/var/www/www_htdocs/Applications/PoliciesAndProcedures/html-policies/1tOK7GFzAQQVlCeVq4zJ4VJ5-JonDa1er/index

Page 1 of 6

PRIVACY

POLICY

Policy Type:

Management

Initially
Approved:

June 11, 2021

Policy Sponsor:

General Counsel
and University
Secretary

Last
Revised:

March 26, 2026

Primary Contact:

The Access and
Privacy Office

Review
Scheduled:

March 26, 2031

Approver:

Board of Governors

PURPOSE

Mount Royal University is entrusted with the Personal Information of members of the University
community and is committed to managing this information appropriately. This Policy ensures that
the University protects the privacy of all members of its community, in accordance with applicable
privacy legislation governing the creation, collection, use, disclosure and protection of Personal
Information.

SCOPE

This Policy applies to all Personal Information in the custody or under the control of the University.

POLICY STATEMENT

ACCOUNTABILITY

1.1

The University complies with all aspects of the Protection of Privacy Act (“the Act”)
and all other privacy legislation that is applicable to the University.

1.2

The President is ultimately accountable for privacy compliance under the Act and
may delegate to an Employee any of duties or functions of the President under the
Act in writing. However, those delegated by the President may not further sub-
delegate. Delegations by the President are captured in the Access and Privacy
Delegation of Authority Table.

1.3

All Employees share responsibility for the protection of privacy provisions required
under the Act such as the requirements for the creation, collection, use, disclosure,
protection and accuracy of Personal Information in the University’s custody or
control. The Information Management & Privacy Advisor will provide assistance on
administering protection of privacy measures.

1.4

Department Heads are responsible for, in consultation with the Information
Management & Privacy Advisor, establishing and maintaining privacy measures that
ensure the protection of privacy within their Departments.

Page 2 of 6

1.5

The Access and Privacy Office is responsible for providing the University community
with planning and guidance on privacy compliance requirements and is the official
spokesperson for the University with the Commissioner’s Office.

COLLECTION OF PERSONAL INFORMATION

2.1

The University may only collect Personal Information when:

a. the collection of information relates directly to and is necessary for an operating

program or activity of the University, including a common or integrated program
or service;

b. the collection of information is authorized by an enactment under Alberta or

Canada; or

c. as otherwise prescribed by the Act.

2.2

The University  must  make  every reasonable effort to  collect Personal Information
directly  from  the  individual  the  information  is  about  unless  an  exception  or
circumstance  exists  under  the  Act  to  collect  the  individual’s  Personal  Information
from other sources.

2.3

When the University collects Personal Information directly from an individual, notice
must be provided prior to its collection using a POPA Notification Statement.

2.4

At minimum, the POPA Notification Statement must inform individuals of:

a. the purpose for the collection;

b. the legal authority for the collection;

c. the contact information where further information about the collected personal

information can be obtained; and

d. If known at the time of collection, the University’s intention is to input the collected

Personal Information into an automated (artificial intelligence) system to
generate content, or make decisions, recommendations or predictions.

2.5

In the event a circumstance exists under the Act that authorizes Personal Information
to be collected indirectly, or from other sources beyond the individual the information
is about, a POPA Notification Statement is not required.

USE AND DISCLOSURE OF PERSONAL INFORMATION

3.1

Personal Information collected by the University may only be used or disclosed to
the extent necessary to carry out the purpose for which it was collected. It may also
be used or disclosed for other purposes authorized under the Act.

3.2

Personal Information may be disclosed internally to other Employees on a need-to-
know basis or if the information is necessary for the performance of their duties or
functions.

Page 3 of 6

3.3

The University may only disclose Personal Information to a third party where the
individual has been notified that the Personal Information may be disclosed, has
consented to the disclosure, or as otherwise authorized under the Act.

3.4

Where  a  third  party  is  providing  a  service  to  the  University,  and  the  University  is
disclosing  Personal  Information  to  that  third  party  to  support  those  services,  the
University  will  enter  into  a  formal  agreement  with  the  third  party  which  secures
appropriate terms that address the third party’s collection, use, security and further
disclosure of the Personal Information.

CONSENT TO USE AND DISCLOSE PERSONAL INFORMATION

4.1

The Act outlines specific requirements concerning obtaining an individual’s consent
for the University to use and disclose their Personal Information in certain
circumstances under the Act.

4.2

Consent may be given by individuals either in writing, electronically or verbally.
Where consent is obtained verbally, the University will document that verbal consent
was obtained.

4.3

The processes and requirements upon which to obtain valid consent in accordance
with the Act will be provided to Departments by the Access and Privacy Office.

5. PROTECTION OF PERSONAL INFORMATION

5.1

The University, and its Employees, must protect Personal Information in its custody
or control by making reasonable security mitigation strategies against such risks as
unauthorized access, collection, use, disclosure or destruction.

5.2

The University has an Information Security policy that ensures Personal Information
under the custody or control of the University is protected from unauthorized access,
use and disclosure.

5.3

All Employees are expected to, in consultation with the Information Management &
Privacy Advisor, protect Personal Information using appropriate privacy compliance
measures in advance of engaging in any projects or initiatives where Personal
Information is involved.

5.4

All Records containing Personal Information must be retained and destroyed in
accordance with the University’s Records and Information Management (RIM)
Program Policy.

5.5

Any  Records  that  contain  identifiable  Personal  Information  and  that  are  ready  for
disposal  must  be  securely  destroyed  and  made  unreadable  such  as,  permanent
deletion, destruction of medium or secure paper shredding.  Guidelines for securely
disposing  of  Personal  Information  can  be  retrieved  from  the  Access  and  Privacy
Office.

