This online version is for convenience; the official version of this policy is housed in the University Secretariat. In case of discrepancy between the online version and the official version held by the Secretariat, the official version shall prevail.
Approving Authority: President
Original Approval Date: July 3, 2013
Date of Most Recent Review/Revision: N/A
Office of Accountability: Assistant Vice-President: Academic Services
Administrative Responsibility: Information and Communication Technologies (ICT)
Both ICT and the Privacy Office have received numerous requests for direction regarding the collection, use, storage and destruction of data collected by the university. Additionally, there was a great deal of uncertainty about what departments’ obligations were regarding data (for example in order to comply with the Freedom of Information and Protection of Privacy Act). In order to address this, ICT and the Privacy Office worked together to create a policy which provides guidance about what records should be confidential and how all data at the university should be treated.
1.00 The purpose of this policy is to provide guidance to the University community regarding the classification, retention, storage, circulation and disposal of University records.
Any record of information created or used by the University however recorded, whether in printed form, on film, or by electronic means.
Recorded information about an identifiable individual.
Data Owners are University employees (AVP/Director level) who have direct operational-level responsibility for the management of one or more types of records, either in electronic or paper form. Data Owner responsibilities include:
In cases where multiple data owners collect and maintain the same restricted data elements, the data owners must work together to implement a common set of safeguards.
Data Custodians are ICT or computer system administrators responsible for the operation and management of systems and servers which collect, manage, and provide access to University data. Data Custodians must be authorized by the appropriate Data Owner and ICT. Data Custodian responsibilities include:
Data Consumers are the individual University community members who have been granted access to University data in order to perform assigned duties or in fulfilment of assigned roles or functions at the University. This access is granted solely for the conduct of University business. Data Consumer responsibilities include:
Information that is readily available to any member of the University community or to the general public, either by request or by virtue of its being posted or published by the university through proper administrative procedures. This type of information has no legal restriction on access or usage. It may include personal information collected for the express purpose of public release with the knowledge and consent of the individuals the information is about.
By way of illustration only, some examples of Open Data include:
Information whose unauthorized release could reasonably be expected to cause minor, short-term harm to individuals or to the University and is intended for only limited dissemination. Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, distribution, storage or other use. Protection of such information may be required by university policy and/or provincial or federal legislation. Access to Type 2 information is restricted to those who have a legitimate purpose for accessing such information. It is important to note that Type 2 information in the aggregate may migrate to Type 3, particularly with respect to personal information about an individual. Information must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure.
By way of illustration only, some examples of Internal Data include:
Information that, if compromised, could reasonably be expected to result in significant and/or lasting harm to an individual or the University such as identity theft, or reputational risk. This type of information is strictly protected by provincial or federal statutes or regulations, University policy, or contractual agreement(s) and must be protected from unauthorized access, modification, distribution, storage, destruction, or use. Access to type 3 information is restricted to those who have a legitimate purpose for accessing such information.
By way of illustration only, some examples of Restricted Data include:
3.01 This policy and associated appendices apply to all records within the custody and/or control of the University, including those relating to the operation and administration of the University and those records containing personal information relating to faculty, staff and students.
3.02 This policy and associated appendices do not apply to research and study notes, teaching materials, reports, manuscripts, publications and personal communications of individual faculty, staff and students (unless specifically commissioned or prepared under contract for the University or prepared in the context of administrative work).
4.01 The University Community shall manage records in their possession and control in such a way that they can be readily accessed and retrieved when needed.
All members of the University Community creating, sharing or using University records must comply with the following instructions. Failure to do so may be in violation of provincial acts and/or regulations.
The Privacy Office must be notified in a timely manner if data classified as Internal (Type 2) or Restricted (Type 3) is lost, disclosed to unauthorized parties or suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the University's information systems has taken place or is suspected of taking place. Please refer to Policy 10.1.
The University is subject to both federal and provincial legislation regarding the retention of records. The list below gives examples of legislative requirements which govern records frequently held by units/departments. For some areas that handle specialized documents, additional requirements may apply.
All procurement documentation, as well as any other pertinent information must be retained for seven years.
All records containing personal information must be kept for a minimum period of one year after their use.
Exams, essays and other student work should be kept as long as is necessary for the student to exhaust all avenues of appeal. This is generally a period of two years.
Emails are considered records and should be kept as long as necessary for employers. Best practice is to archive messages to make them more permanent.
In general, employee records should be kept for at least three years (see the Employment Standards Act for specific details)
All of the records and supporting documents that are required to determine your tax obligations and entitlements for a period of six years from the end of the last tax year to which they relate. Historical information such as records and supporting documents concerning long-term acquisitions and disposal of property must be kept indefinitely.
When there is a belief that litigation may occur, all related records should be kept for at least two years.
In addition to the above legislative requirements, each area should develop a records management plan appropriate for the particular records it maintains, in cooperation with ICT and the University Secretariat (see below).
The University requires its records be maintained in a consistent and logical manner, and that the University:
Areas that maintain University records are responsible for establishing appropriate records management procedures. Each unit’s administrative manager or equivalent must:
The University Secretariat and ICT are available to work with individual areas to implement these requirements. Faculty and staff should feel free to address questions about retention and destruction schedules to either of these offices. For steps in how to become compliant with policy 3.4, please see Implementing Policy 3.4: Steps for Data Owners.
The ICT department would like to advise the Laurier community that confidential information saved on laptops, USB flash drives and home computers must be encrypted to avoid disclosure due to theft, loss or malware.
All laptop computers and home computers that are used to store Laurier confidential information should be password protected and it is proper to put passwords on important files. However, neither of these measures provides enterprise level protection for confidential information. Hard drives can be removed from computers and document passwords are relatively easy to crack.
We recommend standard Windows XP folder encryption for Laurier confidential information stored on laptops and home computers. Encryption requires the NTFS file system. Most systems installed in the last five years will be using NTFS.
A Windows (for Windows xp, Windows 7, and Windows 8) folder is encrypted as follows:
For Mac OSX+ computers:
Only place important files in a confidential folder, there is usually no reason to encrypt pictures or music.
We recommend that Laurier confidential information should only be saved on a USB flash drive if that drive has hardware encryption. One such device is called IronKey. Ironkey flash drives can be ordered from the Bookstore. A hardware encrypted USB flash drive can be used securely on any computer.
Questions: please contact firstname.lastname@example.org.
We see you are accessing our website on IE8. We recommend you view in Chrome, Safari, Firefox or IE9+ instead.×