Privacy - Rules
The following are a series of rules TRU community members are obliged to respect:
1. Procuring Cloud Computing Services:
Cloud computing is “the practice of using the Internet to process, manage and store data on remote network servers.” The increased use of on-line services has resulted in the migration of University information from on-site storage to off-site servers controlled by service providers. If you are looking at using an online service it is likely a cloud service and there are legal requirements under the FIPPA that must considered.
To determine if there are any privacy risks to TRU for the on-line/cloud service you are considering:
A. Review TRU’s Cloud Security Standard: This document outlines the processes and responsibilities of procuring a cloud service. If your project does not involve any personal information, the privacy office takes no position.
B. If your project involves personal information (PI) in any manner, you must complete the TRU Preliminary Privacy Impact Assessment Tool (PPIA). This tool can usually be completed in less than 10 minutes, and will assist in determining the risk of your project with respect to the type of information that will be used and stored in the cloud. Email the completed PPIA tool to email@example.com.
Please note that any project that involves personal information to be stored or accessed from outside of Canada (including backup data), will require notification to the affected individuals and their consent as outlined in the FIPPA. Please contact the privacy office for assistance.
Questions to consider when procuring a cloud service:
- Is the data (personal information) stored and/or accessed outside of Canada? If yes, complete the PPIA tool.
- Are backups stored/accessed outside of Canada? If yes, complete the PPIA tool.
Questions you should be able to answer about your cloud service provider:
- Is the data encrypted on their server?
- Is the data encrypted in transit to their server?
- Who owns the data once it is on the server?
- Does the service provider agree not to access, use or disclose TRU data (sell or use the data) for their own purposes?
- What is the service provider’s retention policy for TRU data?
- Is TRU data returned or destroyed at the end of the service agreement?
- What happens if the service provider becomes insolvent?
- If the service provider experiences an information security/privacy breach that affects TRU data, are they required to advise TRU of the incident?
- Ask for a copy of the service provider’s data breach plan.
2. TRU Policies and Standards that assist with FIPPA Compliance
TheInformation Classification Standard explains the different classes of university information based on its sensitivity, and how each class of information should be transmitted, stored and disposed.
TRU’s Password Standards provide direction on minimum password strength requirements for accessing TRU systems.
TRU's Mobile Device Standards explain how to protect university information on any mobile electronic storage media such as notebooks, USB drives, CD's, etc.
TRU’s Records Retention/Destruction Policy sets out the period of time for which records must be retained before they can be destroyed.
The Responsible Use of Information Technology Policy applies to all members of the university community and explains requirements and responsibilities when using TRU’s computing resources including technology applications and facilities.
3. Confidentiality of Email and Emailing Personal Information
Emails sent between TRU work email accounts are relatively secure. It is acceptable to include small amounts of personal information (and other information of a confidential or sensitive nature) in the body of these emails. However, when you are sending large volumes of personal information, or when the information is highly confidential (e.g. personal health information), you should place this information in an encrypted attachment to the email.
Emails sent from TRU work email accounts to external email accounts are not a confidential and secure method of communication. Therefore, you must exercise extreme caution when emailing personal information (and other information of a confidential or sensitive nature) outside the TRU email system.
Depending on the nature of the information being sent to external email accounts, it is recommended that you encrypt your PDF and Word/Excel files. Encryption is a process of scrambling” information to make it unreadable to anyone who does not possess a key.