Policy 46 - Information Management

The policies found on the website of the Secretariat are compulsory rules for the University community. The authoritative copies of the policies are held by the Secretariat and bear the seal of the University. The online version accessible through the website of the Secretariat is available for information purposes only. In case of discrepancy between the online version and the authoritative copy held by the Secretariat, the authoritative copy shall prevail. Please contact the Secretariat for assistance if necessary.

Established:	11 July 2016
Revised:	7 December 2022
Supersedes:	Statement on Information Management Policy 8 – Information Security Policy 12 – Records Management Policy 13 – Archives Policy 19 – Access to and Release of Student Information
Class:	G
Responsible/Originating Department:	Secretariat Information Systems & Technology
Executive Contact:	University Secretary Chief Information Officer

Related Policies, Guidelines & Procedures:

1. Policy 11 – University Risk Management
2. Policy 73 – Intellectual Property Rights
3. Policy 75 – Official Employment Files of Regular Faculty Members
4. Guidelines for Managing Student Information for Faculties, Academic Departments and Schools
5. Guidelines: Human Resource Records

1. Introduction 

Information is a vital asset, supporting academic and research excellence, and efficient management of services and resources. Effective management of information facilitates achievement of the University’s strategic objectives by

• increasing transparency and accountability while protecting the privacy of individuals;
• enabling decision-making and performance management;
• enhancing the efficiency and efficacy of programs and services; and,
• managing risk to the University by protecting its information assets and ensuring compliance with appropriate legislation, regulations, and standards.

It is therefore of paramount importance to ensure that appropriate standards, procedures, and accountabilities are in place to provide a robust framework for information management.

Information management encompasses records management, where “records” are the recorded information made or received by the University in the course of its administrative activities and kept as evidence of those activities, often to meet statutory requirements. In key places, this policy mentions records as well as information, to emphasise the full scope of this policy or to indicate where specific requirements exist for managing University records.

2. Scope 

The University’s information exists in many formats and media, including electronic and hard-copy textual documents, structured data, graphic images, sound and video recordings, or a combination of these. This policy addresses management of the following types of information:

• Records created and used in support of the University’s administrative activities, as documented in the University records classification scheme and retention schedules.
• Published information resources and archival collections owned or licensed by the University, used in support of the University’s teaching and research programs.
• Research data, reports, and other scholarly works (as defined in Policy 73 – Intellectual Property Rights) created and owned by University researchers, students, and employees which are made available to the University community through the University’s information management and IT infrastructure.

This policy applies to all individuals who are responsible for or use this information. University and ​Affiliated and Federated Institutions of Waterloo employees, contractors, students, visitors, volunteers, and all other individuals permitted to access and use the University’s information, must manage, use, share and safeguard this information in accordance with the principles described below, and the procedures and guidelines which supplement this policy.

3. Legal Framework 

The University’s records and information management responsibilities relate to a wide set of statutes and regulations, in particular, those monitored through the University’s Statutory Compliance Program.

These statutes include, amongst others:

• Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31 (“FIPPA”);
• Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A (“PHIPA”);
• Accessibility for Ontarians with Disabilities Act, 2005, S.O. 2005, c. 11;
• Broader Public Sector Accountability Act, S.O. 2010, c. 25;
• Income Tax Act, R.S.C., 1985, c. 1 (5th Supp.);
• Copyright Act, R.S.C., 1985, c. C-42;
• Employment Standards Act, 2000, S.O. 2000, c. 41;
• Employment Equity Act, SC 1995, c 44.

If any of these legal provisions are modified, abrogated, superseded, or added to, the policy shall be interpreted in accordance with the new legal framework.

 4. Purpose

This policy defines the framework of principles and practices which underpin the University’s approach to managing information throughout its lifecycle. These principles and practices guide individuals affiliated with the University in meeting the responsibilities of the roles associated with information management:

• Information Stewards are the owners of information in the custody of the University, or the senior-level employees who have been delegated responsibility, on behalf of the University, for the creation, maintenance, protection, and use of a collection of information, and for approving the disposal or destruction of information when it is no longer needed by the University.
• Information Custodians are the individuals with operational responsibility delegated by the information steward for a collection of information.
• Information Users are individuals who access and use information that is in the custody or control of the University.
• Information Service Providers are the employees or contractors who design, manage, and support the systems and services required by information stewards, custodians, and users to manage and use the University’s information. The information service provider’s work may sometimes require access to the information stored in the systems they support, to facilitate information systems and service design and improvements.

