A: FIPPA is provincial legislation that has applied to Ontario universities, including Ryerson University ("Ryerson) since June 10, 2006. FIPPA is composed of two principles of equal weight:
FIPPA applies to any records in Ryerson's custody or control. Certain records are excluded from FIPPA including:
There are specific exemptions to the obligation to disclose records, for example:
FIPPA contains particular requirements for the collection, use, protection and disclosure of personal information. Individuals have the right to ask for your own personal information and to request a correction of records containing your own personal information.
A: FIPPA both provides for transparency and it requires that personal information and privacy must be protected. When it comes to creating records (including email and paper documents) consider the possibility that what you are writing could be subject to an access request and therefore could be made public—what would the impact be on your reputation or Ryerson’s? When someone asks you for another person’s information, consider whether it is personal information, and if so, don’t provide it. When you are using, storing, duplicating or destroying personal information, take reasonable steps to secure the information, e.g. password protection, locked file cabinets, shredding, personal and confidential envelopes rather than email, not leaving documents sitting out on a desk where unauthorized people might have access. Review your files and emails regularly. If you have documents that you don’t need and are under no policy or legal obligation to keep, then destroy them. Use common sense and good judgment. If you have specific questions ask your Chair or email the Information and Privacy Officer.
A: Take the following actions:
A: Call security to report at 416.979.5040. Tell them if your computer contained personal information on the hard drive, whether the machine was password protected and whether the data was encrypted.
If there was data on the machine that consists of personal information (student grades, assignments, employee records, research containing other individuals’ personal information) you are required by university policy to call the Information and Privacy Officer IMMEDIATELY at 416.979.5000 ext 4676. This is a suspected privacy breach.
If the machine was password protected and the personal information data was encrypted this is not a breach and no further action is required. If you did not use these precautions then you will be involved in notifying all affected individuals about the breach.
A: If you are the source, user, or keeper of the record then you are responsible for ensuring the information’s secure return or destruction once you are finished with it – think “cradle to grave” responsibility.
A: In general, if you are asked for information that you would normally provide, such as a course syllabus or outline, a reading list, or a copy of an article you should provide that information. You must also provide information that is about the requestor, such as grades on tests and papers. You should not provide a third party with any personal information. You also do not need to provide such things as exam questions, teaching materials or research notes, as these are excluded. If you have a question you may contact Ryerson’s Information and Privacy Officer at email@example.com. If you choose not to honour a request for information, the requestor has a right to file a Freedom of Information request. In the latter case, it will be Ryerson's General Counsel, in conjunction with the Information and Privacy Officer, who determines access to the information.
A: An access request must be made to Ryerson's Information and Privacy Officer and requires a $5.00 initial filing fee. The Privacy Officer determines where the requested information is held and will work with the contact in that area to find the records requested and to determine if any exclusions or exemptions apply. Fees are charged to the requestor for the time taken to search for and, if appropriate, prepare records for release. If the information is to be given to the requestor, the Privacy Officer expunges any personal information, or other excluded information from the record before it is disclosed.
A: FIPPA applies to records that are in the custody and control of the University. It should not apply to records that are personal to you (including business activities unrelated to the University). However, if you don’t keep those records separate from your University records, it is possible that confusion could occur as to what is actually the University’s and what is yours. A best practice is to keep separate and apart and clearly mark those files that do not belong to the University (e.g. separate file cabinet, separate folders on computer and email).
The following are considered to be transitory records and can be and indeed should be routinely disposed of when no longer needed:
Official records are distinct from transitory records. Official records serve important business functions, such as supporting program delivery or policy development, or meeting legal, financial and other needs. They may also provide important evidence of institutional decisions and actions. These should only be destroyed consistent with Ryerson’s Record Retention Schedule (see Records Management Policy).
