Under Policy 46 – Information Management, all University records – including transitory records – are subject to information confidentiality classification, with increasing levels of confidentiality requiring increasing levels of security to safeguard the information from unauthorized use or disclosure. Records are either public or confidential, and confidential records requiring heightened security safeguards are classified as either restricted or highly restricted. Consult Policy 46 for the approved definitions of these four categories.
Authorization to access and use confidential information can arise directly from an employee’s work responsibilities, or it can be obtained from an information custodian with that authority or from the information steward with overall responsibility for the information.
The WatClass records retention schedules are the University community’s primary resource for learning of the information confidentiality classification for University records. Each retention schedule includes a section documenting the confidentiality classification of records within the records class.
If a records class or sub-category of records within the class is confidential (or restricted/highly restricted), this means that one can routinely expect to find confidential (or restricted/highly restricted) information within these records.
The information confidentiality classification is based on the following criteria:
- Information is Public if the information steward or an information custodian with the appropriate authority has explicitly approved making the information available to the public.
  - Public information is typically made available through University publications, websites which do not require authentication, or some other means, e.g., social media channels.
- Information is Confidential if the above condition does not hold.
  - You should treat information as Confidential unless you are certain that it is public. To confirm the confidentiality classification, contact the appropriate information custodian or the University Records Manager, or consult the WatClass records retention schedules.
  - Please note that preliminary drafts or versions of documents are transitory records that may differ significantly in their content from the final approved versions of the documents (the official records). They are therefore classified as Confidential even if the official record is public, unless the above criterion for public information applies to these preliminary versions.
- Confidential information is Restricted if the University has legal or contractual obligations to protect the information from unauthorized disclosure or use. The most common examples of restricted information are:
  - Personal information protected under the Freedom of Information & Protection of Privacy Act or the Personal Information Protection and Electronic Documents Act.
  - Suppliers’ confidential or commercially sensitive information provided to the University during procurement processes and protected under the Broader Public Sector Procurement Directive.
- Confidential information is Highly Restricted if it contains one or more of the following types of information, which have been designated as highly restricted by the University Secretary and CIO:
  - Social Insurance Numbers.
  - Bank Account Numbers.
  - Credit Card Numbers.
  - Driver’s License Numbers.
  - Personal Health Information, including Health Insurance Identification Numbers.
  - Information that is itself considered to be controlled technology as regulated by Controlled Goods Regulations, and technical data as defined by Technical Data Control Regulations under the authority of the Defence Production Act.
  - Information related to contracts governed by regulations of Public Services and Procurement Canada's Contract Security Program.
Information Security Safeguards
For guidance on security safeguards for restricted records containing personal information, consult the Information & Privacy website.
For guidance on security safeguards for highly restricted records, contact IST’s Information Security Services.
For guidance on the appropriate methods and technologies for sharing and communicating confidential information, see the Guidelines for secure data exchange.