Employee guide to protecting Personal Information

It is our responsibility to protect the Personal Information entrusted to us. 

Overview

This guide breaks down the key points from Concordia’s Policy Concerning the Protection of Personal Information, SG-9. It’s designed to help Concordia employees (faculty, staff, contractual, full-time or part-time) understand their obligations and remain compliant with privacy rules in day-to-day work. 

What is Personal Information?

Quebec’s privacy legislation creates obligations for how we protect Personal Information in our care. 

Personal Information is any information, alone or together with other information, that could allow an individual to be identified.  

Our obligations cover each stage of the life cycle of Personal Information: its collection, use, communication, retention and destruction. 

In this guide, you’ll find the key points you need to be mindful of as a Concordia employee when you are handling Personal Information as part of your work, presented according to each stage of its life cycle.

Collecting Personal Information

Collect only the Personal Information that is necessary to achieve your purpose(s):

  • Necessary info: collecting food allergy details from attendees before a catered event
  • Not necessary: providing a field in a form for students to optionally provide their phone number. If the Personal Information is optional, it is not necessary for your purposes.

Determine whether you need to request consent for your purpose:

  1. Check our Privacy Notices and the Consent section of the Privacy Toolbox.
  2. Determine whether your purpose is consistent with the University’s core purposes of teaching, learning, research or employment.

If your purpose is outside of those parameters, contact the Privacy Office for guidance on requesting consent. There are specific requirements for how we request consent and what information we must provide to the individual.

Using Personal Information

Restrict your use of Personal Information to the specific purposes for which consent was obtained OR as necessary for the University’s core missions of teaching, learning, research or employment (see our Privacy Notices for examples). 

Keep communications professional and relevant; do not, for example, send students an email message about events or activities that aren't related to the course and/or their studies at Concordia.

Communicating Personal Information

Personal Information cannot be shared publicly or privately unless you have consent to do so, or under certain exceptions. For instance, you may share Personal Information with a colleague at Concordia if either of you needs it to carry out your duties.

Take precautions:  

  • Use a closed office or headphones if sharing Personal Information with others.

  • Encrypt files you need to share. 

  • Redact Personal Information concerning a third party before sending a document.

  • Double-check email address(es) before hitting Send. 

  • Share Personal Information only with consent or when necessary for teaching, learning, research or employment. For example, never post lists of student IDs or grades.

Out of province 

If you are communicating Personal Information outside of Quebec, let the Privacy Office know first. We may need to perform a Privacy Impact Assessment.

Retaining Personal Information

Documents should be retained according to the retention schedule in Concordia’s Records Classification and Retention Plan.  

For any information not specified in the Plan, Personal Information should be retained only for the amount of time consented to, which should be the amount of time necessary to complete the purpose(s) for which the information was collected.

It is your responsibility to protect the Personal Information in your possession, whether it is printed or electronic.

  • Keep paper documents containing Personal Information in a locked drawer and office. 

  • Documents containing Personal Information must be kept on University premises; unless required to perform your duties, do not remove them from the University.

  • Use password protection and Multi-Factor Authentication.

  • When consulting Personal Information, make sure you are in a private area where your computer screen can’t be seen by others. Do not consult Personal Information in public locations like a train, restaurant, or airport.

  • Pay attention to what windows are open on your computer before you share your screen with others.

Use electronic tools approved by Concordia; if you want to use other software or an online tool that collects, processes, keeps or destroys Personal Information, first request a Privacy Impact Assessment.

Destruction of Personal Information

Once we no longer need Personal Information and after the retention period has run out, documents that contain the Personal Information should be destroyed, whether they are paper or electronic. 

  • Paper documents should be securely shredded. They can be placed in a secure shredding bin or sent to Records Management and Archives.

  • Electronic documents, including email messages, should be permanently deleted from devices and cloud storage. 

  • Contact Records Management and Archives at records.management@concordia.ca to arrange for the secure destruction of all non-paper-based documents and materials such as CDs, DVDs, microfiches or ID cards.

Anonymizing Personal Information: An alternative to destruction is to anonymize Personal Information to use it for public interest purposes. Once anonymized, it can no longer directly or indirectly identify the person it relates to. The process must be irreversible. There is a procedure that must be followed and the anonymization must be entered into a Register: contact the Privacy Office before you pursue this option.

Tips for research

Quebec’s rules for consent go beyond what is required by the Tri-Council Policy Statement, 2nd Ed. This includes how you request consent and what information you must provide when you do so.  

External repositories: If you want to use data from or submit your data to an external repository, exercise caution by following these guidelines.

To obtain data: 

  • Use reputable data providers.
  • Select data sets that do not allow you to re-identify individuals.
  • Read and understand the repository’s Terms of Use.
  • If you want to submit your own data, seek consent from your subjects from the outset and make sure to de-identify the data before you submit it.

If something goes wrong

If you believe Personal Information has been compromised, report it as a privacy incident immediately.

Privacy incidents include:

  • the loss or theft of a device containing Personal Information
  • someone accessing Personal Information inappropriately or unnecessarily
  • an email containing Personal Information sent to the wrong recipient

Email mishaps

Did you send an email with Personal Information to the wrong recipient?

  • Use the Outlook recall function to recall the email message before it is read. 
  • If the recall is unsuccessful, let the recipient know you sent the email in error and ask them to delete it from their inbox and trash folder. 
  • Report a Privacy Incident to the Privacy Office.

If you receive an email containing Personal Information in error, let the sender know and delete the email from your inbox and trash folders.

Additional training and resources

Employees can find more detailed information in Carrefour.

© Concordia University