New FIPPA practices explained

Practices will affect staff's day-to-day operations

New practices regarding the Freedom of Information and Protection of Privacy Act (FIPPA), to be released at the end of May, will help staff with the legislation during day-to-day operations.

The new practices are the second in a series being developed by U of T’s FIPP office since the legislation came into effect for publicly funded universities in Ontario in June 2006. In January, a set of academic practices was released as a question and answer guide for instructors on the office of the vice-president and provost’s website. The third part, practices for IT, including university IT resources, security, e-mail and web space, is expected to come out later this year.

“The new practices provide general privacy guidance for activities like collection, use and disclosure of personal information. They also address selected administrative topics such as secure destruction of records and ‘clean desk — or workstation — security,’” said Rafael Eskenazi, director of U of T’s FIPP office.

“Like FIPPA, the practices address privacy and access principles,” Eskenazi said. “A key privacy principle is that personal information can only be shared within the university on a need-to-know basis,” he said. “If you are asked for personal information by staff or faculty, you need some understanding of why the other person is asking, so you know that they need to know the information to carry out a proper university function.”

According to Eskenazi, this can be a difficult principle to implement because of concerns about slowing down university work or bothering co-workers with questions about their information requests. He expects such concerns to ease with increasing awareness and understanding of privacy rights.

A big part of the responsibility lies with persons requesting the information: They should request and use data for reasons that are aligned with university functions, Eskenazi added. Since FIPPA gives the public the right to access university records through freedom of information (FOI) requests, the new administrative practices also provide some general tips for record-keeping and organization. These tips are meant to help guide thinking around which office is responsible for which records to avoid duplication and inconsistencies and facilitate retrieval.

“Ultimately what you [should] have is a clear process for handling information and records so that you are responsible for records that relate to your work, the records support that work effectively, they are easy to find and there is no confusion about record purposes, versions or dates,” Eskenazi said.

While the practices are new, they reflect sound, commonsense operational principles with a long history at the university. Above all, university administrative staff are to report suspected privacy problems to the division’s FOI liaison (FOIL) or the FIPPA office immediately.

“I like to tell people that privacy breaches are a little bit like car accidents: they have legal repercussions later on,” said Eskenazi. “The biggest mistake is not necessarily the privacy breach — although, like a car accident, we do our best to avoid them — the really big mistake is not reporting it immediately so that we can address any harm and prevent the breach from continuing or recurring.”

Visit for a link to the new practices.

Privacy and Access Tips for Staff


1. Collect, use and disclose personal information only as necessary for established university functions which are consistent with a notice of collection.

2. Only share personal information with the individual to whom it pertains and with officers, employees, agents or contractors who need it for university business.

3. Check requests for personal information with your FOIL or the FIPP office if they:

• seem to diverge from established university process

• involve disclosures outside the university

• involve significant changes in process or information handling

• appear questionable or inconsistent with sound privacy practices.

4. Retain personal information for at least one year after the date of its last use.

5. Know privacy requirements for different record types, including correspondence.

6. Use effective security, such as locks, passwords and encryption to protect privacy.

7. Prevent loss, theft or exposure — e.g., do not leave personal information in a vehicle.

8. Protect privacy in all contexts, including meetings, work and social conversations.

9. Report possible privacy issues to your supervisor immediately.

10. If you dispose of personal information, do so securely and promptly.


1. Access legislation generally covers all records, including drafts and e-mails.

2. When creating records, consider the possibility that they may later be disclosed.

3. Only create records or record data as needed to fulfil operational


4. Keep operational records free of unnecessary personal communications or views.

5. Follow office and university records management and retention standards.

6. Clearly designate responsibility for records to avoid duplication and confusion.

7. Ensure that you can/do the following for records over which you have responsibility:

• store and, if necessary, destroy securely

• be able to file and/or retrieve quickly and efficiently

• know the record’s status — draft, final, official version for circulation, etc.

• know who is/are authorized to access the record

• dispose of unnecessary or superseded copies and versions promptly.

by Michelle MacArthur

© University of Toronto Scarborough