February 1, 2012
Endorsed by Graduate Operations Committee, Undergraduate Operations Committee and Deans’ Council
Scope and Purpose
Student information maintained in faculties, academic departments, and schools may include information on which the admission decision was based; information regarding performance in classes and the completion of program milestones; information related to academic advising and information related to accommodation for special circumstances, petitions, discipline, grievances, and appeals. The information which the university collects, creates, and maintains about students is personal information under Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA).
These guidelines are a resource for faculty and staff members who manage student information. They are intended to promote awareness of the university’s obligations under FIPPA, to highlight university policies and procedures relevant to student information, and to provide recommendations and best practices for managing student information.
Statutory and Policy Requirements
Faculty and staff who create or maintain student information should be familiar with the following legislation, university policies, and breach response procedure:
The Registrar’s Office and the Graduate Studies Office are responsible for managing the university’s general, contractual relationship with undergraduate and graduate students respectively. These offices are responsible for the official student academic record maintained in the student information system (Quest).
Faculties, academic departments and schools, and associated academic support units such as Cooperative Education and the Centre for Extended Learning are responsible for managing the university’s relationship with the student as a learner. They create the supporting information that documents the student’s academic career including achievement in individual courses, fulfilment of program milestones and other requirements, and program completion. This information is often forwarded to the Registrar’s Office or the Graduate Studies Office to authorise updates to the core student record in Quest.
Faculty associate deans, directors of schools, and chairs of academic departments are responsible for ensuring that student information created and/or maintained in their departments is kept securely and retained and disposed of according to the university’s approved policies and procedures. This responsibility extends to information such as class grades, assignments, and examination papers that are often managed on a day to day basis by individual faculty members and other course instructors.
All faculty and staff are responsible for ensuring that they are managing student personal information in accordance with FIPPA and the university policies listed above. New faculty and staff members, including part-time instructors and teaching assistants, should be made aware of their responsibilities regarding privacy and retention of student information.
The only information about a student that is considered publicly available by the university (see Policy 46) is name, degrees received and date of graduation, faculty or college of enrolment, programs of study, merit-based awards and scholarships, and directory information used to facilitate communication among students. Individual students may request that this information not be released. See below for information about access to and disclosure of student information.
All other personally identifiable information about a student must be kept confidential according to the requirements of university policies, FIPPA, and any other legislation relevant to particular types of records. Confidential information includes:
- student ID and other identification numbers
- biographical information, such as home address and telephone number, personal e-mail address
- educational history including classes taken or enrolled in
- assessments or opinions about the student including marks and grades, comments on student work, and reference letters
- needs-based scholarships, bursaries, or awards
- health information
Student information must be kept in secure facilities and equipment (e.g., locked rooms and filing cabinets, password protected computer systems) accessible only to staff and faculty whose work requires them to have access. The university’s policy with regard to information security is Policy 46: Information Management.
Extra care must be exercised if student information is taken off-campus. The use of encryption is strongly recommended to prevent or minimize the potential for a breach. See: IST’s Security Standards for Desktops and Laptops, and Data Encryption pages for more information.
Keeping student information on personal equipment is discouraged. Any student information maintained on personal equipment is subject to the same security, breach response, retention, and destruction requirements as that maintained on university equipment.
Student information stored offsite or in other parts of the university must not have personal information such as names or ID numbers on the outside of the storage containers.
Most student information is subject to a security classification of “restricted.” Some information might be “highly restricted” (see Policy 46). Any security breach of student information (unauthorized access or disclosure, such as the loss or theft of files, laptops, or flash drives containing student information, or misdirected e-mail, etc.) must be reported immediately to the appropriate university officer (see Information Security Breach Procedure). The Information Custodian will work with the Privacy Officer who will advise whether notice to affected individuals and the Office of the Information and Privacy Commissioner of Ontario (IPC) is required. If notice is required, the Privacy Officer will provide guidance to the Information Custodian about the contents of the notice to the individuals and will laise with the IPC.
Access to Student Information
Faculty and Staff: Access to student information should be limited to faculty and staff who need the information to do their job. Information regarding accommodation for medical reasons, information related to disciplinary procedures, and needs-based financial information is considered particularly sensitive and should be accessible strictly on a need to know basis.
Students: Under FIPPA students have the right to access most personal information pertaining to them. This right extends not only to formal student files but to personal information wherever it is maintained, including in e-mail messages. The university may refuse a student access to certain types of information, for example, evaluative material received in confidence to determine suitability, eligibility, or qualifications for admission to an academic program or suitability for an honour or award.
Students do not have the right to access the personal information of individuals other than themselves. Returning assignments or exams to students or posting grades must be done in a way which does not reveal personal information to other students in the class. For more information, see Guidelines on Returning Assignments and Posting Grades.
It is also recommended that information which pertains to multiple students, such as grade revision forms, be filed separately rather than in the files of individual students.
Disclosure of Student Information
Disclosure refers to releasing student information to any party or agency (including parents, spouses, employers, and landlords) other than the student and university faculty and staff with a legitimate need to know.
Electronic posting of student personal information (including photographs) on publicly available websites (including social media sites such as Facebook) or websites available to faculty, staff, and students requires prior notice to the students who must consent to the use of their personal information in this way.
