Student Personal Information and
the Freedom of Information and
Protection of Privacy Act
(FIPPA)
The University of Western Ontario
Freedom of Information and Privacy Office
June 2007
Overview
• Description of the statutory requirements for
handling student information at the University and
the new access rights given to students
• Advice on some best practices for handling
personal information
FIPPA
Two main purposes:
• To provide a right of access to information under
the University’s custody or control
• To protect the privacy of individuals with respect
to personal information about them that is held by
the University AND to provide individuals with a
right of access to that information
STUDENT PERSONAL INFORMATION
- name
- photograph
- home address
- home telephone number
- personal email address
- student number
- medical certificates
- educational history
- academic record
- student responses on
assignments, tests, exams
- student grades
- evaluative comments about
student or student’s work
(e.g. academic counselling
files; Dept. Chair’s files;
faculty member’s files)
- letters of reference
- financial information
- scholarships, awards,
bursaries
- criminal record check
information
“PUBLIC” PERSONAL INFORMATION
Some personal information is considered “public”
by the University and will be provided to third
parties upon request:
– Full Name
– Degree(s) awarded by Western and date(s) conferred
– Faculty(ies)/Schools in which student is/was enrolled,
with major field of study
– Academic or other University awards or distinctions*
*Official Student Record Information Privacy Policy, S.03-30
http://www.uwo.ca/univsec/handbook/general/privacy.pdf
“PUBLIC” PERSONAL INFORMATION
Exception: The student has the right to request
that this information not be publicly available
by contacting the Office of the Registrar or the
Faculty of Graduate Studies*
*Official Student Record Information Privacy Policy, S.03-30
http://www.uwo.ca/univsec/handbook/general/privacy.pdf
STATUTORY REQUIREMENTS
1. Personal information should normally be
collected directly from the affected student and
only where necessary to administer a University
program or activity
2. Students must be told why the information is
being collected and what will be done with it
STATUTORY REQUIREMENTS
3. The personal information should subsequently
be used or disclosed only for the purpose for
which it was collected, for a consistent purpose,
or with consent.
4. Only individuals who need the student’s
personal information for the performance of their
duties should have access to it
STATUTORY REQUIREMENTS
5. The University must institute measures to
prevent unauthorized access to students’
personal information
6. The University must retain records containing
students’ personal information for at least one
year after last use (unless student consents to
earlier disposal) and must dispose of the
records securely
RESPONSIBILITY FOR COMPLIANCE
• Deans, Department Chairs, Directors, and
administrative unit heads are responsible for
compliance
• All faculty and staff are responsible for ensuring
that they are collecting, using, and/or disclosing
student personal information in accordance with
FIPPA
WHAT HAPPENS IF WE DO NOT COMPLY?
• Student may complain to the Office of the Information and
Privacy Commissioner of Ontario (IPC)
• IPC may assign a mediator to attempt a settlement
• Mediator may prepare a report with recommendations and
follow up with institution to ensure that recommendations
are implemented
• The report may be released to the media
• IPC may order an institution to cease certain collection
practices and destroy collections of personal information
that contravene the Act
RECOMMENDED PRACTICES
PERSONAL INFORMATION
COLLECTION NOTICE
• The University must give notice to students of the
purposes for which it is collecting and using their
personal information
• A standard Personal Information Collection
Notice is posted on Student Services’ website
and in the Academic Calendar
• http://www.registrar.uwo.ca/Security.cfm#privacy
PERSONAL INFORMATION
COLLECTION NOTICE
• If this standard Notice does not cover a current or
anticipated use or disclosure of student personal
information by a Faculty, then a special notice of
collection may be required
• Faculty and staff should bring all non-standard uses or
disclosures to the attention of the Faculty’s FOIP Liaison
Officer
• It is particularly important that students are made aware of
any disclosures to individuals or institutions outside the
University
• The University’s Freedom of Information and Privacy
Coordinator will assist with the drafting of FIPPA-compliant notices
PERSONAL INFORMATION
COLLECTION NOTICE
• If a student provides personal information to the Faculty
on a form (electronic or paper), a FIPPA-compliant
collection notice may have to be added to the form
• All such forms should be sent to the Faculty’s FOIP
Liaison Officer and the University’s FOIP Coordinator to
determine if a notice is required
ELECTRONIC POSTING OF STUDENT
PERSONAL INFORMATION
(e.g. publicly accessible websites, password protected sites accessible to faculty and
students, etc.)
