Privacy Management Program (PMP) Requirements

Privacy Governance and Designated Privacy Officer

In accordance with the Protection of Privacy Act (POPA), the UCalgary Board of Governors has designated the General Counsel and Vice-President (People and Culture) as the “head” of the public body under UCalgary’s Delegation of Authority Policy. The head is accountable for all decisions made by UCalgary under POPA, including oversight of the Privacy Management Program (PMP).

The head has formally designated the Manager, Access and Privacy as the Privacy Officer for UCalgary, responsible for ensuring UCalgary’s compliance with POPA and the day-to-day administration and implementation of the PMP. The Manager, Access and Privacy also oversees the UCalgary Access and Privacy Office (APO), is the primary point of contact for privacy-related inquiries and concerns, supports privacy policy development, ensures that UCalgary adheres to POPA and PMP requirements, and represents UCalgary during investigations by the Office of the Information and Privacy Commissioner of Alberta (OIPC).

The head has also formally designated the Data Protection Officer as responsible for monitoring UCalgary’s compliance with international privacy laws and regulations such as the European Union’s General Data Protection Regulation No. 2016/679 (GDPR) and analogous international privacy laws, when applicable to its operations, in accordance with the UCalgary General Data Protection Compliance Standard.

Both the Manager, Access and Privacy and the Data Protection Officer report to the head through the Office of the General Counsel, Legal Services (see the Legal Services Organizational Structure). For questions regarding the PMP or UCalgary’s collection, use or disclosure of personal information, please contact the Access and Privacy Office. For questions regarding GDPR or UCalgary’s obligations under international privacy laws, please contact the Data Protection Officer.

Documented Policies and Procedures

The UCalgary Privacy Policy is the principal policy addressing how UCalgary complies with its duties as a public body under POPA and the collection, use and disclosure of personal information. UCalgary also maintains a host of other policies, procedures and operating standards that may apply to information assets containing personal information in its custody or under its control, as outlined in the table below.

All UCalgary policies, procedures and operating standards are publicly available by visiting the Policies and Procedures webpage. The Access and Privacy Office also maintains a range of supporting operating standards, guidelines and forms on its resources webpage, and an FAQs webpage that addresses how personal information may be collected, used, disclosed, and protected.

Policy Title | Policy Description
Privacy Policy | Privacy governance, accountability and compliance with POPA
Information Asset Management Policy | Information and records management, retention and disposal
Acceptable Use of Electronic Resources and Information Policy | Acceptable use of electronic resources to store and secure information and information systems
Information Security Classification Standard | Information classification and security safeguards, including acceptable use of automated systems
 | Technical safeguards applicable to electronic resources storing information
Formal Access Request Procedure | Accessing personal information in the custody or under the control of UCalgary
Correcting Personal Information Standard | Access and correction of personal information in the custody or under the control of UCalgary
Procedure for Responding to a Privacy Breach | Responding to a privacy incident/breach involving personal information in the custody or under the control of UCalgary
Data Matching, De-Identification and Data Quality Assurance Standard | Requirements regarding data-matching, de-identification and the creation, use and disclosure of data derived from personal information or non-personal data
Storage of Business Information Assets Standard | Storage of business information assets
 | Records retention and disposal at UCalgary
GDPR Standard | Compliance with GDPR when collecting personal information from individuals located in the European Economic Area

Personal Information Inventory

In accordance with POPA, members of the UCalgary senior leadership team are responsible for acting as “information stewards” over the information assets within their area of responsibility under the UCalgary Information Asset Management Policy and Data Matching, De-Identification and Data Quality Assurance Standard. This includes determining the controls under which business records containing personal information, data derived from personal information or non-personal data may be received, created, stored, handled or disposed of, and the requirement to maintain an inventory of known data sources, including an up-to-date directory of personal information banks storing identifiable personal information.

Security Classification System

The UCalgary Information Security Classification Standard establishes a framework for classifying all information assets containing personal information, data derived from personal information and non-personal data into four security classification levels based on sensitivity:

  • Level 1: Public
    Including personal information or data derived from personal information that is publicly available, such as business contact information.
  • Level 2: Protected
    Including non-personal data and personal information or data derived from personal information that is not publicly available, but where any loss, unauthorized access or unauthorized disclosure would not result in an unreasonable invasion of personal privacy.
  • Level 3: Confidential
    Including personal information or data derived from personal information that is confidential and where any loss, unauthorized access or unauthorized disclosure would result in an unreasonable invasion of personal privacy.
  • Level 4: Restricted
    Including personal information or data derived from personal information that is highly sensitive and where any loss, unauthorized access or unauthorized disclosure would result in an unreasonable invasion of personal privacy and real risk of significant harm.

This standard applies to all records containing personal information, data derived from personal information and non-personal data and establishes the security controls under which all information assets may be handled, stored, accessed, and protected in accordance with the applicable security classification level.

