Frequently Asked Questions
- What is a record?
- What is Western currently doing to provide access to University records?
- Do I have to make a formal request under FIPPA if I wish to see University records?
- How do I make a formal request for access to University records?
- What is personal information?
- Is any personal information considered 'public'?
- What is a personal information bank (PIB)?
- What are the general principles that govern privacy protection?
- What is Western doing to protect privacy?
- When can personal information be shared within the University?
Federal and Provincial Freedom of Information and Privacy Legislation
- Does FIPPA apply to e-mail?
- How long should e-mail be kept?
- What should I do if I receive an E-mail containing personal information?
- What should I do if I receive an e-mail with personal information not intended for me or personal information that I do not need to receive?
- Should I send e-mails containing personal information?
- Is it okay to send an e-mail message containing a student’s name and ID number?
- Is it okay for students to see the e-mail addresses of other students in their class?
- Should I use Gmail/Hotmail or other providers to conduct University business?
- Should I respond to students who contact me from a Gmail/Hotmail or other account?
- Can I access the e-mail of a faculty or staff member who is on vacation/extended leave/no longer with the University?
- I'd like to encrypt/password protect my E-mail. How can I do this?
- Does the University read my E-mail?
- Can I access my UWO E-mail upon leaving the university?
- Who do I contact if I have concerns about how Western is dealing with access to information or privacy protection?
- How do I remove myself from alumni-related mailings? How do I specify the types of alumni-related mailings I would like to receive?
Access to University Records
A record is any information however recorded, whether in printed form, on film, by electronic means or otherwise. The Freedom of Information and Protection of Privacy Act provides a more detailed definition [Section 2 - Definitions].
The University of Western Ontario routinely provides information to the public through its administrative and academic units, its Department of Communications & Public Affairs, and its web site, http://www.uwo.ca.
You may also request access to University records pursuant to the access procedures set out under the Freedom of Information and Protection of Privacy Act (FIPPA).
FIPPA does not replace existing procedures for accessing University records that would normally be made available to the public or to an individual upon request. You may use existing procedures to request access to University records. If the records you seek are not provided under existing procedures, you may make a formal request for access under FIPPA.
Personal information is factual or subjective information about an identifiable individual. It includes, but is not limited to such basic details as name, address, gender, age and marital status, as well as health information, education and employment history, and financial data. It also includes opinions about an individual (e.g. letters of reference). For a full definition of this term, see [FIPPA Section 2 - Definitions].
Business contact information, including the name, title, and business address or telephone number of an employee of an organization, is not considered personal information. In addition, unless a student requests otherwise, Western considers certain information about current and former students, such as name, any degrees awarded by Western, major field of study, and academic or other honors or distinctions received, as public.
A Personal Information Bank is a collection of personal information that is organized and capable of being retrieved by an individual’s name or other individual identifier, such as a student number or employee number. PIBs can consist of electronic files, paper files or a combination of both.
There are a number of generally accepted privacy protection principles that apply to the collection, use and disclosure of personal information. The most important of these involves providing notice: explaining why personal information is being collected, how it will be used and to whom it will be disclosed. These principles are effectively articulated in the “Model Code for the Protection of Personal Information” developed by the Canadian Standards Association. This “Model Code” forms the basis of both federal and provincial legislation.
Western strives to collect only the specific personal information that is required to carry out its academic mandate and perform related administrative functions. Once collected, access to this personal information is restricted to those who need it in order to fulfill the purpose(s) for which it was intended. Various safeguards are also put in place to ensure that the information is protected from improper use, disclosure or destruction.
The University will share information across units as needed for its operations, and individual faculty and staff will be given the personal information they require to fulfill their academic and administrative responsibilities.
As a general rule, if a particular department has had a long-standing practice of sharing information with another unit as part of the department’s normal course of operations, it is most likely that such sharing is appropriate. However, if there are concerns about sharing the information, Western’s Information and Privacy Coordinator will review those practices with the relevant units to ensure that they are compliant with current legal requirements or University policies.
In cases where an out-of-the-ordinary request for personal information is received from a faculty or staff member, it is recommended that the information not be released without consulting the relevant supervisor or unit head. Western's Information and Privacy Coordinator should be consulted if there are questions about whether release of the information is permitted under University policies or relevant privacy legislation.