References: Be aware that information contained in references or recommendations for students is considered the personal information of the student and therefore faculty and staff members should not provide references without the consent of the student. An email from the student asking for a reference or the student naming the referee in an application can be considered consent. Students are advised to seek the agreement of potential referees before naming them in an application.
Responding to information requests
Requests from students for letters confirming their status or other academic information must be directed to the Registrar’s Office or the Graduate Studies Office. Employees should be cautious about responding to requests for student information even on an informal basis. Employees may seek advice from the Registrar’s Office, the Graduate Studies Office, or the university’s Privacy Officer.
Retention and Disposal of Student Information
Retention: Under FIPPA the university is required to keep personal information about students for a minimum of one year.
Beyond the one year minimum, student information must be kept only as long as necessary to complete the contractual obligations between the university and the student, to provide information on the academic achievements (such as transcripts) of the student to employers, educational institutions, licensing/regulatory bodies, and to the student him/herself, and to provide the student with appropriate support and other services.
In practice, this means that different types of student information are subject to different retention periods.
The core academic record in Quest, which includes data on a student’s identity, years of study, grades and academic milestones, and degrees and certificates earned, is the only record that the university retains indefinitely in relation to individual students.
Disposal: Under FIPPA, the university is also required to dispose of personal information securely and to keep a record of the disposal. Disposal must be authorized by the unit head or his/her delegate. For more information see Records Disposal Procedures.
Copies and Non-Official Information: Faculty and staff managing student information should make a clear distinction between official records and copies and other non-official information (for more information, see Managing Transitory Records).
The following are common types of non-official student information:
- Copies of forms and other documents sent to the Registrar’s Office or the Graduate Studies Office
- Copies provided to members of committees
- Database extracts
- Locally maintained databases, SharePoint sites, and other electronic collections of student information
Copies and other types of non-official student information are subject to the same security and destruction requirements as official records. Non-official information should be retained only as long as necessary for current work.
Anonymous data may be preserved. If a unit wishes to keep a database (for analysis or trend purposes, for example) which is otherwise scheduled for destruction, it may do so if all identifying information of individuals is removed from it. Assistance may be sought from the university’s Privacy Officer.
Electronic versus paper documents: A common misperception is that retention and disposal rules apply only to paper documents. In fact, the same rules apply regardless of the format in which the information is maintained. Therefore, when it is time to dispose of the paper copy of a document, it also time to dispose of the electronic version and vice versa.
Legal action: Student information that is related to actual or pending litigation or a government investigation must not be destroyed even if the retention period has expired. This restriction begins from the moment when a legal action or a government investigation is reasonably foreseeable, and remains in effect until removed by the Secretary of the University. Any member of faculty or staff who suspects a legal action or investigation may be pending should ensure their department head is aware of the matter. The department head should inform the Secretary of the University. The Secretary will notify you when records should be retained.
For questions or concerns regarding retention and disposal of student information, contact the University Records Manager.
Be aware that under FIPPA a student may request to see any e-mail about him/her sent by a faculty or staff member.
Most e-mails, such as correspondence between an instructor and a student relating to a course or relating to routine inquiries, should be retained for one year and then deleted. E-mails documenting a significant decision about a student’s academic career should be retained as part of the student file.
E-mail is not secure unless encrypted. Avoid use of e-mail to transmit sensitive personal or confidential information. If you must use e-mail to communicate, consider how to minimize the consequences of unintended disclosure (e.g., by disclosing only some information or by deleting personal identifiers). If you frequently use email to send sensitive information, consider whether there are other ways to deliver the information, such as use of a SharePoint site, or a secured, shared network drive. It may be better to communicate some types of information by telephone or in person.
To minimize the potential for a breach, instructors are encouraged to correspond with students only through the students’ Waterloo email addresses. It is suggested that instructors indicate on course outlines that they will only respond to emails sent from students’ Waterloo email addresses. See the university’s Guidelines on Use of E-mail for more information.
Best Practices for Managing Student Information
- Centralize student files where possible; this ensures that all substantive records relating to a student’s academic history are located in one easily accessible location, and will mean that personal information about a student can more easily be protected as well as retrieved in the case of an information access request, dispute, or some other emergency.
- When working away from campus, access student information through central systems such as Quest or OnBase or using remote desktop, rather than by removing files.
- Include information on privacy, security, retention, and disposal of student information as part of the orientation for new faculty and other course instructors, teaching assistants, and staff members.
- Make arrangements for departing course instructors such as sessional lecturers who are leaving the university and faculty members who are retiring to leave their course records (class grades, examinations and assignments, etc.) with the academic department or school.
- File students’ academic information separately from employment information (e.g., records of teaching or research assistantships, co-op or work study positions). Employment information has different retention requirements than student academic information.
- File information about multiple students separately rather than in individual student files (e.g., grade revision forms, ELPE result lists). Students may access much of their own information, but must not have access to information relating to other students.
- Keep particularly sensitive information such as discipline cases or medical information separately or in the file in a sealed envelope with access restricted only to those with a legitimate need to know.
- Make copies of student information only when absolutely necessary. Copies create extra work and extra responsibility since they are subject to the same security and destruction requirements as the official record.
Securely destroy expired student information on a regular basis – once a year or once a term is usually best – following the university’s records disposal procedures