Part 2 – Disclosing Personal Information

When is it appropriate to share Personal Information (PI)?

Sharing PI – INTERNALLY

Sharing PI internally:​

  • You should only disclose PI to a fellow Brock employee if they need the information in the performance of their duties.​

Share PI – EXTERNALLY in Limited Circumstances 
(as permitted by FIPPA)

Personal information can be shared externally:​

  • For the purpose collected​
  • With the consent of the individual to whom it relates​
  • Compelling circumstances affecting health and safety​
  • Other limited circumstances (e.g. law enforcement proceedings)​

While it is important to recognize that personal information is protected by Ontario’s privacy and access laws, it is also important to realize that these protections are not intended to stand in the way of the disclosure of vital – and in some cases, life-saving- information in emergency or other urgent situations.

Compassionate Circumstances – In situations calling for compassion, when there is a need to notify the spouse, close relative, or a friend about an individual who is injured, ill or deceased, you may disclose personal information without consent in order to facilitate this contact. FIPPA allows this discretionary disclosure, as permitted under FIPPA section 42(1)(i).

FIPPA requires we must notify the individual to whom the information relates, if it is practicable to do so. (i.e., mail to last known address).


Key Points

Only disclose the minimum amount of personal information necessary to achieve the University’s objectives:

  • Limit what you share to what is needed.​
  • Disclosure to a fellow employee is on a “need to know” basis.
  • Disclosure outside of the institution to third parties is generally only permitted with consent.
  • Confirm consent in advance where possible.
  • Personal information must be protected with reasonable security arrangements.
  • De-identify if generic inquiry. (Do not automatically blanket copy / forward entire email.)​
  • Use secure institution-endorsed services to share PI, such as Workday or SharePoint.
  • Avoid using your institutional email to share sensitive information (e.g., SIN#) unless the information is encrypted — and don’t use your personal email account for University business!
  • In emergency situations, FIPPA may permit the institution to disclose a student’s personal information, including information about their mental health, or other health conditions, to parents or others who may be able to help in a crisis.

If you need consent to share personal information outside of the University, here are 2 different consent templates for this purpose. Generally, it is the University’s preference to release directly to the individual and the individual can then share their own information as needed.

Note – Students may consent to the release of their personal information (Financial, OSAP, Registrar) by completing the Third-Party Authorization form on the student portal.


Learn More



Click here for the next module: Part 3 – Privacy Breach Prevention & Response

License

Icon for the Creative Commons Attribution 4.0 International License

FIPPA & Records Management @ Brock University Copyright © by Marion Hansen, Manager, Privacy & Records Management is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book