Privacy Management Program (PMP) 


General Information:

The Alberta Protection of Privacy Act (the “POPA”) requires Mount Royal University (a “Public Body”) to establish a Privacy Management Program consisting of documented policies and procedures that promote the University’s compliance with its duties under the POPA.

The Privacy Management Program must comply with the prescribed requirements outlined in the Protection of Privacy Regulation.

The following is an overview of the University’s Privacy Management Program (“PMP”):

 

Designation of a Privacy Officer:

The President of Mount Royal University is designated as the head of the University under the POPA.

The POPA states that the President may delegate to any Employee (or person), any power, duty or function of the head, except the power to delegate.

Delegations of the powers, duties or functions as established by the President, in writing, are available in the Access and Privacy Delegation Table (here).

The Information Management and Privacy Advisor is the designated Privacy Officer for the University and is responsible for ensuring the University's compliance with the POPA.

The contact information for the University Privacy Officer is available (here).


Establishment of Policies and Procedures:

The following Mount Royal University Privacy Policies and Procedures are available in response to the PMP requirements and key Privacy functions under the POPA Regulation.

  • MRU Privacy Policy (here)
  • MRU Procedure for Managing a Privacy Breach (here)
  • MRU Procedure for Reviewing (Correcting) Personal Information (here)

  • MRU Information Governance Policy (here)
  • MRU Procedure for the Management of Information Assets (here)
  • MRU Procedure for the Classification of Information Security (here)

  • MRU Acceptable Use of Computing and Communication Resources Policy (here)
  • MRU Information Security Policy (here)

 

Privacy training for employees:

Mount Royal University administers mandatory online privacy training as part of its cybersecurity training program provided annually to Employees.  Employees are asked to complete the training every August 15.

The privacy training includes information for Employees regarding the University's protection of privacy obligations under the POPA.

The MRU Access and Privacy Office also provides the following in-depth 1-hour training sessions for Employees throughout the year:

 

The Protection of Privacy Act (POPA 101) Awareness Training: 

Learn the basics! This session provides a 1-hour overview of the Act and its requirements on how University employees must collect, use, disclose, and protect identifiable personal information. Best practices concerning the protection of privacy and disclosing personal information appropriately are discussed in this session. Additionally, the Access to Information request process in accordance with the Alberta Access to Information Act will be discussed.

Employees can log in to access the platform (here).

 

The Protection of Privacy Act (Data Matching 101) Awareness Training: 

This 1-hour session will review the new Alberta Protection of Privacy Act requirements specifically for Data Matching activities.  

*It is recommended that participants take POPA 101 first to determine whether Data Matching 101 is required.

Employees can log in to access the platform (here).

 

Information Governance - IG 101: 

This 1-hour session reviews the following information governance processes and principles at Mount Royal University.

Information Governance:

  • Discussion on Information, records, and data
  • Official records
  • Transitory records
  • Filing and managing records
  • Digital records
  • Google Drive and directories 
  • Mount Royal University Records Retention Schedule
  • The secure destruction of records (digital / physical)

Employees can log in to access the platform (here).


Privacy Impact Assessments:

Privacy Impact Assessments (“PIAs”) provide a formal way to review practices, programs, projects or services that collect, use and disclose personal information. PIAs must be completed when there is a new initiative, or a substantial change to an existing initiative, of Mount Royal University.

Mount Royal University has developed guidelines and processes for Departments to complete PIAs, which also cover when completed PIAs must be further submitted to the Office of the Information Management and Privacy Commissioner. The submission of completed PIAs to the Commissioner’s Office is based on prescribed criteria outlined in the Protection of Privacy Regulation.

PIAs are not performed for every practice, program, project or service, but instead where the risks arising from a new or revised practice, program, project or service meet the threshold for conducting a PIA.  Determining whether a PIA is necessary includes the following considerations:

  • The sensitivity of the personal information;
  • Whether the unauthorized access to, or disclosure of, the personal information for the initiative would reasonably result in a Real Risk of Significant Harm.
  • Additionally, whether the initiative:
    • will involve a significant percentage of the University community.
    • uses Data Matching between 2 or more public bodies.
    • is part of a common or integrated program or service.
    • involves the development of, or use of, innovative technology.

If you require assistance with determining whether a PIA is required for your practice, program, project or service, please contact the Information Management and Privacy Advisor at privacy@mtroyal.ca.

PIAs completed by the University are kept on record for future reference purposes.

Departments can access the PIA website for guidelines concerning the process and to obtain the PIA template (here).


Periodic review of the Program:

The MRU Access and Privacy Office will review the Privacy Management Program annually to assess whether additional updates are required.