Legislation & Policy

Queen’s University is subject to provincial access and privacy legislation with regard to the information it holds about the University and the individuals who participate in the Queen’s community. Specifically, the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Protection Act (PHIPA) apply to various aspects of the University’s operations. To the extent that the University has operations in the European Union, it is subject to the EU General Data Protection Regulation (GDPR). Queen's University's legislative responsibilities are reflected in its policies.

The following is intended as a brief overview of the Freedom of Information and Protection of Privacy Act (FIPPA) (R.S.O. 1990, c.F.31). It does not purport to be a substitute for cogent legal advice or a description of all the requirements of relevant privacy legislation. Members of the University community are encouraged to contact their FIPPA Contact or the Chief Privacy Officer.

The Act contains two principles: The first is transparency. Transparency is achieved by the Act by providing individuals a right of access to institution records, a right to access their own personal information, and the right to request correction to personal information in the custody of the institution that they believe is incorrect. The second is information privacy. Information privacy is achieved by the Act by imposing rules on the manner in which institutions collect, use, disclose, retain and dispose of personal information.

The Act does not apply to private donations in the University's archives, to labour relations and employment-related records, to research and teaching materials, or to records outside of the University's custody or control. The right of access provided by the Act may not apply to records regarding a closed meeting, solicitor-client privileged records, records harmful to the University's economic interests, records that contain advice or recommendations, records that may pose a danger to health and safety, records that are publicly available, records that may endanger national security, records relating to a law enforcement matter, and records relating to relationships with other governments.

As the Act may be amended from time to time, you should check the Government of Ontario's E-Laws website for the most up-to-date version This overview is current as of July 2018.

The following statement is intended to be a brief overview of the Personal Health Information Protection Act (PHIPA) (S.O. 2004, c.3). It should not be held as a substitute for legal advice or a description of all the requirements for compliance with PHIPA. Members of the University community with specific questions about the Act are encouraged to contact the responsible Health Information Custodian or the Chief Privacy Officer.

Queen's has six Health Information Custodians:

  • Student Wellness Services (Counselling Services, Health Services
  • Department of Family Medicine
  • The Physical Therapy Clinic at Queen's
  • Athletic Therapy Services
  • Psychology Clinic at Queen's
  • Regional Assessment and Resource Centre

Under PHIPA, personal health information includes information relating to: the physical or mental health of the individual; the provision of health care to the individual; payments or eligibility for health care; the donation of body parts or substances by the individual; the individual's health number; or plans of service.

PHIPA is intended to provide rules regarding the collection, use and disclosure of personal health information to help protect the confidentiality of the information and privacy of the individual while also allowing for the effective provision of health care. In addition, it provides individuals with mechanisms to access and correct their own health information.

As the Act may be amended from time to time, you should check the Government of Ontario's E-Laws website for the most up-to-date version. This overview is current as of July 2018.

The following statement is intended to be a brief overview of the General Data Protection Regulation EU 2016/679 (GDPR). It should not be held as a substitute for legal advice or a description of all the requirements for compliance with the GDPR. Members of the University community with specific questions about the Regulation are encouraged to contact their FIPPA Contact or the Chief Privacy Officer.

The focus of the GDPR is the collection and use of personal information of persons residing within the European Union (EU) and it represents an overall expansion of these individual's privacy rights. The GDPR applies only to the processing of personal information when: (1) the establishment performing the processing is within the EU; (2) an establishment not within the EU is offering goods or services to data subjects in the EU; or (3) an establishment not within the EU is monitoring the behaviour of persons within the EU.

For questions about the collection and processing of personal information under the GDPR, contact your FIPPA Contact or the Chief Privacy Officer. This overview is current as of July 2018.

The purpose of this policy is to:

  • set out the responsibilities of the university community regarding the right of access to records and information and the protection of privacy of personal information in accordance with the Freedom of Information and Protection of Privacy Act ("FIPPA"); and
  • ensure that personal information in the university's custody or control, including personal information that has been transferred to an agent or service provider, is handled and protected in accordance with FIPPA and other applicable legislation.

Read the policy: Access to Information and Protection of Privacy Policy

The purpose of this policy is to:

  • set out the responsibilities of the university's health information custodians regarding the proper handling of personal health information in accordance with the Personal Health Information Protection Act ("PHIPA"); and
  • ensure that personal health information in the university's custody or control, including personal health information that has been transferred to a Researcher, an agent, or service provider, is handled and protected appropriately.

Read the policy: Policy on the Handling of Personal Health Information

The purpose of this policy is to:

  • ensure responsible management of university records as valuable resources and assets in support of effective decision-making, protection of rights and entitlements, and preservation of corporate memory

  • support the protection of personal information by ensuring university records are managed and disposed of in an appropriate fashion

  • protect the university from the risks associated with inadvertent or inappropriate destruction of information

  • support accountability, and promote operational efficiency and economy

  • ensure compliance with relevant legislation

Read the policy: Records Management Policy