General Data Protection Regulation (GDPR)
Background: On May 25, 2018 the GDPR came into effect. This European Union (EU) law on data protection and privacy applies to organizations that are located both inside and outside of the EU, if they collect and/or process personal information of individuals located inside the EU. This includes TRU whenever we collect or process personal information of individuals resident in the EU.
With the adoption of the GDPR, residents of the EU have privacy rights that are considered human rights with constitution-like status. In this context it is important to note that the GDPR has a broader definition of what is considered personal information (e.g. an IP address is defined as personal information under this law); the GDPR also outlines additional requirements on obtaining consent to collect and process personal information of individuals located inside the EU.¹
Some examples of when the GDPR applies to TRU's collection or processing of personal information include:
- Students going on study abroad to the EU;
- Students/faculty/staff participating in summer programs/field schools that are located in the EU;
- Individuals located in the EU applying to enroll at TRU;
- Individuals located in the EU applying, enrolling and taking TRU online courses;
- Hiring of faculty/staff (for those located within the EU that apply for job postings at TRU, or those whose work requires them to work from an EU location);
- Collecting and processing of the personal information of other 3rd parties located within the EU (e.g. donors, alumni, researchers, and contractors);
- Monitoring behaviors of those individuals located in the EU while on TRU websites.
Currently, the EU Data Protection Authorities (the regulators) are taking an educational approach during the first two years of implementation of this law, and fines for non-compliance with the GDPR are not expected.
Current Status: The Privacy and Access Office is reviewing TRU's Privacy Statement and is developing recommendations to address GDPR requirements. These recommendations will be brought to the Information Security Committee for their review and comments.
It is expected by many observers in the privacy sector that Canadian jurisdictions will adopt a model similar to the GDPR in due course.
To be able to address GDPR requirements, at the direction of General Counsel, the Privacy and Access Office will (in the future) be asking various University departments to create a personal information inventory of the personal information they collect and store. This is similar to the requirement in BC to have a personal information bank² that includes the personal information that we hold. This inventory is needed to assess TRU's personal information collection practices at various collection points to ensure TRU is meeting its responsibilities under the GDPR and the BC Freedom of Information and Protection of Privacy Act.
Any questions relating to the GDPR can be sent to the Privacy and Access Office at email@example.com or by calling 250-828-5012.
1. As a result of Brexit, the GDPR no longer applies to individuals resident in the UK. The UK has created its own domestic legislation, the UK GDPR, which contains the same key principles, rights and obligations as the GDPR.
2. BC Freedom of Information and Protection of Privacy Act – section 69(6)