Queen's Gazette | Queen's University

Queen’s introduces two new privacy policies

The Access to Information and Protection of Privacy Policy and Policy on the Handling of Personal Health Information are now in place following approvals.

Queen’s University has introduced two new policies focused on access to information and the protection of personal and health information.

The policies – Access to Information and Protection of Privacy Policy and Policy on the Handling of Personal Health Information – were recently approved by the Vice Principals’ Operations Committee (VPOC).

Both policies apply to the whole Queen’s community and are a response to recent audit reviews that highlighted the need to clearly define the expectations and responsibilities of the university and its employees in providing access to information and protecting the privacy of personal information and personal health information the university collects and uses, explains Carolyn Heald, Director, University Records Management and Chief Privacy Officer.

As a public institution Queen’s must comply with the requirements of the Freedom of Information and Protection of Privacy Act (FIPPA). FIPPA gives people a right to make an access to information request for university records, and requires the university to protect the privacy of the personal information it collects and uses. The Records Management and Privacy Office advises on the implications of access and privacy legislation and implements mechanisms to ensure compliance with the law.

“We collect a lot of personal information here at Queen’s, whether it’s for students, parents, or even summer campers, and we need to make sure that this information is protected appropriately as per the legislation,” Heald says.

The Access to Information and Protection of Privacy Policy aligns with FIPPA and sets out the expectations for the Queen’s community.

“This includes the university’s use of third-party providers – such as cloud service providers,” Heald says. “The policy addresses the need to ensure that personal information is handled in the appropriate way by providers, through contractual or other means.”

The Policy on the Handling of Personal Health Information focuses specifically on personal health information that is gathered by the university’s Health Information Custodians – Queen’s Family Health Team; Student Wellness Services; Athletic Therapy Services; Physical Therapy Clinic; Psychology Clinic; and the Regional Assessment and Resource Centre (RARC) – that provide health care to the Queen’s and Kingston communities.

Once again, Queen’s must follow the requirements of the Personal Health Information Protection Act (PHIPA) and the new policy clearly defines the expectations and requirements for employees when dealing with personal health information.

The importance of protecting personal information has been highlighted internationally in the past year with a number of prominent breaches, as well as the use of social media platforms to create profiles of potential voters without their knowledge or consent.

“There has been so much more public awareness lately in terms of all the personal information we, as individuals, are giving out to private sector interests through apps and social media. I think the case involving Facebook and Cambridge Analytica has focused people’s attention and made them realize how much information is being collected for purposes that perhaps we don’t always know about, whether it’s for political profiling or adtech or whatnot,” Heald says. “Societal expectations are shifting and we also see that in decisions the courts are making about people’s reasonable expectations of privacy.”

The European Union strengthened its privacy legislation in May with the introduction of the General Data Protection Regulation (GDPR). The GDPR affects Queen’s to some extent and the new policies were developed with an eye to that legislation as well.

All Queen’s University policies are available on the University Secretariat and Legal Counsel website.