of the Act are achieved by:

  • Giving the public a right of access to University records
  • Giving individuals a right of access to personal information about them
  • Giving individuals a right to request the correction of personal information about them
  • Ensuring appropriate collection, use and disclosure of personal information
  • Providing an independent review of decisions made under the Act

Access to Information

What can people access under the Act?

Any "record" in the custody or under the control of the University

This does NOT include records excluded from the scope of the Act:

  • Proposed or conducted research
  • Teaching materials
  • Employment or labour relations matters
  • Private donations to the University Archives

What is a record?

  • Any piece of recorded information, however it is recorded (printed, electronic, on film, etc.)
  • Your personal emails or voicemails are not University records; however, emails or voicemails (if saved) relating to university matters are University records and subject to the Act

Are there any restrictions on what people can access? 

There are certain mandatory and discretionary exemptions that govern the University’s response to an access request. They include, but are not limited to:

  • Solicitor-client records
  • Records harmful to the University’s economic interests
  • Records containing third party information
  • Records containing a third party’s personal information
  • Records that pose a danger to health and safety
  • Records that relate to law enforcement
  • Records that are already publicly available or will be available in 90 days

Information Requests

What do I do if I receive a request for access to records?

  • Generally, you should continue to share information that you have normally shared
  • If you receive a request for information that you would not normally share or that you think might be covered under the exemptions, then you should refer the requester to the FIPPA Contact for your faculty, school, or department, or contact the Privacy Officer by email at access.privacy@queensu.ca.

How are these referred or formal requests handled?

These requests are handled by the Office of the Privacy Officer. The requester has to pay a $5.00 application fee and may be required to pay for search time to locate the record, for time taken to prepare the record for disclosure, and for other costs such as photocopying.


Can someone ask for my research material under the Act?

No, records relating to proposed or conducted research are not covered by the Act. However, the Act does require disclosure of the subject matter and amount of funding received with respect to the research.


Can someone ask for my professional records created as part of my consulting work?

No. These records are not University records and are not covered by the Act.


Can I give the family of a deceased employee access to the employee’s email and other records?

The Access Authorization Procedure sets out who can grant access to a deceased employee’s records and accounts. In all cases, access must be provided in accordance with FIPPA. FIPPA permits an individual’s personal representative (or executor) to have full access to the individual’s records and accounts for the purposes of administering the individual’s estate. Given the amount of personal information likely to be in the records—both of the deceased individual and other people—it is important to see proof that the individual making the request is, indeed, the executor.

If the individual making the request is not the executor, then FIPPA permits the disclosure of personal information about a deceased individual to the spouse or a close relative of the deceased individual for compassionate reasons. Note that in this case, only the personal information of the deceased individual may be disclosed. Accordingly, the university would be required to review the documentation carefully to prevent disclosure of information pertaining to other individuals, and information that may be confidential or proprietary information of the university.

Personal Information & Privacy Rights

What personal privacy rights are in the Act?

  • The University must provide the purpose and legal authority for collecting personal information
  • The University must collect personal information directly from the person whom it concerns
  • The University must make an effort to ensure that the personal information it uses is accurate and complete
  • The University must ensure the security of collection, access, use, disclosure, and disposal of personal information
  • The University may use personal information only for the purpose for which it was collected or for a consistent purpose
  • The University may disclose personal information for the purpose for which it was collected or a consistent purpose or in other specific circumstances, including:
    • upon receipt of written consent
    • to comply with other legislation that allows disclosure
    • to comply with a judicial order
    • to allow a University employee to perform his/her duties
    • to a law enforcement agency under certain conditions
    • if there are compelling circumstances affecting anyone's health and safety or in compassionate circumstances

What is personal information?

Personal information is recorded information about an identifiable individual including but not limited to:

  • Race, national or ethnic origin, colour
  • Religion, age, gender, or sexual orientation
  • Marital or family status
  • Information about educational, criminal, psychiatric, or employment history
  • Any identifying number or symbol
  • The individual’s address, telephone number, fingerprints or blood type

Student Privacy

I usually ask students to provide me with some personal information; can I still collect this information?

Yes. You can collect personal information from students as long as you provide “notice” of the collection. The notice must contain:

  • The legal authority for the collection of personal information
  • The purpose for the collection
  • The title, address and phone number of a contact person

A typical notice statement might look like this: "The personal information on this form is collected under the authority of the Queen’s University Royal Charter of 1841, as amended. This information will be used to contact you regarding class-related assignments. If you have any questions, please contact [your name] at [telephone number] or [email]."