• Recommended best practice:
– Determine that the posting is necessary /
desirable for the purposes of a particular
program or activity,
– Post no more personal information than is
necessary for those purposes,
– Provide prior notice to the students, and
– Obtain written consent or provide clear
opportunity to opt-out
ELECTRONIC POSTING OF STUDENT
PERSONAL INFORMATION
This recommended Best Practice also applies
to posting of student UWO email addresses,
Faculty/program of study, and information on
Scholarship/Award recipients
SHARING STUDENT ACADEMIC
INFORMATION WITHIN THE UNIVERSITY
• All members of faculty and staff have an
obligation to protect the privacy of student
personal information in their custody
• Personal information should only be shared with
faculty and staff who need the information to do
their job
SHARING STUDENT ACADEMIC
INFORMATION WITHIN THE UNIVERSITY
• Current Senate regulations and the Official Student
Records Information Privacy Policy limit the accessibility
of some student records:
– Academic Counselling files are confidential and only accessible to
specified staff
– Information in the Official Student Record is restricted to faculty
and staff who have a legitimate need for the information to carry
out their responsibilities relating to the administration of student
affairs and services
See: Academic Records and Student Transcripts, S.98-246
http://www.uwo.ca/univsec/handbook/general/records.pdf
and Official Student Record Information Privacy Policy,
http://www.uwo.ca/univsec/handbook/general/privacy.pdf
SHARING STUDENT ACADEMIC
INFORMATION WITHIN THE UNIVERSITY
• Ordinarily an instructor would not have access to
a student’s academic record unless:
– the student provides a copy to the instructor, or
– the student provides written consent, or
– the instructor is carrying out administrative functions or
specific duties that necessitate review of portions of a
student’s academic record (e.g. membership on a
committee that is reviewing applications to a program)
SHARING STUDENT PERSONAL
INFORMATION IN THE CLASSROOM
• Sharing student personal information as part of class
activities is permissible if academically or administratively
necessary
• If attendance is mandatory, circulating an attendance
sheet is permissible*
• If class participation is recorded, requiring the display of
name cards is permissible*
• Sign-up sheets are permissible*
* However, student numbers should NOT be displayed or
circulated with corresponding student names/signatures
SHARING STUDENT PERSONAL
INFORMATION IN THE CLASSROOM
• Avoid circulating lists with students’ contact information to
the entire class
• If the sharing of contact information is necessary for the
purposes of a course, it is preferable to advise students
that they should supply the necessary information directly
to the students with whom they will be working
SHARING STUDENT PERSONAL
INFORMATION IN THE CLASSROOM
• If a course will require students to share certain
types of personal information that would not
reasonably be anticipated by students, then the
course outline should provide notice of this
requirement
RETURNING STUDENT
ASSIGNMENTS / TESTS / EXAMS
• Senate regulation:
“All student assignments, tests and exams will be
handled in a secure and confidential manner.
Particularly in this respect, leaving student work
unattended in public areas for pickup is not permitted.”