Security Safeguards

The UCalgary Information Asset Management Policy establishes the overall framework for information and records management at UCalgary and the roles and responsibilities of all faculty and staff, who are required to follow UCalgary privacy and information management policies pursuant to their applicable employment contract and collective agreement. Members of UCalgary leadership who are designated “information stewards” are responsible for assigning data security classification levels to all information assets in their area of responsibility and implementing appropriate security controls.

The related Information Security Classification Standard establishes the security controls and required administrative, technical and physical safeguards for the protection of information assets containing personal information, data derived from personal information and non-personal data, based on the assigned security classification level. It also outlines requirements for the acceptable use of automated systems (including artificial intelligence systems) where personal information is input to generate content or make decisions, recommendations or predictions.

These access and security requirements are consistent with UCalgary’s Acceptable Use of Electronic Resources and Information Policy and . UCalgary will engage in proactive monitoring of managed information systems and will update these requirements from time to time consistent with prevailing industry standards. Software applications being used to process or store information assets containing personal information must be reviewed by UCalgary IT following a software/application acquisition or review process as defined in the  and, where information assets are stored on a server managed by a third party, the software vendor must enter into a written agreement with UCalgary containing approved conditions relating to security, confidentiality and UCalgary’s obligations under POPA.

Privacy Incident/Breach and Complaint Process

The UCalgary Procedure for Responding to a Privacy Breach establishes the process under which the Access and Privacy Office will review and respond to incidents, including determining whether there has been a real risk of significant harm as a result. If you suspect that a privacy incident/breach has occurred involving the loss of, unauthorized access to or unauthorized disclosure of personal information in UCalgary’s custody or control, please immediately report the incident to the Access and Privacy Office by completing the Privacy Breach Incident Report form and sending it to accessandprivacy@ucalgary.ca.

UCalgary will make every effort to ensure that reasonable security arrangements are in place against such risks as unauthorized access, collection, use, disclosure or destruction of personal information. Individuals who believe that their own personal information has been collected, used or disclosed in contravention of POPA may contact the Access and Privacy Office at accessandprivacy@ucalgary.ca. To investigate a complaint, the Access and Privacy Office may require additional information, including your name, relationship to UCalgary, and a description of the alleged breach. UCalgary will review all complaints and respond within the required timelines under POPA.

Privacy Impact Assessments

The UCalgary Information Security Classification Standard requires that a Privacy Impact Assessment (PIA) be completed for any new, or substantial change to an existing, administrative practice, program, project or service where required under POPA. PIAs will be completed with a level of detail commensurate with the complexity of the initiative and in accordance with the security classification level assigned to the personal information involved, which determines the depth and scope of review. Initiatives involving higher-sensitivity information or more complex data flows undergo more detailed assessment to ensure risks are fully understood and mitigated.

The applicable faculty, department or administrative unit carrying out the initiative will be responsible for completing a PIA. The Access and Privacy Office will maintain an oversight and advisory role, will provide guidance, templates, and support, and will identify key compliance requirements to ensure that privacy-by-design principles are integrated into the planning and design of all initiatives. The Access and Privacy Office will also maintain a privacy risk register to document, track, and ensure that privacy and security risks have been identified, evaluated, and addressed throughout the lifecycle of the initiative, and will be responsible for submitting PIAs to the OIPC.

To determine whether a PIA is required for your initiative, or for more information regarding the process for completing and submitting PIAs, please visit the link below.

Data Matching and the Creation of Non-Personal Data

The UCalgary Data Matching, De-Identification and Data Quality Assurance Standard establishes requirements for data-matching using personal information between two or more databases and outlines a data quality assurance process consistent with generally accepted best practices for the creation, use and disclosure of de-identified or anonymized non-personal data. The Access and Privacy Office has also developed a form for the creation of non-personal data that may be used by faculties, departments and administrative units to assist in ensuring that personal information has been de-identified or anonymized in accordance with generally accepted best practices.

The UCalgary Consent Standard provides documented procedures to ensure that consent, whether written, oral or electronic, is obtained in accordance with POPA. The Access and Privacy Office also provides standard consent forms available to all faculties, departments and administrative units to ensure that consent is obtained using best practices.

Privacy Awareness Training and Education Activities

UCalgary requires all faculty and staff to complete Cybersecurity, Privacy Awareness and Research Security Training on an annual basis. Upon request, the Access and Privacy Office also offers customized privacy training. Privacy awareness topics are also regularly integrated into broader UCalgary awareness initiatives such as Cybersecurity Month, Privacy Day, and Academic Integrity Week.

Periodic Review of the Privacy Management Program

UCalgary will review, assess and update the PMP on an annual basis to ensure it remains current, effective, and aligned with UCalgary’s evolving activities and privacy obligations. In addition to this annual review, a comprehensive, full-scale review of the PMP will be conducted by the Access and Privacy Office as required, and no later than every six years. This approach ensures the PMP remains robust, compliant with POPA, and responsive to changes in legislation, technology, and institutional needs.