5. Principles and Practices

The following principles and practices are the framework for effective information management at the University:

• Accountability and Accessibility
  • In recognition of its public accountability, non-confidential information about the University and its programs, services, and governance is available to the public.
  • The University establishes and maintains guidelines to be followed by University employees in responding to requests for information from members of the public.
  • Students, employees, and other individuals have access to their personal information (as defined in FIPPA) collected by the University, in accordance with applicable laws, University policies and guidelines.
  • Employees have access to the information they need to meet their responsibilities on behalf of the University in a timely manner, having secured the proper permissions in advance and consistent with the requirements of FIPPA and PHIPA.
• Privacy and Confidentiality
  • While meeting its accountability responsibilities, the University also safeguards the confidentiality of personal information, commercially sensitive information, and other information, consistent with the provisions of FIPPA, PHIPA, and other applicable laws, regulations, contracts and agreements.
  • The University establishes and maintains procedures for the secure and appropriate sharing of confidential information within the University, and, when necessary, with government and other agencies authorized to access and use that information.
• Compliance
  • The University complies with the records and information requirements of all laws, regulations, contracts and agreements applicable to its operations, and adheres to generally accepted records and information management standards and best practices.
  • The University establishes and maintains the records and information management guidelines and procedures required to comply with laws, regulations, and University policies.
  • The University provides information stewards, custodians, users, and information service providers with the support they need to meet their information management responsibilities and to achieve improvements in compliance, security, and risk management.
  • The University promotes compliance with this policy and associated guidelines and procedures by making available to the University community suitable educational resources and training opportunities, as the need arises.
• Information Quality
  • The University establishes and maintains procedures for ensuring information quality, tailored to the requirements of the activities and processes in which the information is created and used.
  • Information quality is assured at the point of collection, and administrative records are created within a reasonable time of the transactions or events they document, to the greatest degree possible.
  • Authoritative sources of information and the official versions of records are known and accessible. Transitory records and information which the University does not need to retain to meet operational, legal, regulatory, fiscal or other requirements, are securely destroyed on a routine basis.
• Information Security
  • The University establishes and maintains procedures and other controls to ensure the security of its information, including prevention of unauthorized access to its systems and controls over third party and remote access.
  • The University maintains a security classification scheme, used to classify all of its information. This security classification guides appropriate practices related to: labeling, storing, transmitting and sharing information; disposing of unneeded information; protecting the integrity of information; and, allowing appropriate use and disclosure of information.
  • The University establishes and maintains security incident reporting procedures and investigates breaches of confidentiality and security.
• Information Lifecycle Management
  • The University establishes and maintains procedures to manage the entire lifecycle of its information, from the time of creation or collection and for as long as it is kept by the University.
  • The University maintains a records classification scheme, used to classify all University records by the functions and activities in which they are used, and records retention schedules, documenting the administrative units responsible for different classes of records, the required retention periods for records, and their final disposition (disposal, destruction, or long-term archival preservation).
  • The University establishes and maintains procedures to ensure that information and records are accessible and usable throughout their lifecycle, and available within the timeframe required by the activities in which they are used.
  • While most of the University’s information will be securely destroyed or disposed of when it becomes obsolete, some information assets are of enduring or permanent value to the University. The University establishes and maintains procedures to identify and ensure the continuing preservation of these information assets of long-term value.    

6. Roles and Responsibilities  

As noted above, the University’s information is managed by its information stewards, information custodians, information users, and information service providers. The relationship between information stewards, custodians, and users typically corresponds to the organizational or accountability hierarchy of the unit responsible for a collection of information.  The stewards of the University’s administrative information, for example, are the executive-level administrators with responsibility for one or more functional areas of the University; the information custodians are the managers and supervisors reporting up the administrative hierarchy to these stewards, as depicted in the University’s organization charts; and, information users are most often the university staff reporting to these managers and supervisors. The role of “information user,” however, extends to any person affiliated with the University who uses information in the custody or control of the University.

The University’s Information Stewards are responsible for the following:

• Reviewing and approving the standards, procedures, and other controls required for security, lifecycle management, risk management, and quality assurance of the information they steward.
• Ensuring that the management, use and protection of information are consistent with this policy, its associated guidelines and procedures, as well as relevant legislation, contracts and agreements.
• Assigning operational responsibility for information to one or more Information Custodians.

