Policies & Guidelines

As the Government of Alberta has repealed the former FOIP Act, one of the key operational changes required for Departments within Mount Royal University when collecting identifiable personal information is to issue Notice to those individuals, which contains a (new) language framework under the Alberta Protection of Privacy Act.

The Alberta Protection of Privacy Act (the “POPA”) (section 5) requires that Mount Royal University must now provide the following when collecting identifiable personal information:

(a) The purpose, or reason, for which the personal information is collected or required;
(b) The specific legal authority for the collection:

• *typically under section 4(c)
• *If also citing the Alberta Post-Secondary Learning Act (the “PSLA”) - also include 4(a).
• *If including the PSLA - the authority under that legislation is 65

(c) Contact information: the email address, phone number or other contact information (email address - if applicable) to which the individual may direct the individual’s questions about the collection, and

(d) If applicable - the University’s intention (if any) at that time to input the information into an automated system (e.g. Artificial Intelligence (AI)) to generate content or make decisions, recommendations or predictions.

The Government of Alberta also states that the POPA Notification Statement can be provided in many different ways prior to the collection of personal information such as through a:

Generally, Mount Royal University may operationally use and disclose the personal information if it is for a consistent purpose with what has been described for individuals as provided in the original Notification Statement (Notice) issued at the point of collection of the personal information.

In contrast, a record of signed consent (paper or electronic) allows individuals to authorize the University to use or disclose their personal information in a prescribed, directive or particular manner.

Consent is often relied upon in circumstances that involve the disclosure of the individual’s personal information to external third parties - outside of the University.

Examples of scenarios where the University would need to rely on additional signed consent from an individual to authorize the disclosure of their personal information include the following:

• Human resources confirming employment with a bank;
• When parents want to obtain their child’s student information;
• Providing references regarding an individual to an external third party;
• Utilizing photographs or images for public marketing purposes.

Notably, many of the circumstances involving the disclosure of personal information between Government bodies rely instead on the legal allowances outlined under the Alberta Protection of Privacy Act and; therefore, do not require signed consent to authorize these Government disclosures.

 

Signed Consent - Requirements for valid consent under the POPA Regulation

Valid signed consent in writing (or record of consent) must have the following elements to be considered valid under the POPA Regulation:

• It must be signed by the individual the information is about who is giving the consent;
• It must specify the personal information (or type of personal information) to which the consent relates;
• It must specify to whom the personal information may be disclosed and how the personal information may be used and;
• It must specify the date on which the consent is effective and (if applicable) the date on which the consent expires.

Signed Consent - Electronic Signatures 

Valid electronic consents should rely on an “electronic signature”, which uniquely identifies (authenticates) the individual giving the consent. 

The POPA Regulation defines “electronic signature” as an electronic information that an individual creates or adopts (or is uniquely assigned) in order to sign a record and that is in, attached to or associated with the record.

For example, the individual accesses a form by using their official (@mtroyal.ca) login as this authenticates their identity.

Alternatively, the individual may send (attach) signed consent form (via their unique @mtroyal.ca account). 

 

Signed Consent - Language (Example)

• An editable consent form is available (J: Drive) - for access contact (foip@mtroyal.ca)).
• A visual example of the form is available (here).

I [NAME] hereby authorize and give consent to Mount Royal University [DEPARTMENT] to disclose my personal information to [THIRD PARTY NAME], which includes my [LIST/TYPE OF PERSONAL INFORMATION] for the purpose(s) [PROVIDED HERE or LISTED BELOW] - I understand that my consent is effective upon date this consent is signed. 

[If applicable] This consent is in effect for the period of [DATE RANGE i.e. 1 year] after the date consent is signed. 

Name [blank] - Date [blank] - Signature [blank] - possible to require secondary authentication information.

Also include a Protection of Privacy Act - Standard Notification Statement

The personal information that you provide to Mount Royal University is collected under the authority of the Post-Secondary Learning Act (s.65) and the Protection of Privacy Act (ss. 4(a) & (c)). The information will be used for the purposes of [blank].

Questions regarding the collection of personal information can be directed to:

Department Name - Mount Royal University - Phone (and/or) Email (and/or) Department Website (url)

  

Key considerations on authentication of identity

It is best practice to authenticate the identity of the individual either when obtaining consent to disclose or disclosing an individual’s personal information.

The following are key considerations when authenticating individuals:

1. The level of authentication of an individual should be appropriate to the nature of the use or disclosure and the sensitivity of the personal information

The degree of authentication must be appropriate to the nature of the use or disclosure and the sensitivity of the personal information involved.

In circumstances requiring a higher level of authentication, there may be a need to use multi-factor authentication such as requiring the knowledge of two or more kinds of authentication data-sets to confirm an individual’s identity prior to the disclosure of personal information. 

2. Avoid use of a common (known) identifier

Refrain against using common (or likely known) identifiers used by different public bodies and programs in the authentication process.

In other words, relying on information that is only known by the individual and the University increases the certainty that the individual is actually who they purport to be. 

3. Information transmitted remotely carries more risk for authentication

Typically, individuals requesting information remotely such as, by phone or online inherently makes it more difficult to authenticate their identity. 

If the transfer of information must be done remotely, it is a good idea to have multiple security questions within your documented Department processes to ensure that information is disclosed to the correct individual (via phone or online). 

4. Authentication and exercise of the right of consent by other persons

When a public body receives consent from a person exercising the right of consent of another person, the public body must also authenticate the identity of the person exercising the right.

Authentication of an individual typically relies on one or more of the following:

  •  Something the individual knows (Examples might include: a password, security question, PIN, mother's maiden name).

  •  Something you have (Examples might include: a smart card, key, hardware token, texted unique verification number).

  •  Something that you are (Examples might include: biometric data, fingerprints, iris scans, voice patterns or photo id).

Once again, the established authentication process can rely on one or multiple of the requirements indicated above.