Policies & Guidelines

Notification Statements and Consent

Because the Government of Alberta has repealed the former FOIP Act, one of the key operational changes for Departments within Mount Royal University is that, when collecting identifiable personal information, they must issue a Notice to the individuals concerned that uses the (new) language framework under the Alberta Protection of Privacy Act.

The Alberta Protection of Privacy Act (the “POPA”) (section 5) requires that Mount Royal University now do the following when collecting identifiable personal information:

  • Collect personal information directly from the individual the information is about,
    • (unless certain limited circumstances apply that permit the indirect collection of personal information from a third party under the POPA).
  • Use a standard POPA Notification Statement to inform individuals at the time of direct collection of their personal information.
  • Ensure that the issued Notice includes the following informative elements:
(a) The purpose, or reason, for which the personal information is collected or required;
(b) The specific legal authority for the collection:
  • typically under section 4(c);
  • if also citing the Alberta Post-Secondary Learning Act (the “PSLA”), also include 4(a);
  • if including the PSLA, the authority under that legislation is section 65.
(c) Contact information: the email address (if applicable), phone number or other contact information to which the individual may direct the individual’s questions about the collection; and

(d) If applicable - the University’s intention (if any) at that time to input the information into an automated system (e.g. Artificial Intelligence (AI)) to generate content or make decisions, recommendations or predictions.

The Government of Alberta also states that the POPA Notification Statement can be provided in many different ways prior to the collection of personal information such as through a:


Collection of Personal Information - Notification Statements

Finally, the University may only collect personal information if that information relates directly to, and is necessary for, an operating program or activity of the University. The Government of Alberta uses the term "demonstrable need" to describe the need for the personal information, or the authority of a public body to collect it.

Below is the standard notification language under the POPA (for use when collecting personal information directly from the individuals the information is about).


The Protection of Privacy Act - Standard Notification Statement Example (1 of 2)

The personal information that you provide to Mount Royal University is collected under the authority of the Post-Secondary Learning Act (s.65) and the Protection of Privacy Act (ss. 4(a) & (c)). The information will be used for the purposes of [blank].

Questions regarding the collection of personal information can be directed to:
Department Name - Mount Royal University - Phone (and/or) Email (and/or) Department Website (url)

NOTE: Subsection is abbreviated to ss.


The Protection of Privacy Act - Standard Notification Statement Example - (Artificial Intelligence) (2 of 2)

The personal information that you provide to Mount Royal University is collected under the authority of the Post-Secondary Learning Act (s.65) and the Protection of Privacy Act (ss. 4(a) & (c)). The information will be used for the purposes of [blank].

The University may ["will" if known at time of drafting notice] input the collected personal information into automated systems to fulfill the purposes stated above. This may include such activities as generating content, evaluating programs or making institutional recommendations and predictions.

Questions regarding the collection of personal information can be directed to:
Department Name - Mount Royal University - Phone (and/or) Email (and/or) Department Website (url)

NOTE: It is recommended that University Departments that function as main collection hubs for personal information, such as the Office of the Registrar and Human Resources, follow the Notice outlined above as (2 of 2) and rely on the following language:

  • "The University may...input the collected personal information into automated systems..."

Signed Consent to Disclose Personal Information to a Third Party under the POPA 

Generally, Mount Royal University may operationally use and disclose personal information if the use or disclosure is for a purpose consistent with what was described to individuals in the original Notification Statement (Notice) issued at the point of collection of the personal information.

In contrast, a record of signed consent (paper or electronic) allows individuals to authorize the University to use or disclose their personal information in a prescribed, directive or particular manner.

Consent is often relied upon in circumstances that involve the disclosure of the individual’s personal information to external third parties - outside of the University.

Examples of scenarios where the University would need to rely on additional signed consent from an individual to authorize the disclosure of their personal information include the following:

  • Human resources confirming employment with a bank;
  • When parents want to obtain their child’s student information;
  • Providing references regarding an individual to an external third party;
  • Utilizing photographs or images for public marketing purposes.

Notably, many of the circumstances involving the disclosure of personal information between Government bodies rely instead on the legal allowances outlined under the Alberta Protection of Privacy Act and, therefore, do not require signed consent to authorize these Government disclosures.

 

Signed Consent - Requirements for valid consent under the POPA Regulation

Signed consent in writing (or a record of consent) must have the following elements to be considered valid under the POPA Regulation:

  • It must be signed by the individual the information is about who is giving the consent;
  • It must specify the personal information (or type of personal information) to which the consent relates;
  • It must specify to whom the personal information may be disclosed and how the personal information may be used; and
  • It must specify the date on which the consent is effective and (if applicable) the date on which the consent expires.

Signed Consent - Electronic Signatures 

Valid electronic consents should rely on an “electronic signature”, which uniquely identifies (authenticates) the individual giving the consent. 

The POPA Regulation defines “electronic signature” as electronic information that an individual creates or adopts (or is uniquely assigned) in order to sign a record and that is in, attached to or associated with the record.

For example, the individual accesses a form by using their official (@mtroyal.ca) login as this authenticates their identity.

Alternatively, the individual may send (attach) a signed consent form (via their unique @mtroyal.ca account).

 

Signed Consent - Language (Example)

  • An editable consent form is available (J: Drive); for access, contact foip@mtroyal.ca.
  • A visual example of the form is available (here).

I [NAME] hereby authorize and give consent to Mount Royal University [DEPARTMENT] to disclose my personal information to [THIRD PARTY NAME], which includes my [LIST/TYPE OF PERSONAL INFORMATION] for the purpose(s) [PROVIDED HERE or LISTED BELOW] - I understand that my consent is effective upon the date this consent is signed.

[If applicable] This consent is in effect for the period of [DATE RANGE i.e. 1 year] after the date consent is signed. 

Name [blank] - Date [blank] - Signature [blank] - possible to require secondary authentication information.

Also include a Protection of Privacy Act - Standard Notification Statement

The personal information that you provide to Mount Royal University is collected under the authority of the Post-Secondary Learning Act (s.65) and the Protection of Privacy Act (ss. 4(a) & (c)). The information will be used for the purposes of [blank].

Questions regarding the collection of personal information can be directed to:

Department Name - Mount Royal University - Phone (and/or) Email (and/or) Department Website (url)

  

Key considerations on authentication of identity

It is best practice to authenticate the identity of the individual when either obtaining consent to disclose or disclosing an individual’s personal information.

The following are key considerations when authenticating individuals:

  1. The level of authentication of an individual should be appropriate to the nature of the use or disclosure and the sensitivity of the personal information

The degree of authentication must be appropriate to the nature of the use or disclosure and the sensitivity of the personal information involved.

In circumstances requiring a higher level of authentication, there may be a need to use multi-factor authentication such as requiring the knowledge of two or more kinds of authentication data-sets to confirm an individual’s identity prior to the disclosure of personal information.

  2. Avoid use of a common (known) identifier

Refrain from using common (or likely known) identifiers used by different public bodies and programs in the authentication process.

In other words, relying on information that is only known by the individual and the University increases the certainty that the individual is actually who they purport to be.

  3. Information transmitted remotely carries more risk for authentication

Typically, when individuals request information remotely, such as by phone or online, it is inherently more difficult to authenticate their identity.

If the transfer of information must be done remotely, it is a good idea to have multiple security questions within your documented Department processes to ensure that information is disclosed to the correct individual (via phone or online).

  4. Authentication and exercise of the right of consent by other persons

When a public body receives consent from a person exercising the right of consent of another person, the public body must also authenticate the identity of the person exercising the right.

 

 

 

