Information Access and Privacy

 


Q1: What do I do if I suspect a privacy breach?

A:  Ryerson University ("Ryerson") has a privacy incident notification process.

Q2: What are the fundamental principles of FIPPA?

A:    FIPPA is provincial legislation that has applied to Ontario universities, including Ryerson University ("Ryerson"), since June 10, 2006. FIPPA is composed of two principles of equal weight:

  • Transparency: Access to information is an essential value
  • Privacy: Personal information and privacy must be protected and doing so is integral to the dignity and the integrity of the individual

FIPPA applies to any records in Ryerson's custody or control. Certain records are excluded from FIPPA including:

  • Private donations to Ryerson's archives
  • Labour relations and employment-related records leading to agreements
  • Research and teaching materials
  • Records not in the custody or control of Ryerson

There are specific exemptions to the obligation to disclose records, for example:

  • Personal information
  • Closed meetings
  • Solicitor-client documents
  • Economic and other interests of Ryerson
  • Third-party information
  • Advice and recommendations
  • Danger to health and safety
  • Publicly-available documents
  • Law enforcement
  • Relations with governments

FIPPA contains particular requirements for the collection, use, protection and disclosure of personal information.  Individuals have the right to ask for their own personal information and to request a correction of records containing their own personal information.

Q3: Are there any general guiding principles that will help me make appropriate decisions when it comes to freedom of information and privacy?

A:    FIPPA provides for transparency and also requires that personal information and privacy be protected. When creating records (including email and paper documents), consider the possibility that what you are writing could be subject to an access request and therefore could be made public—what would the impact be on your reputation or Ryerson’s? When someone asks you for another person’s information, consider whether it is personal information, and if so, don’t provide it. When you are using, storing, duplicating or destroying personal information, take reasonable steps to secure the information, e.g. password protection, locked file cabinets, shredding, personal and confidential envelopes rather than email, and not leaving documents sitting out on a desk where unauthorized people might have access. Review your files and emails regularly. If you have documents that you don’t need and are under no policy or legal obligation to keep, then destroy them. Use common sense and good judgment. If you have specific questions, ask your Chair or email the Information and Privacy Officer.

Q4: What are some best practices I can follow to minimize security and privacy breaches?

A:    Take the following actions:

  • review employee procedures in the Information Protection and Access Policy for Restricted Information
  • take Information Security Awareness Training (contact the Information System Security Officer at 416.979.5000 ext 3077 to arrange)
  • if you are collecting, using, and/or storing other individuals’ personal information (i.e. students or research subjects):
    o use a password-protected and encrypted memory stick to store data if access is required off site
    o password protect your laptop.  Consider not storing data directly on the machine
  • use extra precaution when sharing personal information via email – make sure the address is correct; include only the minimal information necessary to complete the task.

Q5: I've lost my laptop and it contained student records, my lectures and some research. What do I do?

A:    Call security to report at 416.979.5040.  Tell them if your computer contained personal information on the hard drive, whether the machine was password protected and whether the data was encrypted.  

If there was data on the machine that consists of personal information (student grades, assignments, employee records, research containing other individuals’ personal information) you are required by university policy to call the Information and Privacy Officer IMMEDIATELY at 416.979.5000 ext 4676.  This is a suspected privacy breach.

If the machine was password protected and the personal information data was encrypted, this is not a breach and no further action is required.  If you did not use these precautions, then you will be involved in notifying all affected individuals about the breach.

Q6: Who is responsible when material intended for shredding is involved in a privacy breach?

A:    If you are the source, user, or keeper of the record then you are responsible for ensuring the information’s secure return or destruction once you are finished with it – think “cradle to grave” responsibility.

  • talk to your department to find out about access to a shredder or to arrange for shredding of confidential records through Campus Facilities.

Q7: What should I do if I am asked to provide information that I believe is protected under FIPPA?

A:    In general, if you are asked for information that you would normally provide, such as a course syllabus or outline, a reading list, or a copy of an article you should provide that information. You must also provide information that is about the requestor, such as grades on tests and papers. You should not provide a third party with any personal information. You also do not need to provide such things as exam questions, teaching materials or research notes, as these are excluded. If you have a question you may contact Ryerson’s Information and Privacy Officer at fippa@ryerson.ca. If you choose not to honour a request for information, the requestor has a right to file a Freedom of Information request. In the latter case, it will be Ryerson's General Counsel, in conjunction with the Information and Privacy Officer, who determines access to the information.

