FIPPA and CASL Overview What we need to do to ensure we are in compliance with the Privacy Commissioner of Ontario (IPC) based on FIPPA (Freedom on Information and Protection of Privacy Act) and Electronic Communications

FIPPA Outline The Act requires that government institutions (UofG) protect the privacy of an individual’s personal information existing in our records. It also gives individuals the right to request access to AA&D information, including general records and records containing their own personal information. This includes deceased’s personal information for 30 years.

Personal information “means recorded information about an identifiable individual” a. information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual, b. information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved, c. any identifying number, symbol or other particular assigned to the individual, d. the address, telephone number, fingerprints or blood type of the individual, e. the personal opinions or views of the individual except where they relate to another individual, f. correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence, g. the views or opinions of another individual about the individual, and h. the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual" Personal information does not include information about an individual who has been dead for more than thirty (30) years.

FIPPA includes: Rules regarding the collection, retention, use, disclosure and disposal of personal information in its custody or control. Collection = We are allowed to collect data through the fundraising effort requirements of the University of Guelph. Use = We must ensure that our usage is for fundraising purposes only. This can be construed as many efforts (reunions, e-news, events, etc) but we must be able to prove this rationale. This is the reason for the mailing component on IRF and ERF form, to ensure we are meeting the acceptable USE clause. Disclosure = We track and document every time we share someone’s information with external entities from AA&D. This is the purpose of the IRF and ERF.

Anti-Spam Legislation in Canada – Bill C28 (CASL) Outline Please adhere to the following: Ensure we are only contacting people whom we have a proven business relationship. This basically includes donors and alumni. We do not have authority to contact other people. All non 1:1 emails (or personal emails) MUST provided simple, immediate and clear unsubscribe mechanisms (ie. manage your subscriptions link). This is why we use a centralized marketing system called Luminate Online (LO) for ALL mass emails. LO is also linked for tracking of interactions within CRM. We need to adhere to individual preferences that have been relayed to us within an appropriate amount of time. DO NOT REUSE any list older than 2 weeks without asking the IS team to re-run for contact restriction updates. Also, all lists requests should include restrictions based on your business usage.