Anything which has personal information must be retained for a minimum of one year under FIPPA. Personal information includes, but is not limited to: name, home address, home phone number, student’s email address (home or Ryerson), identifying numbers (e.g. student number, employee number or social insurance number), education history (grades, degrees received, academic misconduct) health history, or opinions about an individual. Your professional contact information is generally not perceived as personal information (faculty’s business phone number, Ryerson email, business mailing address). See the definition of “personal information” in the Freedom of Information and Protection of Privacy Act available on the General Counsel’s Information Access and Privacy website at http://www.ryerson.ca/gcbs/accessprivacy.html.
According to Ryerson's Course Management Policy 145, all student work is to be returned to the student before the end of the academic term. Final exams and unclaimed assignments are the only type of student work that, under FIPPA, will need to be retained for the one-year period because these are not returned to students.
You should also retain all documents and correspondence that may be part of the academic or academic conduct appeals process. You are required by the Course Management Policy to submit a copy of your grade sheet to the Department/School.
A: Generally speaking, all emails from and to students that contain personal information as described above and that you use for the purpose of evaluating their contributions during a course or for advising regarding their educational path should be retained for one year under FIPPA (a definition of personal information is provided in the previous question). Particular emphasis is placed upon retaining correspondence that reveals something personal about the student beyond their email address (student ID, educational or medical history, financial information, questions about course work, evaluations, etc.). This also includes any correspondence that may pertain to an appeal. You should only correspond with students on their “ryerson.ca” email accounts as per Ryerson’s policy for the Establishment of Student Email Accounts for Official University Communication 157.
You should be careful about the content of e-mails as they may be retained not only by you but by others, and they can be requested as part of an FOI request. Generally, the “reply all” response should be avoided unless it is necessary. You can never be assured of what is retained on the computers of others; so, even if you have deleted an email, that’s no guarantee it will not end up being released as a result of an FOI request.
A: A Ryerson student’s email address is considered their personal information and as such faculty should take care in the judicious use of the address.
All students are provided with an official Ryerson email address, as per Senate Policy #157, Establishment of Student Email Accounts for Official University Communication, as a means by which Ryerson employees can communicate with students. The address is also a means by which Ryerson can foster a collaborative learning environment such as through student discussion groups on D2L Brightspace, accessible through the official Ryerson email address account. There are no restrictions on how students can use their email address, such as for personal communications, or for communications outside Ryerson.
Faculty and staff, however, should take care in using student email addresses. Be cautious in sending group emails; disclosing personal information such as grades, internship placements, home contact information, or details about an academic appeal to other students as these situations would all constitute a privacy breach and Ryerson's Privacy Officer must be notified immediately. If you want to send a group email and the text does not identify individuals, consider using the blind-copying function. Refrain from disclosing the student’s email address to non-Ryerson personnel unless you have the consent of the student.
Using D2L Brightspace to post general information messages to students is one low-risk option. For messages aimed at a specific group of students within a course try using the blind-copying function on your email system; in this way students can only see their own address and cannot see who else received the message. It is important to note that it is the content of the message that should dictate the method used to communicate information to students; the more sensitive the information, the less appropriate group communication, including email will be.
A: The same general advice applies as regards emails with students. Email is generally not considered secure or an appropriate vehicle for the transmission of highly sensitive information. Emails that contain personal information that you have used needs to be retained at a minimum of one year.
A: In general, you do not have the right to consult a student’s academic record. Faculty who serve on appeals panels or who are charged with academic advising may confidentially access these records for that purpose only. Chairs/Directors and their specified administrative staff may access records for administrative purposes only and are not authorized to share that record with faculty. If you have questions regarding whether you may access an academic record for a particular purpose speak to the Associate Registrar, Enrollment Services.
A: The Course Management Policy states that students’ work must be returned to them confidentially. Putting work in a box outside your office is not permitted. The policy also requires that you retain final exams for one year, at which point the work is shredded. Departments /Schools are required to develop policies on the confidential disposal of work. Under FIPPA you must retain all unclaimed student work, including final exams, for one year from the date received. Student grades and evaluation comments should be kept confidential. It is advisable not to put the mark and comments on the front page of the document.