Q8: What happens when Ryerson receives a request under FIPPA for access to information?

A:    An access request must be made to Ryerson's Information and Privacy Officer and requires a $5.00 initial filing fee. The Privacy Officer determines where the requested information is held and will work with the contact in that area to find the records requested and to determine if any exclusions or exemptions apply. Fees are charged to the requestor for the time taken to search for and, if appropriate, prepare records for release.  If the information is to be given to the requestor, the Privacy Officer expunges any personal information or other excluded information from the record before it is disclosed.

Q9: Can someone use FIPPA to access my professional records created as part of consulting work I do outside my regular employment with the University?

A:    FIPPA applies to records that are in the custody and control of the University. It should not apply to records that are personal to you (including business activities unrelated to the University). However, if you don’t keep those records separate from your University records, it is possible that confusion could occur as to what is actually the University’s and what is yours. A best practice is to keep separate and apart and clearly mark those files that do not belong to the University (e.g. separate file cabinet, separate folders on computer and email).

Q10: What types of student and general records do I need to retain and for how long?

A:    

Transitory Records

The following are considered to be transitory records and can be and indeed should be routinely disposed of when no longer needed:

  • duplicate stocks of publications, printed literature or blank forms, including those associated with computer-based information systems;
  • duplicate records within the same media retained solely for convenient reference or future distribution (examples include branch-wide memos; "All Staff" e-mails; notices of holidays, special events or routine administrative matters; and personal desk copies of such items as program studies or committee minutes);
  • broadly distributed materials (such as manuals, directives, bulletins and guidelines) used to communicate policies and practices for internal administration (other than original copies kept by the office from which the materials were issued);
  • phone messages, personal messages, and records documenting activities such as holiday parties or charitable fund drives unconnected to program functions;
  • unsolicited advertising materials;
  • publications such as books, journals, magazines, newspapers, newsletters, and published reports which form or will form part of a library's catalogued holdings or are stored within branch libraries or reference shelves;
  • publication extracts which have no significant value in documenting how program data was collected or decisions reached, and which have not therefore been integrated within program files;
  • temporary working papers such as rough notes or informal drafts that are of no value in documenting data collection or in showing how Ryerson policies or programs were developed or implemented. (That is, they represent no significant steps in the preparation of a final document, were not reviewed by other persons, do not record program decisions, and do not contain important research or background data.)

Managers should ensure that all transitory items are deleted or destroyed immediately when no longer needed.


Official Ryerson Records

Official records are distinct from transitory records. Official records serve important business functions, such as supporting program delivery or policy development, or meeting legal, financial and other needs. They may also provide important evidence of institutional decisions and actions. These should only be destroyed consistent with Ryerson’s Record Retention Schedule (see Records Management Policy).

Records Containing Personal Information

Anything which has personal information must be retained for a minimum of one year under FIPPA. Personal information includes, but is not limited to: name, home address, home phone number, student’s email address (home or Ryerson), identifying numbers (e.g. student number, employee number or social insurance number), education history (grades, degrees received, academic misconduct), health history, or opinions about an individual.  Your professional contact information is generally not perceived as personal information (faculty’s business phone number, Ryerson email, business mailing address). See the definition of “personal information” in the Freedom of Information and Protection of Privacy Act available on the General Counsel’s Information Access and Privacy website at http://www.ryerson.ca/gcbs/accessprivacy.html.

According to Ryerson's Course Management Policy 145, all student work is to be returned to the student before the end of the academic term.  Final exams and unclaimed assignments are the only type of student work that, under FIPPA, will need to be retained for the one-year period because these are not returned to students.  

You should also retain all documents and correspondence that may be part of the academic or academic conduct appeals process. You are required by the Course Management Policy to submit a copy of your grade sheet to the Department/School.

Q11: What should be my e-mail protocol and retention in regard to correspondence with students?

