Student Personal Information and the Freedom of Information and Protection of Privacy Act (FIPPA)

The University of Western Ontario
Freedom of Information and Privacy Office
June 2007

Overview

• Description of the statutory requirements for handling student information at the University and the new access rights given to students
• Advice on some best practices for handling personal information

FIPPA

Two main purposes:
• To provide a right of access to information under the University’s custody or control
• To protect the privacy of individuals with respect to personal information about them that is held by the University AND to provide individuals with a right of access to that information

STUDENT PERSONAL INFORMATION

- name
- photograph
- home address
- home telephone number
- personal email address
- student number
- medical certificates
- educational history
- academic record
- student responses on assignments, tests, exams
- student grades
- evaluative comments about student or student’s work (e.g. academic counselling files; Dept. Chair’s files; faculty member’s files)
- letters of reference
- financial information
- scholarships, awards, bursaries
- criminal record check information

“PUBLIC” PERSONAL INFORMATION

Some personal information is considered “public” by the University and will be provided to third parties upon request:
– Full Name
– Degree(s) awarded by Western and date(s) conferred
– Faculty(ies)/Schools in which student is/was enrolled, with major field of study
– Academic or other University awards or distinctions*

Exception: The student has the right to request that this information not be publicly available by contacting the Office of the Registrar or the Faculty of Graduate Studies*

*Official Student Record Information Privacy Policy, S.03-30 http://www.uwo.ca/univsec/handbook/general/privacy.pdf

STATUTORY REQUIREMENTS

1. Personal information should normally be collected directly from the affected student and only where necessary to administer a University program or activity
2. Students must be told why the information is being collected and what will be done with it
3. The personal information should subsequently be used or disclosed only for the purpose for which it was collected, for a consistent purpose, or with consent.
4. Only individuals who need the student’s personal information for the performance of their duties should have access to it
5. The University must institute measures to prevent unauthorized access to students’ personal information
6. The University must retain records containing students’ personal information for at least one year after last use (unless student consents to earlier disposal) and must dispose of the records securely

RESPONSIBILITY FOR COMPLIANCE

• Deans, Department Chairs, Directors, and administrative unit heads are responsible for compliance
• All faculty and staff are responsible for ensuring that they are collecting, using, and/or disclosing student personal information in accordance with FIPPA

WHAT HAPPENS IF WE DO NOT COMPLY?

• Student may complain to the Office of the Information and Privacy Commissioner of Ontario (IPC)
• IPC may assign a mediator to attempt a settlement
• Mediator may prepare a report with recommendations and follow up with institution to ensure that recommendations are implemented
• The report may be released to the media
• IPC may order an institution to cease certain collection practices and destroy collections of personal information that contravene the Act

RECOMMENDED PRACTICES

PERSONAL INFORMATION COLLECTION NOTICE

• The University must give notice to students of the purposes for which it is collecting and using their personal information
• A standard Personal Information Collection Notice is posted on Student Services’ website and in Academic Calendar
• http://www.registrar.uwo.ca/Security.cfm#privacy
• If this standard Notice does not cover a current or anticipated use or disclosure of student personal information by a Faculty, then a special notice of collection may be required
• Faculty and staff should bring all non-standard uses or disclosures to the attention of the Faculty’s FOIP Liaison Officer
• It is particularly important that students are made aware of any disclosures to individuals or institutions outside the University
• The University’s Freedom of Information and Privacy Coordinator will assist with the drafting of FIPPA-compliant notices
• If a student provides personal information to the Faculty on a form (electronic or paper), a FIPPA-compliant collection notice may have to be added to the form
• All such forms should be sent to the Faculty’s FOIP Liaison Officer and the University’s FOIP Coordinator to determine if a notice is required

ELECTRONIC POSTING OF STUDENT PERSONAL INFORMATION
(e.g. publicly accessible websites, password protected sites accessible to faculty and students, etc.)

