FIPPA - Some Basics for Faculty and Staff
I. What is FIPPA?
II. General Impact
1. Record (section 2.1 of the Act)
2. Personal Information (section 2.1 of the Act)
B. Some Specific Issues:
1. Communicating Grades to Students
3. Teaching Materials and Course Notes
4. Research Records
5. Protection of Student Information - University Policies and Recommended Best Practices
IV. Where to go for help
There are two main governing principles behind FIPPA:
- With a few notable exclusions and specific exemptions, the records of public institutions should be available to members of the public.
- The privacy of individuals should be protected.
Many of the provisions of FIPPA are very similar to provisions that were already in place in the University’s Guidelines on Access to Information and Protection of Privacy. The University makes a great deal of information publicly available and has established criteria for situations in which access needs to be restricted. Similarly, the University already has policies and practices in place to protect the personal information of faculty, staff and students.
In terms of access to information, there is no need for faculty and staff to restrict access to information that would have been readily available prior to June 10, 2006 and we should continue to respond to informal requests as we have always done. However, if information is sought that would normally not be given out, or the records contain personal information about someone other than the person making the query, a formal access request may be required. Information about how to make a formal access request can be found on the privacy website www.uwo.ca/privacy.
With respect to the privacy provisions of FIPPA, again, we should proceed for the most part on a “business as usual” basis. For instance, there is no need to suddenly restrict access to personal information among University units that have shared information in the past for particular purposes or where the sharing of information is needed to accomplish a legitimate University business task.
To begin, a couple of definitions may be helpful:
“record” means any record of information however recorded, whether in printed form, on film, by electronic means or otherwise, and includes,
(a) correspondence, a memorandum, a book, a plan, a map, a drawing, a diagram, a pictorial or graphic work, a photograph, a film, a microfilm, a sound recording, a videotape, a machine readable record, any other documentary material regardless of physical form or characteristics, and any copy thereof, and
(b) subject to the regulations, any record that is capable of being produced from a machine readable record under the control of an institution by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the institution.
Note the breadth of this definition. There is no distinction between official and unofficial records, and the means by which the information is recorded does not affect whether it is covered by the Act. For example, handwritten notes (or post-it notes) that you might keep in your course file with respect to a discussion with a student, critical comments taken down during student presentations in class, e-mail or voicemail messages from or to students that relate to their performance or refer to other personal information would all be captured by the Act.
“personal information” means recorded information about an identifiable individual, including,
(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information related to financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, telephone number, fingerprints or blood type of the individual,
(e) the personal opinions or views of the individual except where they relate to another individual,
(f) correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
(g) the view or opinions of another individual about the individual, and
(h) the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.
Again, this is very broad. Note particularly the references to information regarding education history, identifying numbers (such as a student number) and personal opinions of or about an individual.
The Act does not speak specifically to the issue of posting student marks in a public place or site. However, a student’s mark is clearly covered by the definition of “personal information” as is his/her student number. Therefore, posting a student’s mark along with his/her name and student number would be a clear contravention of the Act. Similarly, posting a student's mark with his/her student number may be a contravention of the Act if the student can reasonably be identified. This might arise if a student has a unique student number or in smaller classes.
Departments may inform students of final grades from an examination period subsequent to final approval of the grades by the Department Chair or Dean, but are responsible for ensuring that grades are communicated in a confidential manner.
Lists of student grades with personal identifiers (e.g., student identification numbers) must not be posted electronically. Faculty and staff wishing to communicate marks electronically to students must do so on an individual basis only. For optimal security, WebCTVista is the recommended mechanism for doing so.
For large classes, a paper list of student grades linked to student identification numbers may be posted in a Department location for a limited time provided that the grades cannot reasonably be linked to individual students. Such postings should contain truncated student identification numbers (last five digits) listed in random order. For classes with fewer than 15 students, public posting must always be avoided. Faculties have the discretion to establish higher thresholds based on local needs and concerns.
*Timing of Submission of Final Grades - Informing Students of Grades http://www.uwo.ca/univsec/handbook/exam/finalgrades.pdf
It is highly recommended as a best practice that faculty and staff apply the Senate policy on final grades to communication of interim grades and marks as well. Information about effective use of WebCTVista and other instructional tools can be obtained from ITS at http://www.uwo.ca/its/itrc/resources.