(Senate Regulation S.03-081)
• Material must not be returned in a manner that
would reveal personal information of a student
RETURNING STUDENT
ASSIGNMENTS / TESTS / EXAMS
• Should be returned directly to the student (unless
student gives consent for another individual to
pick up his or her work)
• Students should not handle exams, tests or
assignments other than their own
• Where possible, the papers should be returned in
class, under supervision of the instructor
RETURNING STUDENT
ASSIGNMENTS / TESTS / EXAMS
• Avoid writing a student’s grade on the outside of
an exam, test, or assignment
• Consider folding and stapling or taping papers
closed where possible, to ensure that grades or
comments are not visible to others when
materials are returned
• Consider returning tests and assignments in
sealed envelopes where practicable, with
students’ names on front
RETURNING STUDENT
ASSIGNMENTS / TESTS / EXAMS
• An alternative to returning the material in class
would be to store assignments in central files in
Department office and have office staff retrieve
them for students
• Open mailboxes should be avoided unless
graded work is in a sealed envelope
• Other alternatives may be used as long as
personal information is protected
POSTING LISTS OF STUDENT GRADES
A. What to post:
– Never post student name with grade
– Student identification number and grade may be posted in limited
locations within a Faculty if the Faculty/Department is satisfied
that posted marks cannot reasonably be linked to individual
students
– However, posting should be avoided in smaller classes or
professional or graduate programs where use of student
identification number may not sufficiently protect the identity of
individual students
– If class/section has fewer than 15 students, public posting should
always be avoided
– Post grades in randomized fashion or numerically – not in
alphabetical order of the class list
– If some students in a course have unusual student identification
numbers, all numbers should be truncated before posting -- use
last 5 digits only
POSTING LISTS OF STUDENT GRADES
B. Where and when to post:
– Acceptable to post student identification numbers and grades on
instructor’s door or in a department office for a limited period of
time
– Do not post class lists with student identification numbers and
grades on a website
– Do not send class lists with student identification numbers and
grades by email
Best practice: Use WebCT Vista to communicate grades
to students on a confidential basis
USE OF EMAIL
• Remember that email is not secure unless it is
encrypted
• Do not require students (or others) to send
sensitive information (e.g., family or medical
information) by email
• Where possible, avoid sending sensitive
information by email (e.g., results of an appeal)
• If it is necessary to send sensitive information to
students by email, use UWO email accounts - avoid using students’ personal email accounts
USE OF EMAIL
• Instructors should advise students to use their
UWO or Faculty email account when
corresponding with their instructors
• If a student uses a personal email account, the
instructor should use his/her best judgment in
deciding whether it is appropriate in the particular
circumstances to reply to that email address
USE OF EMAIL
• Be professional in all email communications
• Remember that emails relating to students would
ordinarily be considered University records and
could be the subject of an access request under
FIPPA
REFERENCE LETTERS
• It is recommended that faculty members or staff
ordinarily obtain written consent from a student
before writing a letter of reference or providing an
oral evaluation
• Ensure that the student has clearly explained
what he or she wants the faculty or staff member
to discuss (e.g. entire academic record,
performance in one course, etc.)
SECURITY OF PERSONAL INFORMATION
• Staff and faculty are responsible for the security
of students’ personal information in their custody
• The level of security depends on the type,
sensitivity, and volume of information and the
medium on which it is recorded, stored or
transmitted
SECURITY OF PERSONAL INFORMATION
Some best practices:
- ensure that sensitive student information is not left in an
unattended area and is stored securely when not in use
- take special care to protect the data collected through
the use of personal response systems (“clickers”)
- ensure that all storage devices for sensitive information
require passwords for access: power-on passwords,
screensaver passwords, account passwords
SECURITY OF PERSONAL INFORMATION
More best practices:
- avoid carrying sensitive personal information on a mobile
device (e.g. laptops, USB drives) unless absolutely necessary
- if sensitive personal information is stored on a laptop or
mobile computing device, it should be encrypted to protect
against unauthorized access if the device is lost or stolen
SECURITY OF PERSONAL INFORMATION
More best practices:
- save sensitive files to the network while ensuring that
access is restricted
- take extra precautions when working off campus
- avoid leaving records containing sensitive personal
information in a locked vehicle unless the records are
either encrypted or cannot be linked to a particular student
- send paper documents in a secure manner
- use official UWO email addresses when communicating
with students
- avoid email when communicating sensitive information
SECURITY OF PERSONAL INFORMATION
• More best practices:
- take appropriate precautions to protect the identity of
students when returning student assignments and posting
grades
- only share student personal information with other
faculty and staff on a need-to-know basis
- verify identity of person seeking access to his/her own
personal information before giving access
- dispose of documents containing student personal
information in a secure manner (e.g. shredding)
RETENTION OF PERSONAL INFORMATION
• All student personal information that is “used” by the
University and not returned to the student must be retained
for at least one year after last use (unless the student
consents to a shorter retention period)
• This includes information in emails, medical certificates,
advice and opinions of academic counsellors, academic
appeal correspondence, completed exams and
assignments
• An email containing personal information could be retained
in electronic form or printed and filed with paper records.
