By Diana Hall
The registrar’s office at Ryerson University could have violated Ontario’s privacy legislation when it released the name and program of student Alaa Hejazi last November.
Hejazi, whose lawyer had not yet confirmed his enrolment status, had turned himself in to Toronto Police on Nov. 14 in connection with two sexual assaults in the city.
In an email to The Eyeopener, the Globe and Mail confirmed that a reporter called the Ryerson registrar’s office later that day to investigate Hejazi’s student status. The Globe also learned that Hejazi was enrolled as a second-year in the university’s business technology management program.
But according to Tony Conte, director of the office of the vice provost, students, the registrar’s release of such information would violate the university’s privacy policy.
“That’s a problem. That actually does not happen, should not happen and I don’t believe it happened,” Conte said in a Nov. 15 conversation with The Eyeopener.
“We cannot disclose any information about whether or not a person attends Ryerson at all […] Privacy legislation forbids that and I support that one hundred per cent.”
According to privacy officials at Ryerson and the provincial privacy commissioner’s office, a student’s name and enrolment status at a post-secondary institution should be categorized as personal information, which the Freedom of Information and Protection of Privacy Act is bound to protect.
Ryerson became subject to the Act on June 10, 2006.
Under section 21. (3), FIPPA outlines a presumed invasion of privacy where the disclosed personal information “relates to employment or educational history.” Brian Beamish, assistant commissioner of access at Ontario’s office of information and privacy, said universities have a responsibility to determine whether releasing personal information without the individual’s consent is in accordance with exceptions outlined in FIPPA.
“In a case like this where it’s a general member of the public calling up and saying, ‘is so-and-so a student there?’ the school would then have to ask itself – if it were going to disclose that information- is that justified or not?” Beamish said.
According to section 11 of the Act, circumstances that obligate institutions to release these records can include police investigations and other “reasonable and probable grounds to believe that it is in the public interest to do so, and that the record reveals a grave environmental, health or safety hazard to the public.”
“I would say generally speaking as a general rule, an inquiry from a member of the public would not be sufficient grounds [to release a student’s information],” Beamish said.
The policy at Ryerson “is to err on the side of privacy,” said Heather Driscoll, the school’s information and privacy officer.
Driscoll admitted that confirming whether a student attends Ryerson is a “grey area” of policy.
“Though to be quite frank, [the release of a student’s name] is pretty low-risk in almost every case,” she said.
Although Beamish warned such disclosures can also be high risk, Driscoll said Ryerson is more concerned with breaches involving student email addresses, phone numbers and social insurance numbers.
The university has not confirmed whether the release of Hejazi’s name was deemed to be a privacy breach, or if an investigation will be taking place.
1 Pingback