Information Custodians are responsible for the following:

• Understanding – and, when required, developing and recommending to the Information Steward – standards, procedures, and other controls for lifecycle management, risk management, quality assurance, appropriate use and security of information.
• Implementing and maintaining the information security controls that enforce the rules and procedures for information and records management.
• Granting and revoking Information Users’ and Information Service Providers’ access to information and, when necessary, instructing them on the authorized uses of that information, as approved by the Information Steward.
• Enabling the timely detection, reporting, and analysis of security incidents where circumvention, or attempted circumvention, of controls takes place.

Information Users are responsible for the following:

• Complying with the rules and procedures approved by the Information Steward for the use of information and records.
• Complying with controls implemented by Information Custodians, and reporting information security breaches they become aware of to the appropriate Information Custodian as quickly as possible.

The University’s Information Service Providers are responsible for the following:

• Delivering and supporting the systems, services, and information technology infrastructure required to manage and use the University’s information.
• Assisting Information Custodians in implementing and maintaining information security controls.
• Complying with these controls in their own work, and reporting information security breaches they become aware of to the appropriate Information Custodian as quickly as possible.
• Performing generally accepted system administration tasks including: physical site security; administration of security and authorization systems; backup and recovery procedures; capacity planning; and system performance monitoring.

The following administrative positions and bodies provide guidance and support to information stewards, custodians, users and service providers, to assist them in meeting the responsibilities described above:

• The University Secretary acts as chief records officer and is responsible for overseeing freedom of information and protection of privacy through authority delegated by the University President. The University Secretary is also generally responsible for monitoring statutory and regulatory compliance across all of the University’s activities. The University Secretary is assisted by:
  • The University Records Manager, responsible for developing and promoting compliance with the University’s records management program. This program includes the records management procedures, guidelines, educational resources, classification scheme and retention schedules described under the Compliance, Information Quality, and Information Lifecycle Management sections of the Principles and Practices of this policy.
  • The Privacy Officer, responsible for guidance concerning the statutory requirements for freedom of information and the protection of privacy, including guidance in response to information security breaches. The Privacy Officer provides advice and assistance in determining the appropriate information privacy and confidentiality classification for collections of information, and for meeting the requirements of the Accountability and Accessibility and Privacy and Confidentiality sections of the Principles and Practices, above. The Privacy Officer also reviews and approves the procedures described under the Privacy and Confidentiality section.
• The Chief Information Officer (“CIO”) is responsible for providing the University with reliable, secure, efficient, and effective centrally administered information systems and information technology infrastructure, and for managing associated risks for those systems. To support the mandates of University administrative units, the CIO authorizes and oversees the movement of information assets between University systems as required, for example, for information sharing and integration initiatives in keeping with this policy’s Principles and Practices. The CIO is assisted by:
  • The Information Security Officer, responsible for developing and maintaining standards, procedures, and other information security controls, and for coordinating the response to information security breaches, as described under the Information Security section of the Principles and Practices. The Information Security Officer maintains a directory of the categories of information in the custody or control of the University which are classified as “highly restricted.”
• The Associate Provost, Institutional Data, Analysis & Planning (“AP, IDAP”) is responsible for the provision of information and analysis to the University’s senior leadership, governance committees, and other internal stakeholders to facilitate decision-making and strategic planning. The AP, IDAP or delegates also provide information to external stakeholders including government agencies to fulfill the University’s regulatory data reporting accountabilities. The AP, IDAP may therefore authorize and oversee their unit’s access to and disclosure of authoritative information in University information systems as required for purposes within their mandate, in keeping with this policy’s Principles and Practices and in consideration of the complementary roles of other units in reporting institutional information.
• The University Librarian directs the provision of information services and resources in support of the teaching and research programs of the University. The Library’s resources include most of the published information resources, data sets, and archival collections owned or licensed by the University, including the University Archives.
• The Administrative Information Governance Committee (“AIGC”) facilitates collaboration amongst the stewards of the University’s administrative information, and is responsible for monitoring implementation of this policy with respect to this information. The AIGC maintains directories of the University’s administrative information stewards and the authoritative repositories of the University’s restricted and highly restricted administrative information.

