Print | PDF

This online version is for convenience; the official version of this policy is housed in the University Secretariat. In case of discrepancy between the online version and the official version held by the Secretariat, the official version shall prevail.

Approving Authority: President

Original Approval Date: July 3, 2013

Date of Most Recent Review/Revision: N/A

Office of Accountability: Assistant Vice-President: Academic Services

Administrative Responsibility: Information and Communication Technologies (ICT)

Background

Both ICT and the Privacy Office have received numerous requests for direction regarding the collection, use, storage and destruction of data collected by the university. Additionally, there was a great deal of uncertainty about what departments’ obligations were regarding data (for example in order to comply with the Freedom of Information and Protection of Privacy Act). In order to address this, ICT and the Privacy Office worked together to create a policy which provides guidance about what records should be confidential and how all data at the university should be treated.

Purpose

1.00 The purpose of this policy is to provide guidance to the University community regarding the classification, retention, storage, circulation and disposal of University records. 

Definitions

2.01 Record

Any record of information created or used by the University however recorded, whether in printed form, on film, or by electronic means.

2.02 Encryption

See Appendix B: Explanation of Encryption and Instructions on Use.

2.03 Personal Information

Recorded information about an identifiable individual.

2.04 Data Owners

Data Owners are University employees (AVP/Director level) who have direct operational-level responsibility for the management of one or more types of records, either in electronic or paper form. Data Owner responsibilities include:

• The application of this and related policies to the systems, records, and other information resources under their care or control.
• Assigning data classification labels using the University's data classification methodology.
• Identifying and implementing safeguards for Internal and Restricted Data.
• Communicating and providing education on the required minimum safeguards for protected data to authorized data users and data custodians.
• In cases where there are physical records, data owners are responsible for maintaining the physical security of those records as appropriate to the classification level of the data in their custody.

In cases where multiple data owners collect and maintain the same restricted data elements, the data owners must work together to implement a common set of safeguards.

2.05 Data Custodians

Data Custodians are ICT or computer system administrators responsible for the operation and management of systems and servers which collect, manage, and provide access to University data. Data Custodians must be authorized by the appropriate Data Owner and ICT. Data Custodian responsibilities include:

• Maintaining physical and system security and safeguards appropriate to the classification level of the data in their custody.
• Complying with applicable University computer security standards.
• Managing Data Consumer access as authorized by appropriate Data Owners.
• Following data handling and protection policies and procedures established by Data Owners and ICT.

2.06 Data Consumers

Data Consumers are the individual University community members who have been granted access to University data in order to perform assigned duties or in fulfilment of assigned roles or functions at the University. This access is granted solely for the conduct of University business. Data Consumer responsibilities include:

• Following the policies and procedures established by the appropriate Data Owner, ICT and the University.
• Complying with applicable federal and provincial laws, regulations, and policies.
• Implementing safeguards prescribed by appropriate Data Owners for Restricted Data.
• Reporting any unauthorized access or data misuse to ICT, the Privacy Officer or the appropriate Data Owner for remediation.

2.07 Open Data (Type 1)

Information that is readily available to any member of the University community or to the general public, either by request or by virtue of its being posted or published by the university through proper administrative procedures. This type of information has no legal restriction on access or usage. It may include personal information collected for the express purpose of public release with the knowledge and consent of the individuals the information is about.

By way of illustration only, some examples of Open Data include:

• Publicly posted press releases.
• Publicly posted schedules of classes.
• Publicly posted interactive University maps, newsletters, newspapers and magazines, faculty and staff directory.
• Audited financial statements.

2.08 Internal Data (Type 2)

Information whose unauthorized release could reasonably be expected to cause minor, short-term harm to individuals or to the University and is intended for only limited dissemination. Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, distribution, storage or other use. Protection of such information may be required by university policy and/or provincial or federal legislation. Access to Type 2 information is restricted to those who have a legitimate purpose for accessing such information. It is important to note that Type 2 information in the aggregate may migrate to Type 3, particularly with respect to personal information about an individual. Information must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure.

By way of illustration only, some examples of Internal Data include:

• Employment data such as payroll, job grades, personal contact information.
• Official Student File including grades, program of study.
• Student Co-curricular record, personal contact information.
• Student appeals and petitions records.
• Alumni Contact information.
• Internal project reports.
• Departmental Budget Information.
• Accounting information.
• Student Financial Accounts including, awards, OSAP, and bursaries.

2.09 Restricted Data (Type 3)

Information that, if compromised, could reasonably be expected to result in significant and/or lasting harm to an individual or the University such as identity theft, or reputational risk. This type of information is strictly protected by provincial or federal statutes or regulations, University policy, or contractual agreement(s) and must be protected from unauthorized access, modification, distribution, storage, destruction, or use. Access to type 3 information is restricted to those who have a legitimate purpose for accessing such information.

