Administration of Information and Privacy Rights: Seven Practices to Remember

1. When you receive a verbal request for information.

Do

Ask what information it is the person needs - narrow the scope of the request. Assist the individual as much as possible by explaining what records exist, don't exist and which ones are routinely available. Refer the individual to the FOIPOP Administrator if the request is for records that contain confidential or personal information Refer verbal requests from the media to the Director of External Affairs.

Don't

Don't treat a verbal request as a FOI request - only requests in writing are handled under the Act. Don't refuse to provide access without an explanation or without advising the individual to put the request in writing and how to submit it.

2. When you receive a request for information in writing:

Do	Determine if the request can be responded to routinely. Contact the FOIPOP Administrator without delay if you believe the records contain confidential or personal information. Send a copy of the written request to the FOIPOP Administrator.
Don't	Don't ignore the request or try to handle it through another University process that makes no provision for production of records. Don't refuse to provide access without an explanation or without referring the individual appropriately. Don't disclose records that contain confidential or personal information.

3. When you collect personal information:

Do	Collect only that personal information required to administer and operate a University program or service. Use an appropriate method of collection - in most cases get the information directly from the person it is about. Ensure that a proper collection notice is printed on the form or included in the letter used to collect the information.
Don't	Don't collect information that you don't need.

4. When you create a University record:

Do	Create records with access in mind - assume someone will ask to see it. Create files with access in mind: - One case - one file. - Eliminate copies. - Use consistent filing practices
Don't	Don't create a record with the expectation of complete and absolute secrecy. Don't inter-file confidential records with ones that are not confidential.

5. When keeping records:

Do	Follow the Records Retention Schedule if one exists for the record. Retain records used to make a decision about an individual for a minimum of one year. Retain complete, accurate and reliable records of evidence.
Don't	Don't destroy records unless authorized under the Records Retention Schedule or without checking with the FOIPOP Administrator.

6. When you conduct a review, inquiry or investigation:

Do	Provide participants with a clear statement of confidentiality. Require that all materials and evidence be supplied in confidence. Write the report with access in mind: - Make it anonymous whenever possible. - Keep confidential and non-confidential material separate.
Don't	Don't write down subjective comments unless you are prepared to have them read. Don't reveal personal details about individuals' private lives unless absolutely necessary to support findings and recommendations. Don't make audio or videotapes of interviews or hearings unless necessary.

7. When designing a new electronic record-keeping system:

Do	Remember to plan and implement reasonable security measures to protect personal information. Establish authorized logon ID's for access to a local network. Password protect access to your desktop computer, local network, each database and automated system.
Don't	Don't assume that the software you are using has built in security features. Don't leave your system vulnerable to attack.