Examples of FIPPA-Compliant Practices
The practices listed on this page are intended as suggestions and are not the only way to be compliant with FIPPA.
Please contact the Privacy Co-ordinator at firstname.lastname@example.org if you have questions that are not addressed in this list, or have ideas for other ways University practices can be compliant with the Act.
E-mail addresses of non-employees should not be disclosed outside the university. When sending mass e-mails to non-employees, care should be taken to ensure that recipients cannot see the addresses of other recipients by using the bcc: function.
Disclosing students’ names in the classroom.
Instructors are free to disclose students’ names orally, and in written form, in the classroom for purposes appropriate to teaching. Examples of this are taking attendance, assigning topics, organizing students for group work, assessing classroom participation, facilitating classroom discussion, organizing tutorials, and returning assignments. It is suggested that instructors should warn students, in their syllabi and verbally, that identities will be disclosed in class. Instructors should also invite students with serious concerns about the use of their names to visit during office hours and investigate the possibility of alternatives in these special cases.
The following is an example of a warning that might be included in a syllabus:
Students’ names may be divulged in the classroom, both orally and in written form, to other members of the class. Students who are concerned about such disclosures should contact the course instructor to identify whether there are any possible alternatives to such disclosures.
Retention of final examinations.
The university should retain, for at least one year, all work collected from students that is not meant to be returned to the students after grading (final examinations, for example). There are also cases where other material collected for evaluation is not intended for return. This material should also be retained for at least one year.
Disclosure of Personal Information to Petitions and Other Committees.
The disclosure of personal information submitted by petitioners, to members of the petitions committee, should be limited to what is necessary for the committee to know, given the nature of the petition. Since petitioners are asking for special consideration, they must expect that the committee considering their requests will have access to their personal information. There is no right to anonymity at committee hearings. Indeed, in some cases it may be impossible for the committee to consider relevant issues without knowing the identity of the petitioner. Nevertheless, there are good reasons for restricted disclosure, so long as it does not impair the functioning of the committee. The possibility of disclosure to members of the committees should be noted on the form by which a student files a petition. Similar practices should be followed in other committees reviewing student information.
Retention of Video from Security Cameras.
Videotape or other electronic information created from security cameras contains personal information. However, this information is not used by the university unless an incident is later under investigation. When the information is not reviewed, it need not be retained. It can be “recorded over” at any time. However, if the information is reviewed as part of an investigation, the personal information has been used. It must, then, be retained for at least one year from the conclusion of the investigation.
Personal Information on Desktop Computers.
Files containing large amounts of personal information should be stripped of identifiers or stored on a secured shared drive on the network. If stored on a desktop, laptop, or other electronic storage device, the relevant files must be encrypted. Smaller files containing personal information, such as class lists and spreadsheets for grades, must be protected when stored electronically. Office computers should be set to time-out when unused.
Transporting Personal Information.
Where practical, employees should refrain from removing records containing personal information from the university. Great care should be taken with personal information that is stored in an electronic file saved on a portable data storage device, such as a CD, DVD, memory stick or laptop computer. In such cases Laurier’s ITS guidelines state that the information must be encrypted if the media are not secure. Locked offices and vehicles are not considered secure. Instruction on encryption techniques is available through Information and Technology Services. To reduce the risk of theft, hard copies containing personal information, such as examinations, admissions dossiers and petitions files, should be kept in a secure area. Records of personal information should not be stored in a vehicle overnight.
If devices or other media such as hard copies containing personal information are lost, stolen or otherwise accessed by unauthorized persons, this should be reported immediately to the Privacy Co-ordinator, for assessment and response.
Destroying Records Containing Personal Information.
Personal information must be retained for one year after its last use by the university. Secure destruction is required for discarded records containing personal information. Paper records must be crosscut shredded. DVDs and CDs should be shredded or cut into small pieces. Media for magnetic storage, such as hard drives, should be physically destroyed, or wiped and overwritten using software designed for this purpose. For further information see ITS’s Guidelines for Information Security.
The material submitted by students in assignments, term tests and essays is their personal information and should therefore be treated with care. Nevertheless, within the classroom, students cannot normally expect to remain anonymous. You may, for example, return these items in class by means such as reading out names or allowing students to go through piles of papers at the front of class, or you might allow them to access a pile of papers during your office hours. Supervised access to piles of assignments through departmental or decanal offices would comply with the Act. Assignments and the like should not be left unattended in halls, classrooms, or other similar venues.
Informing students about their grades.
Grades earned by students are their personal information. This information should not be accessible by other students. The most secure and efficient way to inform students about their grades is to use MyLearningSpace. If this is not possible, you might consider informing each student directly. For example, grades might be written on assignments handed back to students. These grades should not be easily visible to other students and might, therefore, be on a page other than the front page, where the student’s name is displayed. Grades should not be sent via e-mail.
Releasing personal information in emergencies.
FIPPA allows for communication within the University where there are serious concerns about a student's health or safety. If you are concerned a student may harm him/herself or others, immediately contact Special Constable Services at ext. 3333. A student's consent is not needed. Any disclosures to parents or other third parties will ordinarily be handled through Special Constable Services or Student Affairs.