By way of illustration only, some examples of Restricted Data include:

• Specific categories of employee and student information, and information protected by legal privilege.
• Medical/health information/Accessible Learning, Counseling, as well as clinical patient data.
• Labour relations data including negotiation information and grievances.
• Internal Systems Information such as administrative passwords, encryption methodologies, technical infrastructure design.
• PCI-DSS information.
• In-Camera discussions.
• Financial and Procurement information including Requests for Proposals (RFPs) during a purchasing process.

Jurisdiction/Scope

3.01 This policy and associated appendices apply to all records within the custody and/or control of the University, including those relating to the operation and administration of the University and those records containing personal information relating to faculty, staff and students.

3.02 This policy and associated appendices do not apply to research and study notes, teaching materials, reports, manuscripts, publications and personal communications of individual faculty, staff and students (unless specifically commissioned or prepared under contract for the University or prepared in the context of administrative work).

Policy

4.01 The University Community shall manage records in their possession and control in such a way that they can be readily accessed and retrieved when needed.

4.02 Access, Storage, Disposal and Retention of Records

All members of the University Community creating, sharing or using University records must comply with the following instructions. Failure to do so may be in violation of provincial acts and/or regulations.

Type 1 Data

• Access Restrictions: No restrictions on access.
• Distribution: No special handling required.
• Storage: No special safeguards required.
• Disposal: Can be recycled.
• Retention: As needed or required.

Type 2 Data

• Access Restrictions: Access limited to employees and other authorized users when needed to do their job.
• Distribution: Sealed envelope, note any restrictions on distribution (eg. not to be forwarded, internal use only) in the first line or subject line of e-mails, password protect all files included in transmission unless sent within a centrally supported standard e-mail solution, encryption for transferring of the file (see Appendix B: Explanation of Encryption and Instructions on Use). Type 2 data must not be posted on any public website.
• Storage: Stored within a controlled access system, e.g. password protected file or file system or stored in a closed container (i.e. file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use.
• Disposal: Hard Copy materials must be destroyed by secure shredding. Electronic storage media shall be sanitized appropriately by overwriting prior to disposal.
• Retention: See Appendix A: Schedule of Retention Periods.

Type 3 Data

• Access Restrictions: Access limited to authorized users with a demonstrated reason to need the information.
• Distribution: For distribution and storage, Type 3 Data must be protected in the same manner as outlined above for Type 2 information; plus: All information regardless of medium must be denoted clearly as confidential. Encryption is required for external networks such as VPN, HTTPS, SFTP (see Appendix B: Explanation of Encryption and Instructions on Use). Hardcopies must use secure methods for external transportation (eg. bonded courier service). If sent via confidential fax, the record should be sent only to a previously established and used address or one that has been verified; If printed, the record is not to be sent to an unattended printer, with the hard copy being retrieved immediately with no delay. Use secure print options should be used where possible.
• Storage: Stored within a controlled access system (e.g. password protected file or file system or locked file cabinet). For any portable medium such as USB drives or notebooks, or mobile devices encryption is required. If in an electronic format, records must be protected with strong passwords (see Appendix B: Explanation of Encryption and Instructions on Use) and on servers that have protection to guard against loss, theft, unauthorized access and unauthorized disclosure; if in a hard copy format, records must be stored in a locked drawer, room or an area where access is restricted to afford adequate protection, and to prevent unauthorized access by members of the public, visitors, or unauthorized employees. Information Records are not to be stored in non-University controlled storage systems unless such storage systems have been authorized and are subject to University approved security agreements.
• Disposal: Hard Copy materials must be destroyed by secure shredding. Electronic storage media shall be sanitized appropriately by overwriting prior to disposal.
• Retention: See Appendix A: Schedule of Retention Periods.

4.04 Data Breaches

The Privacy Office must be notified in a timely manner if data classified as Internal (Type 2) or Restricted (Type 3) is lost, disclosed to unauthorized parties or suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the University's information systems has taken place or is suspected of taking place. Please refer to Policy 10.1.

Relevant Legislation

• Freedom of Information and Protection of Privacy Act of Ontario

Related Policies, Procedures and Documents

• Information Availability and Privacy Protection (10.1)
• Information Technology, Policy Governing the Use of (9.1)
• Publication of Information via the World-Wide Web (3.3)
• Student Records (10.2)
• Appendix A: Schedule of Retention Periods
• Appendix B: Explanation of Encryption and Instructions on Use
• Implementing Policy 3.4: Steps for Data Owners

Appendix A: Schedule of Retention Periods

The University is subject to both federal and provincial legislation regarding the retention of records. The list below gives examples of legislative requirements which govern records frequently held by units/departments. For some areas that handle specialized documents, additional requirements may apply.