A: The concern is that name plus student ID number permits someone else with enough information to impersonate another student. The more information disclosed, the better able some one would be in committing fraud. A similar approach to that outlined in the Course Management Policy Section 2.2(f) should be followed where only part of the student number is included. It is recommended that the last 4 digits be used. In other words, professors can request that students working on group assignments hand in projects listing a portion of the student ID number and no names. In this way the other students in the group will not be privy to the entire student ID number.
A: Attendance at lectures, seminars and labs can still be taken, but professors should be sensitive to how this information is gathered. The student’s full name and complete student ID number should not be circulated.
For final exams, invigilators should walk around the room to verify student photo ID cards on a student-by-student basis, noting the attendance on a sheet of names and numbers, and students should sign their individual exams.
According to the Senate’s Examination Policy 135, Section III (B)(5) students must present relevant photo identification; the policy does not specify that only the OneCard will suffice. There is no need to take a student’s photograph at an exam. It is the student’s responsibility to ensure that he/she brings proper identification. If a student does not have any photo ID, the instructor should first try to confirm that the student is in the class, and the student should be required to bring identification with a signature to the instructor’s office as soon as possible after the exam.
A: Students’ answers, student images – these are the personal information of students. The actual lecture is the teaching material of the instructor and is not meant to be publicly available without his/her consent; indeed teaching materials are protected against disclosure from a formal access request under FIPPA. The image of the instructor is his/her personal information. Both the instructor’s lecture and image would require the instructor’s consent for capture. If notice about the intent to capture the lecture by audio or visual recording is provided in advance to the instructor and students, no one’s privacy would be violated. Students with concerns could approach the instructor in advance. If the request to record the lecture stems from an Access Centre request, then these concerns would be relayed to the Access Centre. Ryerson is obliged under the Ontario Human Rights Code and the Accessibility for Ontarians with Disabilities Act (Bill 118) to seek a reasonable accommodation so that students with disabilities are not at a learning disadvantage because of their special needs. Please contact the Access Centre for further information (ext. 5290). See also the Senate policy Academic Accomodation of Students with Disabilities 159.
A: For awards applied through Ryerson’s Student Financial Assistance as of April 2008 there is a notice of collection in place that covers this use (http://www.ryerson.ca/financialaid/contact/privacy/index.html). For all other awards, or other kinds of student achievements, departments are advised to contact students in advance to obtain their permission to use their personal information.
A: The letter is comparable in purpose to a professor's feedback on an assignment and therefore the student has a right to see it.
A: Yes, if you would have done so prior to FIPPA you should do it now. FIPPA exempts evaluative or opinion material of the type that assesses the teaching materials or research of an employee, or determines eligibility or qualification for admission to an academic program, or determines the qualification for an honour or award to recognize achievement. If the person who is being evaluated uses FIPPA to request access to their own personal information in that evaluation or opinion material, Ryerson has the discretion to refuse that request.
A: Generally speaking, research and teaching materials are excluded from FIPPA. That means that if someone were to make an FOI request for your research notes on a project, the University would advise the requestor that those records are not subject to FIPPA. However, FIPPA specifies that the subject matter and amount of funding for research (but not the source of funding) is information that must be made available if requested. If you have more detailed questions, speak with the Office of Research Services.
A: FIPPA exempts evaluative or opinion material of the type that assesses the teaching materials or research of an employee, or determines eligibility or qualification for admission to an academic program, or determines the qualification for an honour or award to recognize achievement. If the person who is being evaluated uses FIPPA to request access to their own personal information in that evaluation or opinion material, Ryerson has the discretion to refuse that request.
A: The hiring, promotion and tenure review processes are governed by the collective agreement between Ryerson University and the Ryerson Faculty Association. Collective agreements are accessible under FIPPA and are available for public view at: http://www.ryerson.ca/hr/policy/index.html. The collective agreement itself provides for certain access to information rights. For more information you should speak with Vice Provost, Faculty Affairs.