A:   Generally speaking, all emails from and to students that contain personal information as described above and that you use for the purpose of evaluating their contributions during a course or for advising regarding their educational path should be retained for one year under FIPPA (a definition of personal information is provided in the previous question).  Particular emphasis is placed upon retaining correspondence that reveals something personal about the student beyond their email address (student ID, educational or medical history, financial information, questions about course work, evaluations, etc.).  This also includes any correspondence that may pertain to an appeal.  You should only correspond with students on their “ryerson.ca” email accounts as per Ryerson’s policy for the Establishment of Student Email Accounts for Official University Communication 157.

You should be careful about the content of e-mails as they may be retained not only by you but by others, and they can be requested as part of an FOI request. Generally, the “reply all” response should be avoided unless it is necessary. You can never be assured of what is retained on the computers of others; so, even if you have deleted an email, that’s no guarantee it will not end up being released as a result of an FOI request.

Q12: Can I send multiple students one email using their Ryerson email address given that the email address is considered their personal information by identifying them as Ryerson students?

A:    A Ryerson student’s email address is considered their personal information and as such faculty should take care in the judicious use of the address. 

All students are provided with an official Ryerson email address, as per Senate Policy #157, Establishment of Student Email Accounts for Official University Communication, as a means by which Ryerson employees can communicate with students.  The address is also a means by which Ryerson can foster a collaborative learning environment such as through student discussion groups on D2L Brightspace, accessible through the official Ryerson email address account.  There are no restrictions on how students can use their email address, such as for personal communications, or for communications outside Ryerson. 

Faculty and staff, however, should take care in using student email addresses.  Be cautious in sending group emails: disclosing personal information such as grades, internship placements, home contact information, or details about an academic appeal to other students would constitute a privacy breach, and Ryerson's Privacy Officer must be notified immediately.  If you want to send a group email and the text does not identify individuals, consider using the blind-copying function. Refrain from disclosing the student’s email address to non-Ryerson personnel unless you have the consent of the student.

Using D2L Brightspace to post general information messages to students is one low-risk option.  For messages aimed at a specific group of students within a course, try using the blind-copying function on your email system; in this way students can only see their own address and cannot see who else received the message.  It is important to note that it is the content of the message that should dictate the method used to communicate information to students; the more sensitive the information, the less appropriate group communication, including email, will be.

Q13: What should be my e-mail protocol and retention in regard to correspondence with other faculty and administration?

A:    The same general advice applies as regards emails with students. Email is generally not considered secure or an appropriate vehicle for the transmission of highly sensitive information. Emails that contain personal information that you have used need to be retained for a minimum of one year.

Q14: Am I entitled to access to students’ academic records for any reason?

A:    In general, you do not have the right to consult a student’s academic record. Faculty who serve on appeals panels or who are charged with academic advising may confidentially access these records for that purpose only. Chairs/Directors and their specified administrative staff may access records for administrative purposes only and are not authorized to share that record with faculty. If you have questions regarding whether you may access an academic record for a particular purpose speak to the Associate Registrar, Enrollment Services.

Q15: What should I do with students’ work?

A:    The Course Management Policy states that students’ work must be returned to them confidentially. Putting work in a box outside your office is not permitted. The policy also requires that you retain final exams for one year, at which point the work is shredded. Departments/Schools are required to develop policies on the confidential disposal of work.  Under FIPPA you must retain all unclaimed student work, including final exams, for one year from the date received.  Student grades and evaluation comments should be kept confidential.  It is advisable not to put the mark and comments on the front page of the document.

Q16: Can I have students working in groups hand in one assignment together with their names and their Ryerson Student Identification Numbers on the first page? How else can I be sure that I know which students are working in a group since it is possible that I could have more than one student in a class with a very similar if not identical first and last name?

A:    The concern is that name plus student ID number permits someone else with enough information to impersonate another student.  The more information disclosed, the better able someone would be to commit fraud.  A similar approach to that outlined in the Course Management Policy Section 2.2(f) should be followed, where only part of the student number is included. It is recommended that the last 4 digits be used.  In other words, professors can request that students working on group assignments hand in projects listing a portion of the student ID number and no names.  In this way the other students in the group will not be privy to the entire student ID number.

Q17: How can I now take students’ attendance at weekly classes and final exams? What if the student doesn’t have their OneCard?

A:    Attendance at lectures, seminars and labs can still be taken, but professors should be sensitive to how this information is gathered. The student’s full name and complete student ID number should not be circulated. 

For final exams, invigilators should walk around the room to verify student photo ID cards on a student-by-student basis, noting the attendance on a sheet of names and numbers, and students should sign their individual exams.   

