Privacy Policy

• Personal Information Protection and Electronic Documents Act (PIPEDA)
• IPPA Reg. 460: General
• Freedom of Information and Protection of Privacy Act (FIPPA)

1. Accountability

As a charitable organization and private university, Tyndale is not currently subject to either PIPEDA or FIPPA, however the University will use this legislation to guide and develop its privacy policies, agreements and best practices.

Tyndale has appointed a CPO who is accountable for implementation and general oversight of this Privacy Policy.

Tyndale Community members are responsible for day-to-day compliance with this Privacy Policy.

2. Identifying Purposes

Tyndale will identify the purposes for which personal information is collected at or before the time the information is collected. The purposes for which Tyndale collects, uses or discloses personal information will be described in a reasonably understandable manner.

3. Limiting Collection

The collection of personal information by Tyndale will be limited to what is necessary for the purposes for which it is collected.

Tyndale will always collect personal information by fair and lawful means.

4. Limiting Use and Disclosure

Tyndale will use or disclose personal information only as needed for delivering its programs, activities and services.

5. Limiting Retention

Personal information will be retained by Tyndale only as long as necessary for fulfilment of the purposes for which it was collected, or as required by law.

6. Accuracy

Tyndale will keep personal information accurate, complete and up-to-date as necessary for the purposes for which it is to be used. From time to time Tyndale may contact the individual to ensure that the information which it has collected is, or remains, accurate and up-to-date.

7. Safeguards

Tyndale will protect personal information by security safeguards appropriate to the sensitivity of the information, including, but not limited to, the use of the following measures:

• physical (e.g., locked filing cabinets, restricted access, appropriate disposal of personal information);
• organizational (e.g., security clearances, access only on a "need to know" basis);
• technological (e.g., passwords, encryption) and training of staff.

8. Openness

Information about Tyndale’s policies and practices relating to the management of personal information will be made available to individuals upon request to the CPO at privacy@tyndale.ca.

9. Individual Access

Upon written request from an individual to the CPO at privacy@tyndale.ca, Tyndale will provide access to the individual for the purpose of reviewing that individual’s personal information. Individuals requesting access should specify the information which they wish to review.

Individuals have the right to challenge the accuracy and completeness of their information and have it amended if it is inaccurate, incomplete or out-of-date.

In certain circumstances, Tyndale may refuse to disclose personal information to the individual to whom the personal information relates:

• where required by law, certain personal information may not be disclosed;
• where the information contains personal information about another individual;
• where the information is of such a nature that its disclosure could reasonably be expected to prejudice the mental or physical health of the individual;
• where the information was gathered in the course of a formal dispute resolution process;
• where the information is subject to solicitor-client privilege.

10. Breach Notification Process

Where it is suspected or evident that an unauthorized disclosure of personal information has occurred (i.e. a privacy breach), the individual or individuals who are aware of the potential privacy breach shall immediately notify the CPO.

The CPO will strike a privacy breach committee composed of the senior operations person representing the department experiencing the privacy breach, and an information technology representative when necessary, to investigate the potential breach. This privacy breach committee will:

• identify the scope of the potential breach and take the necessary steps to contain it;
• identify those individuals whose privacy was breached;
• evaluate the nature of the information disclosed;
• evaluate whether and how notification to the affected individuals should occur;
• evaluate who in addition to the affected individuals should be advised of the privacy breach and so advise those individuals; and
• review policies and procedures relating to the circumstances resulting in the privacy breach and provide recommendations to the appropriate persons to prevent future breaches.