The European Union’s (EU) General Data Protection Regulation is a privacy law intended primarily to protect personal data rights. It is designed to give individuals in the EU control over how their data are processed and used. Although it is an EU law, the GDPR may apply to Brock University and other public institutions in certain limited circumstances.
What is the purpose of this Notice?
Who should you contact if you have questions about your privacy?
Brock University may be considered a controller of your personal data. Brock’s contact address is:
1812 Sir Isaac Brock Way
St. Catharines, ON
Brock has designated its Freedom of Information and Privacy Coordinator as its Data Protection Officer, and they can be contacted at Privacy@Brocku.ca.
What information does Brock University collect and process about you?
The University collects and retains personal information about you in order to provide educational programs and support its academic research endeavours. More specifically, the University processes the following types of information:
- Contact information: information you have provided to enable us to contact you, such as name, home address, email address, emergency contacts.
- Application information: information you provided on your application form and any supporting documents requested as part of your admission.
- Academic records: records maintained about your studies at the University, including assessments, grades, academic status.
- Financial information: information about your tuition, scholarships and other fees.
- Information about other services: information about your use of other academic and non-academic services and supports, such as residences, career services, Student Health Services, etc.
How does Brock University store and handle your information?
Your personal information is created, stored and transmitted securely in a variety of paper and electronic formats, including some databases that are shared between the University’s Office of the Registrar and the employees who need this information to do their job. Access to your personal information is limited to University employees who have a legitimate interest in it for the purpose of carrying out their employment duties.
In addition to this, the University may process some information about you that is deemed ‘sensitive’ or ‘special category’ personal data, and which requires additional protections. This information is always collected directly from you, never collected without your knowledge and is only collected if necessary to provide supports and services. This includes information such as union membership, health, disability information, and identity information (e.g. religion) if disclosed as part of employment or studies. For certain courses of study, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and your fitness to practice in certain regulated professions.
For what purposes does Brock University use your information?
The University will process your personal information for a range of purposes, including:
- To deliver and administer your education, record the details of your studies (including any placements with external organizations), and determine/confirm your academic achievements (e.g. grades, awards).
- Where relevant (e.g. for graduate students), to monitor, evaluate and support your research activity.
- To administer the financial aspects of your relationship with us and any outside funding sources (e.g. student lenders).
- To provide access to facilities and services to you (e.g. IT, athletics, libraries, accommodations, career placement).
- To enable your participation at events (e.g. campus functions, graduation).
- To communicate effectively with you by mail, email and phone, including the distribution of relevant newsletters and notices.
- To operate security, governance, disciplinary, complaint, audit and quality assurance processes and arrangements.
- To support your training, medical, safety, welfare and religious requirements.
- To compile statistics and conduct research for internal and statutory reporting purposes.
- To fulfill our responsibilities under legislation.
- To enable us to contact you or others in the event of an emergency.
What is the lawful basis for processing this information?
The University processes this information to fulfill the University’s legitimate interests, functions and responsibilities as a public, post-secondary educational institution. The processing of your personal information is necessary for:
- the performance of our contractual obligations with you (e.g. to manage your student experience and welfare while studying at the University);
- compliance with a legal obligation (e.g. statistical reporting to the Ministry of Training, Colleges and Universities);
- the performance of tasks we carry out in the public interest or for the University’s official functions (e.g. teaching and research);
- the pursuit of the legitimate interests of the University (e.g. assess your application for admission), or an external organization (e.g. to enable your access to external services).
If we require your consent for any specific use of your personal information, we will collect it at the appropriate time and you can withdraw this at any time.
When we process your Sensitive Personal Information on the basis of your consent, you may withdraw that consent at any time by contacting the Data Processing Officer. If you withdraw your consent, we may still be required to process your Sensitive Personal Information to comply with applicable law, but we will explain to you at the time your consent is withdrawn what processing activities will continue for legal compliance purposes.
Who do we share your information with?
We share your information only as necessary for the purposes outlined above. Who your information is shared with depends on whether you are a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or a contractor, donor, supporter, or research subject, or have some other status, and the types of personal data that you provide. The categories of recipients are likely to include one or more of the following:
- Other employees: we share your personal information within Brock with those employees who need the information in the performance of their duties (for example, personnel in the Office of the Registrar will have access to personal data related to student admissions, class registration, enrollment, grades and transcript);
- Government departments and agencies: if required by federal departments and agencies, employees of the federal government, including personnel in Canadian Revenue Agency, may receive your personal data; such persons will generally be located in Ottawa, Ontario. Employees of Ontario, including personnel in the Ministry of Training, Colleges and Universities, Ministry of Education, and their respective divisions, agencies, and offices, may receive your personal data; such persons will generally be located in Toronto, Ontario, or Ottawa, Ontario;
- Third party service providers where processing is necessary for the purposes of legitimate interests pursued by the University (e.g. university health insurance plan providers, software providers);
- Members of the public: Your name and the type of degree awarded will be published in the relevant graduation program, and videos of graduation ceremonies are posted online. If requested by you, we will confirm details of your results and degrees awarded to external inquirers or organizations, and will provide references to third parties upon request.