You may give notice orally in class if you so choose. Don't collect more personal information than you need for the purpose at hand.


Can I have access to a student's academic transcript?

  • Only if it is necessary to fulfill a specific job duty. For example, faculty who serve on appeals panels or who are charged with academic advising may ask administrators to provide them with a copy of transcripts for that purpose.
  • Due to the limitations of the student data information system you cannot access transcripts from your own computer.

Can I share information about my students with other faculty?

You should refrain from sharing personal information about your students with other faculty without the student’s consent.


Can I act as a referee for students?

Yes. You should ask the student to provide you with written consent and you should keep it on file. Please use the Academic Reference Request Form.

Student Attendance & Grades

If marks are assigned for attendance or participation, can I still take attendance?

You can still take attendance. You can take attendance verbally, or if the class is too large you can pass around a blank sheet and ask students to print their name on the sheet. Avoid passing around a list of student names and student numbers provided by the faculty administration.


Can I leave student assignments or exams outside my office for students to pick up?

Student grades are personal information and the University needs to take reasonable precautions to prevent unauthorized access. Consider using Moodle, returning assignments in class or during office hours, or having administrative staff supervise the return of assignments. Whatever solution you choose, avoid writing the student's grade on the outside of the assignment or exam where it can be easily seen by others.


Can I post student grades?

Posting of student grades is strongly discouraged. If you must post grades, the student's name and the first four digits of the student number should be stripped from the list of marks. The marks should then be sorted and presented in numeric sequence using the last four digits of the student number. If, despite this attempt to conceal identity, it is still possible to identify a student (e.g. where there are extreme outliers in the data or the class is very small), grades should not be posted.

Email Privacy

What should be my practice when I use email to correspond with other faculty or administrators?

Email is not a secure medium and is not appropriate for transmitting sensitive personal information. If you must use email to transmit personal information, attach a password-protected document. See the video on encrypting email attachments.

Records Management

How do I know if something is a record?

A record is official recorded information, regardless of medium or characteristics, created, received, or maintained by a Queen’s University office, unit, or Faculty. University Records document decisions, actions, policies, and procedures; serve as legal evidence; provide an audit trail; provide for accountability; or document institutional memory. Non-University Records are records created or received as a result of personal activities and often include such items as research and study notes, teaching materials, publications and personal communications of individual faculty, staff and students. When in doubt, contact the Queen’s Records Manager for assistance in determining whether a document your unit is holding is a University Record.


When can I dispose of a record?

Records may only be disposed of when they have met their minimum required retention period. The Queen's University Directory of Records provides a listing of the types (or series) of records held by the University. Each records series will have its own retention trigger, retention period, and final disposition. Review the Directory of Records to determine when the records you are reviewing are eligible for final disposition. Please note that if your office is not the Office of Primary Responsibility (OPR), you may be eligible to dispose of records at your convenience. Contact the Queen’s Records Manager to determine if your office is the OPR for records you are reviewing.


Paper or digital records, is there a difference?

Records are frequently sheets of paper, but may also be ledgers, databases, word processing documents, or any number of other formats. The content of a record is the most important factor; the medium that the content is recorded on is usually of far less significance. If you plan to scan hardcopy documents, ensure the digital document is a suitable replacement before you dispose of the paper original. Contact the Queen’s Records Manager if you would like assistance before starting a scanning project. See also the Fact Sheet on Scanning University Records.


Is email a record?

Email can be a record if it documents decisions, actions, policies, and procedures; serves as legal evidence; provides an audit trail; provides for accountability; or documents institutional memory. Many email messages are transitory and don’t need to be retained. Often, the record of importance is an attachment to an email message, rather than the message itself. However, email is often used as a record and should be managed accordingly. See the Fact Sheet on Using and Managing Email.


How long do I need to keep email?

The retention of email is based on the type of email it is. Transitory messages may be deleted as soon as they no longer serve a business purpose. Reference messages may be deleted when they are no longer required for reference purposes. Messages that are Records should be retained based on the appropriate Records Retention Schedule. Note that any communication that contains an individual’s personal information (such as an email exchange between a student and an employee) must be retained for a minimum of one year based on the Freedom of Information and Protection of Privacy Act.


Do I need to keep every record I create or receive in the course of my work?

No, many records are transitory and can be disposed of when no longer of use. Notes taken as an aide-memoire, drafts of documents that have been superseded by later drafts or the final document, audio recordings once transcribed, and similar types of records can be destroyed as transitory. If you have received a record from another office as a courtesy copy or simply for your information, it is likely the sending office has primary responsibility for retaining the authoritative copy of the record and you can dispose of your copy. Lastly, if a record has met or exceeded its minimum retention period, it should be disposed of in accordance with the Records Retention Schedule. Retaining records past their identified retention period exposes the university to greater risk and increased costs.