According to the Senate’s Examination Policy 135, Section III (B)(5) students must present relevant photo identification; the policy does not specify that only the OneCard will suffice.  There is no need to take a student’s photograph at an exam.  It is the student’s responsibility to ensure that he/she brings proper identification.  If a student does not have any photo ID, the instructor should first try to confirm that the student is in the class, and the student should be required to bring identification with a signature to the instructor’s office as soon as possible after the exam.

Q18: What can an instructor do upon becoming aware that a student is taking photos or video of the lecture, other students, or discussion period? Is this a violation of student privacy? What about the instructors’ privacy?

A:    Students’ answers, student images – these are the personal information of students.  The actual lecture is the teaching material of the instructor and is not meant to be publicly available without his/her consent; indeed, teaching materials are protected against disclosure from a formal access request under FIPPA.  The image of the instructor is his/her personal information.  Both the instructor’s lecture and image would require the instructor’s consent for capture.  If notice about the intent to capture the lecture by audio or visual recording is provided in advance to the instructor and students, no one’s privacy would be violated.  Students with concerns could approach the instructor in advance.  If the request to record the lecture stems from an Access Centre request, then these concerns would be relayed to the Access Centre.  Ryerson is obliged under the Ontario Human Rights Code and the Accessibility for Ontarians with Disabilities Act (Bill 118) to seek a reasonable accommodation so that students with disabilities are not at a learning disadvantage because of their special needs.  Please contact the Access Centre for further information (ext. 5290).  See also the Senate policy Academic Accommodation of Students with Disabilities 159.

Q19: In award ceremonies where donors recognize student achievements, how do we protect student privacy? Do we need students’ consent to disclose personal information about them to the donor? Photos? Announcements? Newsletters? What if the donor wants to take the information and publish it elsewhere?

A:    For awards applied through Ryerson’s Student Financial Assistance as of April 2008 there is a notice of collection in place that covers this use (http://www.ryerson.ca/financialaid/contact/privacy/index.html).  For all other awards, or other kinds of student achievements, departments are advised to contact students in advance to obtain their permission to use their personal information.

Q20: Can students see their internship or practicum evaluations submitted by third-parties (such as a doctor)?

A:    The letter is comparable in purpose to a professor's feedback on an assignment and therefore the student has a right to see it.  

Q21: Should I be agreeing to write letters of recommendation for students or colleagues?

A:    Yes, if you would have done so prior to FIPPA you should do it now. FIPPA exempts evaluative or opinion material of the type that assesses the teaching materials or research of an employee, or determines eligibility or qualification for admission to an academic program, or determines the qualification for an honour or award to recognize achievement. If the person who is being evaluated uses FIPPA to request access to their own personal information in that evaluation or opinion material, Ryerson has the discretion to refuse that request.

Q22: How is my research impacted by FIPPA?

A:    Generally speaking, research and teaching materials are excluded from FIPPA. That means that if someone were to make an FOI request for your research notes on a project, the University would advise the requestor that those records are not subject to FIPPA. However, FIPPA specifies that the subject matter and amount of funding for research (but not the source of funding) is information that must be made available if requested. If you have more detailed questions, speak with the Office of Research Services.

Q23: How is the process of peer review affected by FIPPA?

A:    FIPPA exempts evaluative or opinion material of the type that assesses the teaching materials or research of an employee, or determines eligibility or qualification for admission to an academic program, or determines the qualification for an honour or award to recognize achievement. If the person who is being evaluated uses FIPPA to request access to their own personal information in that evaluation or opinion material, Ryerson has the discretion to refuse that request.

Q24: How are the hiring and promotion and tenure review processes affected by FIPPA?

A:    The hiring, promotion and tenure review processes are governed by the collective agreement between Ryerson University and the Ryerson Faculty Association. Collective agreements are accessible under FIPPA and are available for public view at: http://www.ryerson.ca/hr/policy/index.html.  The collective agreement itself provides for certain access to information rights. For more information you should speak with Vice Provost, Faculty Affairs.

NEED MORE INFORMATION?
tel:  416-979-5000 ext. 4676
email:  fippa@ryerson.ca

Note: This information is posted on Senate's website at http://www.ryerson.ca/senate/faculty/index.html.