Privacy Management Program

General Information:

Section 36.2 of FIPPA requires the head of a public body to develop a privacy management program for the public body and to do so in accordance with the directions of the minister responsible for FIPPA. The following is an overview of UBC’s privacy management program:

Privacy Governance:

Requirement: The head of a public body must designate an individual(s) to be responsible for being a point of contact for privacy-related matters such as privacy questions or concerns; supporting the development, implementation, and maintenance of privacy policies and/or procedures; and supporting the public body’s compliance with FIPPA.

UBC’s head for FIPPA purposes is the President. The President has delegated all of the duties of the head to the University Counsel and has further designated the Legal Counsel responsible for information and privacy issues (who reports to the University Counsel) to be responsible for being a point of contact for privacy-related matters such as privacy questions or concerns; supporting the development, implementation, and maintenance of privacy policies and/or procedures; and supporting the public body’s compliance with FIPPA.

Privacy Impact Assessments:

Requirement: FIPPA requires public bodies to have a process for completing and documenting privacy impact assessments (PIAs) for all new systems, projects, programs, or activities. A PIA is a risk management and compliance review process used to identify and address potential privacy and security issues.

UBC has implemented a risk-based approach to conducting PIAs. This process is managed by Safety and Risk Services under the direction of the head.

Information-Sharing Agreements:

Requirement: FIPPA requires public bodies to have a process for completing information-sharing agreements where appropriate.

UBC has developed a variety of information-sharing agreement templates which are managed under the relevant Signing Resolutions. The most commonly used templates are:

The Legal Counsel responsible for information and privacy issues provides legal advice on the completion of information-sharing agreements and can assist in developing customized agreements for particular circumstances.

Privacy Complaint and Breach Process:

Requirement: FIPPA requires public bodies to have a documented process for responding to privacy complaints and breaches.

If an individual wishes to make a complaint to UBC about privacy, they may do so by sending an email to access.and.privacy@ubc.ca setting out their name and contact information, their relationship to UBC, the nature of the alleged privacy breach, and the names of any individuals at UBC whom they allege may have been involved in the breach. All such complainants will receive a response regarding the disposition of their complaint.

UBC’s process for investigating and responding to privacy breaches is set out in the fact sheet on Handling Privacy Breaches, which includes information about privacy breach notifications.

Privacy Awareness and Education Activities:

Requirement: FIPPA requires public bodies to have privacy awareness and education activities to ensure employees are aware of their privacy obligations. These activities may be scaled to meet the volume and sensitivity of personal information in the custody or under the control of the public body and should be undertaken at timely and reasonable intervals.

UBC has developed privacy and information security training that is mandatory for all faculty and staff. In addition, UBC’s Privacy Matters program organizes regular privacy awareness and education activities for employees, and the Legal Counsel responsible for information and privacy issues provides customized privacy training sessions to units across both campuses.

Privacy Policies and Processes:

Requirement: FIPPA requires public bodies to make any privacy policies and any documented privacy processes or practices available to employees and where practicable, to the public.

UBC does not have a privacy policy. However, it has developed numerous Privacy Fact Sheets to provide guidance on a variety of privacy issues.

Service Providers:

Requirement: FIPPA requires public bodies to have method(s) to ensure that service providers are informed of their privacy obligations (e.g., awareness activities, contractual terms that address privacy obligations).

UBC’s Information Security Standard U9 (Outsourcing and Service Provider Management) requires the Administrative Head of Unit who engages a service provider to ensure that the provider complies with privacy and security requirements. Among these requirements is an obligation to conduct a Privacy Impact Assessment (PIA) if personal information is involved, and to sign a Security and Confidentiality Agreement (SACA), or another agreement that contains equivalent requirements. The standard form documentation that is used by UBC Payment and Procurement Services when contracting with service providers contains terms related to privacy and information security requirements.

Monitoring of the Privacy Management Program:

Requirement: FIPPA requires public bodies to have a process for regularly monitoring the privacy management program and updating it as required, to ensure it remains appropriate to the public body’s activities and is compliant with FIPPA.

UBC’s Privacy and Information Security Management (PrISM) program is a coordinated cross-portfolio initiative operated jointly by Safety & Risk Services, the Office of the University Counsel, and the Office of the CIO. The PrISM team undertakes coordinated monitoring of the operationalization of this Privacy Management Program and reports at least once a year to the governance committee (Executive Leadership Committee, which includes the University Counsel) on the effectiveness of the program and any changes that may be recommended. The University Counsel will consider such reports and recommendations and may make changes to the privacy management program as appropriate.