Document Number:
HR - 11004
Published / Last Updated Date:
Revision #:


Tyndale recognizes the importance of, and is committed to, the protection of the personal information of its community members, alumni and donors. This document addresses the parameters by which the collection, use and disclosure of personal information will be governed.


  • Chief Privacy Officer
Requests for access to information, issues or complaints about Tyndale’s compliance with this Policy regarding the handling of personal information, and questions or comments  about this  Policy, can be addressed to Tyndale’s CPO at [email protected].

Terms and Definitions:



Community Member Includes full-time and part-time faculty and staff (including student workers), instructors, secondees, volunteers, contractors, consultants and students.
CPO Chief Privacy Officer
Personal Information Personal Information is information about an identifiable individual and includes, but is not limited to:
  • Information relating to race, national or ethnic origin, first language, colour, disability, religion, age, sex, sexual orientation, or marital or family status of the individual;
  • Information relating to the educational, medical, psychiatric, psychological, criminal or employment history or remuneration of the individual or about financial transactions involving the individual;
  • The home address or home telephone number of the individual; and,
  • Any identifying number, symbol or other identifier assigned to the individual.

Responsible Department or Functional Area:

  • *All Departments


  • *Everyone


As a charitable organization and private university, Tyndale is not currently subject to either PIPEDA or FIPPA, however the University will use this legislation to guide and develop its privacy policies, agreements and best practices.

Tyndale has appointed a CPO who is accountable for implementation and general oversight of this Privacy Policy.

Tyndale Community members are responsible for day-to-day compliance with this Privacy Policy.
Identifying Purposes 


Tyndale will identify the purposes for which personal information is collected at or before the time the information is collected. The purposes for which Tyndale collects, uses or discloses personal information will be described in a reasonably understandable manner.
Limiting Collection 


The collection of personal information by Tyndale will be limited to what is necessary for the purposes for which it is collected.

Tyndale will always collect personal information by fair and lawful means.
Limiting Use and Disclosure 


Tyndale will use or disclose personal information only as needed for delivering its programs, activities and services.
Limiting Retention 


Personal information will be retained by Tyndale only as long as necessary for fulfilment of the purposes for which it was collected, or as required by law.


Tyndale will keep personal information accurate, complete and up-to-date as necessary for the purposes for which it is to be used.  From time to time Tyndale may contact the individual to ensure that the information which it has collected is, or remains, accurate and up-to-date.


Tyndale will protect personal information by security safeguards appropriate to the sensitivity of the information, including, but not limited to, the use of the following measures:
  • physical (e.g., locked filing cabinets, restricted access, appropriate disposal of personal information);
  • organizational (e.g., security clearances, access only on a "need to know" basis);
  • technological (e.g., passwords, encryption) and training of staff.


Information about Tyndale’s policies and practices relating to the management of personal information will be made available to individuals upon request to the CPO at [email protected].
Individual Access 


Upon written request from an individual to the CPO at [email protected], Tyndale will provide access to the individual for the purpose of reviewing that individual’s personal information. Individuals requesting access should specify the information which they wish to review.

Individuals have the right to challenge the accuracy and completeness of their information and have it amended if it is inaccurate, incomplete or out-of-date.

In certain circumstances, Tyndale may refuse to disclose personal information to the individual to whom the personal information relates:
  • where required by law, certain personal information may not be disclosed;
  • where the information contains personal information about another individual;
  • where the information is of such a nature that its disclosure could reasonably be expected to prejudice the mental or physical health of the individual;
  • where the information was gathered in the course of a formal dispute resolution process;
  • where the information is subject to solicitor-client privilege.
Breach Notification Process 


Where it is suspected or evident that an unauthorized disclosure of personal information has occurred (i.e. a privacy breach), the individual or individuals who are aware of the potential privacy breach shall immediately notify the CPO.

The CPO will strike a privacy breach committee composed of the senior operations person representing the department experiencing the privacy breach, and an information technology representative when necessary, to investigate the potential breach.  This privacy breach committee will:
  • identify the scope of the potential breach and take the necessary steps to contain it;
  • identify those individuals whose privacy was breached;
  • evaluate the nature of the information disclosed;
  • evaluate whether and how notification to the affected individuals should occur;
  • evaluate who in addition to the affected individuals should be advised of the privacy breach and so advise those individuals; and
  • review policies and procedures relating to the circumstances resulting in the privacy breach and provide recommendations to the appropriate persons to prevent future breaches.

Links to Content:

Primary Author / Owner:



Chief Privacy Officer [email protected]