# H O L L A N D C O L L E G E BOARD POLICY PERSONAL INFORMATION PROTECTION AND ELECTRONICS DOCUMENTS ACT ('PIPEDA') | | | |---|---| | Type | PDF | | Size | 161 KB | [Open original PDF →](https://sam.hollandcollege.com/shared/QMS/Policy/20/BP-20-08.pdf) Referenced from: [Access to Information and Protection of Personal Information Policy](/pages/about/ai-and-ppi-html/) ## Document text ## H O L L A N D C O L L E G E BOARD POLICY Category: FISCAL, PHYSICAL AND INFORMATION Topic: PERSONAL INFORMATION PROTECTION AND ELECTRONICS DOCUMENTS ACT ('PIPEDA') Code: 20-08 Effective Date: September 10, 2025 Revision: TWO Approved by: Jessie Inman, Chairperson, Board of Governors ## Related Documents: Board Policy 20-09 (Freedom of Information and Protection of Personal Privacy (FOIPP) and Access to Information Policy) Administrative Regulation 20-07-2 (Holland College Website - Privacy Policy, PIPEDA and Terms of Use) Administrative Regulation 20-09-1 (FOIPP, Access to Information and Protection of Privacy) ## 1. Purpose - 1.1 The purpose of this Policy is to ensure that the College complies with the Personal Information Protection and Electronic Documents Act ('PIPEDA'), and to promote responsible practices in the management of personal information in accordance with that legislation. - 1.2 PIPEDA and, hence, this Policy only applies where the College collects, uses or discloses personal information in the course of a 'commercial activity'. - 1.3 This Policy is not, therefore, intended to deal with all privacy issues that may arise within the College. ## 2. Definitions ## 2.1 'Commercial Activity' A 'commercial activity' means any particular transaction, act, or conduct or any regular course of conduct that is of a commercial - character, including the selling, bartering or leasing of donor, membership, or other fundraising lists. - 2.2 'Commercial Character' An activity will have a 'Commercial Character' for the purposes of this Policy if it, or another activity with which it is associated: - a) involves the exchange of goods or services for valuable consideration (e.g. money); or - b) is for the purpose of creating a profit, generating revenue, or producing positive cash flow; or - c) involves the selling, bartering, or leasing of donor, membership, or other fundraising lists; and - d) is not principally instructional in nature. ## 2.3 'Personal Information ' Personal Information means information that the College collects, uses, or discloses in the course of a commercial activity about an identifiable individual. It includes, but is not limited to, an individual's name, home address, home telephone number, home email address, I.D. number, information about an individual's personal characteristics (e.g. age, sex, martial or family status, race, social status, educational background, employment background, source of income), financial information, medical information, criminal record information, opinions, evaluations, comments, but does not include the following: - a) the name, title, business address, or business telephone number of an employee of the College or other organization; - b) information that relates only to a corporation or other organization; and - c) publicly available information as defined in PIPEDA. ## 3. Application - 3.1 PIPEDA only applies to personal information about an identifiable individual the College collects, uses, or discloses in the course of a 'commercial activity'. - 3.2 Consequently, this policy does not apply where the College collects, uses, or discloses, the personal information of individual students or former students, employees, or former employees, or third parties, (e.g. family members, or contractors) unless that information is collected, or used or disclosed, in the course of a 'commercial activity'. - 3.3 The College has examined the purposes for which it collects, uses, and discloses the personal information of individual students or former students, employees or former employees, and third parties, and has identified those situations in which PIPEDA likely applies. These 'Designated PIPEDA Activities' are listed below. - 3.4 It is the Policy of the College to comply with PIPEDA when engaged in these Designated PIPEDA Activities. - 3.5 The College does, however, recognize that PIPEDA does not make it clear whether certain College activities are subject to it. Consequently, if an employee of the College has doubt about whether a particular activity falls within PIPEDA and, hence, this Policy the employee shall consult with the College's Chief Pr ivacy Officer. 4. Designated PIPEDA Activities - 4.1 Student Personal Information: The personal information of students or former students of the College will be covered by PIPEDA and, hence, this Policy only if it is collected, used, or disclosed for the purpose of: - a) marketing the College - b) marketing, leasing, or selling products, or marketing or selling non-instructional services, such as: - (i) bookstore sales; - (ii) gift store sales; - (iii) food services; - (iv) rental of residence rooms; - (v) rental of facilities or equipment; - (vi) insurance or other similar products; - c) fundraising that involves the sale of products or services; - d) selling instructional services under contract with an organization or an individual to provide instruction to the employees of that organization or individual. - 4.2 Employee Personal Information: The personal information of employees or former employees of the College will be covered by PIPEDA and, hence, this Policy only if it is collected, used, or disclosed for the purpose of: - a) marketing the College where information other than the name, business address, and business telephone number, of an employee is used; - b) marketing, leasing, or selling products (other than employee benefits), or services, such as: 3. (i) bookstore sales; 4. (ii) gift store sales; 5. (iii) rental of College equipment or facilities. - c) fundraising that involves the sale of products or services. 