Privacy Basics at UWinnipeg - Module 1
Module 1 introduces important concepts and definitions related to privacy.
Privacy is a common term. But what does privacy really mean?
Privacy is an individual's right to understand and control how their information is collected, used, and shared by others.
At UWinnipeg, privacy includes all of the ways that we collect, use, store, share, and protect the information of our students, fellow employees, and others with whom we engage.
This type of privacy is often referred to as "informational privacy".
In a basic sense, respecting privacy demonstrates care - for our students, for our fellow employees, and for anyone with whom we have a relationship. UWinnipeg strives to provide a community which appreciates, fosters, and promotes values of human dignity, equality, nondiscrimination, and appreciation of diversity. Showing care for people's sensitive, private information helps to achieve this goal.
Other benefits of respecting privacy include:
- Contributing to a safe and welcoming work and learning environment,
- Lessening the likelihood and potential impact of privacy breaches,
- Developing and preserving a positive reputation,
- Adhering to law.
Manitoba has two main laws that protect personal privacy: The Freedom of Information and Protection of Privacy Act (FIPPA) and The Personal Health Information Act (PHIA).
FIPPA and PHIA apply to various public bodies in Manitoba, including all colleges and universities. They require that we handle information about students, employees, and other individuals with respect and safeguard it against misuse. Violating FIPPA and PHIA can lead to serious consequences.
UWinnipeg's Privacy Policy was created, among other reasons, to enhance compliance with FIPPA and PHIA.
Privacy is focused on the respectful handling and protection of personal information (PI).
PI is defined in the Privacy Policy as "recorded information about an identifiable individual." Basically, any information contained in a record (paper or electronic) that can be linked to an identifiable individual is considered that individual's PI.
PI includes but is not limited to an individual’s:
- Name, home address, and personal contact information,
- Age, sex, sexual orientation, marital or family status,
- Ancestry, race, colour, nationality, or national or ethnic origin,
- Personal health information,
- Education, employment or occupation, or educational, employment, or occupational history,
- Source of income or financial circumstances, activities, or history.
With a few exceptions, all PI is protected under the Privacy Policy. One such exception is business contact information (i.e., information found in the University's employee directory), which may be shared freely without consent.
Anonymous information is not considered PI, but think carefully before deciding that information is anonymous. Is there really no reasonable way to identify the individual?
In the case of students, examples of PI include:
- Name and student number,
- Contact information (including WebMail address),
- Student card photo,
- Grades, assignments, and assessments,
- Financial standing.
You may have noticed that personal health information (PHI) is included within the definition of PI.
PHI is one of the most sensitive types of PI and is defined in the Privacy Policy as "recorded information about an identifiable individual that relates to:
- The individual's health, or health care history, including genetic information about the individual,
- The provision of health care to the individual, or
- Payment for health care provided to the individual,"
And includes but is not limited to:
- "The personal health identification number (PHIN) and any other identifying number, symbol, or particular assigned to an individual, and
- Any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care."
PHI is commonly found in records such as:
- Sick notes,
- Medical notes, information, and records,
- Counselling / therapy notes, information, and records,
- Prescriptions,
- Accessibility and accommodation records,
- Health evaluations, incidents, and reports.
Because PHI is so sensitive, it is vital to treat it with the highest level of care and protection. All types of PI / PHI should be protected according to their sensitivity. The more sensitive the information, the more care and protection required.
Employees who handle PHI on an infrequent basis (e.g. supervisors who receive sick notes and other medical information from their staff) should always take time to separate PHI from regular records and ensure it is protected and accessible only on a strict need-to-know basis. More information on protecting PI / PHI will be presented in later modules.
Key Points
- Privacy is an individual's right to understand and control how their information is collected, used, and shared by others.
- Personal information (PI) is recorded information about an identifiable individual, and when this information relates to health, it becomes personal health information (PHI).
- PHI is especially sensitive and must be handled and protected with great care.
- Manitoba has two laws – FIPPA and PHIA – that regulate UWinnipeg's handling of PI and PHI, respectively.
- All information must be handled and protected according to its sensitivity.