Guidelines for creating extracts of student data

It is important that student data is protected in compliance with appropriate legislation, regulations, and standards, as outlined in Policy 46.

  • Permission is required to create an extract (typically in the form of a CSV spreadsheet) of student or course data.
  • When creating an extract, include data that is strictly necessary for your purpose and limit the use of the file to the purpose for which it was compiled. Use of a download for any other purpose must be approved by the appropriate authority.
  • You (the person who creates the downloaded extract) are responsible for keeping track and maintaining control of data extracts. There is no mechanism to keep track of downloads once they have left the system.
  • Keep the extract on a university-managed storage system, e.g., a network drive or SharePoint.
  • If you must put the file on a laptop or external disk, the laptop needs to have an encrypted hard drive and the external disk needs encryption. Use a secure password.
  • Don't put an extract on a phone, tablet, or a USB thumb drive. Don't burn it to a CD-ROM.
  • Don't send the extract via email.
  • Periodically review your extract files and delete the unneeded ones. If you keep an extract for more than a year, review the University's policy on records retention.
  • Paper copies of the data must be stored securely and shredded when no longer needed.
  • Harvesting email addresses from the extract for a mass email requires approval as follows:
    • Mass email addressed to undergraduate students within a particular faculty needs approval of the associate dean - undergraduate studies of that faculty.
    • Mass email addressed to graduate students within a particular faculty needs approval of the associate dean - graduate studies of that faculty.
    • Mass email addressed to undergraduate students in multiple faculties needs approval of the Registrar.
    • Mass email addressed to graduate students in multiple faculties needs approval of Graduate Studies and Postdoctoral Affairs.
  • The authority governing the use of student data is Policy 46, and in the case of any conflict between these guidelines and Policy 46, the latter takes precedence. Any questions or comments regarding these guidelines should be directed to the University's privacy officer.