7. Definitions 

“Information”: For the purposes of this policy, “information” means the recorded information, in any format or media, within the scope described in section 2 of this policy.

“Information Asset”: An information asset is a body of recorded information, defined and managed as a unit so it can be understood, shared, protected and used effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

“Use of Information” means any access to, collection, storage, transmission, copying, manipulation, or destruction of information.

“Custody of Information” means the keeping, care, watch, or security of information, approved and delegated by the steward of that information.

“Control of Information” means the power or authority to make a decision about the creation or collection, lifecycle management, risk management, use or disclosure, and destruction or disposal of information.

“Secure Destruction of Information” means that information selected for destruction is protected against theft, loss and unauthorized use or disclosure prior to its destruction. The information is destroyed or erased in an irreversible manner which ensures that the information cannot be recovered or reconstructed, by methods recommended by the Information Security Officer or the University Records Manager.

“Information Management”: The systematic, skillful control and custodianship of the University’s information and records in accordance with the principles and practices described in this policy, throughout all stages of the information lifecycle: collection or creation, and capture of information; organization and classification; storage; retrieval and dissemination to information users; and, final disposition (disposal, destruction, or long-term preservation).

“University Records”: Recorded information, regardless of format or medium, which is created, received, and maintained by the University in the course of its administrative transactions or activities, and which provides evidence of these transactions or activities. All works created by University employees as “assigned tasks” (as defined in Policy 73 – Intellectual Property Rights) are University records. University Records are the property of the University.

“Student Information”: The University records relating to a student’s admission to the University, their academic progress and achievements at the University and the University Colleges, and any other personal information of the student’s – including student identification photographs – which is collected and used by the University for administrative purposes.

• Student information does not include University records relating to cases covered by Policy 33 – Ethical Behaviour, Policy 70 – Student Petitions and Grievances, Policy 71 – Student Discipline, nor does it include students’ personal health information, as defined in PHIPA, in the custody or under the control of health care practitioners employed by the University.
• Given the fundamental importance of student information management to achieving the University’s mission, guidelines for access to and disclosure of this information are detailed in Appendix A of this policy.

“University Records Retention Schedule”: A guideline document describing a category of records associated with a University process or activity and the University’s legal and compliance recordkeeping requirements for that category. The University implements its records retention schedules to ensure that records are kept as long as legally and operationally required and that obsolete records are disposed of in a systematic and controlled manner. The records retention schedules provide employees with the information they need to adhere to approved records management requirements in a consistent manner.

“University Archives”: The University records selected for long-term preservation, after they are no longer needed for administrative purposes, due to their value as evidence and documentation of the University's history, organization, function and structures.

“Information Privacy and Confidentiality Classification”: The component of the University’s information security classification used to classify information in the custody or control of the university as either Confidential or Public.

• Information is Confidential where there is an expectation that such information will not be disclosed to anyone except those persons requiring the information for a legitimate purpose. Confidential information must be protected against unauthorized use (as “use of information” is defined, above) or disclosure.

• Restricted information is the subset of Confidential information where the protection of such information is required by law or regulation, or the university is required to provide notice to an individual or some authority if information is inappropriately used. The strength of security controls for information classified as Restricted will normally exceed those for information classified as Confidential.
• Highly Restricted information is the subset of Restricted information that presents a higher risk to the University if compromised, and is therefore subject to heightened security measures for its protection and restrictions on its use. Examples of highly restricted information include University records containing information commonly used to perpetrate identity theft, such as Social Insurance Numbers or bank account numbers.
  • Classification of information as highly restricted is subject to the approval of the University Secretary and the CIO, as advised by the appropriate Information Stewards and the Information Security Officer.
  • The Information Security Officer maintains a directory of the types of highly restricted information in the custody or under the control of the University, and assists Information Stewards and Custodians in developing and implementing the heightened security measures required for managing this information.

• Information is Public when no other security classification has been applied. The release of public information about the University by its employees is carried out in accordance with the guidelines described in the Accountability and Accessibility section of the Principles and Practices.

“Information Security Controls”: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

An “Information Security Breach” involves one or more of: a circumvention of information security controls; the unauthorized use of information; the unintended exposure of information.

