How We Use, Collect, and Protect Your Information
How we use your information
Required uses
Most uses of personal student information are necessary to the operation of the University – i.e., to deliver and improve core services to you and to meet our reporting obligations to government and other stakeholders. Because of this, you cannot opt out of the collection of this information, nor can you opt out of those essential uses and disclosures.
Where use of personal student information is essential, Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) requires that the University notify you of:
(a) the University’s legal authority for collecting this information
(b) the principal purposes for collecting and using your personal information (any factual or subjective information, whether recorded or not, about an identifiable individual) and
(c) the title, business address and telephone number of a University employee who can answer your questions about the collection of your personal information
Examples of when the University meets these obligations by providing specific notices of collection at key points where your information is collected:
The University has established guidelines regarding who can access your official academic record.
Optional uses
Some collection or uses of your personal information are optional and require your consent.
Examples:
- Use of your contact information for optional surveys
- Use by clubs and many student groups
- Some student mailing lists
Your decision to provide your personal information, or not, for these activities will not affect any official University outcomes, such as your grades, and will not appear on your transcript.
If you have any questions about optional uses, please ask the department, instructor or student group requesting the information. You may also contact the Freedom of Information and Protection of Privacy Office.
Your rights and the University’s responsibilities
You have rights and the University has obligations regarding your personal information. Your rights and the University’s obligations arise from and are subject to law, policy, and practice.
In some instances, the University’s obligations may require disclosures of your personal information. For example: individual personal information rights may be limited in circumstances that pertain to safety, or codes of behaviour with respect to academic integrity and other conduct; the University may also need to release your information if required by law (e.g., statutory requirement, subpoena, warrant, etc.).
How we collect your information
The University may collect information about you through various sources:
- Directly from you such as when you register for a course
- From faculty and staff such as when a professor enters your grade for a course in which you are registered
- When you interact with the University’s systems (e.g., when you log onto a university computer terminal or use a web-based application, data is generated and logged based on visits and interactions with the application); or
- In limited instances, from external sources (e.g., admission information from the Ontario Universities’ Application Centre)
How we protect your information
The University takes numerous steps to protect the security and confidentiality of your information. These protections (ways of securing data from unauthorized access and use or from data loss or corruption) align with the University’s Policy on Information Security and the Protection of Digital Assets and the Information Security Standard that were developed through the Information Security Council. Physical protections are things like locked doors and closed-circuit TV cameras. Technical protections are things like data encryption. Procedural protections are things like the review of formal data access requests. The University has also developed guiding principles for data governance, that is, the processes and controls that ensure that data (information) are of high quality and used responsibly, following privacy laws and norms.
The University continually refines its security and privacy protections through a comprehensive information security program that involves continual review and enhancement of existing capabilities. This is done both proactively and in response to known and emerging threats. We run security awareness campaigns to equip staff, faculty and students with knowledge needed to protect themselves against security threats. The University also continues to expand the availability of security tools like:
- Multi-factor authentication (MFA)
- Office 365 security protections to staff, faculty and students
Additionally, the University partners with the Canadian Shared Security Operations Centre (CanSSOC) to detect and respond to evolving cyber threats facing the higher education community.
Access to and use of student data
An important part of keeping your information safe is managing who has access to it.
To provide University services and for other routine purposes, specific University employees are authorized to access the sections of your record that are needed to fulfill those administrative processes. Faculty and staff who access these personal details respect and are accountable for protecting your confidentiality and will share this information with others only when necessary, consistent with law and University policy.
Certain information (e.g., gender identity, race and ethnicity, income) is considered to be more sensitive. Also, sometimes new or non-routine uses of information (e.g. scholarly research) are proposed. In cases like these, the University has established processes to ensure that your information is used responsibly and ethically, and that the purposes and analyses are appropriate. These processes include the University’s Data Request Review process and, for scholarly research, Research Ethics Board review.
Learn more about access to and use of student information for program evaluation and for scholarly research.
Suppliers, vendors, and third-party service providers
When contracting institutional services with outside service providers, the University completes privacy and risk assessments to ensure that information will only be used for agreed purposes, and that there is no selling, renting or other commercial use (to sell, lease, licence, or transfer for financial gain) of student information.
Storage
Student information is held in institutional data systems on campus and in cloud-based data storage systems that have gone through security and privacy risk assessments. Cloud storage is a model of computer data storage in which the digital data are stored on multiple computer servers (databases) owned and managed by a third-party company (host).
Retention and destruction
The length of time that student information is retained depends on several factors, including:
- A student’s status with the University (admission, registration, graduation, etc.)
- Level of study (e.g., undergraduate, graduate)
- Engagement with other University programming (e.g., campus/student life)
For example, the student transcript and the records of doctoral students are kept forever. All other records are disposed of securely following the University’s retention, archiving, and destruction schedules.
Who should I contact if I have further questions?
If you have any questions about the University’s data practices, please contact the University Registrar’s Office. Your particular question may be better answered by another official at the University, but the University Registrar’s Office will direct your inquiry to the appropriate official at the University.
You may also wish to contact the Freedom of Information and Protection of Privacy Office.