George Brown College has a Records Management Policy Framework which outlines the College’s perspective on records. The Framework’s Principles state that “effective records management ensures that the records maintained are …disposed of accountably, and as legislation requires” (Framework, s. 1).
Also, GBC must adhere to Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA), which clearly identifies the College’s responsibilities in its collection, use, and destruction of personal information. Regulation 459 of FIPPA, Disposal of Personal Information states that an educational institution may dispose of personal information in the following ways only:
- By destroying the personal information.
- By transferring it to the archives of another educational institution, in accordance with an agreement between the educational institutions authorizing the transfer.
- By transferring it to the Archives [of Ontario], in accordance with an agreement between the educational institution and the Archivist of Ontario authorizing the transfer. (O. Reg. 91/07, s. 1 (2)).
GBC has its own Archives which cares for all records that are retained permanently or long-term, which leaves only the 1st point above valid - personal information must be destroyed when it is no longer needed. The Framework explains that destruction through the College Archives is mandatory for all G.B.C. records types that are "Listed" in Ontario's Freedom of Information and Protection of Privacy Act Directory of Records as "Personal Information Bank" records (Framework s. 7.5).
The rules governing this destruction are also very clear: “Where personal information is in the custody or under the control of an institution, no person shall destroy it without the authorization of the [institution’s] head” (R.R.O. 1990, Reg. 459, s. 3). This authorization is ensured through the Archives’ shredding procedure. Obviously, GBC’s President cannot actually control every record, so “Operational responsibility for GBC' s records rests locally with each department head, including staffing and resource allocation support” (Framework s. 7.2). This initial operational responsibility for records ensures that “all reasonable steps are taken to protect the security and confidentiality of personal information that is to be destroyed, including protecting its security and confidentiality during its storage, transportation, handling and destruction (R.R.O. 1990, Reg. 459, s. 4 (1)).
Beyond the protection of personal information required of GBC, FIPPA specifies the criteria for adequate destruction of information: “Every head shall take all reasonable steps to ensure that when personal information is to be destroyed, it is destroyed in such a way that it cannot be reconstructed or retrieved” (R.R.O. 1990, Reg. 459, s. 5.). Throughout the destruction process, the “head of [the] institution shall ensure that the institution maintains a disposal record setting out what personal information has been destroyed … and the date of that destruction” (R.R.O. 1990, Reg. 459, s. 6 (1)). GBC’s Framework covers this point of legislation by mandating that GBC “Archives ensures proper ‘Head of Institution’ authorization signatures are obtained prior to the destruction, ensures it is carried out properly, and retains permanently the necessary "Certificate of Destruction" required by the legislation / regulations” (Framework s. 7.5).