Alternatively, the email could be deleted so long as the
personal information in the email is retained elsewhere for
the minimum retention period
• Transitory emails (unsolicited and not used) should be
deleted immediately
STUDENT ACCESS TO THEIR
OWN PERSONAL INFORMATION
• Current Senate regulations give students the right
to review their marked exams under supervision
• Under FIPPA, students have the right to review
and request copies of most (but not necessarily
all) of their personal information held in files
within Deans’ Offices, Academic Counselling
Offices, Program Offices, Department Offices,
AND in faculty members’ files
STUDENT ACCESS TO THEIR
OWN PERSONAL INFORMATION
• Care should be taken to ensure that student files contain only
necessary information
• Ensure that any annotations on a document are necessary and
objective
• Unless there are concerns about releasing the content of a particular
file, students should normally not be required to make formal FIPPA
access requests to see their personal information
• Do not provide access to records that contain the personal
information of other individuals
• Contact the University’s Freedom of Information and Privacy Office if
you have questions or concerns about releasing portions of a file to a
student on an informal basis
DENIAL OF STUDENT ACCESS TO THEIR
OWN PERSONAL INFORMATION
Under FIPPA, the University may refuse access
in some cases, including:
a) if the record includes personal information of another
individual and release would constitute an unjustified
invasion of another individual’s personal privacy
b) if disclosure could seriously threaten the safety or
health of an individual
c) if the record contains medical information the
disclosure of which could prejudice the mental or
physical health of the requester
DENIAL OF STUDENT ACCESS TO THEIR
OWN PERSONAL INFORMATION
d) if the information is supplied in confidence and is
evaluative or opinion material compiled solely for the
purpose of determining suitability, eligibility or
qualifications for admission to an academic program of
an educational institution or determining suitability for
an honour or award to recognize outstanding
achievement
STUDENT ACCESS TO
LETTERS OF REFERENCE
• Access to reference letters can be denied if they
were received in confidence for the purpose of
determining suitability, eligibility or qualifications
for admission to a program or to the University
• The exemption may also permit denial of access
to faculty members’ copies of reference letters
that they wrote and sent to another institution at
the request of the student (this interpretation has
not yet been tested)
STUDENT ACCESS TO LETTERS OF
REFERENCE
• It is also important to understand that the
University has no control over what happens to a
reference letter once it is received by another
institution, particularly one outside Ontario; local
laws or policies apply
• If a reference letter is sent to another institution
and a faculty member is concerned about the
student’s access to it, he or she could ask the
student to sign an acknowledgement that it is being
sent in confidence to the other institution; this
may assist in protecting the contents
Where to go for advice?
• Coordinator, Western’s Freedom of
Information and Privacy Office (ext. 84543)
• Western Archives for advice on records
management issues (including disposal of
records)
http://www.lib.uwo.ca/archives/records.shtml
• Check FOIP Office website at
http://www.uwo.ca/privacy/index.html