The University does not share your information for marketing or commercial purposes outside of what is permitted under the GDPR.
Transfer of Personal Data to Third Country or International Organizations
The majority of your personal information processing happens in Canada; however, if the University has a contract with a third-party service provider that is based in another country, or you are participating in a student exchange program, the University may be required to transfer your personal data to a third country or international organization.
In transferring your personal data, Brock will employ suitable safeguards to protect the privacy and security of your personal information so that it is only used in a manner consistent with your relationship with the university and this Notice.
How long do we keep your information for?
The University keeps your Personal Information as required by law, and no longer than necessary to perform our legitimate interests. See the University’s Records Management Policy for details of the current university record and data retention policies. If you have specific questions concerning how long a certain type of personal data will be retained, please contact Privacy@Brocku.ca.
What rights do you have with respect to your personal information?
As a Data Subject pursuant to the GDPR, you have certain rights. This GDPR Privacy Notice summarizes what these rights under the GDPR involve and how you can exercise these rights. More detail about each right, including exceptions and limitations, can be found in Articles 15-21 and 77 of the GDPR.
The Right of Access
You have the right to request that the University confirm whether it is processing your Personal Information. If the University is processing your Personal Information, you have the right to access that Personal Information, and the University will provide you with a copy of that Personal Information unless prevented by applicable law.
The Right of Correction
You have the right to request that the University correct any inaccurate Personal Information that it maintains about you. You also have the right to request that the University complete any incomplete Personal Information that it maintains about you, which could be accomplished by incorporating a supplementary statement that you submit. If the University concurs that the Personal Information is incorrect or incomplete, the University will promptly correct or complete it.
The Right to Erasure
You have the right to request the erasure of Personal Information that the University maintains about you in certain circumstances. These circumstances are identified in Article 17 of the GDPR and include that the Personal Information is no longer necessary in relation to the purpose(s) for which it was collected or otherwise processed.
Please note, there are exemptions where the University can refuse to erase your data, for example, where the University still needs your information for compliance with a legal obligation or where the information is necessary for the establishment, exercise or defence of a legal claim, in which case the University will retain the information until no longer needed.
The Right to Restrict Processing of Personal Information
You have the right to request that the University restrict the processing of your Personal Information where one of the reasons identified in Article 18 of the GDPR applies. These reasons include that the Personal Information is inaccurate, the processing is unlawful, or the University no longer needs the Personal Information.
If the University grants your request to restrict processing, the University will only process that Personal Information with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable law.
The Right to Data Portability
Where the basis for processing is either consent or performance of a contract between you and the University, and where the processing is carried out by automated means, you have the right to receive your Personal Information that you have provided to the University. The University will provide the Personal Information in a structured, commonly used, and machine-readable format. Where technically feasible and upon your request, the University will transmit the Personal Information directly to another entity.
The Right to Withdraw Consent
If the basis for processing your Personal Information is consent, you may revoke your consent at any time. Upon receipt of your notice withdrawing consent, and if there are no other legal grounds for the processing, the University will stop processing the Personal Information unless the processing is necessary for the establishment, exercise, or defense of legal claims. Revoking consent does not affect the lawfulness of processing that occurred before the revocation.
The Right to Object to Processing
In certain situations, you may have the right to object to processing of your Personal Information:
- Public Interest or Legitimate Interests. If the basis for processing your Personal Information is public interest or legitimate interests, you have the right to object to processing the Personal Information. The University will cease processing unless it demonstrates overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.
- Direct Marketing. If the University is using your Personal Information for direct marketing purposes such as fundraising, you have the right to object at any time, and the University will stop using your Personal Information for that purpose.
The Right to File a Complaint
You have the right to submit a complaint with an EU supervisory authority, in particular the one in the EU Member State of your habitual residence, place of work, or place of the alleged violation, if you believe that the University’s processing of your Personal Information violates the GDPR.
For more information on the process for submitting a complaint, consult the relevant EU supervisory authority: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
The Right to Know if Brock Uses Your Personal Data in Automated Decision-Making, Including Profiling
The GDPR limits Brock’s right to use your personal data for predictive purposes as part of an automated decision-making process, including profiling. Such a process uses your personal data, such as preferences, interests, behavior, locations, and personal movement, to make an analytically-determined decision, instead of a personalized, individual decision. The GDPR limitation does not apply when such automated decision-making is necessary for the performance of a contract to which you are, or will be, a party. Brock does not intend to use personal data in an automated decision-making process, except in the context of such a contract. However, if it does, it will seek your consent for such use.
GDPR Official website