Protection of Privacy

The head of a public body must designate an individual(s) to be responsible for being a point of contact for all privacy-related matters.

Lakeland College's Privacy and Access head is the President. The President has delegated all of the duties of the head to the Privacy Officer who is the point of contact for privacy-related matters.

Public bodies must make privacy policies, processes and practices available to employees and, where practicable, to the public.

Lakeland College has a privacy policy. We have also developed numerous Privacy Fact Sheets to provide guidance on a variety of privacy issues.

Public bodies must have methods to ensure that service providers are informed of their privacy obligations.

Lakeland College requires a service provider to comply with privacy and security requirements. Among these requirements is an obligation to conduct a Privacy Impact Assessment (PIA) if personal information is involved, and to sign a Security and Confidentiality Agreement or equivalent. The standard form documentation that is used by Lakeland College when contracting with service providers contains terms related to privacy and information security requirements.

Public bodies must have a process for completing and documenting privacy impact assessments (PIAs) for all new systems, projects, programs, or activities. A PIA is a risk management and compliance review process used to identify and address potential privacy and security issues.

Lakeland College has implemented a risk-based approach to conducting PIAs. This process is managed by Campus Technology Services, with support from the Privacy Office.

Public bodies must have a process for completing information sharing agreements where appropriate.

Lakeland College has developed a variety of information-sharing agreement templates which are managed by Financial Services, including Security and Confidentiality Agreements for contractors and other non-employees who are given access to confidential information.

The Privacy Officer provides advice on the completion of information-sharing agreements.

Public bodies must have a documented process for responding to privacy complaints and breaches. 

If you believe you have accidentally disclosed or mishandled personal information, it is important to report the incident immediately so we can take steps to protect affected individuals and comply with Alberta’s privacy legislation. 

If an individual wishes to make a complaint to Lakeland College about privacy, they may do so by sending an email to popa@lakelandcollege.ca and including the following information: 

• Reporter name and contact information
• Nature of the alleged privacy breach
• Names of any individuals at Lakeland College who may be involved/impacted 

All reporters will receive a response in a timely manner and complaints will be investigated. If a breach is identified, affected parties will be notified and steps to mitigate the harm will be taken. If there is a real risk of significant harm, the Privacy Officer will notify the Minister of Post-Secondary Education and the Office of the Information and Privacy Commissioner.

Breach Notification Requirements | OIPC of Alberta

Public bodies must have privacy awareness and education activities to ensure employees are aware of their privacy obligations. These activities may be scaled to meet the volume and sensitivity of personal information in the custody or under the control of the public body and should be undertaken at timely and reasonable intervals.

Lakeland College provides privacy and information security training that is mandatory for all faculty and staff. In addition, Lakeland College organizes regular privacy awareness and education activities for employees.

Public bodies must have a process for regularly monitoring and updating the Privacy Management Program, to ensure it remains current with the public body’s activities and is compliant with POPA.

Lakeland College’s Privacy Management Program is a coordinated cross-portfolio initiative under the oversight of the VP, Finance, Infrastructure & CFO and operated jointly with the Privacy, Records & Risk Office and Campus Technology Services.

Public

Description: Information approved for release and available to anyone without restriction

What this means: This information can be shared freely inside and outside the College. It has been reviewed and approved for public access. No harm would result from broad distribution.

Examples:

• Content on the Lakeland website
• Public newsletters, announcements, and social media posts
• Job postings and public event information

Internal

Description: Information intended for use within the College by staff, but not for public release.

What this means: Safe to share among College employees; Not reviewed or approved for public distribution; Could cause harm if shared externally

 Examples: 

• Internal emails and memos
• Draft documents not yet finalized for public release
• General operational procedures
• Student email addresses, student numbers, and grade levels when used within approved systems for legitimate educational or operational purposes.
• Data required for extracurricular activities where personal information has been collected with consent, and permission has been granted for its collection, use, and disclosure.

Confidential

Description: Sensitive personal or organizational information that is only accessible to authorized staff and must be protected.

What this means: Access is limited to staff who need it to perform their job; Unauthorized disclosure would cause harm to individuals or the the College; Covered under privacy legislation (POPA).

Examples:

• Student records containing sensitive personal information, including health information, Alberta Student Numbers (ASN), Health Care Numbers, birth certificates and legal identity documents, as well as parent/guardian personal information such as contact details, custody information, and emergency contacts
• Student records that combine multiple identifiers or sensitive attributes
• Student grades, report cards, transcripts, and detailed academic performance data
• Assessment results tied to identifiable students

Restricted 

Description: Highly sensitive information requiring the highest level of protection due to serious risk if disclosed.

What this means: Strict “need-to-know” access only; Unauthorized access or disclosure would cause serious harm (legal, financial, reputational, or personal); Often subject to legal or regulatory controls.

Examples:

• Psychological and Counseling records
• Disciplinary records (staff or student)
• Law enforcement or investigation information
• Financial records (payroll, banking, contracts)
• Legal documents, litigation, and in-camera Board materials
• Biometric or highly sensitive identity data