ampEducator - Guideline on Access to Records & Protection of Privacy

TABLE OF CONTENTS

• Overview
• (PIPEDA) Principles
• Collection and Use of Personal Information
• Staff User (Employee) Access
• Staff & Student User Access / Change / Removal of Information
• Maintaining User Contact Information
• Public Disclosure
• Disclosure to Third Parties
• Legally Mandated Disclosures
• Disclosure in Emergency or Compassionate Situations

Overview

ampEducator Inc. is a Canadian Corporation that provides ampEducator (the “Service”) and as such is governed by the legislation for businesses operating in Canada. Access to Staff and Student records and information is ultimately governed by the Client Institution policy that must comply with the legislation (laws and/or acts) of the country that they operate in and are subject to based on the designated type of institution. In Canada, as in other parts of the world, Client Institutions are subject to different legislation examples that exist for Public or Private business and designated institutions. For Client Institutions operating in countries both inside and outside of Canada the Service requires Client Institutions to make reasonable commercial efforts to ensure all data access to records and protection of privacy is adhered to by following the Service Guideline on Access to Records & Protection of Privacy (the “Guidelines”). ampEducator Inc. and the Service do not warrant that simply by using the Service the Client Institution will meet the required obligations to any or all specific legislation (laws and/or acts) and that this is solely the responsibility of the Client Institution to understand and properly enforce with Users. As per our Terms of Service, by using the Service the Client Institution Staff and Student (“Users”) agree that they shall at minimum collect, use and disclose personal information related to all Users in accordance with the following Guidelines and in general adhere to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) Principles:

(PIPEDA) Principles

An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles. The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection. The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means. Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes. Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used. Personal information must be protected by appropriate security relative to the sensitivity of the information. An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available. Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Data Officer.

Collection and Use of Personal Information

Staff Users employed by the Client Institution and using the Service or Student Users by applying for admission via the Service to the Client Institution and/or by enrolling in a program or course, consent to the collection of personal information for educational, administrative and statistical purposes. Examples of this include, but are not limited to processing admission applications and enrolment and registration in academic programs; to record and track academic progress; to provide the basis for awards and governmental funding and for related record keeping purposes. Users agree that all information and documentation submitted in support of these examples to the Service, becomes the property of the Client Institution. 

Staff User (Employee) Access

Use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances. Staff Users of the Client Institution are permitted access to information contained in Student User records if Staff Users need to know the information in order to perform their official duties. As a general rule, Staff Users involved in some aspect of academic administration or student affairs are given access to a Student User record. The level and nature of access should be related to Staff User particular administrative duties. Other Staff Users may use Student User personal information for a variety of other fundamental activities related to being a member of the overarching institution community, such as advancement. Admin Roles assigned to Users in the Service have the authority to withdraw access to Student User records from any Staff User.

Staff & Student User Access / Change / Removal of Information

Users have the right to inspect their own official record, with the exception of any information supplied by third parties to the Client Institution with the understanding that they be kept confidential. Users have the right to request that erroneous information contained in their records be corrected and that recipients of any information found to be in error be advised of the correction. Users wishing to inspect their record or make changes must make an appointment or request changes with the Client Institution. An electronic record of Staff or Student User is permanently retained in the Service (or as long as the Client Institution account is active) unless any data contained in the Staff or Student User record is destroyed in accordance with the Client Institution’s records retention policies. The Service does not accept nor does it process requests on behalf of the Client Institution for the removal of Staff or Student User Records. Users must contact the Client Institution directly in writing to the appropriate Officer to request any removal of User Data.

Maintaining User Contact Information

Client Institutions are required to use email to manage duplication of records, verify and communicate with Staff and Student Users with the Service. Staff and Student Users are responsible for maintaining up-to-date email addresses and for ensuring that there are no problems with their external email provider or individual account that would prevent Client Institution from delivering an email to that address.

Public Disclosure

Any information contained in the Staff or Student User record will only be disclosed with the User written consent.

Disclosure to Third Parties

Information may be shared with the third parties to facilitate fundamental activities, but they must be disclosed in advance. Otherwise, all requests from a third party must be approved by the User.

Legally Mandated Disclosures

Specified records or portions thereof may be provided to persons or agencies pursuant to a court order in situations where the Client Institution is required to comply with the law, and as part of law enforcement investigations or proceedings.

Disclosure in Emergency or Compassionate Situations

On occasion, a personal emergency may require Users to be contacted quickly. In emergency situations involving the health and safety of an individual, or in compassionate situations, the Client Institution, if considered to be in the best interest of the User, will release personal information about the User and will then inform the User of the disclosure. Users are required to routinely update their next of kin and emergency contact information.