7. 4.3 Personal Information of Individual Third Parties: The personal information of individual third parties will be covered by PIPEDA and, hence, this Policy only if it is collected, used or disclosed for the purpose of: - a) selling or leasing products, or selling services, to an individual third party such as: 9. (i) bookstore sales; 10. (ii) gift store sales; 11. (iii) rental or sale of College equipment or facilities; 12. (iv) consultancy services; 13. (v) conferences; 14. (vi) workshops; - b) fundraising that involves the sale of products or services; - c) contracting by the College with an individual third party to provide products or services to the College. 5. Responsibility for Compliance 18. 5.1 The Quality and Privacy Officer is designated as the College's Chief Privacy Officer and shall be responsible for the College's compliance with PIPEDA and this Policy. The College's Chief Privacy Officer may be reached at: 19. Holland College Quality Office 140 Weymouth Street Charlottetown, PE, C1A 4Z1 902-566-9542 Privacy@hollandcollege.com 20. 5.2 Individual members of the Management Executive Committee and all Managers also have a responsibility to oversee compliance © Holland College, 2025 - with PIPEDA and this Policy by employees under their area of responsibility. 6. Collection, Use, and Disclosure of Personal Information - 6.1 The College will collect, use, or disclose personal information in the course of a commercial activity only for purposes that a reasonable person would consider appropriate in the circumstances. 7. The Ten Principles - 7.1 Personal information that is collected, used or disclosed by the College in the course of a commercial activity, will be handled in accordance with the ten privacy principles set out in PIPEDA. These principles are summarized in Appendix A which forms part of this Policy. 8. Inquiries, Requests, Complaints - 8.1 The College shall inform individuals who make inquiries or lodge complaints about matters covered by this Policy, or who seek access to or to correct, personal information in the possession or control of the College of the existence of the following provisions. - 8.2 An individual who has an inquiry or complaint about any matter covered by this Policy, or who wishes to gain access to or to correct personal information in the possession or control of the College may do so by addressing their inquiry, compliant or request, in writing, to the College's Chief Privacy Officer. - 8.3 The written inquiry, complaint, or request should include sufficient information to enable the College to deal with the inquiry, complaint or request. - 8.4 The College's Chief Privacy Officer shall investigate all complaints received. If the complaint is found to be justified, the College shall take appropriate corrective action. - 8.5 The College's Chief Privacy Officer shall respond to the complaint, inquiry, or request normally within 30 days. 9. Policy Review - 9.1 The College will review this Policy to ensure that it remains relevant and current with changing laws, regulations, and decisions. The College reserves the right to amend this Policy at any time for any reason. ## Appendix 'A': Privacy Principles ## Principle 1 - Accountability - The College is responsible for personal information in its possession and under its control. - The College shall designate an individual who is accountable to the College's compliance with the following privacy principles, who shall be known as the College's Chief Privacy Officer. - The College will use responsible means to ensure that any personal information transferred by the College to a third party for processing is given a comparable level of protection. - The College shall implement procedures to protect personal information. - The College shall train staff about its privacy policies and procedures. ## Principle 2 - Identifying Purposes - The College shall identify the purposes for which personal information is collected at or before the time the information is collected and shall document those purposes. ## Principle 3 - Consent - The College will collect, use and disclose personal information only with the knowledge and consent of the individual except where the law does not require such knowledge or consent. ## Principle 4 - Limiting Collection - The College's collection of personal information shall be limited to that which is necessary for the purposes identified by the College. The College will use fair and lawful means to collect personal information. ## Principle 5 - Limiting Use, Disclosure, and Retention - Personal information shall not be used or disclosed for purposes other than those for which it was collected, unless the individual consents, or the use or disclosure is permitted or required by law. The College shall retain personal information only as long as necessary for the fulfillment of those purposes. ## Principle 6 - Accuracy - Personal information collected by the College shall be as accurate, complete, and up to date as necessary for the purpose for which it is to be used. ## Principle 7 - Safeguards - The College shall implement security safeguards appropriate to the sensitivity of the personal information in its possession. ## Principle 8 - Openness - The College shall make specific information about its policies and procedures relating to the management of personal information readily available to individuals. ## Principle 9 - Individual Access - An individual has the right to be informed of the existence, use and disclosure of their own personal information. An individual also has a right to access to, and to request correction, of their own personal information. ## Principle 10 - Challenging Compliance - An individual has the right to challenge the College's compliance with these principles by making a complaint to the College's Chief Privacy Officer. --- Source: [https://sam.hollandcollege.com/shared/QMS/Policy/20/BP-20-08.pdf](https://sam.hollandcollege.com/shared/QMS/Policy/20/BP-20-08.pdf)