In addition, there are two instances where additional steps are needed before information is shared:
- if an individual had been specifically informed that his/her personal information will be used only for one purpose, or he or she directed that it be used for one purpose, but now another unit is requesting the information for an entirely different purpose; or
- if at the time the individual provided the information he or she would reasonably have assumed that it would be used for a particular purpose(s), but now another unit is requesting the information for a purpose that is not reasonably related to the original purpose.
Contact Western's Information and Privacy Office if you would like advice in these circumstances.
Finally, it is important to keep in mind that there are several Senate or Board regulations or policies that limit or prohibit the sharing of certain categories of personal information within the University. For example, Senate regulations limit the sharing of information in students’ academic records and academic offence records. Supervisors should ensure that relevant staff are made aware of those regulations or policies. Staff who have questions about their application should consult their supervisor or unit head.
Federal and Provincial Freedom of Information and Privacy Legislation
Western is currently subject to the Freedom of Information and Protection of Privacy Act (FIPPA) and its health information custodians have responsibilities under the Personal Health Information Protection Act (PHIPA). The University takes steps to protect the privacy of personal information in accordance with these Acts.
FIPPA came into force in Ontario in 1988, and was extended to Ontario universities effective June 10, 2006. FIPPA provides a general right of access to university records through a formal request procedure, subject to certain limited and specific exemptions. It also requires universities to protect the privacy of university-held personal information, and includes rules for collection, use, disclosure, retention and disposal of personal information. The Act also requires universities to produce a "Directory of Records", an inventory of records held by institutions including General Records and Personal Information Banks (PIBs).
PHIPA came into force on November 1, 2004 as Ontario’s health-specific privacy legislation. This Act governs the manner in which personal health information may be collected, used and disclosed within the health care system. It also regulates individuals and organizations that receive personal information from health care professionals. For further information on how PHIPA applies at Western, please contact the Information and Privacy Office.
The federal Access to Information Act and the Privacy Act do not apply to Western; these Acts apply only to federal government institutions.
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) may apply to some activities on university campuses.
PIPEDA focuses on access to, use, and dissemination of personal information in relation to commercial activities. Since most activities associated with universities are considered to be educational, rather than commercial, its impact on universities is minimal.
FIPPA applies to e-mails. They are considered records under the Act and are subject to the same provisions, exemptions and exclusions as any other type of record. As long as the information in the e-mail does not fall into one of the exclusions outlined in the Act, this means that:
- e-mails containing personal information (e.g., academic information, medical information, SIN, financial information, home address, etc.) must be protected and dealt with in accordance with FIPPA
- e-mails are subject to access requests under FIPPA.
With respect to access requests, it is important to remember that when Western’s Information and Privacy Office has issued notice of an access request, existing e-mail records related to that request must not be deleted.
If the content of an e-mail falls within a particular exclusion (e.g., employment-related, research-related, or teaching materials) the access and privacy provisions in FIPPA will not apply. However, there are various University policies that may apply, including: Policy 1.23, The University of Western Ontario Guidelines on Access to Information and Protection of Privacy, Policy 1.30, University Records and Archives Policy, and 1.13 Computing, Technology & Information Resources, and faculty and staff should be aware of the requirements under these policies.
As with any other type of record, it depends on the nature of the information contained in the message. If the e-mail contains personal information, FIPPA requires that the information be retained for at least one year after its last use by the University unless the individual to whom the information relates agrees to a shorter period.
The key point is that the personal information must have been used (i.e., acted upon or used to make a decision or evaluation), not just received. Also, the focus is on the personal information, not the e-mail. As long as personal information that has been used is retained somewhere for one year (e.g., copied to a network drive, printed and filed, etc), the e-mail itself need not be kept.
FIPPA does not specify the maximum length that records containing personal information should be kept. FIPPA also does not specify any retention periods (minimum or maximum) for records that do not contain personal information. Decisions on how long to keep e-mails, as with any other record, should reflect the importance of the information contained in the message and the activity or function it supports, and should be in accordance with relevant University retention schedules. Contact Western Records Management services for more information.
Treat the information with the same care that you would a paper record to ensure that the information is not accessible to anyone who should not see it. In some cases, it may be preferable to create a paper record by printing the e-mail, then delete the electronic version.
What should I do if I receive an e-mail with personal information not intended for me or personal information that I do not need to receive?
Delete it and immediately empty the trash. A good practice would be to let the sender know (by phone or by “reply”, not “reply all”) that you received the e-mail containing personal information that you did not need or want and that you disposed of it securely.
