Tyndale University and The Tyndale Foundation (collectively “Tyndale”) recognize the importance of and are committed to the protection of the personal information of its community (students, faculty, staff, donors, volunteers, alumni, directors and governors). Tyndale’s Policy regarding the collection, use and disclosure of personal information is based upon the 10 principles appended to the Personal Information Protection and Electronic Documents Act ("PIPEDA").
Personal Information is information about an identifiable individual and includes, but is not limited to:
- Information relating to race, national or ethnic origin, first language, colour, disability, religion, age, sex, sexual orientation, or marital or family status of the individual;
- Information relating to the educational, medical, psychiatric, psychological, criminal or employment history or remuneration of the individual or about financial transactions involving the individual;
- The home address or home telephone number of the individual;
- Any identifying number, symbol or other identifier assigned to the individual.
- Tyndale is responsible for personal information which it collects, uses, discloses and retains.
- Tyndale has appointed a Chief Privacy Officer who is accountable for Tyndale’s compliance with this Policy and all applicable privacy laws.
2. Identifying Purposes
- Tyndale will always endeavour to identify the purposes for which personal information is collected at or before the time the information is collected.
- The purposes for which Tyndale collects, uses or discloses personal information will be described in a reasonably understandable manner.
- Tyndale will collect, use or disclose personal information only with knowledge and consent, except where required or permitted by law.
Tyndale collects and uses personal information for purposes that include:
- Assess applicants for acceptance and process tuition payment information;
- Registration of applicants;
- Contact with students, employees, alumni or donors when required;
- Graduation activities for graduating students and their families;
- Preparation of the Student, Staff and Faculty Directories;
- Preparation of the annual Accreditation and Regulatory Reports;
- Event notification to Alumni and donors;
- Consent can be express or, in some circumstances, implied, and given in writing, by using or not using a check-off box, electronically, orally (in person or by telephone), or by the conduct of the parties.
- In determining the type of consent to obtain, Tyndale will consider all relevant factors, including the sensitivity of the information and the reasonable expectations of the individual.
- An individual may withdraw consent at any time, on reasonable notice, subject to legal or contractual restrictions.
4. Limiting Collection
- The collection of personal information by Tyndale will be limited to what is necessary for the purposes for which it is collected.
- Tyndale will always collect personal information by fair and lawful means.
5. Limiting Use, Disclosure, and Retention
- Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the individual’s consent or as required or permitted by law.
- Personal information will be retained only as long as necessary for fulfilment of the purposes for which it was collected, or as required by law.
- Library membership-related information of patrons may be disclosed to OCLC WorldShare Management Services and stored on their secure servers in Canada. This information will be used by Tyndale library staff to administer patron library accounts and to contact patrons concerning library related matters.
Tyndale will keep personal information as accurate, complete and up-to-date as necessary for the purposes for which it is to be used. From time to time Tyndale may contact the individual to ensure that the information which it has collected is or remains accurate and up-to-date.
Tyndale protects personal information by security safeguards appropriate to the sensitivity of the information, including through the use of the following measures:
- physical (e.g., locked filing cabinets, restricted access, appropriate disposal of personal information);
- organizational (e.g., security clearances, access only on a "need to know"; basis);
- technological (e.g., passwords, encryption) and training of staff.
• Information about Tyndale’s policies and practices relating to the management of personal information is readily available to individuals upon request to the Chief Privacy Officer.
9. Individual Access
- Upon written request from an individual, Tyndale will provide access to the individual for the purpose of reviewing that individual’s personal information. Individuals requesting access should specify the information which they wish to review in order to facilitate the process to make this information available.
- Individuals have the right to challenge the accuracy and completeness of their information and have it amended if it is inaccurate, incomplete or out-of-date.
In certain circumstances, Tyndale may refuse to disclose personal information to the individual to whom the personal information relates:
- where required by law, certain personal information may not be disclosed;
- where the information contains personal information about another individual;
- where the information is of such a nature that its disclosure could reasonably be expected to prejudice the mental or physical health of the individual;
- where the information was gathered in the course of a formal dispute resolution process;
- where the information is subject to solicitor- client privilege.
10. Breach Notification Process
- Where it is suspected or evident that an unauthorized disclosure of personal information, a privacy breach, has occurred, the individual or individuals who are aware of the potential privacy breach shall immediately notify the Chief Privacy Officer (CPO).
- The CPO will forthwith strike a privacy breach committee composed of the Director of Human Resources, a senior operations person representing the department experiencing the privacy breach, and an information technology representative when necessary, to investigate the potential breach.
This privacy breach committee will:
- identify the scope of the potential breach and take the necessary steps to contain it;
- identify those individuals whose privacy was breached;
- evaluate the nature of the information disclosed;
- evaluate whether and how notification of the affected individuals should occur;
- evaluate who in addition to the affected individuals should be advised of the privacy breach and so advise those individuals; and
- review policies and procedures relating to the circumstances resulting in the privacy breach and provide recommendations to the appropriate persons to prevent future breaches.
11. Contacting Tyndale and/or Compliance
Requests for access to information, issues or complaints about Tyndale’s compliance with this Policy regarding the handling of personal information , and questions or comments about this Policy, can be addressed to Tyndale’s Chief Privacy Officer at privacy [at] tyndale [dot] ca