Recording Online Classes and Meetings

Is there a preferred tool for recording online classes and meetings?

While a variety of tools exist to facilitate remote learning and meetings, Microsoft Teams and Zoom have been authorized for use by Queen’s and are therefore the recommended tools for virtual classes and meetings. Be sure you are using the enterprise versions provided and supported by Queen’s ITS.

Make certain you are familiar with the features of your preferred tool, either Teams or Zoom, including how to enable security and privacy safeguards. Assistance and resources can be accessed through Queen’s ITS online tutorials.


What privacy issues do I need to be aware of when making a recording?

When recording a virtual session, you should maintain an awareness of the confidentiality of those meetings, classes, or events. Consider whether it is possible for others in your home or remote workplace to overhear confidential conversations.

Be mindful that while many devices allow for enabling video, some individuals may prefer to participate using voice only, or to obscure the background of their meeting space.

Making video or audio recordings of meetings, classes, or events should only be done if there is a compelling reason to do so. Recordings are records and require proper management and storage. Remember that a recording may become subject to an access to information request.

See also the Fact Sheets on Working Remotely and Privacy and Remote Teaching and Learning.


Am I allowed to make a recording without the consent of the other attendees?

For most situations involving employees, express consent is not required, but it is considered best practice and a professional courtesy to ensure all attendees are aware that you intend to record the session and for what purpose. You may announce your intention to record prior to the meeting in the meeting invitation, or immediately after the meeting has begun.

When students are being recorded, FIPPA requires that we provide notice that we are collecting their personal information. Include a notice of recording in the course syllabus, through the Learning Management System (e.g., onQ), on a course website, or by other reasonable means. See the Fact Sheet on Privacy and Remote Teaching and Learning for a sample notice.

Express consent is required where teleconferencing or video conferencing is used to facilitate student advising or other kinds of medical or counselling activities. Consent must be documented. Documentation can include a purpose-created form, an email reply, or even in-video oral consent.

Both Teams and Zoom alert attendees that a recording is taking place once the “Record” option has been selected. Additionally, Zoom can ask participants for consent when a recording starts if the Recording Disclaimer has been enabled in the Recording tab under the Settings menu on the Zoom website.


Can I stop attendees from making a recording using the video conferencing tool?

Yes. If you set the meeting options before the meeting occurs, you can determine who will have the ability to use a variety of functions including starting or stopping recording. Organizers can do this by default; you can also designate specific individuals to act as presenters who will also have access to various functions including recording.

In Teams, if you do not limit the Who can present? permission to Organizers (Only me), or Presenters (Specific people), then all attendees (Everyone) will have access to the recording functions.

In Zoom, you need to access your Zoom account via the Zoom website. The Recording tab under the Settings menu will allow you to set the Local Recording option to enable or disable “Allow hosts and participants to record the meeting to a local file” by toggling a slider. Attendees may also request and be granted approval to record if they do not begin the meeting with that permission.


Where is my video stored once the recording is stopped?

By default, recordings made using Teams are processed and accessible in the Microsoft Stream app. In Stream you can manage and share your recording. You will receive an email notification when your recording is ready to be managed.

Zoom meetings can be recorded either to cloud-based Zoom servers, accessed via your Zoom web account, or locally on your device. You will receive an email notification when your recording is ready to be managed if you saved the file to the cloud. The local storage location can be defined by the user; otherwise, recordings are saved by default in a folder named Zoom in the Documents folder of your profile.


How long are my recordings retained?

Recordings made by Teams are retained by Stream indefinitely. It is up to the owner(s) of the recording to delete the recording when it is no longer required. Deleted recordings in the Teams environment persist in the recycle bin and will only be permanently deleted after 30 days unless the owner manually empties their recycle bin.

Recordings made using Zoom’s cloud save option will only be accessible for 30 days before the recording expires. To retain a recording for longer than 30 days it must be downloaded and preserved via other means. Locally saved recordings will persist until the user deletes them.

Note that recordings containing the personal information of a student (e.g., name, image) must be retained for a minimum of one year after use in accordance with FIPPA s. 40 (1).

The disposal of University records should be documented using the University records destruction process. Documenting the disposal of records is required by FIPPA for records such as recordings of students which contain personal information. It is not necessary to document disposal of transitory records, such as a recording of a meeting taken as an aide-memoire for the purpose of preparing minutes.