Policy on Personal Information (CAN)

Policy Number: 707-CAN

University Records and Information Systems

The permanent link for this policy is: https://policies.northeastern.edu/policy707-CAN/

This policy applies to Northeastern University Canadian Campuses only.

I. Purpose and Scope


Northeastern University is committed to protecting Personal Information of applicants, students, parents, employees and other individuals that it collects, uses, discloses, and maintains in its operations.

This Policy on Personal Information, which applies to Personal Information collected, used or disclosed in Canada, reiterates Northeastern’s commitment to the privacy of Personal Information, as defined below, in accordance with the Personal Information Protection Act (British Columbia) or the Personal Information Protection and Electronic Documents Act (“Privacy Law”), where applicable. This policy outlines practices Northeastern follows in collecting, retaining, using and disclosing Personal Information.


II. Definitions


For purposes of this policy,

Personal Information is information about an identifiable individual (which may include, but is not limited to, name, age, home address and phone number, social insurance number, marital status, education, and employment information) but does not include business contact information such as an individual’s name, title, business address, business telephone number or business e-mail address.

Employee Personal Information means Personal Information, in respect of an individual who is a potential, current or former employee, reasonably required for the purposes of:

(i) establishing, managing or terminating an employment or volunteer-work relationship, or

(ii) managing a post-employment or post-volunteer-work relationship,

but does not include Personal Information about the individual that is unrelated to that relationship.

III. Policy

1. Collecting Personal Information

Northeastern collects Personal Information that is necessary for operating its business, including Personal Information needed to:

• process applications for admission to Northeastern’s undergraduate and graduate programs and enrollment in courses and programs;

• administer and assess educational programs;

• fulfill public safety obligations;

• deliver and administer education, record the details of studies (including any placements with external organizations for co-op or academic coursework taken at another institution), and determine/confirm academic achievements (e.g. results, prizes);

• administer the financial aspects of the relationship between Northeastern, its students and any funding agencies or lenders;

• provide facilities (e.g. IT, sport, libraries, accommodation);

• operate security, governance, disciplinary, complaint, audit and quality assurance processes and arrangements;

• support training, medical, safety and welfare requirements;

• compile aggregated data for historical descriptive analysis of enrollment trends, required regulatory reporting, and accreditation purposes;

• notify designated emergency contact(s) of an emergency or crisis;

• prevent fraud or criminal activity, misuse of products or services, and protect the security of IT systems, architecture and networks; and

• meet legal and regulatory requirements.

In general, Northeastern only collects information directly from the individuals to whom it applies. However, Northeastern may collect information from other people with the consent of the individuals to whom the information applies, or as authorized by law.

2. Employee Personal Information

To the extent permitted by Privacy Law, Northeastern may collect, use or disclose Employee Personal Information of any potential, current or former employee without the consent of the employee for the purposes of establishing, managing or terminating the employment relationship, or managing the post-employment relationship. Where the Employee Personal Information relates to a current employee of Northeastern, Northeastern will provide the employee with notice that their Employee Personal Information will be collected, used or disclosed, including the purposes for which the information will be collected, used or disclosed.

Employee Personal Information and Personal Information regarding employees may be collected, used and disclosed for purposes including, but not limited to:

• hiring, promotion, compensation and tax reporting;

• compliance with legal requirements and obligations;

• compliance with requirements of applicable professional governing bodies;

• provision and administration of health and welfare benefits and programs;

• human resources and payroll administration;

• professional development and performance management; and

• enforcement of Northeastern’s policies and procedures.

Except as otherwise permitted by Privacy Law, all Employee Personal Information and Personal Information in respect of employees shall be treated in the same manner as other Personal Information, in accordance with the terms of this policy. Unless otherwise indicated, the provisions of this policy shall apply to all Employee Personal Information and Personal Information relating to employees.

3. Consent

Northeastern will ask for consent to collect, use or disclose Personal Information, except in circumstances where collection, use or disclosure of Personal Information without consent is authorized or required by law. Consent will be implied where the purpose for collecting, using, or disclosing the Personal Information is obvious and the individual voluntarily provides Personal Information for such purpose.

Where not implied, consent can be provided orally, in writing, electronically, or through an authorized representative.

Subject to certain exceptions (e.g., the Personal Information is necessary to fulfill Northeastern’s legal obligations), an individual may withhold or withdraw their consent for Northeastern to use or disclose their Personal Information. Withholding or withdrawing consent to the use or disclosure of Personal Information may restrict Northeastern’s ability to provide certain products or services, if it does not have the necessary Personal Information.

