Managing Student Information: Best Practices for Faculty

What is FIPPA

Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) applies to Ontario Colleges. FIPPA defines what is considered personal information, establishes standards for handling personal information, and prescribes how personal information can be used to accomplish College academic, pedagogical and operational activities.

In general, FIPPA’s requirements with respect to personal information include:

• Collecting only the personal information you need to perform your duties;
• informing students about the collection and what you intend to do with their personal information;
• only using personal information for the purpose(s) for which it was collected, or a consistent purpose;
• not disclosing personal information other than to the individual to whom it relates (except in limited circumstances as specified in FIPPA); and
• taking appropriate steps to protect the confidentiality of personal information in our custody and control.

What Student Information is Included in FIPPA?

Under FIPPA, personal information is recorded information about an identifiable individual and includes but is not limited to:

• Ethnic origin, race, religion, age, sex, sexual orientation, marital or family status;
• information regarding education (including an individual’s grades), financial employment, medical, psychiatric, psychological or criminal history;
• identifying numbers, such as Social Insurance Number or student number;
• home address, telephone number or personal email address;
• personal opinions of, or about, an individual (including faculty member’s evaluative comments on a student’s work);
• correspondence sent to the institution by an individual that is of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence;
• the views or opinions of another individual about the individual; and
• the individual’s name where it appears with or reveals other personal information.

Policies at Durham College

This resource has been developed to provide faculty with some guidance regarding how to manage Student Information during faculty/student interactions within the course of conducting College business in all delivery modes.

It should be read in the context of the following College Policies and Procedures:

• ADMIN 206: Acceptable Use of Information Technology
• ADMIN 222: Access to Records and Protection of Privacy
• ADMIN 242: Information Management
• ADMIN 276: Information Security
• ADMIN 279: Student Data Governance
• ACAD 129: Learning Management System Course Retention

Best Practices in Managing Student Information

Use Durham College Email and/or Chat Account

Faculty are to use their Durham College email account when communicating with students and should only communicate with students via their student DC Mail account.

Email is a useful method for communicating with students about course-related information. However, please remember that Durham College owns the emails contained in your Durham College email account and can access them at any time. If email or chat messages relate to the operation or administration of the College, they may be subject to access to information requests (and may be disclosed) under FIPPA. The following best practices should be observed:

• Be aware that email messages sent to non-Durham College email accounts are not secure for transmitting personal, sensitive or confidential information.
• Maintain a professional tone in email and chat communications – email and/or chat communications may be forwarded to or retained by others, or inadvertently transmitted to unauthorized recipients, and could be requested under FIPPA;
• Always be cautious about including others’ personal information in email and/or chat messages; and
• Unless encrypted, email and chat are not recommended for transmitting highly sensitive or confidential personal information (such as educational history, and financial information). However, secure methods for transmitting sensitive information, such as large files, are available, if required, faculty are encouraged to securely share files containing personal information using Microsoft OneDrive, or contact ITS service desk for additional DC-approved secure-transfer tools.

As per policy ADMIN-206 Acceptable Use of Information Technology Item 4.4: Employees are expected to store their College email and chat communication only on College-assigned devices and/or computers. Faculty who do not have a DC-issued device can manage their College email using a browser on their personal device by going to https://email.durhamcollege.ca. By using this to access email, you are ensuring that College records are not stored on your personal device and are backed up as per institutional requirements. Do not use personal email accounts or chat tools to communicate with students.

The full use of email and chat communication retention can be found in the Information Management Policy and Procedure (ADMIN 242).

Use Durham College Approved Technology

Durham College Information Technology Services (ITS) and Department leadership conduct thorough reviews of data, privacy and security when acquiring technology for the institution. The Acceptable Use of Information Technology policy (ADMIN 206) highlights that users, such as faculty, cannot store confidential information in cloud services not approved by the college. According to item 4.5, When employees store data in cloud-based services, confidential information shall only be stored in cloud services approved by the college. The cloud services approved for teaching and learning purposes will be listed on CTL’s Educational Technology webpage, and all the other approved cloud services will be listed on IT Services’ ICE pages. For example, a classroom recording (in compliance with the Recording of Learning Activities policy, ACAD 128) should be stored on a college-approved cloud service, such as Microsoft Stream. Not only does this ensure the privacy and security of faculty and student data, but it also ensures that faculty can receive support from the institution (ITS and CTL).

Examples of College-Approved Technology:

1. DC Connect is Durham College’s Learning Management System. This is a tool that is used to manage course-specific announcements, course outlines, course content, assignments, rubrics and feedback, grades and other class materials. Durham College’s Learning Management System Usage policy (ACAD 118) outlines the use of DC Connect for consistent and effective teaching and learning, and academic communications, such as making announcements to broadcast relevant class information and input grades. Not only does using DC Connect align with policy, but its use also ensures faculty are compliant with FIPPA as grades and student feedback are tracked to the correct individual. For further information about how to utilize DC Connect please visit DC Connect Support.
2. Microsoft Office 365 provides access to cloud-based applications and storage for faculty, staff, and students. Microsoft Office 365 includes tools such as Word, Excel, PowerPoint, OneDrive, Teams, Planner, Stream and OneNote. Faculty are to avoid using non-Microsoft products for Durham College work.
   • Microsoft OneDrive allows for online document collaboration and provides one terabyte of secure storage (see Microsoft OneDrive resource). With Microsoft OneDrive faculty can restrict access to specific individuals, or anyone within our ITS ecosystem.
   • Microsoft Stream allows faculty to record and share video files securely with DC students (see Microsoft Stream resource).
   • Instruction will cover how to use the applications as well as tips and tricks for incorporating Office 365 into teaching. For more information on how to access Office 365, view the Accessing Office 365 Guide. For additional tips and resources, see Microsoft Office 365 Tools.

Collecting, Sharing, Storing and Retaining Student Information

Information Management - Retention of Records

If faculty collect student information, it must be stored and retained in a secure manner that aligns with Durham College Information Management Policy (ADMIN 242), and retained according to the Durham College Common Records Retention Schedule.

Privacy Breach Protocol

Please refer to Access to Records and Protection of Privacy Policy and Procedure (ADMIN-222) item 5.12 Privacy Breach Protocol. This protocol applies to all personal information held by the institution, regardless if the record is covered by FIPPA or PHIPPA. For details on Privacy Breach Protocol, please visit the Records Management page on ICE.

Students Questions About FIPPA

If students have questions about FIPPA, the following public resources are available:

• FIPPA and Its Application to Durham College
• Records and Information Management
• How to Access Records
• Student Data Governance

This information was developed to support good practices and procedures for frequently asked questions and should not be considered to be comprehensive. Questions? Contact Freedom of Information and Protection of Privacy Coordinator by telephone 905.721.2000 ext. 3292 or email infoandprivacy@durhamcollege.ca