Part 2 – Disclosing Personal Information
When is it appropriate to share Personal Information (PI)?
Sharing PI – INTERNALLY
Sharing PI internally:
- You should only disclose PI to a fellow employee if they need the information in the performance of their duties.
Share PI – EXTERNALLY in Limited Circumstances
(as permitted by FIPPA)
Personal information can be shared externally:
- For the purpose collected
- With the consent of the individual to whom it relates
- Compelling circumstances affecting health and safety
- Other limited circumstances (e.g. law enforcement proceedings)
While it is important to recognize that personal information is protected by Ontario’s privacy and access laws, it is also important to realize that these protections are not intended to stand in the way of the disclosure of vital – and in some cases, life-saving- information in emergency or other urgent situations.
Compassionate Circumstances – In situations calling for compassion, when there is a need to notify the spouse, close relative, or a friend about an individual who is injured, ill or deceased, you may disclose personal information without consent in order to facilitate this contact. FIPPA allows this discretionary disclosure, as permitted under FIPPA section 42(1)(i).
FIPPA requires we must notify the individual to whom the information relates, if it is practicable to do so. (i.e., mail to last known address).
Key Points
Only disclose the minimum amount of personal information necessary to achieve the University’s or College’s objectives:
- Limit what you share to what is needed.
- Disclosure to a fellow employee is on a “need to know” basis.
- Disclosure outside of the institution to third parties is generally only permitted with consent.
- Confirm consent in advance where possible.
- Personal information must be protected with reasonable security arrangements.
- De-identify if generic inquiry. (Do not automatically blanket copy / forward entire email.)
- Use secure institution-endorsed services to share PI, such as Workday or SharePoint.
- Avoid using your institutional email to share sensitive information (e.g., SIN#) unless the information is encrypted — and don’t use your personal email account for institutional business!
- In emergency situations, FIPPA may permit the institution to disclose a student’s personal information, including information about their mental health, or other health conditions, to parents or others who may be able to help in a crisis.
If you need consent to share personal information outside of the institution, there are consent templates for this purpose. Generally, it is the institution’s preference to release directly to the individual and the individual can then share their own information as needed.
Learn More
Institutions may have policies detailing:
- Use and Disclosure of Personal Information
- Use of Personal Information for Fundraising
- Protecting Students Health Privacy
- Best Practices for Security Measures for Protecting Personal Information
- IPC’s: Disclosure of Information Permitted in Emergency or other Urgent Circumstances
Click here for the next module: Part 3 – Privacy Breach Prevention & Response