4. Using and Disclosing Personal Information

Northeastern will only use or disclose Personal Information for the purposes for which the information was collected, except as authorized by law. If Northeastern wishes to use or disclose Personal Information for any additional purpose, Northeastern will ask for consent unless consent is not required by law.

Northeastern may, from time to time, transfer Personal Information to Northeastern systems or affiliates located in the United States. Such affiliates may receive, process and handle Personal Information for the purposes described in this policy and will provide a level of protection for Personal Information that is comparable to that provided by Northeastern.

Additionally, Northeastern may disclose Personal Information to other third-party service providers for the purposes of providing services or functions on behalf of Northeastern. Personal Information will not be disclosed to such third-party service providers except as described in this policy and Northeastern’s Online Privacy Notice, with consent of the individual or as required or permitted by law. Northeastern will endeavour to ensure that its contracts with third-party service providers limit the retention, use and disclosure of Personal Information by the third-party service provider solely for the purpose of carrying out the contracted services and provide a level of protection for Personal Information that is comparable to that provided by Northeastern.

5. Retaining Personal Information

Northeastern University will retain Personal Information for as long as is reasonable to fulfil the purposes for which the information was collected, or as required for legal, compliance or business purposes.
Notwithstanding the foregoing, Personal Information used to make a decision that directly affects an individual will be retained for at least one (1) year following the decision.

6. Accuracy of Personal Information

Northeastern will make reasonable efforts to maintain the accuracy of the Personal Information used and disclosed.

Individuals may request a correction if there is an error or omission in their Personal Information. An individual must make a request in writing to correct their Personal Information, which request must provide sufficient detail to identify the Personal Information and the correction being sought.

If Personal Information is demonstrated to be inaccurate or incomplete, Northeastern will correct the information as required and send the corrected information to any organization to which it disclosed the Personal Information in the previous year. If Northeastern decides not to correct the Personal Information, Northeastern will note that a correction was requested but not made in the file.

7. Securing Personal Information

Northeastern will protect Personal Information in a manner appropriate to the sensitivity of the information. Northeastern will make reasonable efforts to prevent loss, misuse, disclosure, copying, modification, disposal or destruction of Personal Information or any unauthorized access to Personal Information. Employee access to Personal Information is limited to those employees who require such Personal Information to carry out their responsibilities.

Northeastern continually reviews and updates its security policies and controls as technology changes to promote ongoing Personal Information security.

8. Access to Personal Information

Individuals may access their own Personal Information in Northeastern’s custody or control, subject to certain exceptions (e.g. Privacy Law prohibits access to information that may contain Personal Information about another individual or confidential business information. Access may also be refused if the information is subject to solicitor-client privilege.) In some cases where exceptions to access apply, Northeastern may withhold that information and provide the remainder of the information.

A request to access Personal Information must be made in writing to Sean O’Connor, Chief Technology Officer, and provide sufficient detail to identify the Personal Information being sought. Individuals may also request information about Northeastern’s use of their Personal Information and any disclosure of that information to persons outside the organization.

Northeastern will respond to an individual’s request within the time limits specified by Privacy Law and will indicate whether the individual is entitled to access the information. If access is refused, in whole or in part, Northeastern will provide reasons for the refusal, the name of the person who can answer questions about the request and advise of the right to have the decision reviewed by the Privacy Commissioner of British Columbia or the Privacy Commissioner of Canada.

Northeastern may charge a minimal fee for providing access to Personal Information; however, no fee will be charged for providing access to Employee Personal Information. Where a fee will apply, Northeastern will provide the individual making the access request with an estimate of the fee before providing access.

IV. Additional Information


Northeastern will only use Personal Information to provide marketing information, including but not limited to updates and information about new programs and services, upcoming events or other promotions or news, if the individual has consented to Northeastern doing so. Individuals may opt out of receiving marketing communications at any time by emailing Northeastern at: privacy@northeastern.edu.

V. Contact Information


Any inquiry or complaint about this policy or the collection, use and disclosure of Personal Information by Northeastern should be directed in writing to:

Sean O’Connor
Associate Vice President and Chief Technology Officer
Email: se.oconnor@northeastern.edu or OIS@northeastern.edu
Phone: (617) 373-7901

If an individual is not satisfied with a response or has a complaint, the individual may contact the Privacy Commissioner of British Columbia or the Privacy Commissioner of Canada.

Responsible Office/Department(s)

Office of Information Security

Related Procedures





Personal Information; Personal Data

Version History

Last Revision Date: April 8, 2020

Issued: January 28, 2019