Appendix A - Access to and Release of Student Information

Access within the University and by Other Universities

• Access to student information is restricted to the University’s information custodians, information users, and information service providers with a job-related need, as approved by the steward for that information.
• Access to student information on financial assistance based on financial need is restricted to student awards and financial aid staff in the Registrar's Office and Graduate Studies and Postdoctoral Affairs Office, as well as systems and reporting staff in Information Systems & Technology and Institutional Analysis & Planning.
• Access to student information on scholarships and awards based on academic performance is extended to those responsible for administering such programs in the Faculties or Colleges.
• Grades, résumés, co-op work histories, and citizenship status (as required by federal employers) are provided to prospective co-op employers interviewing students for co-op work term employment.
• Student information is shared with other universities for students cross-registered or enrolled in programs offered jointly by the University of Waterloo and another university or universities.
• The University collects specific and limited personal information on behalf of the Waterloo Undergraduate Student Association and the Graduate Student Association. This information is used for membership administration, elections, annual general meetings, and the administration of student benefit plans.
• Formal records of academic achievement (e.g., transcripts, graduation diplomas) will not be provided to the student if the student has outstanding debts to the University.

Access by Government Agencies

• The University is required to disclose students’ personal information to the Minister of Training, Colleges and Universities under the Ministry of Training, Colleges and Universities Act.
• The federal Statistics Act provides the legal authority for Statistics Canada to obtain access to students’ personal information held by educational institutions.
• Relevant student information is provided to government agencies involved in the administration of scholarship or financial aid programs, and to other government agencies for purposes consistent with the reason the information was originally collected.

Public Release of Student Information

• Responsibility for releasing student information (e.g., transcripts, grade reports, letters of standing) to members of the public is restricted to the Registrar and the Associate Vice-President, Graduate Studies and Postdoctoral Affairs, or their delegates.
• “Members of the public” means any person or agency other than the student and the University employees, other universities, government agencies, and prospective co-op employers, as described above, with a legitimate need to access student information. Members of the public include a student’s parents, spouse, other relatives, employers, landlords, as well as any other agencies, associations, or educational institutions, and their representatives.
• Provided the identity of individual students is protected, an instructor may convey information about student academic performance (e.g., grades on assignments, mid-term or final examinations) by posting results in a public place such as an office door, bulletin board or course website. Final examination and final course grades shall not be posted before the final examination period ends.
• A student’s Faculty or College of enrolment, programs of study, sessions in which the student is or has been registered, awards based on academic merit, degrees received and dates of convocation (are released by staff in the Registrar's Office or the Graduate Studies and Postdoctoral Affairs Office) upon request, to authenticate a student’s current or past status at the University. Any decision to restrict access to this information is done on a case by case basis by the Registrar or Associate Vice-President, Graduate Studies and Postdoctoral Affairs (or their delegates).
• The University retains the right at all times to state that any individual does not have a degree or other credential from the institution.
• The University creates student address directories to facilitate communication among students. Students may direct the Registrar's Office or the Graduate Studies and Postdoctoral Affairs Office to suppress their names from such directories.
• All other student information is considered private and confidential and normally will not be released to members of the public, except with the student's prior written consent, or on the presentation of a court order, or otherwise as required by law. Other student information includes, but is not limited to, social insurance number, date of birth, marital status, and details of individual courses (including courses in which the student is enrolled, and grades awarded).

Information Management Guidance 

(Note: these links are provided for information, only, and are not part of Policy 46 - Information Management)

Policy 46 Guide

Directory of Administrative Information Stewards

University Guidelines

• Statement on Security of Waterloo Computing and Network Resources
• Guidelines on the Use of Waterloo Computing and Network Resources
• Statement on Electronic Business

Information and Privacy Procedures and Guidelines

• Responding to requests for information
• Student access to student information
• Record-keeping
• Records and personal information
• Guidelines for confidential records
• Guidelines on use of email
• Returning assignments and posting grades

Information Security Procedures and Guidelines

• Basic security principles for information systems development/deployment
• Information security for research
• Privacy breach response procedure

• Guidelines for secure data exchange: Choosing information transmission methods based on the security classification
• Electronic Media Disposal Guidelines

Office of Research Ethics

• Guideline for researchers on securing research participants' data
• Privacy and security risk assessment tool

University Records Management Procedures and Guidelines

• Records Classification and Retention Schedule
• Managing Transitory Records
• Recordkeeping Guidelines for University Committees
• Records Disposal and Destruction