Information protection

- January 15, 2007

A Dalhousie researcher wants to collect personal data using an American survey company. A professor wants to collaborate with a researcher from an Ontario university to gather information on Nova Scotians. A department has a contract with an American database manufacturer and is considering renewing its agreement. An administrative unit wants to purchase a new software tool from an American provider. An employee wants to access e-mail while travelling out of the country.

These are just some of the situations that may be impacted by Dalhousie's new Policy for the Protection of Personal Information from Outside of Canada, which was announced today.

The policy was developed in response to the provincial Personal Information International Disclosure Protection Act (PIIDPA), which was proclaimed on Nov. 15, 2006, and took effect for contracts starting December 15, 2006.

PIIDPA places limits on the ability of the university and its researchers to store or back up personal information outside Canada, access or permit others to access personal information held in university and research databases, disclose personal information to individuals or organizations outside of Canada, and to transport personal information outside of Canada.

University Legal Counsel Karen Crombie says the university has developed a policy that is designed to meet these obligations in the least intrusive way possible.

"Compliance with the policy is important because as a public institution, we must not only meet our legal obligations to protect personal information but we must be seen to be doing it," said Ms. Crombie. "This policy provides the framework for us to meet PIIDPA's requirements and to provide the information necessary for the mandatory annual report that we must now file with the Department of Justice on things such as any foreign storage and access of information, and foreign demands for disclosure of personal information." 

Dalhousie's policy affects everyone engaged in collecting personal information (for instance, graduate students, researchers and research staff). The policy contains specific requirements with respect to the storage, transport, access and disclosure of personal information, requiring in many instances approval from one of the vice-presidents.

Personal information as defined by the policy means recorded information
about an identifiable individual, including, but not limited to:
a.        name, address, telephone, email (personal not business);
b.        race, ethnic origin or religious political beliefs or associations;
c.        age, sex, sexual orientation, marital status or family status;
d.        any identifying number or symbol (examples: Dalcard ID, SIN, credit card, health                    insurance, drivers' licence);
e.        fingerprints, blood type, or inheritable characteristics;
f.         medical or personal history;
g.        educational, employment, financial, or criminal history;
h.        personal views or opinions.

There is a variety of ways for the campus community to gain clarification on the policy and how it applies to individuals and departments. Ms. Crombie has provided information sessions to several groups on campus and will continue to do so over the coming weeks.

Researchers with specific questions regarding the policy can contact
Patricia Lindley, Director of the Office of Research Ethics Administration at patricia.lindley@dal.ca.

Any other questions can be directed to Karen Crombie, Legal Counsel at Karen.Crombie@dal.ca.

The complete policy can be viewed here.

Guidelines have been developed specifically for researchers and can be found here: http://researchservices.dal.ca/research_7566.html