• Recommended best practice:
  – Determine that the posting is necessary / desirable for the purposes of a particular program or activity,
  – Post no more personal information than is necessary for those purposes,
  – Provide prior notice to the students, and
  – Obtain written consent or provide clear opportunity to opt-out

This recommended Best Practice also applies to posting of student UWO email addresses, Faculty/program of study, and information on Scholarship/Award recipients

SHARING STUDENT ACADEMIC INFORMATION WITHIN THE UNIVERSITY

• All members of faculty and staff have an obligation to protect the privacy of student personal information in their custody
• Personal information should only be shared with faculty and staff who need the information to do their job
• Current Senate regulations and the Official Student Records Information Privacy Policy limit the accessibility of some student records:
  – Academic Counselling files are confidential and only accessible to specified staff
  – Information in the Official Student Record is restricted to faculty and staff who have a legitimate need for the information to carry out their responsibilities relating to the administration of student affairs and services

See: Academic Records and Student Transcripts, S.98-246 http://www.uwo.ca/univsec/handbook/general/records.pdf and Official Student Record Information Privacy Policy, http://www.uwo.ca/univsec/handbook/general/privacy.pdf

• Ordinarily an instructor would not have access to a student’s academic record unless:
  – the student provides a copy to the instructor, or
  – the student provides written consent, or
  – the instructor is carrying out administrative functions or specific duties that necessitate review of portions of a student’s academic record (e.g. membership on a committee that is reviewing applications to a program)

SHARING STUDENT PERSONAL INFORMATION IN THE CLASSROOM

• Sharing student personal information as part of class activities is permissible if academically or administratively necessary
• If attendance is mandatory, circulating an attendance sheet is permissible*
• If class participation is recorded, requiring the display of name cards is permissible*
• Sign-up sheets are permissible*

* However, student numbers should NOT be displayed or circulated with corresponding student names/signatures

• Avoid circulating lists with students’ contact information to the entire class
• If the sharing of contact information is necessary for the purposes of a course, it is preferable to advise students that they should supply the necessary information directly to the students with whom they will be working
• If a course will require students to share certain types of personal information that would not reasonably be anticipated by students, then the course outline should provide notice of this requirement

RETURNING STUDENT ASSIGNMENTS / TESTS / EXAMS

• Senate regulation: “All student assignments, tests and exams will be handled in a secure and confidential manner. Particularly in this respect, leaving student work unattended in public areas for pickup is not permitted.” (Senate Regulation S.03-081)
• Material must not be returned in a manner that would reveal personal information of a student
• Should be returned directly to the student (unless student gives consent for another individual to pick up his or her work)
• Students should not handle exams, tests or assignments other than their own
• Where possible, the papers should be returned in class, under supervision of the instructor
• Avoid writing a student’s grade on the outside of an exam, test, or assignment
• Consider folding and stapling or taping papers closed where possible, to ensure that grades or comments are not visible to others when materials are returned
• Consider returning tests and assignments in sealed envelopes where practicable, with students’ names on front
• An alternative to returning the material in class would be to store assignments in central files in Department office and have office staff retrieve them for students
• Open mailboxes should be avoided unless graded work is in a sealed envelope
• Other alternatives may be used as long as personal information is protected

POSTING LISTS OF STUDENT GRADES

A. What to post:
  – Never post student name with grade
  – Student identification number and grade may be posted in limited locations within a Faculty if the Faculty/Department is satisfied that posted marks cannot reasonably be linked to individual students
  – However, posting should be avoided in smaller classes or professional or graduate programs where use of student identification number may not sufficiently protect the identity of individual students
  – If class/section has fewer than 15 students, public posting should always be avoided
  – Post grades in randomized fashion or numerically – not in alphabetical order of the class list
  – If some students in a course have unusual student identification numbers, all numbers should be truncated before posting -- use last 5 digits only

B. Where and when to post:
  – Acceptable to post student identification numbers and grades on instructor’s door or in a department office for a limited period of time
  – Do not post class lists with student identification numbers and grades on a website
  – Do not send class lists with student identification numbers and grades by email

Best practice: Use WebCTVista to communicate grades to students on a confidential basis

USE OF EMAIL

• Remember that email is not secure unless it is encrypted
• Do not require students (or others) to send sensitive information (e.g., family or medical information) by email
• Where possible, avoid sending sensitive information by email (e.g., results of an appeal)
• If it is necessary to send sensitive information to students by email, use UWO email accounts - avoid using students’ personal email accounts
• Instructors should advise students to use their UWO or Faculty email account when corresponding with their instructors
• If a student uses a personal email account, the instructor should use his/her best judgment in deciding whether it is appropriate in the particular circumstances to reply to that email address
• Be professional in all email communications
• Remember that emails relating to students would ordinarily be considered University records and could be the subject of an access request under FIPPA

REFERENCE LETTERS

• It is recommended that faculty members or staff ordinarily obtain written consent from a student before writing a letter of reference or providing an oral evaluation
• Ensure that the student has clearly explained what he or she wants the faculty or staff member to discuss (e.g. entire academic record, performance in one course, etc.)

