Privacy
rgb(255,255,255)
As of July 1, 2025, new requirements were introduced under Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA). These requirements comprise two key responsibilities for all of us within the OCAD University community:
rgb(255,255,255)
Mandatory Privacy Impact Assessments (PIAs)
The Requirement
As of July 1, 2025, OCAD University is required to conduct a PIA before collecting personal information. A privacy impact assessment (PIA) is a risk management tool for assessing how activities with personal information affect the privacy of individuals by identifying privacy and security risks or impacts and how to address them.
What You Should Do
Contact the Privacy Office before collecting any personal information.
Please get in contact with Khellon Roach, Manager, Privacy at khellonroach@ocadu.ca when planning and always before implementing any activity or making changes to any activity that:
- Collects personal information (including, but not limited to student information)
- Uses personal information in new ways
- Stores personal information through new systems or methods
- Discloses personal information to third parties or external organizations
Personal information is collected whenever we obtain or receive it in our work for the University. The Privacy Office will conduct any necessary PIAs with your assistance and provide guidance throughout the process. If you are uncertain whether a PIA is needed or you would like to ask about this new requirement, please do not hesitate to reach out to the Manager, Privacy, who can answer your questions.
For more information on PIAs, please click here.
For Frequently Asked Questions (FAQs) related to PIAs, please click here.
rgb(255,255,255)
Mandatory Privacy Breach Reporting Obligations
The Requirement
As of July 1, 2025, OCAD University is required to report privacy breaches to the Information and Privacy Commissioner (IPC) of Ontario, to notify persons affected by breaches as soon as feasible, and to keep good records of breaches and our institutional response to them.
What You Should Do
Immediately report all actual and suspected privacy breaches and incidents to Khellon Roach, Manager, Privacy at khellonroach@ocadu.ca. Privacy breaches and incidents are situations where personal information, such as student or other community member data are mishandled, stolen, lost, used or disclosed without authorization.
Examples include: leaving personal information in a public place, emailing student information to the wrong recipient, systems compromises or hacking, and any situation where you believe personal information may have been handled inappropriately.
If you are uncertain if there is a breach or incident, always err on the side of caution and report it immediately. Our Manager, Privacy is here to help assess situations and guide appropriate responses. We will support and guide you and answer your questions. Quick reporting enables quick solutions. It protects the people whose personal information we are entrusted, and the University and its communities. When in Doubt, Report immediately.
For more information on Privacy Breach Reporting, please click here.
The Privacy Office
The Privacy Office at OCAD University is committed to ensuring the security and privacy of our students, faculty, staff. Please do not hesitate to reach out to the Manager, Privacy who can answer your questions.
Contact Us
Khellon Q. Roach, Ph.D.
Manager, Privacy (c/o Office of the President)
OCAD University
100 McCaul Street, Toronto, Canada M5T 1W1
khellonroach@ocadu.ca