Legislative Requirements

Broader Public Sector Purchasing Directive: (sec. 7.2.23)

All procurement documentation, as well as any other pertinent information must be retained for seven years.

Freedom of Information and Protection of Privacy Act: (sec. 5(1))

All records containing personal information must be kept for a minimum period of one year after their use.

Exams, Essays and Other Student Work

Exams, essays and other student work should be kept as long as is necessary for the student to exhaust all avenues of appeal. This is generally a period of two years.

Emails

Emails are considered records and should be kept as long as necessary for employers. Best practice is to archive messages to make them more permanent.

Employment Standards Act: c. 41 sec 15

In general, employee records should be kept for at least three years (see the Employment Standards Act for specific details)

Income Tax Act: Canada Revenue Agency

All of the records and supporting documents that are required to determine your tax obligations and entitlements for a period of six years from the end of the last tax year to which they relate. Historical information such as records and supporting documents concerning long-term acquisitions and disposal of property must be kept indefinitely.

Litigation

When there is a belief that litigation may occur, all related records should be kept for at least two years.

In addition to the above legislative requirements, each area should develop a records management plan appropriate for the particular records it maintains, in cooperation with ICT and the University Secretariat (see below).

Retention and Maintenance of Records

The University requires its records be maintained in a consistent and logical manner, and that the University:

1. Meets its legislative requirements for protection, storage and retrieval;
2. Protects the privacy of faculty, staff and students;
3. Optimizes the use of space;
4. Minimizes the cost of record retention; and
5. Destroys outdated records in an appropriate manner.

Areas that maintain University records are responsible for establishing appropriate records management procedures. Each unit’s administrative manager or equivalent must:

1. Be familiar with Policy 3.4 Data Classification and Information Management;
2. Develop records management procedures, consistent with this policy;
3. Educate those within the unit who utilize these records in understanding the procedures and related policies;
4. Restrict access to confidential records and information; and
5. Coordinate the proper destruction of records.

The University Secretariat and ICT are available to work with individual areas to implement these requirements. Faculty and staff should feel free to address questions about retention and destruction schedules to either of these offices. For steps in how to become compliant with policy 3.4, please see Implementing Policy 3.4: Steps for Data Owners.

Appendix B: Encryption of Confidential Data

The ICT department would like to advise the Laurier community that confidential information saved on laptops, USB flash drives and home computers must be encrypted to avoid disclosure due to theft, loss or malware.

All laptop computers and home computers that are used to store Laurier confidential information should be password protected and it is proper to put passwords on important files. However, neither of these measures provides enterprise level protection for confidential information. Hard drives can be removed from computers and document passwords are relatively easy to crack.

We recommend standard Windows XP folder encryption for Laurier confidential information stored on laptops and home computers. Encryption requires the NTFS file system. Most systems installed in the last five years will be using NTFS.

A Windows (for Windows xp, Windows 7, and Windows 8) folder is encrypted as follows:

1. Right click on any Windows folder (we recommend creating a special windows folder in directory C:\Documents and Setting\username\My Documents).
2. Click on Properties.
3. Click on Advanced.
4. Check Encrypt contents to secure data.
5. Click on OK.
6. Click on OK.

For Mac OSX+ computers:

1. Open Disk Utility.
2. Click File, choose New, select Disk Image from folder.
3. Choose the folder that you want to encrypt.
4. Select Encryption method (256-bit AES for more secure, but slow encryption / 128-bit AES for a regular security but faster encryption).
5. Write your password and uncheck remember password in keychain, in order to keep the computer from remembering your password to this secure folder. Click OK and you’re done.
6. The resultant secure folder will be a DMG file, which upon being clicked will prompt you for a password. Without entering the required password, all the information inside the folder will be digitally scrambled, rendering it useless for someone trying gain unauthorized access to it. Once a folder has been configured as encrypted, any file created in or moved to that folder will also be encrypted. The files will be unreadable if your disk drive is removed and connected to another third party computer.

Only place important files in a confidential folder, there is usually no reason to encrypt pictures or music.

We recommend that Laurier confidential information should only be saved on a USB flash drive if that drive has hardware encryption. One such device is called IronKey. Ironkey flash drives can be ordered from the Bookstore. A hardware encrypted USB flash drive can be used securely on any computer.

Questions: please contact gli@wlu.ca.