Guidelines
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 regulates the disclosure of personal information by Athabasca University (AU) employees. The FOIP Act defines personal information as recorded information about an identifiable individual, including anyone else's opinions about the individual.
Section 40(1)(d) of the FOIP Act states that AU may disclose an individual's personal information only if the individual has identified the personal information and consented, in the prescribed manner, to the disclosure.
Section 6 of the FOIP Regulation states that the consent must be in writing and must specify to whom the personal information may be disclosed and how the personal information may be used.
Employees who provide written or verbal references must obtain the individual's written consent.
Two forms have been drafted for employees to use when an individual requests a reference. One is for when another employee asks you to provide a reference and the other is for when a student asks you to provide a reference. A letter or email from the individual is acceptable, so long as the letter or email specifies to whom the personal information may be disclosed and how the personal information may be used.
Section 40(1)(x) of the FOIP Act allows an employee of AU to disclose personal information about another employee or former employee for the purpose of providing a reference within AU without obtaining the consent of the employee or former employee.
Any recorded information provided with the request for a reference (e.g., letter of reference) must be kept for one year and may be accessible under the FOIP Act in certain situations. It is highly recommended that the employee providing the reference keep a copy of the consent for one year.
It is preferable that an individual agree to have his or her consent in effect for a specified period (one year is recommended).
When Athabasca University (AU) collects personal information directly from an individual, the Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25, requires AU to inform the individual of:
- the purpose for which the information is collected
- the specific legal authority for the collection
- the title, business address and business telephone of an officer or employee of AU who can answer the individual's questions about the collection
All AU forms that collect personal information must be reviewed to ensure they comply with the FOIP Act. Forms should be reviewed and revised at every reordering or reprinting stage.
What personal information is being collected and why
Review each form and determine what personal information is being collected and why. For each piece of personal information being collected, ask why it is being collected. Include, on the form or on a separate sheet, a definition statement for each piece of personal information that clearly states what is being collected and why.
Purpose for which the information is collected
Once a definition statement for each piece of personal information being collected is completed, determine the purpose or purposes for which the personal information will be used. In most cases the purpose(s) will be the same as the definition statement for that piece of personal information.
Legal Authority for the Collection
Determine the authorization for the collection of the personal information on the form.
The FOIP Act allows for only the following authorizations:
- collection expressly authorized by an enactment of Alberta or Canada
- collection for the purpose of law enforcement
- collection relates directly to and is necessary for an operating program or activity of the public body
If the collection is authorized by an enactment of Alberta or Canada, that particular enactment must be stated.
If the collection is related directly to and is necessary for an operating program or activity of AU, the Post-Secondary Learning Act, S.A. 2003, c. P-19.5 and the FOIP Act (section 33(c)) will be stated.
Contact Information
Determine which position will be responsible for answering questions about the collection and use of the personal information. It is suggested that only a position title, not an employee name, be used on the form.
If the address is already on the form, you may just list the title of the position and telephone number.
Example of a definition sheet
Personal information requested on AU's Undergraduate General Application Form:
- Name: Identification of documents and records
- Former Name: Identification of documents and records
- Mailing Name: Identification of documents and records
- Mailing Address: University mailing purposes
- Email Address: Contacting purposes
- Telephone: Contacting purposes
- Are you a person with a disability? Optional question to identify if student requires assistance and what aids AU can provide
- Gender: University research and planning
- Current Occupation: Used to determine the 10-year restriction on transfer credit
- Date of Birth: Admission and identification purposes
- Citizenship: Admission
- Are you an aboriginal person? Optional question for University aggregate reporting
- Level of education: Admission, transfer, evaluation, and enrolment purposes
- S.I.N.: For funded students authorizing AU to act on their behalf with provincial student funding and/or financial institutions
Example of determined purposes
Purposes for the collection of the personal information requested on AU's Undergraduate General Application Form include:
- Admission
- Registration
- Issuing income tax receipts
- Scholarships and awards
- Convocating
- Sending education materials
- University research and planning
- Reporting to Statistics Canada and Alberta Learning
- Athabasca University Student Association
- Athabasca University Alumni Association
The Freedom of Information and Protection of Privacy Act defines a record as a record of information in any form and includes books, documents, maps, drawings, photographs, letters, vouchers and papers and any other information that is written, photographed, recorded or stored in any manner.
Confidential information is information that one person entrusts to another person with the expectation that privacy will be maintained. A record that contains confidential information is considered a confidential record.
Confidentiality is determined by the following factors:
- the existence of a statement or agreement of confidentiality
- evidence of an understanding of confidentiality
- past practices of Athabasca University in regard to keeping this type of information and records confidential
- the type of personal information being supplied
Information being supplied in confidence should be stamped, marked, or include a statement that it is confidential or being supplied in confidence. It is not sufficient to stamp information confidential and then treat it as any other general information. Confidential records must be consistently treated in a confidential manner. Sufficient evidence must exist to support the assertion of confidentiality.
The following guidelines should be considered for confidential records:
- Store confidential records in secure cabinets. Cabinets should always be kept locked when not in use, should not be located in a public area, and access to the cabinets should be limited to authorized employees only.
- Access to the confidential records should be restricted only to those employees that require the information.
- Confidential records should be placed in a file folder, envelope or other form of cover when out of the secure cabinet. When the record is not in use, it should be returned to the cabinet.
- Confidential records should never be left in an open area such as an in basket or on a desk. The record should be returned to the cabinet when not in use.
- Confidential records must be destroyed by confidential shredding only.
- Confidential records should be stored separate from other similar records. An example would be to have two personnel files for each employee. One file that contains general and accessible personal information and the other that contains only confidential information. The same could apply to student records.
- For electronic records, store confidential records in separate directories or files, restrict access to these directories or files, and remove by deletion only.
Examples of types of confidential records and information are:
- Reference letters
- Student Records
- Personnel Records
- Library Patron Records
- Evaluations of performance
- Counsellors Client Files
- Student Advisor's Client Files
- Grievance Files
- Appeal Files
- Payroll Records
Personal information is defined in the Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 as recorded information about an identifiable individual, including, but not limited to:
- the individual's name, home or business address or home or business telephone number
- the individual's race, national or ethnic origin, colour, or religious or political beliefs or associations
- the individual's age, sex, marital status or family status
- an identifying number, symbol or other particular assigned to the individual
- the individual's fingerprints, other biometric information (e.g., voice print), blood type or inheritable characteristics
- information about the individual's health and health care history, including information about a physical or mental disability
- information about the individual's educational, financial, employment or criminal history, including criminal records where a pardon has been given
- anyone's opinion about the individual
- the individual's personal views or opinions, except if they are about someone else
Athabasca University (AU) shall only collect personal information if:
- the collection of that information is expressly authorized by an enactment of Alberta or Canada
- that information is collected for the purposes of law enforcement
- that information relates directly to and is necessary for an operating program or activity of AU
AU shall collect personal information directly from the individual unless:
- another method of collection is authorized by that individual, another Act or regulation under another Act, or the Alberta Information and Privacy Commissioner
- the information may be disclosed to AU under the provisions of Part 2 of the FOIP Act
- the information is collected in a health or safety emergency where the individual is not able to provide the information directly, or direct collection could reasonably be expected to endanger the mental or physical health or safety of the individual or another individual
- the information concerns an individual who is designated as a person to be contacted in an emergency or other specified circumstances
- the information is collected for the purpose of determining suitability for an honour or award, including an honorary degree, scholarship, prize or bursary
- the information is collected from published or other public sources for the purpose of fundraising
- the information is collected for the purpose of law enforcement
- the information is collected for the purpose of collecting a fine or a debt owed
- the information is collected for use in the provision of legal service
- the information is necessary to determine the eligibility of an individual to participate in a program of or receive a benefit, product or service from the Government of Alberta or a public body and is collected in the course of processing an application made by or on behalf of the individual the information is about, or to verify the eligibility of an individual who is participating in a program of or receiving a benefit, product or service from the Government of Alberta or the University and is collected for that purpose
- the information is collected for the purpose of managing or administering personnel
When collecting personal information directly from an individual, AU shall inform the individual of:
- the purpose for which the information is collected
- the specific legal authority for the collection
- the title, business address and business telephone number of an officer or employee of AU who can answer the individual's questions about the collection
When Athabasca University (AU) collects personal information directly from an individual, the Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 requires AU to inform the person of:
- the purpose for which the information is being collected
- the specific legal authority for the collection, and
- the title, business address and business telephone number of an officer or employee of AU who can answer the individual's questions about the collection.
Once an individual is informed (in print or verbally), there is no need to provide further notification statements to that individual when they contact you or you contact them unless the purpose or use of that personal information changes. If the purpose or use of that personal information changes, you will then need to notify that individual again.
Notification Statements
The three components of a notification statement are:
1. Purpose
Clearly state why the personal information is being collected and how it will be used.
Some examples of purpose statements are:
- The personal information collected on this form will be used for the purpose of processing your request for library materials.
- The personal information collected on this form will be used for the purpose of processing your payment(s).
2. Authority
Section 33(c) of the FOIP Act states that no personal information may be collected by or for a public body unless:
- the collection of that information is expressly authorized by or under an Act of Alberta or Canada,
- that information is collected for the purposes of law enforcement, or
- that information relates directly to and is necessary for an operating program or activity of the public body.
AU's legal authority to collect personal information is generally the Post-Secondary Learning Act, S.A. 2003, c. P-19.5 and section 33(c) of the FOIP Act. In some situations, it may be another Act of Alberta or Canada, such as Canada's Income Tax Act.
An example of an authority statement is:
- This information is collected under the authority of the Post-Secondary Learning Act, S.A. 2003, c. P-19.5 that mandates the programs and services offered by AU and section 33(c) of the Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25.
3. Contact
The title, business address and business telephone number of an officer or employee of AU who can answer questions an individual has about the collection and use of personal information must be included in the notification statement.
If the business address is already printed on the form, you may consider listing only the title of an officer or employee, and business telephone number in the notification statement.
An example of a contact statement is:
- Supervisor, Academic Records, Athabasca University, 1 University Drive, Athabasca, AB Canada T9S 3A3 Telephone: (780) 675-6100. Toll Free: 1-800-788-9041.
Placement and Use of Notification Statements
1. Forms (print, electronic, voice)
Every form that collects personal information must have a notification statement. The notification may be placed directly on the form collecting the personal information, on a separate sheet, or in a brochure accompanying the form. It is recommended that the notification be placed directly on the form, preferably at the top. For electronic forms, it is recommended that a notification box appear before the individual accesses the form. For telephone touch-tone forms, it is recommended that a notification statement be provided before the individual accesses the form.
2. Telephone or In-person
A notification may be given verbally over the telephone or in-person. When notification is given verbally, ensure that the individual is fully informed of the purpose(s). If confirmation of a telephone collection of personal information is required, follow up with a mailing or handout of the notification statement.
3. Notices on the wall or desk
A notification may be placed on the wall or desk when personal information is being collected in-person from an individual. It is recommended that copies of the notification be available to individuals on request.
4. E-mail
If personal information is being collected by e-mail, a notification must be provided in the e-mail if it is the initial collection of that personal information. If the personal information being collected by e-mail is only to verify or correct personal information, then no notification statement is necessary.
5. Fax
If personal information is being collected by fax, a notification must be provided in the fax if it is the initial collection of that personal information. If the personal information being collected by fax is only to verify or correct personal information, then no notification statement is necessary.
Examples of Notification Statements
FORM – Undergraduate General Application
The personal information collected on this form and any other personal information collected and maintained as part of a student's record will be used for the purposes of admission, registration, issuing income tax receipts, scholarships and awards, convocating, sending educational information and for university research and planning. Certain personal information will also be disclosed to Statistics Canada (as required by the Statistics Act, R.S. 1985, c. S-19) and Alberta Advanced Education (as required by the Post-Secondary Learning Act, S.A. 2003, c. P-19.5) to meet reporting requirements, and by agreement, to the Athabasca University Students' Association and the Athabasca University Alumni Association for the purposes of membership, fee collection and contacting students. This information is collected under the authority of the Post-Secondary Learning Act that mandates the programs and services offered by Athabasca University and section 33(c) of the Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25. It will be protected by the provisions of the FOIP Act. If you have any questions about the collection and use of this information, contact Supervisor, Academic Records, Athabasca University, 1 University Drive, Athabasca, AB Canada T9S 3A3 Telephone: (780) 675-6100/Toll Free: 1-800-788-9041.
FORM – Visa, MasterCard or American Express
The personal information collected on this form will be used for the purpose of processing payments, and is collected under the authority of section 33(c) of the Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25. If you have any questions about the collection and use of this information, contact the Senior Accountant, Athabasca University, 1 University Drive, Athabasca, AB Canada T9S 3A3 Telephone (780) 675-6100/Toll Free: 1-800-788-9041.
FORM – Library Information Desk Request
The personal information collected on this form will be used for the purpose of processing your request for library material(s). This personal information is collected under the authority of section 33(c) of the Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25. If you have any questions about the collection and use of this information, contact the Director, Library Services, Athabasca University. Telephone (780) 675-6254/Toll Free: 1-800-788-9041 ext. 6254.
PHONE – Library Information Desk requests received over the phone
New Library Patrons
"To register you with the library, I need the following personal information from you."
Registered Library Patrons
"To process your request for library materials, I need the following personal information from you."
"To check the due dates of your library materials, I need the following personal information from you."
"To check the status of your request for library materials, I need the following personal information from you."
PHONE – Information Centre request for information over the phone
"To send you a viewbook, I need the following personal information from you."
"To check your midterm exam mark, I need the following personal information from you."
E-MAIL – Staff using e-mail to collect personal information
To ensure the library sends your library materials to the correct address, please e-mail back the address you wish to have the library material sent to.
FAX – Staff using fax to collect personal information
The library received your request for library materials. To process this request, the Library needs your student number and address.
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000 c. F-25 requires Athabasca University (AU) to ensure that the personal information it collects and maintains is accurate and complete. The FOIP Act also provides employees with the right to examine information held about them by AU and to request corrections of that information.
Requests from employees for routine changes, such as name, address, banking information, benefit information, leaves, and other similar personal information shall follow current processes and employees do not need to file a FOIP request for correction of personal information.
If an employee believes there is an error or omission in the personal information held about him or her by AU, they should be first encouraged to review their personnel record to determine if the error or omission actually exists. If an error or omission does exist, then they should be encouraged to follow current processes to have the correction or change made as outlined in the appropriate collective agreement(s) or AU Human Resources Policy and Procedures Manual.
If current processes do not satisfy an employee, then they shall be informed that they may file a FOIP request to correct personal information. The FOIP request must be in writing and must be directed to the FOIP Coordinator.
Under Section 36 of the FOIP Act, AU will:
- not correct an opinion, including a professional or expert opinion
- if correction is refused or cannot be made, annotate or link the personal information with that part of the requested correction which is relevant and material to the record in question
- if necessary, notify any other public body or third party to whom that information has been disclosed during the one year before the correction was requested that a correction, annotation or linkage has been made
- within 30 days of receiving the request, provide written notice to the individual requesting the correction of AU's decision
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c.F-25 requires Athabasca University (AU) to ensure that the personal information it collects and maintains is accurate and complete. The FOIP Act also provides students with the right to examine information held about them by AU and to request corrections of that information.
Requests from students for routine changes, such as name, address and grade changes, shall follow current processes and students do not need to file a request under the FOIP Act for correction of personal information.
If a student believes there is an error or omission in the personal information held about him or her by AU, they should be first encouraged to review their student record to determine if the error or omission actually exists. If an error or omission does exist, then they should be encouraged to follow current processes to have the correction or change made as outlined in the Student Confidentiality Policy, or another existing AU policy or procedure.
If current processes do not satisfy a student, then they shall be informed that they may file a request under the FOIP Act to correct personal information. The request must be in writing and must be directed to the Privacy and Policy Advisor.
Under Section 36 of the Alberta FOIP Act, AU will:
- not correct an opinion, including a professional or expert opinion
- if correction is refused or cannot be made, annotate or link the personal information with that part of the requested correction which is relevant and material to the record in question
- if necessary, notify any other public body or third party to whom that information has been disclosed during the one year before the correction was requested that a correction, annotation or linkage has been made
- within 30 days of receiving the request, provide written notice to the individual requesting the correction of AU's decision
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 provides students with a right to access personal information about themselves held by Athabasca University (AU). This right is limited by specific exceptions.
The FOIP Act also requires AU to protect personal information against risks of unauthorized access, collection, use, disclosure or destruction.
Many AU employees disclose a student's personal information to the student over the telephone when conducting AU business. When disclosing a student's personal information over the telephone, the employee must be reasonably certain that the person they are talking to is the student. It is recommended that employees complete the following steps to verify the identity of the student before disclosing the personal information the student is requesting:
- Ask for the student's name
- Ask for the student's ID#
- Ask for their mailing/home address
- Ask for their telephone number (home and/or work)
- Ask for the course name and number they are registered in.
Once you are reasonably satisfied that the individual you are talking to is in fact the student, proceed with handling their request for information following established procedures regarding disclosing personal information to a student. If the request is for information that is not normally disclosed, inform them that you cannot release that information right now and that you will call them back. If the information cannot be released, inform them that they may make a request under the FOIP Act for access to the information.
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 defines personal information as: recorded information about an identifiable individual, including but not limited to:
- the individual's name, home or business address, or home or business telephone number
- the individual's race, national or ethnic origin, colour, or religious or political beliefs or associations
- the individual's age, sex, marital status or family status
- an identifying number, symbol or other particular assigned to the individual
- the individual's fingerprints, other biometric information, blood type or inheritable characteristics
- information about the individual's health and health care history, including information about a physical or mental disability
- information about the individual's educational, financial, employment or criminal history, including criminal records where a pardon has been given
- anyone else's opinion about the individual
- the individual's personal views or opinions, except if they are about someone else.
The FOIP Act provides employees with a right to access personal information about themselves held by Athabasca University (AU). This right is limited by specific exceptions.
The following guidelines are to assist AU employees to make appropriate decisions respecting the disclosure of personal information.
You may routinely disclose the following records to an employee:
- their official employee record (paper and electronic) that is deemed to be accessible to them
- information supplied by the employee
- information copied to the employee
- performance evaluations written by the supervisor
- as outlined in the collective agreement(s).
The employee has the right to access his or her own employee record housed in Human Resources. Access will be made during normal office hours, and upon advance request in writing. When employees inspect their original records, examination will be permitted only under conditions that will prevent alteration or mutilation.
AU may withhold information from the employee under the following circumstances:
- if the disclosure of the information could reasonably be expected to threaten anyone else's safety or mental or physical health or interfere with public safety
- when, in the opinion of a qualified professional, disclosure of the information could reasonably be expected to result in immediate and grave harm to the employee's health and safety
- when the information reveals the identity of an individual who has provided information to AU in confidence about a threat to an individual's safety or mental or physical health
- when the information consists of a confidential evaluation compiled for the purpose of determining the employee's suitability, eligibility or qualifications for employment, awarding of contracts or other benefits
- when the information consists of advice or recommendations relating to the performance or conduct of the employee
- when the disclosure could reasonably harm a law enforcement matter or harm the effectiveness of investigative techniques and procedures.
The following categories of information should not be routinely released:
- letter of reference supplied in confidence
- evaluative comments provided by anyone other than the supervisor in a formal evaluation process
- documents relating to a grievance or appeal process
- documents relating to legal or administrative investigations
- letters of complaints.
If an employee record contains information that cannot be routinely disclosed, inform the employee that they may make a request under the FOIP Act for access.
If you are unsure whether specific documents should be disclosed, contact the FOIP/Policy Coordinator.
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 defines personal information as recorded information about an identifiable individual, including but not limited to:
- the individual's name, home or business address, or home or business telephone number
- the individual's race, national or ethnic origin, colour, or religious or political beliefs or associations
- the individual's age, sex, marital status or family status
- an identifying number, symbol or other particular assigned to the individual
- the individual's fingerprints, other biometric information, blood type or inheritable characteristics
- information about the individual's health and health care history, including information about a physical or mental disability
- information about the individual's educational, financial, employment or criminal history, including criminal records where a pardon has been given
- anyone else's opinion about the individual
- the individual's personal views or opinions, except if they are about someone else.
The following guidelines are to assist Athabasca University (AU) employees to make appropriate disclosure decisions.
You may disclose an employee's personal information to a third party if the disclosure is not an unreasonable invasion of the employee's personal privacy. The following information is considered not to be an unreasonable invasion of an employee's personal privacy:
- employment status
- business address, telephone number, email address
- job title and description
- classification level and salary range
- discretionary benefits
- relevant educational qualifications
- attendance at or participation in a public event or activity related to AU
- personal information already in the public domain.
Certain personal information of an employee may be restricted in specific cases for security reasons. If the information is included on the staff directory, in a publication produced by AU, or on the Web, it is not restricted and can be released. If you are unsure about disclosing some information, call the employee and confirm before releasing the information.
You may disclose an employee's personal information to a third party if the employee has consented, in writing, to the disclosure. The following situations may apply:
- providing exact salary information to a bank
- home address and telephone number
- providing a potential employer with performance evaluation information
- providing a potential employer with employment history.
You may disclose an employee's personal information to a third party if the disclosure is authorized under section 40 of the FOIP Act. Some common situations are:
- for the purpose for which the information was collected or compiled
- for a use consistent with the purpose for which it was collected or compiled
- for any purpose in accordance with an enactment of Alberta or Canada that authorizes or requires the disclosure
- for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body having jurisdiction to compel the production of information
- to an officer or employee of AU if the information is necessary for the performance of his or her duties
- for the purpose of enforcing a legal right that AU has against any person
- for the purpose of collecting a fine or debt owing by the individual to AU
- for the purpose of determining or verifying an individual's suitability or eligibility for a program or benefit
- for audit purposes
- for the purpose of complying with a collective agreement
- for the purpose of contacting the spouse, relative or friend of an injured, ill, or deceased employee
- to an expert for the purposes of protecting the individual or public from harm
- for the purpose of managing or administering personnel of AU.
Consult section 40 of the FOIP Act for a complete listing.
Athabasca University (AU) will continue to provide access to records that do not contain confidential or personal information, and that are now released routinely. Access will be provided according to those procedures used in the office that has custody of the information. Some fees may apply.
As new records are created, offices will review them to determine if they could be subject to routine release.
Information that is routinely released is considered to be information that is available for distribution upon request, and does not contain confidential or personal information.
If the general information is not normally or routinely released, the individual must be informed that they have the right to request access to the information under the Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 and access will be provided according to the procedures established for processing a FOIP request.
The following guidelines are to assist AU employees to make appropriate disclosure decisions regarding disclosure of general information.
You may routinely disclose the following common categories of records:
Information available on the AU Website (Internet) that the general public has access to:
- Published Annual reports
- Published Annual Financial report
- Published Strategic Plan
- Calendar
- Published reports and studies
- Some AU committee meeting minutes
- Collective Agreements
- Organizational Chart
- Program brochures and pamphlets
- Student Services brochures and pamphlets
- Staff Phone List
- AU Newsletters
- Position Descriptions.
You may not routinely release the following categories of records:
- Information available on the AU Website (Intranet) that is not accessible to the general public, but only to staff
- Draft versions of reports and studies
- Department Staff Phone lists that include more personal information than that of the Public version Staff Phone List
- Documents stamped or labeled "For Internal Use Only"
- Some AU Committee meeting minutes (In camera sessions)
- Administrative Files
- Draft Planning Reports and Documents
- Draft versions of any document
- Contracts and Agreements between AU and a Third Party for goods and services
- Records that contain personal information
- Governing Authorities Confidences
- Third Party Commercial Information
- Information that may harm the business interests of AU
- Testing or audit procedures
- Information considered to be advice from officials relating to AU planning
- Information that will be made available to the Public.
If you are unsure whether specific documents or records should be disclosed, contact the Privacy and Policy Coordinator.
The Alberta Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 defines personal information as recorded information about an identifiable individual, including but not limited to:
- the individual's name, home or business address, or home or business telephone number
- the individual's race, national or ethnic origin, color, or religious or political beliefs or associations
- the individual's age, sex, marital status or family status
- an identifying number, symbol or other particular assigned to the individual
- the individual's fingerprints, other biometric information, blood type, genetic information, or inheritable characteristics
- information about the individual's health and health care history, including information about a physical or mental disability
- information about the individual's educational, financial, employment or criminal history, including criminal records where a pardon has been given
- anyone else's opinion about the individual
- the individual's personal views or opinions, except if they are about someone else.
Section 40(1) of the FOIP Act lists the only circumstances under which Athabasca University (AU) may disclose personal information. This is reflected in the Student Confidential Policy: Office of the Registrar.
Section 40 enables disclosure; it does not require disclosure.
The following guidelines are to assist AU employees to make appropriate disclosure decisions.
You may disclose a student's personal information to a third party if the disclosure is not an unreasonable invasion of the student's personal privacy. The following information is considered not to be an unreasonable invasion of a student's personal privacy:
- admission to AU
- enrolled in a particular program
- received an honour or award (including a degree, diploma, or certificate)
- attended or participated in a public event or activity related to AU
- graduated from AU
- if already available in the public domain.
However, if a student has requested AU not disclose any or all of the information above, then AU must make reasonable security arrangements to accommodate this request.
You may disclose a student's personal information to a third party if the student has consented, in writing, to the disclosure. The following situations may apply:
- reference letters to potential employers or admission to a graduate program
- acknowledgment letter to an employer that the student has successfully completed the course/program
- reference letter to another institution acknowledging that the student has been admitted to AU and is entitled to services offered by that institution under a contractual agreement.
You may disclose a student's personal information to a third party if the disclosure is authorized under Section 40 of the FOIP Act. Some common situations are:
- for the purpose for which the information was collected or compiled
- for a use consistent with the purpose for which it was collected or compiled
- for any purpose in accordance with an enactment of Alberta or Canada that authorizes or requires the disclosure
- for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body having jurisdiction to compel the production of information
- to an officer or employee of AU if the information is necessary for the performance of his or her duties
- for the purpose of enforcing a legal right that AU has against any person
- for the purpose of collecting a fine or debt owing by the individual to AU
- for the purpose of determining or verifying an individual's suitability or eligibility for a program or benefit
- for audit purposes
- for the purpose of complying with a collective agreement
- for the purpose of contacting the spouse, relative or friend of an injured, ill, or deceased student
- to an expert for the purposes of protecting the individual or public from harm.
Consult Section 40 of the FOIP Act for a complete list of authorities.
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 defines personal information as recorded information about an identifiable individual, including but not limited to:
- the individual's name, home or business address, or home or business telephone number
- the individual's race, national or ethnic origin, color, or religious or political beliefs or associations
- the individual's age, sex, marital status or family status
- an identifying number, symbol or other particular assigned to the individual
- the individual's fingerprints, other biometric information, blood type, genetic information, or inheritable characteristics
- information about the individual's health and health care history, including information about a physical or mental disability
- information about the individual's educational, financial, employment or criminal history, including criminal records where a pardon has been given
- anyone else's opinion about the individual
- the individual's personal views or opinions, except if they are about someone else.
The FOIP Act provides students with a right to access personal information about themselves held by Athabasca University (AU). This right is limited by specific exceptions.
AU's Confidential Policy Collection, Use, Disclosure, and Disposal of Student Personal Information and Records outlines what information will be disclosed to a student.
The following guidelines are to assist AU employees to make appropriate disclosure decisions.
You may routinely disclose the following records to a student:
- transcripts
- letters of certification
- their official student record (paper and electronic)
- information supplied by the student
- information copied to the student
- graded assignments and exams.
The student has the right to access his or her own records on submission of acceptable identification. Access will be made during normal office hours, and upon advance request in writing. When students inspect their original records, examination will be permitted only under conditions that will prevent alteration or mutilation.
AU may withhold information from the student under the following circumstances:
- if the disclosure of the information could reasonably be expected to threaten anyone else's safety or mental or physical health or interfere with public safety
- when, in the opinion of a qualified professional, disclosure of the information could reasonably be expected to result in immediate and grave harm to the student's health and safety
- when the information reveals the identity of an individual who has provided information to AU in confidence about a threat to an individual's safety or mental or physical health
- when the information consists of a confidential evaluation compiled for the purpose of determining the student's suitability, eligibility or qualifications for employment, awarding of contracts or other benefits
- when the information consists of advice or recommendations relating to the performance or conduct of the student
- when the disclosure could reasonably harm a law enforcement matter or harm the effectiveness of investigative techniques and procedures.
The following categories of information should not be routinely released:
- letter of reference
- evaluative comments provided in a formal evaluation process
- documents relating to a grievance or appeal process
- documents relating to legal or administrative investigations
- letters of complaints.
If a student record contains information that cannot be routinely disclosed, inform the student that they may make a request under the FOIP Act for access.
If you are unsure whether specific documents should be disclosed, contact the Privacy and Policy Coordinator.
Section 38 of the Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 requires Athabasca University (AU) to protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or destruction.
Student examinations and assignments fall under the definition of personal information in the FOIP Act. Reasonable security arrangements need to be taken when receiving or returning examinations and assignments.
- Examinations and assignments should not be left in a public area.
- Examinations and assignments should not be placed in a public area for pickup.
- Other students should not be allowed to handle exams or assignments other than their own.
Suggested ways to receive examinations and assignments include:
- Encourage students to submit examinations and assignments directly to the individual that will be marking the examination or assignment. Outside of a classroom setting, the student should place his or her exam or assignment in an envelope and seal it before submitting. The envelope should only have the name of the individual that will be receiving the examination or assignment.
- If students submit their examinations or assignments to a department or administrative unit, the staff in the department or administrative unit should immediately place the examination or assignment in an envelope, seal the envelope, and write only the receiver's name on the front.
- When students write an examination or assignment at a location other than AU, such as an invigilation centre, the individual invigilating the exam or assignment should be informed of the necessary procedures that need to be followed to protect the personal information of the student. Clearly written instructions should be provided to the invigilator with the examination or assignment.
- If examinations or assignments are submitted electronically, precautions need to be taken to ensure only authorized individuals have access to the electronic file, and only the examinations or assignments that are required to be retained for one year are kept and no other copies made or stored.
Suggested ways to distribute examinations and assignments include:
- Return examinations and assignments in a sealed envelope directly to the student.
- Return examinations and assignments through electronic means ensuring proper transmittal has occurred and access is restricted only to authorized individuals.
- Return examinations and assignments during class time.
- Place examinations and assignments in sealed envelopes and allow students to retrieve them from a designated office area.
- Establish a central area and have administrative staff retrieve the examination or assignment for the student.
Exceptions are permitted only if each student gives prior written consent to the open distribution of their examination or assignment. A method of collecting and administering this consent would also be needed.
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 allows any individual the right to request access to records in the custody or under the control of Athabasca University (AU), subject to limited and specific exceptions. The FOIP Act also requires AU to make every reasonable effort to assist individuals and to respond to each individual openly, accurately, and completely.
The FOIP Act is in addition to and does not replace other methods of obtaining information. If the information is already or can be made routinely available, an individual should be provided access to or a copy of the information without having to make a request under the FOIP Act.
All AU employees should make reasonable effort to assist individuals and to respond openly, accurately, and completely to an individual who has made a request for information or access to records. If you are unsure whether or not the information should be disclosed, contact your Supervisor, Manager or the Privacy and Policy Coordinator.
An individual does not have to state why they want the information.
Every request should be handled quickly, efficiently and in a professional manner.
If the request is for personal information of another individual or general information that would not normally be released, inform the requestor of the reasons for denying access to this information and that they may make a request under the FOIP Act.
Each office should review the information and record it collects and maintains to determine what can be routinely released, how it should be released, and what would not be released without a FOIP request.
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 applies to all records in the custody or under the control of Athabasca University (AU). If you store some of your personal records or records of an organization you are a member of in your office or at your workstation, you need to be aware of the possible FOIP impacts.
Custody means the possession of a record by AU, including situations where the records of a third party are stored on the premises of AU.
Control means when AU has the authority to manage the record, including restricting, regulating and administrating its use, disclosure and disposition.
Your personal records are not covered by the FOIP Act if:
- they were not created in the course of your AU duties and responsibilities
- the content does not relate to the AU mandate and functions
- they are not integrated with AU records.
Your personal records are covered under the FOIP Act if:
- they consist of records relating to the operational functions of AU
- the records are used in making decisions relating to AU business
- the records were created in the course of conducting your duties and responsibilities as an AU employee
- they are integrated with other AU records in your office filing cabinet or on your computer.
Some suggested guidelines to follow:
- do not store your personal records on AU premises
- clearly label the records
- file and store the records separate from AU records
- do not integrate the records with other AU records
- do not use AU resources to control and maintain the records
- if you have in your custody the records of another organization and you use AU resources to control and maintain them, inform AU that they are in your custody, how long you expect to have them on the premises and any conditions that apply to their control and maintenance, and clearly note that they are not AU records.
Section 38 of the Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 requires Athabasca University (AU) to protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or destruction.
To comply with the privacy rules of the FOIP Act, and to ensure confidential or personal information transmitted or received by fax is protected, the following security precautions will be taken:
Sending
- Include on the cover page the sender's name, telephone and fax numbers, the recipient's name, telephone and fax numbers, the number of pages being sent, and a confidentiality statement.
- Mark the document "Confidential."
- Notify the recipient when the fax will be transmitted, and confirm that the receiving fax machine is in a secure area, that they are or will be available to receive the fax immediately, or that the material will be secured on arrival. If they are not or will not be available, or the material will not be secure on arrival, arrange a time and date when they are available before sending the fax.
- Visually verify the correct fax number is displayed on the screen before proceeding with a manual transmission.
- When using preprogrammed fax numbers, double-check the fax number(s) before sending. If necessary, phone to confirm the destination fax number and recipient.
- For very sensitive material, consider confirming receipt of the faxed information by calling the recipient or having the recipient call the sender upon receipt of the document(s).
- Check the fax transmission report to confirm the transmission was dispatched properly.
- Ensure fax number master lists and pre-programmed lists are current and accurate.
Confidentiality Statement - This fax is intended only for the use of the individual to whom it is addressed and may contain information that is privileged and confidential. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this fax in error, please notify us immediately by telephone and then destroy the original. Thank you.
Receiving
- Locate fax machines in a secure area with controlled access.
- Check the number of pages actually received to ensure the number recorded on the fax cover sheet is the same.
- Notify a sender immediately of a fax received in error and return or destroy the received document.
- If a computer is used to receive faxes, automatically route faxes to a directory that can only be accessed by authorized persons.
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 allows for the collection of personal information if:
- The collection is authorized by an enactment of Alberta or Canada
- The collection is for law enforcement purposes
- The information relates directly to and is necessary for an operating program or activity of Athabasca University (AU).
AU offers services to students that require the collection of certain personal information that would not normally be collected and maintained. To provide a particular service, an employee may collect certain personal information directly from an individual or from another source (usually authorized by the student) to enable the employee to provide or arrange the required or necessary service(s) for the student. Most times, the information is provided in a manner that would be considered "supplied in confidence" to a particular employee even though no written statement stating it was provided in confidence was involved.
Some employees are authorized to collect and maintain certain types of personal information that may be disclosed to other employees of AU. These same employees may also have the authority to request or authorize special services for a particular individual. In these cases, it is important to inform the rest of the AU community of the roles and responsibilities these employees have, and of their ability to authorize or request services beyond what another AU office would normally provide.
In these circumstances, the individual that the personal information is being collected directly from will be informed of the purpose for the collection, the authority under which it is being collected, and whom they can contact if they have any questions regarding the collection and use of this information. If the personal information is to be collected from a third party, then the individual's written consent is usually required before the employee may contact and collect the personal information from a third party. Contact the Privacy and Policy Coordinator for guidance whether consent must be obtained.
The FOIP Act requires AU to protect personal information by making reasonable security arrangements against such risks as unauthorized access, use, or disclosure.
AU shall make reasonable security arrangements to protect access, use and disclosure of this personal information. This may include not placing the information on the student information database, coding the information before placement on the student information database, or establishing a separate student file that would contain only this type of personal information.
Access, use or disclosure to other AU offices and employees is only on a "need to know" basis to fulfill their responsibilities. In some cases, the office or employee may only be informed of the service(s) required or necessary for the individual, but not the reason the service is being requested.
Section 38 of the Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 requires Athabasca University (AU) to protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or destruction.
The practice of posting student grades in an identifiable form such as by name or student identification number sorted in alphabetical order is considered an unreasonable invasion of privacy and not appropriate under the FOIP Act.
If it is necessary to post student grades, the student's name should be stripped from the list and the marks given in non–identifiable form sorted in numeric sequence by student number. If a list, even in non–identifiable form, enables others to identify an individual student, it is recommended that no list be produced and posted.
An exception to this practice is possible only if each student gives her/his prior written consent to disclose his or her grades in identifiable form. A process of collecting and administering this consent would also be needed.
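As an added illustration (not part of AU's guideline or of any AU system), the following Python sketches the two outcomes the guideline allows: a de-identified list with names stripped and rows ordered by student number, withheld entirely when the group is so small that readers could still work out who is who, and an identifiable list only when every student has given prior written consent. The minimum group size, the record layout, the consent-tracking set and the sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumption for this example: a de-identified list for fewer students than
# this is treated as re-identifiable (in a class of two, each student can
# infer the other's grade) and is therefore not produced at all.
MIN_GROUP_SIZE = 5


@dataclass(frozen=True)
class GradeRecord:
    """One row of the marker's grade sheet (constructed layout, not AU's)."""
    name: str
    student_number: str
    grade: int


def deidentified_grade_list(
    records: Iterable[GradeRecord], min_group_size: int = MIN_GROUP_SIZE
) -> Optional[List[Tuple[str, int]]]:
    """Return (student_number, grade) rows sorted by student number, with names
    removed, or None when no list should be posted.

    None is returned when the group is below min_group_size, or when two rows
    share a student number, since a duplicate number would make a grade
    attributable to the wrong student.
    """
    rows = list(records)
    if len(rows) < min_group_size:
        return None
    numbers = [r.student_number for r in rows]
    if len(set(numbers)) != len(numbers):
        return None
    return sorted((r.student_number, r.grade) for r in rows)


def identifiable_grade_list(
    records: Iterable[GradeRecord], consented_numbers: Set[str]
) -> Optional[List[Tuple[str, str, int]]]:
    """Return (name, student_number, grade) rows only if every student on the
    sheet has given prior written consent (tracked here, by assumption, as a
    set of student numbers); otherwise return None and post nothing in
    identifiable form.
    """
    rows = list(records)
    if any(r.student_number not in consented_numbers for r in rows):
        return None
    return sorted((r.name, r.student_number, r.grade) for r in rows)


# Constructed sample records; the names and numbers are not real students.
SAMPLE_RECORDS = [
    GradeRecord("Dana", "3004521", 81),
    GradeRecord("Ari", "3001987", 74),
    GradeRecord("Lee", "3002210", 92),
    GradeRecord("Sam", "3003876", 67),
    GradeRecord("Rae", "3001102", 88),
]

if __name__ == "__main__":
    print(deidentified_grade_list(SAMPLE_RECORDS))
    print(deidentified_grade_list(SAMPLE_RECORDS[:2]))  # too small: None
    everyone = {r.student_number for r in SAMPLE_RECORDS}
    print(identifiable_grade_list(SAMPLE_RECORDS, everyone))
    print(identifiable_grade_list(SAMPLE_RECORDS, everyone - {"3002210"}))  # None
```

The group-size threshold is the part worth deciding deliberately: the guideline leaves "enables others to identify an individual student" to judgement, and a fixed minimum makes that judgement repeatable and auditable rather than ad hoc.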
1. Don't keep and file transitory records
Transitory records are records that have only short–term, immediate value to your office, or that you will not need again in the future.
(See the Guideline – Transitory Records for more information)
Under the Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25, all records in the custody or under the control of Athabasca University (AU) are subject to the Act. This includes transitory records.
Keeping and filing transitory records wastes staff time and funds on filing, storing, searching and disposing of records that should not have been kept or filed in the first place. In the event of a FOIP request, these records would have to be reviewed the same as any other records in the custody or under the control of AU, which in some cases means a lot of extra review work for staff.
It is recommended that transitory records only be kept for the time they are required, not filed, and disposed of accordingly.
2. Manage your E-mail
Under the FOIP Act, e-mail is considered to be a record and should be managed as any other record. It is best to manage them as you receive or create them. Depending on your office file management procedures, file the e-mail into its electronic file folder, or print out, file in paper file folder and delete it from the system.
E-mails that are considered to be transitory records should be deleted after they serve their purpose.
Practicing good records management with e-mails lessens the impact of having to search and retrieve e-mails in the event of a FOIP request.
3. Manage your incoming mail
Incoming mail received from internal and external sources needs to be opened, reviewed and dealt with in a timely manner. It is very possible that any staff member in AU could receive a FOIP request. If this is the case, the request needs to be forwarded to the Privacy and Policy Coordinator ASAP and dealt with in a specific time period as outlined by the FOIP Act.
It is strongly recommended that each and every staff member open, review and determine what is required for each piece of incoming mail in a timely manner (each working day) or arrange for someone else to deal with your mail when you are away.
Upon opening and reviewing, determine the value of the record, what needs to be done, and what its final disposition is. Many items will be transitory and can be disposed of upon review. Items you may wish to refer to later should be filed. Again, dealing with items as they arrive saves time later and, in the event of a FOIP request, reduces the number of records that need to be reviewed.
4. Creating records
When creating a record (writing a memo, a letter, an e-mail, a report) always keep in mind that the record could be subject to a FOIP request.
Organize the information in the record to enable severing when personal information is involved.
If the information is confidential, clearly label the document as such.
If the information is draft, clearly label the document as such.
Avoid quoting another individual unless they have consented to you quoting them.
Do not create a record unless there is a need for the creation.
5. Recording meeting minutes
Meeting minutes are considered to be a record under the FOIP Act and could be subject to a FOIP access request.
Meeting minutes should not record every discussion as verbatim. They should only include concise statements about each issue discussed. Don't quote anyone unless they have asked to have their point recorded in the minutes.
6. Applying reasonable security measures to records that contain personal information
If you have records that contain personal information, are sensitive or of a confidential nature, you must apply reasonable security measures to protect the privacy of individuals or AU.
If you receive such documents, store them in a manner that does not allow for unauthorized access.
If you are sending such a document, place it in an envelope and seal it. If the document is being sent by internal mail, seal it in its own envelope before placing it in the internal mail envelope. Clearly label the envelope as confidential.
Do not leave this type of document in open filing trays or in areas where anyone walking by can read the information at a glance.
7. Dealing with records considered to have value
Deal with the records you receive and create in a timely manner. If the records are deemed to have value, decide on the disposition of the record and file accordingly. Organize your area to accommodate the records you receive and create. If necessary create a filing list to assist you in the future with filing records.
8. Annual inventories of records should be conducted to ensure information and records that no longer have any value are not being retained and taking up storage space.
Sort, organize, and file records regularly. The longer you put it off, the harder it is to remember what the value is or if it had a value.
Regular filing enables staff to locate and retrieve information and records in a timely manner. Also, it avoids records having to be duplicated each time someone requires the information.
Student examinations and other assignments that are not returned to the student are records of Athabasca University (AU) and fall under the definition of personal information in the Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25. They document decisions made by AU staff, that directly affect the student.
Section 35 of the FOIP Act states that any personal information used by AU to make a decision that directly affects an individual must be retained for at least one year. The intention is to ensure that the individual has a reasonable opportunity to obtain access to it.
Student examinations and other assignments not returned to the student must be retained for at least one year after they were used to make the decision, so that the student has a reasonable opportunity to obtain access to them.
If an examination or assignment is used as evidence in a grade appeal or some other dispute resolution procedure, it must be kept for one year from the date that it was last used.
After the one year retention period, student examinations and other assignments are to be disposed of by shredding.
At Athabasca University (AU), the Office of the Registrar is responsible for maintaining the official student record. Other AU offices and employees may have or receive copies of certain records to enable them to carry out their responsibilities and provide service to the student.
For a complete list of student records maintained by the Office of the Registrar see Schedule A of the Student Confidentiality Procedures.
The Office of the Registrar will maintain the official student record according to the Athabasca University Student Confidentiality Policy – Schedule A.
Other AU offices and employees will maintain the copy in their custody according to their needs and requirements.
If an AU office or employee maintains a student record that is not part of the official student record in the Office of the Registrar, then they must determine what the retention and disposition of these records will be.
Records that are used by employees to make a decision affecting an individual must be retained for one year from the date they were used.
Information and records that only have short–term, immediate or no value, and that you won't need in the future are called transitory records.
If the information in the record will have some future administrative, financial, legal, research or historical value to your job, office or Athabasca University (AU), then you should file the record.
The decision on what is and is not a transitory record comes down to an individual judgement by each employee. If you have any doubt about whether recorded information will have any future reference value, file the record. If in the future the record has proven to have no value, it can be removed and disposed of then.
Following are some guidelines for staff to use when making decisions on what is and is not a transitory record.
1. Solicited and unsolicited information you receive from organizations and individuals advertising their products.
Some of this material may be relevant to your operation and you may want to file it for future reference. However, some may be considered junk mail and you can routinely discard it.
2. Publications obtained from sources outside your organization.
These may include books, magazines, brochures, journals, newsletters, pamphlets, software documentation, and newspapers. If they have no future value, they can be discarded according to your office guidelines, once you are finished with them, or routinely discarded.
3. Duplicates or exact reproductions of a master document.
They may include photocopies or extra copies of a report, staff meeting minutes, meeting agendas, discussion papers, or notices for events. After filing the master document, you can discard duplicates that are no longer required. If a duplicate copy has been altered by someone adding handwritten comments, notes or initials, it is considered to be a new record. If the added information will have future value, file the document.
4. Draft documents and working materials.
These may include materials used in the preparation of documents and earlier versions of the final document. Usually, drafts and working materials do not have future value and can be discarded as transitory records once the final version is produced. If some draft documents and working materials relate to development or preparation of policy, standards, guidelines, budgets, or legal documents, and your office is responsible for their creation, you may wish to file the records as they may have future value.
5. Temporary Information
Temporary information such as telephone messages, routing slips, self–adhesive notes, memos, notes, messages, and envelopes are usually considered to have only immediate or short–term value and may be discarded as transitory records. Some temporary information may have future value and should be filed. Some examples would be an envelope with a date stamp that records the date the item was received, a telephone message slip providing evidence of an individual calling at a certain time and date, and a self-adhesive note giving you authorization to carry out an activity or providing you instruction.
Guidelines for disposal of transitory records, by format, include:
- Paper records containing confidential, sensitive, or personal information should be shredded.
- Electronic records containing confidential, sensitive or personal information should be deleted.
- Records, in any other physical format (video, cassette, and microform), containing confidential, sensitive or personal information should be disposed of in a manner that ensures the information cannot be retrieved.
- Records, of any physical format, not containing any confidential, sensitive or personal information could be recycled or placed in regular garbage bins.
Social Insurance Numbers were originally introduced in 1964 for the purpose of providing an individual a file number to record that individual's contributions and entitlements for the Canada/Quebec Pension Plans, Old Age Security and Unemployment Insurance. In 1967, it also became a file identifier for Revenue Canada. Over the years, the use of Social Insurance Numbers has expanded both inside and outside of government.
A Social Insurance Number (SIN) is considered to be personal information of an individual.
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 requires when personal information is collected directly from an individual, the person be informed of the purpose for which the information is being collected and the specific legal authority for the collection.
Athabasca University (AU) needs to review each and every collection of personal information to define the purpose(s) for the collection and under what legal authority it is collecting this information. This applies when collecting an individual's SIN.
AU cannot collect an individual's SIN for the purposes of:
- using it as an identifier
- using it as a file number
- undetermined future needs
- the needs of a third party such as a bank or funding organization.
AU will only collect an individual's SIN for payroll purposes (Income Tax, Unemployment Insurance, Canada Pension Plan). AU may disclose an individual's SIN to a third party (e.g., bank or funding organization) if the individual's consent is obtained.
Legislated uses of the SIN include:
- Alberta Personal Income Tax Act
- Budget Implementation Act (Canada Education Savings Grants)
- Canada Elections Act
- Canada Labour Standards Regulations (Canada Labour Code)
- Canada Pension Plan Regulations (Canada Pension Plan)
- Canada Student Financial Assistance Act
- Canada Student Loans Regulations (Canada Student Loans Act)
- Canadian Wheat Board Act
- Employment Insurance Act
- Excise Tax Act (Part IX)
- Garnishment Regulations (Family Orders and Agreements Enforcement Assistance Act)
- Farm Income Protection Act
- Gasoline Excise Tax Regulations (Excise Tax Act)
- Income Tax Act (Canada)
- Labour Adjustment Benefits Act
- Old Age Security Regulations (Old Age Security Act)
- Tax Rebate Discounting Regulations (Tax Rebate Discounting Act)
- Veterans Allowance Regulations (War Veterans Allowance Act).
Other authorized uses of the social insurance number include:
- Income and Health Care Programs (Veterans Affairs Canada)
- Immigration Adjustment Assistance Program (Citizenship and Immigration Canada)
- Labour Adjustment Review Board (Human Resources Development Canada)
- National Dose Registry for Occupational Exposures to Radiation (Health Canada)
- Rural and Native Housing Program (Canada Mortgage and Housing Corporation)
- Social Assistance and Economic Development Program (Indian and Northern Affairs Canada)
- Income Tax Appeals and Adverse Decisions (Revenue Canada).
When sending and using email to communicate with others, ensure that the address or addresses are correct. Emails sent to a wrong address are becoming more frequent, and senders of email must be more cautious, especially when the email contains sensitive or confidential information.
When sending an email that contains sensitive or confidential information, consider including a statement at the beginning of the message to alert the receiver that the information in the message is sensitive or confidential. You may also wish to include direction on what the receiver may do with the message.
If you have any doubts about an email address, verify the address first before sending the email.
Sending email messages to an unknown address is also becoming more common. Again, if an email contains sensitive or confidential information, check or confirm the address(es) before clicking the send button.
Examples
This message contains information that is considered to be sensitive or confidential.
This message is intended only for the addressee(s) and contains information that is considered to be sensitive or confidential.
This message contains information that is considered to be sensitive or confidential and may not be forwarded or disclosed to any other party without the permission of the sender.
This message contains information that is considered to be sensitive or confidential and may not be forwarded or disclosed to any other party without the permission of the sender. If you have received this message in error, please notify me immediately so that I can correct the error and delete the original email. Thank you.
AU Employees may receive a request from an individual to release certain personal information about them to another organization or person that would not normally be disclosed or no process exists that enables you to release the information.
A Release of Personal Information Form has been drafted for employees to use in these circumstances. This form may be amended to accommodate your needs.
The Office of the Registrar uses a Release of Information Waiver form and has existing procedures in place to accommodate disclosing a student's educational information. Requests for release of educational information that is maintained by that office should be forwarded to that office.
The completed Release of Personal Information Form must be kept for one year from the date of the disclosure and then should be shredded.
It is also recommended that a specific time period be noted on the form for the consent to be in effect. A one-year period is suggested. See also Guidelines - AU Employees Providing Written and Verbal References for Other Employees and Students.
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 was introduced in the Alberta Legislature in the spring of 1994 and came into force for Alberta's post-secondary institutions on September 1, 1999.
Purposes of the FOIP Act
- to allow the public, subject to limited and specific exceptions, a right of access to records held by Athabasca University (AU)
- to control the manner in which personal information may be collected from individual(s), and to control the use of and disclosure of that information
- to allow individuals, subject to limited and specific exceptions, the right to have access to information about themselves held by AU
- to allow individuals the right to request corrections to information about themselves which is held by AU
- to provide an independent review of decisions made by AU under the FOIP Act.
Scope of the FOIP Act
- the FOIP Act is in addition to and does not replace existing procedures for access to information or records and should be viewed as a last resort for gaining access to information or records
- the FOIP Act does not affect access to records deposited in the archives of AU that were unrestricted before the coming into force of the FOIP Act
- the FOIP Act does not limit the information otherwise available by law to a party to legal proceedings
- the FOIP Act does not affect the power of any court or tribunal to compel a witness to testify or to compel the production of documents
What the FOIP Act Applies To
The FOIP Act applies to all records in the custody or under the control of AU created both before and after the FOIP Act came into force except for the records defined in section 4(1) of the FOIP Act.
Record:
means a record of information in any form and includes notes, images, audiovisual recordings, x-rays, books, documents, maps, drawings, photographs, letters, vouchers and papers and any other information that is written, photographed, recorded or stored in any manner, but does not include software or any mechanism that produces records;
Custody:
means AU has possession of the record.
Control:
means AU has the authority to manage the record.
Each and every staff member creates, receives, uses, and maintains records in conducting the business of AU. These records are considered to be AU records and are subject to the FOIP Act. Your personal records or records of another organization/business that you have in your custody are not subject to the FOIP Act. It is recommended that you organize and store AU records separately to avoid confusion, and to provide easy access to the university records in the event of a request for the records in your possession.
Obtaining Access to Records
There are two methods for gaining access to records held by AU:
- Non-FOIP requests or general inquiries for information. This method will satisfy the information needs of most information seekers
- FOIP requests. A method of seeking access to information that is not otherwise available
The FOIP Act sets out the rules for access to records of AU and should not replace existing procedures for access to information of AU that is normally available to the public.
In the event of receiving a request to access the records in your custody or under your control, follow established policies and procedures relating to what information you may or may not release and what is the preferred method of communicating the information. If the request is to access records that are not normally routinely released or if you are unsure about releasing the record, contact your supervisor, the centre you or the records are associated with, or the Privacy and Policy Advisor.
If an applicant is not satisfied with the information AU makes available through routine disclosure processes he or she may make a request for the information under the FOIP Act. The FOIP Act requires the request to be written. Oral requests may be made when the applicant's ability to read or write in English is limited, or a physical disability or condition impairs the applicant's ability to make a written request. The applicant may either ask for a copy of the record or to examine the record.
Sometimes only part of the record is accessible because of the exceptions to disclosure under the FOIP Act. As much of the record as possible must be released, provided the disclosed portions of the record can be reasonably severed from the excepted portions.
An applicant may request to have the request under FOIP continue for a period of up to two years.
A FOIP request must be responded to within thirty calendar days unless the time limit has been extended or the request transferred to a more appropriate public body for response. An applicant must be told whether or not access will be given and if access will be given, when and how it will be given. If access is refused, the applicant must be given reasons for the refusal as well as the name and address of a person who can answer questions about the refusal, and that they may request a review of the decision by the Information and Privacy Commissioner.
Exceptions to Disclosure
The FOIP Act recognizes that an absolute rule of openness would impair the ability of AU to discharge its responsibilities effectively. This is reflected in the FOIP Act by very specific and limited exceptions. There are exceptions that set out when a record "must not" be released, and there are exceptions that set out when a record "may not" be disclosed.
Most of the "may not" disclosure exceptions are based on a harms test. The harms test is based on a determination of whether the disclosure of all or part of a record could reasonably be expected to have a detrimental effect on a particular public or private interest.
The FOIP Act sets out the rules that must be considered when determining if a disclosure of personal information constitutes an unreasonable invasion of a third party's personal privacy.
Fees
The FOIP Act and Regulation allow AU to charge fees for certain services when responding to a FOIP request.
Rights of Third Party
If a FOIP request involves records containing personal or commercial information about a third party, the third party must be notified and provided with a copy of the record that is being considered for disclosure. The third party has 20 days to respond. The applicant must be informed that third party interests may be affected.
Public Interest Override
The FOIP Act includes a public interest provision that obligates AU, whether or not a request is made, to disclose information about a risk of significant harm to the environment or to the health and safety of the public or to other matters clearly in the public interest.
Protection of Privacy
The FOIP Act establishes conditions and obligations that AU must meet in protecting the privacy of individuals whose personal information is in its custody or under its control.
Personal information means recorded information about an identifiable individual, including:
- the individual's name, home or business address or home or business telephone number
- the individual's race, national or ethnic origin, colour or religious or political beliefs or associations
- the individual's age, sex, marital status or family status
- an identifying number, symbol or other particular assigned to the individual
- the individual's fingerprints, other biometric information, blood type, genetic information or inheritable characteristics
- information about the individual's health and health care history, including information about a physical or mental disability
- information about the individual's educational, financial, employment or criminal history, including criminal records where a pardon has been given
- anyone else's opinions about the individual
- the individual's personal views or opinions, except if they are about someone else
Collection of Personal Information
Personal information cannot be collected by AU from an individual unless it is:
- expressly authorized by or under an Act of Alberta or Canada
- for the purposes of law enforcement, or
- directly related to and necessary for an operating program or activity of AU
Generally, personal information must be collected directly from the individual the information is about, unless other legislation authorizes the collection, or it is necessary for an operating program or activity of AU.
When information is collected directly from the individual, the individual must be told the purpose for which the information is collected, the specific legal authority for the collection, and the title, business address and phone number of an employee who can answer the individual's questions about the collection.
AU will only collect the personal information that is necessary for an operating program or activity. The collection of personal information will be directly from the individual that the personal information is about unless the individual has consented to indirect collection or the indirect collection is possible under section 34 of the FOIP Act.
When personal information is collected from an individual, that individual must be informed of the purpose for the collection of personal information. That personal information may only be used for the purposes indicated when it was collected or for purposes that are consistent with the original reason it was collected. If you need to or want to use the personal information for another purpose that is not consistent with the original reason, then you must obtain the consent of the student to do so.
The notes or comments you record about a student are considered to be the personal information of that student, and the student has the right to request access to the notes or comments. Create documentation that contains personal information in a manner that enables release or reasonable severing in the event of a request to access the record. An example would be to separate the comments about more than one student in one memorandum into separate paragraphs or, better yet, into separate memorandums.
When an individual's personal information is used by AU to make a decision that directly affects the individual, AU must make every reasonable effort to ensure that the information is accurate and complete, and retain the personal information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it.
An individual has the right of access to his or her own personal information and to request a correction of information that the individual believes may contain an error or omission. AU must either make the correction or make note of the request for correction on the data subject file, and notify the individual within 30 days of the action taken.
Use of Personal Information
AU may use personal information only for the purpose for which it was collected or compiled or for a use consistent with that purpose, for another purpose with the consent of the individual, or for purposes allowed under the disclosure section of the FOIP Act.
Disclosure of Personal Information
The FOIP Act sets out specific rules about disclosure of personal information. There are limitations on third parties obtaining access to the personal information of another individual, what AU may disclose without a FOIP access request, and what may not be released to an individual that the personal information is about.
The common disclosures include: upon the consent or request of the student, to other staff to enable them to fulfill their responsibilities, to departments to provide their services, and to provincial and federal governments as directed by other legislation. Disclosure to another staff member or department is limited to personal information that is required for them to fulfill their responsibilities.
Information and Privacy Commissioner
An applicant has a right to an independent review of decisions made by AU. The FOIP Act establishes an Information and Privacy Commissioner to monitor compliance with its legislative provisions by public bodies.
Offences
A person must not willfully collect, use or disclose personal information in violation of the FOIP Act; make a false statement to, or mislead or attempt to mislead, the Commissioner or another person in the performance of the duties, powers or functions of the Commissioner or other person under the FOIP Act; obstruct the Commissioner or another person in the performance of the duties, powers or functions of the Commissioner or other person under the FOIP Act; fail to comply with an order made by the Commissioner; or destroy any records subject to the FOIP Act with the intent to evade a request for access to the records.
A person who is guilty of an offence is liable to a fine of not more than $10,000.
An individual who willfully discloses personal information pursuant to a subpoena, warrant or order issued or made by a court, person or body having no jurisdiction in Alberta to compel the production of information is guilty of an offence and liable to a fine of not less than $2000 and not more than $10,000. In the case of a corporation, the fines are substantially increased - not less than $200,000 and not more than $500,000.
Managing Records
You are responsible for maintaining AU records in your custody and under your control according to AU policies, procedures, retention and disposition schedules. If you have any questions regarding these issues, contact the centre you are associated with regarding the records for that program or activity, the department that the records are associated with, the Office of the Registrar regarding student records as the Office of the Registrar maintains the official student record, or the Records and Information Coordinator.
Upon termination of employment with AU, the records in your possession are considered to be AU records and must be dealt with according to AU policies and procedures. The most common procedure would be to dispose of all transitory records and forward all other records to the centre you were associated with.
Duplicate copies of certain records may be created and retained by staff, departments and centres for the purpose of easy access to information about a student or his/her activity relating to a particular course or program. These types of records are considered to be transitory records and once the records no longer have any value or use, they can be destroyed.
Records considered to be transitory records:
- announcement of conference
- announcement of new staff member
- email from student confirming they received the marked assignment
- email to student stating the assignment was placed in the mail today
- email to staff member requesting a form be sent to a particular student
If the records you have are only a copy and considered to be transitory, but you have made notes on the document, you will need to determine if the notes on the document have value and what that value is. You may have to retain the copy as an original.
The most common types of records relating to a student that employees completing tutorial functions may receive, create and maintain include tutor marked exercises, student profiles, emails, correspondence, notes, assignments, contact logs, and mail returned labeled address unknown.
Some of the records will be considered the original because no other copies exist or are maintained by AU. These records may include:
- copies of correspondence between a tutor and a student
- emails between a tutor and student
- copies of correspondence sent to another individual or institution upon the request of the student such as a reference letter
- handwritten notes made by a tutor during a conversation with a student or about a student
- completed assignments not returned to a student or sent to the Centre
Records considered an original record should be retained according to a centre's or department's retention and disposition schedules. Contact the appropriate centre or department for more information about the records if in doubt. Schedule A of the Student Confidentiality Policy of the Office of the Registrar lists the retention and disposition schedules for student records received and maintained by that office. The policy and schedule are available from the online policy manual.
Records that are used to make a decision about an individual must be retained for one year from the date the records were last used to comply with the FOIP Act. If copies of the record exist, the copies may be disposed accordingly, as the "original" will be maintained for the required period by the department having custody of the original record.
Some records will be copies with the original being maintained by the centre the tutor is associated with or a department of AU. The records may include student profiles, completed tutor marked exercises, correspondence or email from an AU centre or department that a tutor was copied on, or class lists. These records should be retained as required and then disposed of accordingly.
Examples of retention and disposition periods for some records:
Record Type | Retention Period | Disposition |
---|---|---|
Assignments (original returned to student and a copy retained by tutor) | If the copy is retained only for the purpose of reviewing the assignment with the student or for an appeal process, then the assignment can be destroyed after the review or appeal period is completed. If the copy is retained for a longer period of time then it should be retained for at least one year from the date the record was used. | Shredding |
Assignments not returned to the student as in the case of received assignments with no identifying information (name, address, ID number) | One year from the date the record was used. | Shredding |
Exams (original returned to AU and a copy retained by tutor) | If the copy is retained only for the purpose of reviewing the exam with the student or for an appeal process, then the exam can be destroyed after the review is completed. If the copy is retained for a longer period of time then it should be retained for at least one year from the date the record was used. | Shredding |
TMEs (copy retained by tutor) | As required if a copy was forwarded to the Centre or for one year if no copy was forwarded to the Centre. | Shredding |
TMEs (copy retained by Centre) | One year. | Shredding |
Emails about university social activities | As required. These would be considered to be a transitory record. | Deletion |
Emails from and to a student that relate to the course and provide direction or decision | If the information is transferred to the student database or a log record then the email may be deleted. If the information is not recorded elsewhere then the email (paper or electronic) must be retained for one year from the date the record was used. | Deletion |
Student profiles (copy provided to tutor) | As required. Usually only for the course contract period. | Shredding |
Correspondence - reference letters written by tutor upon request from a student | One year from the date the record was used. | Shredding |
Correspondence - that provides direction or decision | If the information is transferred to the student database or a log record then the correspondence may be destroyed. If the information is not recorded elsewhere then the correspondence must be retained for one year from the date the record was used. | Shredding |
Notes about the student | One year from the date the record was used. | Shredding |
Class lists | As required. | Shredding |
Records that contain personal information should be disposed of by shredding. If you do not own a shredder, return the records to Tutorial Services or Learning Centres for shredding. Clearly label the package as records for shredding.
General Considerations
Privacy protection requires authentication of identity. Authentication of identity is the process of ensuring that someone is who he or she purports to be.
Authentication typically relies on one or more of the following:
- something you know (e.g. password, security question, mother's maiden name)
- something you have (e.g. identification card, key)
- something you are (e.g. biometric data such as fingerprints, iris scans, voice patterns)
The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 requires that Athabasca University (AU) protect personal information against unauthorized use or disclosure by making reasonable security arrangements. The degree of authentication must be appropriate to the nature of the use or disclosure and the sensitivity of the personal information involved. In circumstances requiring a higher level of authentication, AU should use multi-factor authentication (i.e., two or more forms of authentication to confirm identity).
When AU interacts with a person exercising the rights of another person under Section 84 FOIP Act, AU must authenticate the identity of the person exercising the right. Authentication requires that AU obtain a copy of the document granting the person the right to act for another (e.g., guardianship order, personal directive, power of attorney).
Providing Information to Students Over the Telephone
Before disclosing a student's personal information (e.g., grades) to a caller who purports to be the student, AU must verify that the person is who they say they are. Various methods may be used; for example, a "shared secret" where the person provides some information known only to him or her and AU, such as information about a previous transaction, a case number or a password created for the purpose of authentication. So long as there is no reason to distrust the caller, a student identification number can be accepted as proof of authentication. If, for whatever reason, you doubt the truthfulness of the caller, use a second form of authentication. For example, ask the caller what was the last course he or she completed.
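The telephone check described above, written out as an added example (this is not AU's procedure or code; the record store, the names and the sample data are constructed for illustration). It assumes the desk has chosen a shared secret (a case number or password) as its primary check, which is stricter than the student-ID minimum the guideline allows, and steps up to the second factor (last course completed) whenever staff flag the call as doubtful. Two points the paragraph does not spell out: the shared secret is stored only as a salted hash, so a leaked record does not leak the secret, and comparisons use a constant-time function so timing does not reveal how close a guess was.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest) for a shared secret.

    Only the salt and digest are kept on file; the clear-text secret is not.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 200_000)
    return salt, digest


@dataclass
class StudentRecord:
    # Hypothetical minimal record held by the desk; names are constructed.
    student_id: str
    secret_salt: bytes
    secret_hash: bytes
    last_completed_course: str  # second factor: a fact only the student and AU know


@dataclass
class CallerClaim:
    # What the caller states over the phone, plus the staff member's own judgement.
    student_id: str
    shared_secret: Optional[str] = None
    last_completed_course: Optional[str] = None
    doubtful: bool = False  # set by staff when something about the call seems off


def _normalize(answer: str) -> bytes:
    """Make the spoken second-factor answer comparable: case and spacing do not matter."""
    return " ".join(answer.upper().split()).encode("utf-8")


def verify_caller(record: StudentRecord, claim: CallerClaim) -> Tuple[bool, str]:
    """Decide whether personal information may be disclosed to this caller.

    Returns (allowed, reason). Every refusal names the missing or failed check so
    the staff member knows what to ask for next.
    """
    if claim.student_id != record.student_id:
        return False, "student id mismatch"
    if claim.shared_secret is None:
        return False, "shared secret required"

    # Re-derive the digest with the stored salt and compare in constant time.
    _, candidate = hash_secret(claim.shared_secret, record.secret_salt)
    if not hmac.compare_digest(candidate, record.secret_hash):
        return False, "shared secret mismatch"

    if not claim.doubtful:
        return True, "verified with shared secret"

    # Step-up: doubt means a second, independent factor is required before release.
    if claim.last_completed_course is None:
        return False, "second factor required"
    if not hmac.compare_digest(
        _normalize(claim.last_completed_course), _normalize(record.last_completed_course)
    ):
        return False, "second factor mismatch"
    return True, "verified with two factors"


if __name__ == "__main__":
    # Constructed sample record: the secret "case-4471" is hashed at enrolment time.
    salt, digest = hash_secret("case-4471")
    record = StudentRecord("1234567", salt, digest, "COMP 200")
    print(verify_caller(record, CallerClaim("1234567", "case-4471")))
    print(verify_caller(record, CallerClaim("1234567", "case-4471", doubtful=True)))
    print(verify_caller(record, CallerClaim("1234567", "case-4471", "comp 200", doubtful=True)))
```

The `doubtful` flag is the staff member's judgement call from the guideline; the code only makes the consequence of that call mechanical, so a doubtful caller cannot be given information on the shared secret alone.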
Acknowledgement
AU wishes to acknowledge its reliance on publications issued by the Access & Privacy Branch, Alberta Government Services, which were used in the preparation of this guideline.
Unsolicited Résumés
If there is no job open, then you are not making a decision using the personal information in unsolicited résumés and the one-year retention requirement described below does not apply. Even if you do not keep unsolicited résumés when you receive them, you should take reasonable care when disposing of them so that no one can misuse the personal information they contain. You should shred paper copies and delete electronic copies.
Keep a résumé for a year if you use it to make a decision. If you use it to make a decision to hire or not hire the individual, you have to keep the résumé for at least a year so the individual can obtain access to it.
If you use information in a résumé (or simply hold onto it for possible future use), you are responsible for protecting the personal information in it and for responding to the individual's enquiries about how her or his personal information has been used or disclosed.
Types of Personal Information that can be Collected in the Hiring Process
The FOIP Act allows an employer to request any personal information that is necessary to the hiring decision. Typically, that might include relevant qualifications, experience, knowledge, skills and abilities, as well as answers to interview questions and skill tests. It would not be necessary for an employer to require personal information for any purpose other than assessing suitability for the job and establishing an employment relationship.
You have to be able to show your collection and use of the personal information is reasonably required to determine the job applicant's suitability for the position. For example, credit checks on a job applicant should only be conducted if you can establish that the information is both relevant and necessary to verify the applicant's ability to perform the job functions and that the verification cannot be done through less intrusive means.
Once you have made a hiring decision, you can use and disclose employee personal information without consent if doing so is reasonable for the purpose of establishing or managing an employment relationship. Canada Revenue Agency registrations for income tax purposes or enrollment in employee benefit plans are two examples of post-hiring use of employee personal information.
Reference Checks
Assume the job applicant's consent for contact with listed references. An applicant who has listed references in a job application or résumé implicitly consents to your contacting listed references, but only so you can collect reference information that is reasonably related to the job requirements. Although not strictly required when you conduct a reference check on a job applicant, it is a good practice to first confirm that the applicant has authorized the referee to talk to you. Although you do not need the job applicant's consent, notify applicants about reference inquiries from persons other than those the job applicant lists as references. If the applicant objects, the FOIP Act would not stop you from inviting him or her to withdraw from the hiring process or from weighing the refusal to consent in determining the applicant's suitability for the position.
Confidentiality of Information Received from a Referee
Confirm confidentiality with referees. If you prefer not to reveal a referee's comments to the job applicant, it is best to make it clear to the referee in advance that his or her opinions will be received in confidence, to document this agreement, and to tell the applicant that all references will be received in confidence. However, there is no guarantee that job applicants will not be able to access comments made by referees to prospective employers, because the FOIP Act gives individuals a right of access to their own personal information. Both factual information obtained about a job applicant and referees' opinions about the applicant are the applicant's personal information; therefore, you cannot guarantee that referees' comments will remain confidential. As for the referee's identity, the referee's name is the personal information of the referee and may be withheld.
Use of Personal Information Collected During the Hiring Process for Other Purposes
You can use personal information you collect during the hiring process for another purpose only if that other purpose has a reasonable and direct connection to the original purpose. Orientation and training can be considered part of the hiring process, so it is reasonable to assume that personal information collected from job applicants might be used for that purpose.
If the other purpose is not reasonably and directly connected to the original purpose, then you have to tell the job applicant what the other purpose is and get the applicant's consent. For example, it would not seem obvious that you would send someone's résumé to another employer who might be hiring, even though that might appear to benefit the applicant. When in doubt, give notice and get consent.
Protect and Retain Personal Information Collected During the Hiring Process
Section 38 of the FOIP Act requires an organization to make "reasonable security arrangements" to protect personal information from "unauthorized access, collection, use, disclosure or destruction". In other words, you should at the very least take the same precautions you would use for any document you want to protect from improper use by staff or anyone else. The greater the sensitivity of the employee personal information, the greater the need for protection. For example, it is reasonable to expect a higher level of security for an employee's medical information than for a résumé.
If you use an individual's personal information to make a decision that directly affects him or her (like hiring or not hiring), you have to keep it for at least a year after you make the decision, so that the individual has a reasonable opportunity to obtain access to it. This would include interview notes and other information about or related to the assessment of candidates. If an individual requests her or his own information of this kind, personal information of other candidates found in records containing the applicant's information would have to be withheld from the applicant.
If you do not use personal information for a decision, you either have to destroy it or else make it anonymous by removing any information that would identify a particular individual. You need to do this as soon as the purpose for which it was collected is no longer being served and you no longer need it for legal or business purposes.
Other FOIP Obligations that Apply to Personal Information Collected During the Hiring Process
Know when information cannot be given out. The bottom line is that anyone - including an employee and an unsuccessful job applicant - has a right to be given access to his or her own personal information, to know how it is being used or has been used, and to know to whom and in what situations it has been disclosed. However, the FOIP Act permits or requires you in certain circumstances to deny someone access to their own personal information - for example, where disclosure would harm someone else, harm an investigation or legal proceeding, result in the disclosure of someone else's personal information, or disclose confidential business information. If such information can be removed from a document, you have to give access to the rest of the document after the information is removed.
Make sure information is accurate and complete. Respond to requests for correction. Anyone who believes there is an error or omission in his or her personal information can ask the organization to correct it. If the information needs correction, you must make the correction as soon as possible. If, on the other hand, you decide the information needs no correction, you must annotate the personal information to record the correction that was requested but not made. Like all the FOIP Act requirements, this applies to paper and electronic records. If you do make a requested correction, you must send the corrected information to every organization to which you have disclosed the information during the year before the correction date. And if you are notified by another organization that it has corrected an individual's personal information that was disclosed to it, you must also correct that personal information if it is under your organization's control.
If you need more information or have questions about situations not covered by this document, you can call the Privacy and Policy Coordinator.
Acknowledgement
AU wishes to acknowledge its reliance on information published by the Office of the Information and Privacy Commissioner for British Columbia, which was used in the preparation of this guideline.
We live in a complex world with a multitude of rules and regulations. From the moment we wake to the moment we sleep, our actions are regulated by tens of thousands of laws. If this wasn't enough, our actions as employees of Athabasca University (AU) are subject to additional regulation, specifically laws governing access to information and privacy. Fortunately, you only have to remember two key principles:
- most of the records you create are accessible by the public; and
- personal information is protected.
History
The Government of Alberta proclaimed the Freedom of Information and Protection of Privacy (FOIP) Act in October 1995. At that time, the FOIP Act was applicable to all provincial departments. The FOIP Act was extended to include post-secondary institutions on September 1, 1999.
The FOIP Act did not fundamentally change the way AU manages records. However, it did give persons who have been denied information an additional avenue for access and a process to adjudicate concerns about protection of personal information.
Fundamental Principles
The FOIP Act is based on five fundamental principles:
- Allow any person access to records in the custody or control of AU, subject to limited and specific exceptions.
- Control the manner of collection, use and disclosure of personal information.
- Allow individuals, subject to limited and specific exceptions, access to their own personal information.
- Allow individuals to request corrections to their own personal information.
- Provide for an independent review of decisions made by AU.
Accessing Information
Access to information is the first component of the FOIP Act. The access provisions apply to all records for which AU has custody or control. This includes material that is written, photographed, recorded or stored in any manner. Documents may be in hard-copy, electronic, digital, audio or visual formats.
Some records are excluded from the FOIP Act. Questions to be used in an examination, teaching materials and research information are some pertinent examples of excluded records.
Keep in mind that records you create in the course of your employment are AU records and can potentially be viewed by an unlimited audience. Embarrassment is not a reason to withhold records, so please rely on both your good sense and taste when creating records. Since AU has limited discretion when disclosing records, the rule of thumb to follow is to assume that all records you create will appear on the front page of a major newspaper.
AU has always made information available to students, employees, and community members. In most cases, records can and should be disclosed. Caution is necessary when the record in question contains sensitive/confidential information or when a person requests information about another person. If you have doubts about disclosure, please contact the FOIP Coordinator. It is better to delay disclosure and seek confirmation than to inappropriately/illegally disclose information.
Protection of Privacy
Protection of an individual's personal information is the second component of the FOIP Act. Personal information held by AU is protected from unauthorized collection, use and disclosure. Personal information, for the purposes of the FOIP Act is defined as any recorded information about an identifiable individual. Some examples of types of personal information include name, marital status, age, educational history and student identification number.
The FOIP Act requires that reasonable measures and safeguards be maintained by AU to ensure that personal information is secure and access within AU is restricted to a "need to know" basis only.
FOIP and Information Management
The FOIP Act places accountability on AU for how records and information management systems are maintained. When responding to requests, records will have to be retrieved in an accurate and timely manner. Requests made under the FOIP Act have a specific time limitation within which AU must respond.
AU has a Records Management Program that provides services as follows:
- storage and retrieval of inactive records;
- records retention scheduling;
- records disposition; and
- record systems consultation.
Additional Information
For information on FOIP, contact the FOIP Coordinator. Further FOIP information and applicable policies are also found on the AU FOIP website at www.athabascau.ca/foipp. Information about records management practices can be obtained from the University Archivist.
General Considerations
Laptop and portable device (e.g. memory sticks, pen drives, mobile phones, blackberries, CDs, disks, etc.) use is a common practice in conducting Athabasca University (AU) business. Theft of such devices is also common. The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 requires that AU protect personal information against unauthorized use or disclosure by making reasonable security arrangements. This responsibility falls on all members of the AU community to safeguard these items from theft and to prevent the loss of personal information held on such devices. Unauthorized access to confidential and private information can result in embarrassment, loss of business, loss of credibility, or legal action for AU and, potentially, the individual.
How do thieves do it?
The National Institute of Standards and Technology Special Publication 800-30, “Risk Management Guide for Information Technology Systems”, describes various levels of threat posed by other individuals. The level of threat is determined by the individual's motivation and the actions he or she could take. Threat sources range from insiders, who may be seeking information out of curiosity, ego, monetary gain or revenge; to computer criminals, hackers and crackers; to terrorists, who may be looking to blackmail, destroy or exploit; to industrial espionage (companies or foreign governments) seeking a competitive advantage or following programs developed for homeland security.
Access can be gained by:
- laptop theft and theft of other portable electronic computing devices;
- careless information and hardware handling;
- data sharing or sale;
- internet trolling;
- spoof sites on the internet;
- visiting non-secure internet sites;
- unprotected servers;
- war-driving, hacking;
- key loggers;
- wireless surveillance; and
- internal privileged access.
Physical Requirements
Laptops and portable devices should not be left unattended in unsecure environments. Items should be locked and secured to an immovable object when available. Special locking mechanisms for laptops can be obtained through the Computing Services Help Desk.
Laptops and portable devices should be stored under lock and key in a locked office or locked filing cabinet with restricted access.
Never leave your laptop or portable device in an unattended vehicle.
Protecting personal information while it is being transported is the responsibility of the employee. Laptops and portable devices must not be put through checked baggage when travelling.
Laptops and portable devices are obvious targets for theft. If a laptop is set down for any reason keep an eye on it or position it in a place where you can feel if someone grabs it. Hook the strap around your foot or hand so you can feel any movement. Vulnerable places for laptops include washrooms, check-in counters, restaurants and vehicles.
Avoid using laptop cases – use a padded briefcase, backpack or suitcase – something that does not advertise what you are carrying. Never leave passwords or access numbers with the laptop or portable device.
Be aware of your environment and the people around you. Be aware of anyone trying to hack information or paying particular attention to the information - “shoulder surfing”, etc.
Make yourself aware of the details of reported security breaches. Pay particular attention to how the information was accessed and what “tricks” were used. Remember that any paper files you may carry with you are also an important source of information.
Technological Requirements
It is the responsibility of the employee to be aware of what types of information are confidential and personal information. Keep only data that is necessary on your laptop or portable device. Do not download an entire database onto your laptop if it contains personal or confidential information. If it is required to download computer files, only download the relevant pieces. Always remember to move the information to a more secure location as soon as reasonably possible.
It is important to be aware of the contents of all emails held on your laptops or portable devices. Large amounts of personal information can be held in files of this type. Utilize good record keeping practices and regularly go through your emails to determine if records are transitory and should be stored in a more suitable location.
Pay particular attention to identifying information of students and staff – ID numbers, names, addresses, etc. Refer to the AU FOIP website at http://www.athabascau.ca/foipp for more information regarding confidential and personal information.
Do not use your laptop or portable device to store long term records. Make yourself familiar with the records retention policies relevant to your specific area and general AU retention policies. If you have any questions regarding retention you should contact Institutional Record Management. The Alberta Freedom of Information and Protection of Privacy Act requires that if personal information has been used to make a decision about a person the public body is required to retain that information for a period of one year. If you are in doubt or have questions contact the AU FOIP office.
Back up important files regularly and keep the back up in a secure location. Contact Computing Services Help Desk to assist you regarding backing up files from laptops or portable devices.
AU requires the use of logon passwords and screen saver password protection. These items are normally preconfigured by the Computing Services Help Desk. Passwords should be used for protecting specific files containing personal information. Think carefully when changing passwords. Don't use common words; the longer the password is, the harder it is to guess. Make passwords alpha-numeric.
However, remember that passwords can be easily bypassed. Hard drives can be physically removed and accessed. There are free programs available on the internet that can be used to figure out usernames and passwords and to restore information that you thought had been deleted. If the will is there, information can be accessed.
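The following is an added example, not AU's own code, that puts numbers behind the two password points above: length matters more than a mix of character types, and common words are weak at any length. It estimates the brute-force search space as (alphabet size) to the power of the length and flags dictionary words; the word list and the guess rate are constructed assumptions standing in for the large dictionaries and hardware that the free cracking programs mentioned above rely on.

```python
"""Estimating password guessing effort (added example, not AU's code).

The search space is (alphabet size) ** length, so every extra character
multiplies the attacker's work, whereas adding digits or symbols only
enlarges the base. Dictionary words are tried first regardless of length.
"""
import math
import string

# Constructed, deliberately tiny word list standing in for the dictionaries
# that password-cracking tools ship with.
COMMON_WORDS = {"password", "athabasca", "welcome", "letmein", "summer"}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character pool that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # printable ASCII punctuation plus the space character
    return size


def entropy_bits(password: str) -> float:
    """log2 of the brute-force search space; 0 for an empty password."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def is_dictionary_word(password: str) -> bool:
    """True if the password is a common word with only the trivial decorations
    (case changes, trailing digits) that cracking rules apply automatically."""
    core = password.lower().rstrip(string.digits)
    return core in COMMON_WORDS


def assess(password: str, guesses_per_second: float = 1e10) -> dict:
    """Summarise the effort of an offline attack at an assumed guess rate."""
    bits = entropy_bits(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(bits, 1),
        "seconds_to_exhaust": 2 ** bits / guesses_per_second,
        "dictionary_word": is_dictionary_word(password),
    }
```

Comparing `assess("abcdefghijklmnop")` with `assess("Ab1!Ab1!")` shows a sixteen-character lowercase password at about 75 bits against roughly 53 bits for eight characters drawn from the full keyboard, which is why the guideline's "longer is harder" holds even before a mix of character types is considered. The estimate is an upper bound: a password that is a dictionary word is found far sooner than its bit count suggests.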
Encryption is a vital technological tool and is mandatory for laptops and off-site AU owned desktops. Passwords and encryption that cannot be disabled by an unauthorized user need to be used. AU has encrypted memory keys for use by AU staff who are required to transport AU information. Contact the Computing Services Help Desk if you require these technologies.
When using a portable device, be aware of the type of internet connection you are accessing. Do not download files if the system can be remotely accessed. Avoid using unknown wireless internet connections. If you need to use a wireless internet connection, ensure identifier broadcasting on your wireless router is turned off so your computer is not signalling devices in the vicinity and disable the wireless connection when not in use. AU currently has technologies that are much more secure. If you require remote access to AU systems, contact the Computing Services Help Desk for assistance.
Be wary of phishing, pop-ups and unknown emails – don't respond or click on embedded links. Thieves can use these devices as tools to access information.
Keep firewalls, anti-virus software and operating systems up-to-date. Turn off file sharing when using your laptop or portable device. Ensure that your firewalls and anti-virus software are not disabled. The Computing Services Help Desk can provide assistance to keep your computer systems and portable devices up-to-date.
Permanently delete unnecessary files from laptops and portable devices when they are no longer required. This will involve the deletion of metadata that is stored on your device. Assistance can be obtained from the Computing Services Help Desk.
What to do if a loss is experienced?
If your laptop or portable device is stolen or lost immediately notify the FOIP/ Policy Coordinator and the Computing Services Help Desk. A list of the types of information contained on the device will need to be provided in order to assess if any privacy breaches have occurred. Report any unusual activity following the incident as soon as possible.
Always assume the worst. Passwords will need to be changed, accounts may need to be shut down, and people may need to be officially notified. Even if the data is encrypted, assume that the thieves will be able to decrypt the information.
Acknowledgement
AU wishes to acknowledge its reliance on publications issued by the Access & Privacy Branch, Alberta Government Services, which were used in the preparation of these best practices.
Definition Index
Identifier Broadcasting:
A sequence of characters that uniquely names a specific user that is transmitted to allow for connection of that user to a desired wireless network when multiple networks operate in a specific area. Information transmitted in this format can be intercepted.
Phishing:
In a computing context, phishing is an impersonation of a corporation or other trusted institution. The goal of the impersonation is to extract passwords or other sensitive information from the victim. It is a form of criminal activity that utilizes social engineering techniques. Phishing is typically done using e-mail or an instant messaging program. The message attempts to appear to be from an authentic source so that the victim will either directly respond, or will open a URL link to a fake website run by the criminals.
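As an added example of detecting the pattern this definition describes (not AU's code), the routine below scans the anchors in an HTML e-mail for links whose visible text names a trusted institution or shows one URL while the actual `href` points somewhere else. The sample message, the trusted domain `example-university.test` and the institution name are constructed for this example; a real deployment would load its own domains and names.

```python
"""Flagging phishing-style links in an HTML e-mail (added example, not AU's
code). A link is suspicious when the visible text shows a URL whose host
differs from the real target, when the text names a trusted institution
but the target is not one of its domains, or when the target is not a
web URL at all. Sample data below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the institution legitimately uses, and names a
# message might drop to look like it comes from the institution.
TRUSTED_DOMAINS = {"example-university.test"}
TRUSTED_NAMES = {"example university"}

# Visible text that looks like a URL or bare hostname (no spaces allowed).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname; adequate for the constructed names here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html: str) -> list:
    """Return (href, text, reason) for each link that should be treated as phishing."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme not in ("http", "https") or not host:
            findings.append((href, text, "non-web or malformed link"))
            continue
        domain = registered_domain(host)
        if URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registered_domain(shown) != domain:
                findings.append((href, text, "visible URL differs from real target"))
                continue
        if any(name in text.lower() for name in TRUSTED_NAMES) and domain not in TRUSTED_DOMAINS:
            findings.append((href, text, "names a trusted institution but points elsewhere"))
    return findings


# Constructed sample message exercising each rule, plus one legitimate link.
SAMPLE_EMAIL = """
<p>Dear student, your account will be suspended.</p>
<p><a href="http://example-university.test.login-verify.test/reset">Example University login</a></p>
<p>Or visit <a href="https://accounts.evil-host.test/x">https://example-university.test/myau</a></p>
<p><a href="https://example-university.test/help">Help desk</a></p>
<p><a href="javascript:void(0)">Unsubscribe</a></p>
"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first link because the trusted name sits in a subdomain of an unrelated host, the second because the displayed URL and the real target disagree, and the last because it is not a web link; the help-desk link passes. The two-label `registered_domain` helper is a simplification for the constructed names; real code would consult the public suffix list so that a name such as `something.ac.uk` is handled correctly.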
Working with personal and confidential information out of the office or in home offices increases the risk of the information being lost or compromised.
As Athabasca University (AU) is covered by the Freedom of Information and Protection of Privacy Act, AU must make reasonable security arrangements to protect personal information against such risks as unauthorized access, collection, use, disclosure and destruction. AU could be held legally liable if it fails to meet these requirements. As employees of AU, it is everyone's responsibility to assist the organization in meeting these requirements. These best practices have been prepared to provide guidance on meeting these requirements.
Privacy and Security Risks
- Physical loss or theft of devices;
- Inappropriate access by unauthorized individuals;
- Communication of protected information through unprotected channels;
- Printing information without appropriate disposal options;
- Accessing or loading information on unprotected home devices.
These best practices address the following records management and security areas: electronic and physical records management and security of personal information, and faxing and emailing.
Physical records may include correspondence, documents, hand-written notes, day timers, faxes, and paper files. Electronic records may include email, electronic calendars or word processing files.
Electronic and Physical Records Management
- Never travel outside the office with personal information unless you absolutely have to. If you have to take the information with you, take the least amount you need. Take copies instead of originals.
- While you are away from your office or home, all personal and confidential information should be stored in a locked storage container or in a location reasonably secure from theft (locked office or desk drawer).
- All computers, PDAs and other electronic devices must be password protected.
- All electronic records of personal information must be encrypted.
- Always log off your computer when you step away. Set the automatic logoff on your computer or device. Shut down your computer or device if you plan to be away for a longer length of time.
- Use security locks to secure computers and electronic devices containing personal and confidential information.
- Do not share a computer or electronic device with others if it contains personal and/or confidential information.
- Avoid accessing personal or confidential files while travelling. If you must, take precautions to prevent unauthorized access. Be aware of your surroundings and who is in the vicinity.
- Avoid using cell phones to discuss personal or confidential business where it can be easily overheard or intercepted. This also includes conversations.
- Always be in control of any personal or confidential information in your possession.
- Do not leave records in plain sight. Always store records securely.
- When working at home, personal or confidential information should be stored in a locked drawer or cabinet. The drawer or cabinet should contain only work related records and no one else should have access to it.
- Never store personal or confidential information on the hard drive of your computer or electronic device. AU has alternative solutions of storage available.
- Your home computer should have effective Internet security measures such as anti-virus software, encryption software and firewalls.
- Use the email and phone lines provided by AU for AU related business.
- Avoid emailing or faxing personal or confidential information from public locations.
- Do not ask someone else to photocopy or fax personal or confidential information.
- Destroy transitory documents regularly and “housekeep” your documents on a regular basis.
- If personal or confidential information is stolen or lost immediately notify the FOIP/ Policy Coordinator and the Computing Services Help Desk.
- Be aware of existing records management practices. Contact your supervisor or the Manager, Institutional Records/University Archivist for direction.
- Incorporate the highest level of security appropriate for the information. Example: Lock your briefcase in the trunk of your car when transporting personal or confidential information.
- Destroy copies and drafts of information when no longer needed.
- If a portion of a file is required to do the work, remove only that portion, not the entire file.
- Records containing personal or confidential information must be destroyed in the appropriate method – not just thrown in the trash or recycling bin.
- Don't save electronic files under a file name containing the individual's full name, student ID, or a combination of the two. Keep file names as anonymous as possible.
- Computers or electronic devices containing or used to access personal or confidential information need to be password protected.
- Change passwords regularly.
- Do not share memory sticks or other external devices that contain personal or confidential information.
- Position computer monitors/screens for maximum privacy.
- Never leave your computer with work displayed on the screen.
- Have a designated work space which will ensure adequate privacy to complete your work.
- Protected information should not be submitted by email or via the internet without being appropriately secured via encryption, password-protected attachments or other effective methods.
- Peer-to-peer file sharing applications should not be used in connection with records containing protected information.
- Any physical records that are no longer required need to be returned to the appropriate department or destroyed as required by the appropriate retention and destruction schedules.
- A “clean-desk” method of working should be adopted.
- Do not make or store more copies than you need.
Faxing and Emailing
- Faxes containing protected information must be removed from the fax machine as soon as possible to prevent unauthorized access.
- Always use a fax cover sheet that contains a confidentiality clause along with the sender's name, telephone and fax numbers, the recipient's name, telephone and fax numbers and the number of pages sent. Mark protected information confidential.
- If a fax contains protected information, confirm when the fax will be sent and that the appropriate recipient has received it. Confirm correct fax numbers or email addresses before sending.
- Avoid using pre-programmed numbers if faxing protected information. If you do use a pre-programmed number, confirm that it is correct.
- When faxing or emailing protected information, consider using unique identifiers or codes to protect identities, etc. If you receive a fax or email in error, notify the sender and promptly return or destroy the fax, as requested by the sender.
- When receiving a fax always check the number of pages against the number indicated on the cover sheet.
- Check the send report or confirmation sheet to confirm fax numbers and to confirm the number of pages that went through.
- If you use computer faxing, create appropriate folders and directories with password access so that only authorized people can see the files.
- If someone asks you to send protected information by fax or email, explain the possible risks involved and have them consent before emailing or faxing.
- If protected information is mistakenly faxed or emailed to the wrong person or is otherwise compromised, immediately contact the FOIP/Policy Coordinator.
- Never use an email alias to email protected information.
- Always remember that an email may be read during transmission. If you must email protected information, it should always be encrypted.
- Email mailboxes that are used to send protected information should have a secure password known only to the employee using it. However, in the case of a common mailbox, only those employees who have authority to view the contents should have the password.
- Clean the emails off your computer as often as you can. Do not retain anything that is considered transitory and do not keep emails on your computer that would be more securely stored within your centre or department.
Updated September 02, 2021 by Digital & Web Operations, University Relations (web_services@athabascau.ca)