As noted above, the means by which information is received makes no difference as to whether it is subject to FIPPA. Personal information provided through e-mail correspondence must be treated in the same way as if it were provided in paper format.
Personal information that is provided by students via e-mail and that is used in any way must be retained for a minimum of one year. An example would be a student asking by e-mail for an extension on a paper because of a personal issue. The e-mail itself does not need to be retained, but the information contained in it does. In such cases, the best course of action may be to print off the e-mail and put it in the appropriate paper file. Personal information received via e-mail that is unsolicited and/or that is not used can be deleted.
E-mail correspondence can be problematic because the medium is not secure. It is recommended that you password protect or encrypt e-mail that is used for obtaining, sharing or discussing sensitive personal information (such as, for example, extension requests that contain information about a student’s private situation, or messages with evaluative opinions of a student’s academic performance).
A final point with respect to e-mail addresses: often faculty members will provide students in a class with a list of the e-mail addresses for all those enrolled in order to facilitate group work or out-of-class discussions. Students should expect that their UWO e-mail addresses may be shared in a class. However, for other contact information (such as phone number or personal e-mail address) it is better to have students share this information voluntarily with their classmates when they are in their assigned groups.
For answers to some commonly asked questions about e-mail, please see the Frequently Asked Questions page.
One of the amendments made to the Act to adapt it to the university context was to exclude teaching materials from the Act. The intent of the amendment is to protect the intellectual property of those responsible for developing and teaching courses. However, FIPPA does not provide a precise definition of what “teaching materials” are. After consultation with universities in other jurisdictions that have been under similar legislation for some time, a working definition is:
- Materials created and maintained by faculty members to produce and deliver a course, such as: lesson plans, lecture notes, reading lists, reading schedule, assignment topics, overhead slides, case studies, exercises, assignments, quizzes, tests, and other instructional material.
Note, however, that the answers in completed assignments, exercises, exams, etc., are considered to be the personal information of the student. Senate regulations require that examination papers and other work not returned to the student must be retained for a minimum of one year from the date of last use. “Last use” is defined as the date of the last class if there is no final examination, the date that the marks were submitted after the final examination, or, if an appeal has been made, the date the student is informed of the decision on the appeal, whichever is later.
In addition to the Senate policies, provisions in FIPPA require that other course related materials, such as notes that have been made about student performance throughout the course, or notes of discussions with a student about progress in the course must be retained for a minimum of one year after last use.
Again, the important thing is to retain the information. The format in which it is retained does not matter. Electronic materials may be downloaded and filed in paper format or paper records can be scanned and stored electronically.
A similar amendment as for teaching materials was made to the Act with respect to records "respecting or associated with research". Again, the Act is not very helpful in terms of defining the breadth of this exclusion, it simply says that it does not apply to such records. However, the subject matter (as distinct from the title) of a research project and the amount of funding received are not excluded from the Act’s provisions.
- Do not place graded examinations and assignments in a public place for pick up. Examinations and assignments should be returned directly to the student who prepared the work. As a general rule, students should not handle exams or assignments other than their own.
- Write grades, comments and evaluations on an inside page where they are not immediately visible to others.
- Retain any student personal information “used” by the University for a period of one year from date of last use (includes students' personal information in faculty and staff files).
- Do not post lists of student grades if the posted information could identify individual students.
- Use WebCTVista (or other ITS-recommended programs) to communicate grades to students on a confidential basis.
- Do not post personal information on websites without notice, consent or an opt-out option, depending on the context.
- Do not provide information to a third party for reference purposes without the consent of the student.
- Ensure adequate security of personal information (e.g. student exams) both on campus and off-campus.
- Do not leave detailed personal information on voice-mail (e.g. results of an appeal); ask for a call back.
- Remember that e-mail is not secure unless it is encrypted or password-protected -- use caution when sending personal information or asking students to send sensitive information by e-mail.
- When corresponding with students, use their UWO e-mail address rather than a personal e-mail account.
Each major unit within the University has appointed an individual to act as the FIPPA Liaison Officer. A list of liaison officers can be found at www.uwo.ca./privacy/liaison.html.
The University’s Information and Privacy Coordinator is Paul Eluchok in the University Secretariat. He can be reached at firstname.lastname@example.org or at extension 84541. The Director of the Information and Privacy Office is Terry Morrissey. She can be reached at email@example.com or at extension 84543.
FIPPA Basics, June 2006; Rev. 06/09