Privacy breaches and complaints
A privacy breach occurs when there is an unauthorized collection, use, disclosure, or disposal of personal information.
These activities are considered “unauthorized” if they occur outside of the legal authorities provided under Part 2 of the Alberta FOIP Act [Sections 33-42].
Mount Royal University may only collect, use, disclose, or dispose of personal information if there is a legal authority provided under the FOIP Act that allows the University to do so.
Notably, one of the most common privacy breaches is an unauthorized disclosure of personal information.
Section 40 provides the legal authorities that outline when Mount Royal University may disclose personal information. This section also requires that personal information be disclosed only to the extent necessary to carry out the University's purpose in a reasonable manner.
Examples of when Mount Royal University may disclose necessary personal information under the FOIP Act include:
(1) 40(1)(c) If the disclosure is for a purpose for which the information was collected or compiled or for a use consistent with that purpose.
(2) 40(1)(d) If the individual the information is about has identified the information and consented, in the prescribed manner, to the disclosure.
(3) 40(1)(h) To an officer or employee of the University if the information is necessary for the performance of the duties of the officer or employee.
(4) 40(1)(l) For the purpose of determining or verifying an individual's suitability or eligibility for a program or benefit.
(5) 40(1)(x) For the purpose of managing or administering personnel of the University.
In Order F2012-23 [para 28], an adjudicator of the Office of the Information and Privacy Commissioner of Alberta ruled that public bodies are authorized to disclose personal information, in the absence of the individual's consent, on the basis of any of the other purposes or circumstances set out in section 40(1).