E-mail is an inherently insecure medium and is best viewed as no more confidential than post cards. Human error is most often the cause of privacy breaches involving E-mail (for example, sending materials to the wrong recipients or attaching material inadvertently to an e-mail). If the information is particularly sensitive (e.g. financial information relating to a student account, medical information relating to a student appeal), consider whether other means of providing the information can be used.
However, if e-mail transmission is necessary, there are ways to protect privacy:
- Limit the amount of personally identifiable information to only that which is necessary
- Limit the distribution of your e-mail to only those recipients who need to know
- Ensure that the e-mail has been addressed correctly
- Carefully review the documentation you are attaching to ensure that you are only
including necessary information
- Consider encrypting the e-mail or password protecting attachments (contact WTS, your local IT support group, or see this page for details).
There are no rules in FIPPA that specifically prohibit the inclusion of student names and identification numbers in an e-mail. However, FIPPA does stipulate that only those employees who need an individual's personal information should have access to it, and that the University must take reasonable measures to prevent unauthorized access to its records.
In light of those two requirements it is important to determine if there is need to convey both names and student numbers and that e-mail is the only practicable way to do so. If it is concluded that there is such a need, then use of e-mail is acceptable, provided that steps are taken to ensure that the message is sent to the correct addressee(s) and that added security measures are considered in light of the additional personal information that may be contained in a particular message. Such security measures include password protected attachments and encrypted messages and/or attachments.
It is recommended that all staff find out if their Faculty/Unit has any local restrictions on what categories of personal information can be included in e-mail or any rules about what security measures have to be used when sending such information via e-mail. In the absence of specific rules or restrictions, before deciding to send an e-mail containing student names and identification numbers it is recommended that direction be sought from a supervisor or unit head.
The Western e-mail address is not considered personal information. In the case of faculty and staff, it is considered business information. In the case of students, the University considers the UWO e-mail address as the official means of communication and publicly viewable, although students may request not to be listed with their name and e-mail address together in the student directory.
When students need to participate with other students in their class via e-mail or OWL in order to fulfill course requirements, they should expect to share contact information.
When communicating with large groups through e-mail, there are ways of concealing the list of e-mail addresses (such as an entire class). Contact WTS or your local IT support group for information.
The University provides e-mail accounts to all faculty, staff and students to be used in conjunction with their duties or activities at the University. This centrally administered e-mail account is considered your official University e-mail address and is the address the University will use in communicating with you. The University’s e-mail policy does not prevent you from using another provider, including forwarding your UWO e-mail account to another account. However, you should be aware of the following concerns:
- The non-UWO service may not be as secure
- Servers located in foreign jurisdictions are subject to the laws of those jurisdictions
- The e-mail may be viewed, modified or otherwise compromised in transit to the non-UWO server.
It is recommended that at the beginning of a course, students be reminded to use their UWO accounts. If a student corresponds by e-mail from another service provider, you can advise the student that you will send responses only to the UWO address. Use your judgment whether to reply to the non-UWO account or whether to advise the student to use the Western address when corresponding with you. Factors to consider include:
- Whether you are satisfied as to the student’s identity (i.e., the writer is who he or she claims to be)
- Whether you would prefer to maximize the integrity of the record of the correspondence by having it contained fully within the UWO system.
Can I access the e-mail of a faculty or staff member who is on vacation/extended leave/no longer with the University?
Although it is not generally permitted, such e-mail access may be granted in very limited cases. Contact the ITS CISO (firstname.lastname@example.org) for details.
Faculty or staff members who require regular shared accessibility may wish to consider:
- Using shared drives
- Using shared e-mail folders
- Creating an e-mail address specific to a function rather than an individual faculty/staff member.
Contact WTS or your local IT support group for details.
The University does not monitor individual e-mail accounts. However, centrally-administered e-mail accounts provided on University servers are institutional property and the University reserves the right to access e-mail records in accordance with 1.13 Computing, Technology & Information Resources.
You may be able to access your e-mail for a limited period of time after you leave the University but this would depend on a number of factors. Contact WTS, your local IT support group, or see this page for details, https://wts.uwo.ca/helpdesk/index.html.
Who do I contact if I have concerns about how Western is dealing with access to information or privacy protection?
To discuss general concerns about access to information, privacy protection or specific incidents, please contact the Information & Privacy Office at email@example.com.
How do I remove myself from alumni-related mailings? How do I specify the types of alumni-related mailings I would like to receive?
To update your preferences with respect to Alumni Western, Advancement Services' contact information is available at: www.advser.uwo.ca/PrivacyStatement.htm.