5.6

If  an  Employee  becomes  aware  of  unauthorized  access  to  or  collection,  use,
disclosure  or  disposal  of  Personal  Information,  they  must  inform  the  Access  and
Privacy Office immediately in accordance with the Procedure for Managing a Privacy
Breach.

5.7

Individuals who believe that the University has accessed, collected, used or
disclosed their own Personal Information in contravention of the Act may ask the

Page 4 of 6

Commissioner in writing to review the matter as outlined within the Procedure for
Managing a Privacy Breach.

ANONYMIZED INFORMATION AND ARTIFICIAL INTELLIGENCE

6.1

Records  which  have  been  anonymized,  but  the  anonymized  personal  information
may be re-identified to a specific individual, are considered Non-Personal Data under
the  Act.    The  Act  mandates  further  requirements  for  the  University’s  creation,
management, use and disclosure of Non-Personal Data. Guidelines for the use of
Non-Personal  Data  that  achieve  compliance  with  the  Act  will  be  provided  to
Departments by the Access and Privacy Office.

6.2

The  Act  applies  to  how  the  University  uses  Personal  Information  in  automated
systems,  including  Artificial  Intelligence,  to  generate  content  or  make  decisions,
recommendations  or  predictions.  Guidelines  on  the  application  of  these
requirements, including any security or technical recommendations will be provided
to Departments by the Access and Privacy Office.

7. ACCURACY OF PERSONAL INFORMATION

7.1

The University must make every reasonable effort to make sure that the collected
Personal Information is accurate and complete subject to the provisions under the
Act.

7.2

Individuals who believe their Personal Information under the custody or control of the
University contains an error or an omission may request a correction to their Personal
Information in accordance with the Procedure for Reviewing Personal Information.

7.3

Individuals have the right to formally request a correction of their Personal
Information in the custody or control of the University through the Access and Privacy
Office.

7.4

Individuals who formally request a correction of their Personal Information have the
right to complain to the Commissioner about the University’s decision, act or failure
to act that relates to their request.

USE OF VIDEO SURVEILLANCE

8.1

Video Surveillance on University property may only be conducted by Security
Services. The Director of Security Services, or their designate, will act as the Senior
Leader responsible for the oversight and management of the Video Surveillance
system.

8.2

The use or disclosure of Information captured using Video Surveillance will adhere
to all requirements within this Policy, the MRU Access to Information Policy, the
Procedure to Manage Video Surveillance and all applicable legislation.

DEFINITIONS

(1)

Access and Privacy
Office:

means the Information Management & Privacy Advisor and/or
Senior Leaders of the Access & Privacy Office as delegated by
the President in writing.

Page 5 of 6

(2)

Act:

means the Protection of Privacy Act of Alberta. Also known as
the “POPA”.

(3)

Commissioner:

means the Information and Privacy Commissioner of Alberta
appointed in accordance with the Act.

(4)

Department:

means a faculty within the Academic Division or a department
outside of the Academic Division.

(5)

Department Head:

means the leader of a Department.

(6)

ELT:

means Executive Leadership Team.

(7)

Employee:

means individuals who are engaged to work for the University
under an employment contract, including but not limited to
faculty, staff, exempt, casual and management employees.

(8)

Personal
Information:

means recorded information about an identifiable individual,
including:

the individual’s name, home or business address or
home or business telephone number,

the individual’s race, national or ethnic origin, colour or
religious or political beliefs or associations,

the individual’s age, marital status or family status,

the individual’s gender identity, sex or sexual
orientation,

an identifying number, symbol or other particular
assigned to the individual,

the individual’s fingerprints, other biometric information,
blood type, genetic information or inheritable
characteristics,

information about the individual’s health and health care
history, including information about a physical or mental
health,

information about the individual’s educational, financial,
employment or criminal history, including criminal
records where a pardon has been given,

anyone else’s opinions about the individual, and

the individual’s personal views or opinions, except if
they are about someone else.

(9)

Policy:

means the Privacy Policy.

(10)

Record:

means any electronic record or other record in any form in which
information is contained or stored, including information in any

Page 6 of 6

written, graphic, electronic, digital, photographic, audio or other
medium, but does not include any software or other mechanism
used to store or produce the record.

(11)

University:

means Mount Royal University.

(12)

Video Surveillance:

The use of camera and related technologies to continuously
monitor and record activity in specific locations for public safety
purposes.

RELATED POLICIES

● Access to Information policy
● Information Security policy

RELATED LEGISLATION

● Protection of Privacy Act, SA, 2024, c P-28.5

●

Access to Information Act, SA, 2024, c A-1.4

RELATED DOCUMENTS

●  Access and Privacy Delegation of Authority Table
●  Procedure for Managing a Privacy Breach
●  Procedure for Reviewing Personal Information
●  Procedure for Managing Video Surveillance

REVISION HISTORY

Date
(mm/dd/yyyy)

Description of
Change

Sections

Person who
Entered Revision
(Position Title)

Person who
Authorized Revision
(Position Title)

01/19/2022

Editorial

Related Policies

Policy Advisor

General Counsel and
University Secretary

12/20/2022

Editorial

Policy Statement (6) Manager, Security

Services

04/20/2023

Editorial

Definitions

Policy Advisor

General Counsel and
University Secretary

03/26/2026

Major

All

Information
Management &
Privacy Advisor

Board of Governors