SECURITY OF PERSONAL INFORMATION

• Staff and faculty are responsible for the security of students’ personal information in their custody
• The level of security depends on the type, sensitivity, and volume of information and the medium on which it is recorded, stored or transmitted

Some best practices:
- ensure that sensitive student information is not left in an unattended area and is stored securely when not in use
- take special care to protect the data collected through the use of personal response systems (“clickers”)
- ensure that all storage devices for sensitive information require passwords for access: power-on passwords, screensaver passwords, account passwords
- avoid carrying sensitive personal information on a mobile device (e.g. laptops, USB drives) unless absolutely necessary
- if sensitive personal information is stored on a laptop or mobile computing device, it should be encrypted to protect against unauthorized access if the device is lost or stolen
- save sensitive files to the network while ensuring that access is restricted
- take extra precautions when working off campus
- avoid leaving records containing sensitive personal information in a locked vehicle unless the records are either encrypted or cannot be linked to a particular student
- send paper documents in a secure manner
- use official UWO email addresses when communicating with students
- avoid email when communicating sensitive information
- take appropriate precautions to protect the identity of students when returning student assignments and posting grades
- only share student personal information with other faculty and staff on a need-to-know basis
- verify identity of person seeking access to his/her own personal information before giving access
- dispose of documents containing student personal information in a secure manner (e.g. shredding)

RETENTION OF PERSONAL INFORMATION

• All student personal information that is “used” by the University and not returned to the student must be retained for at least one year after last use (unless the student consents to a shorter retention period)
• This includes information in emails, medical certificates, advice and opinions of academic counsellors, academic appeal correspondence, completed exams and assignments
• An email containing personal information could be retained in electronic form or printed and filed with paper records. Alternatively, the email could be deleted so long as the personal information in the email is retained elsewhere for the minimum retention period
• Transitory emails (unsolicited and not used) should be deleted immediately

STUDENT ACCESS TO THEIR OWN PERSONAL INFORMATION

• Current Senate regulations give students the right to review their marked exams under supervision
• Under FIPPA, students have the right to review and request copies of most (but not necessarily all) of their personal information held in files within Deans’ Offices, Academic Counselling Offices, Program Offices, Department Offices, AND in faculty members’ files
• Care should be taken to ensure that student files contain only necessary information
• Ensure that any annotations on a document are necessary and objective
• Unless there are concerns about releasing the content of a particular file, students should normally not be required to make formal FIPPA access requests to see their personal information
• Do not provide access to records that contain the personal information of other individuals
• Contact the University’s Freedom of Information and Privacy Office if you have questions or concerns about releasing portions of a file to a student on an informal basis

DENIAL OF STUDENT ACCESS TO THEIR OWN PERSONAL INFORMATION

Under FIPPA, the University may refuse access in some cases, including:
a) if the record includes personal information of another individual and release would constitute an unjustified invasion of another individual’s personal privacy
b) if disclosure could seriously threaten the safety or health of an individual
c) if the record contains medical information the disclosure of which could prejudice the mental or physical health of the requester
d) if the information is supplied in confidence and is evaluative or opinion material compiled solely for the purpose of determining suitability, eligibility or qualifications for admission to an academic program of an educational institution or determining suitability for an honour or award to recognize outstanding achievement

STUDENT ACCESS TO LETTERS OF REFERENCE

• Access to reference letters can be denied if they were received in confidence for the purpose of determining suitability, eligibility or qualifications for admission to a program or to the University
• The exemption may also permit denial of access to faculty members’ copies of reference letters that they wrote and sent to another institution at the request of the student (this interpretation has not yet been tested)
• It is also important to understand that the University has no control over what happens to a reference letter once it is received by another institution, particularly one outside Ontario; local laws or policies apply
• If a reference letter is sent to another institution and a faculty member is concerned about the student’s access to it, he or she could ask the student to sign an acknowledgement that it is being sent in confidence to the other institution; this may assist in protecting the contents

Where to go for advice?

• Coordinator, Western’s Freedom of Information and Privacy Office (ext. 84543)
• Western Archives for advice on records management issues (including disposal of records) http://www.lib.uwo.ca/archives/records.shtml
• Check FOIP Office website at http://www.uwo.ca/privacy/index.html