Quick Links

Information Security Reminder

Information Security Reminder

Notice to McGill Community

Information Security Reminder
February 5, 2015

Introduction:

I would like to take this opportunity to remind all staff with access to student information about their obligations under Quebec and Canadian laws and under the University’s policies with regard to maintaining the confidentiality of student information.

Legislation and Policy:

The University is governed by the An Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information ("Access Act"), which protects the confidentiality of personal information and generally declares confidential the records, documents and information concerning staff and students

Users agree to respect and enforce such confidentiality and not to use information without authorization, the consent of the person to whom the information relates, or to subvert any information to which they have access during the performance of their assigned duties at McGill.

Users of all McGill systems are also bound by the "Policy on the Responsible Use of McGill Information Technology Resources" which is available here: www.mcgill.ca/files/secretariat/Responsible-Use-of-McGill-IT-Policy-on-the.pdf.

What information is confidential?

Under the Access Act any information in any document concerning a natural person which allows the person to be identified is personal information and is confidential.

All elements of a student’s record are confidential. These include, for example:

  • name,

  • student identification number,

  • permanent code,

  • address data,

  • citizenship information,

  • social insurance number,

  • birth date,

  • immigration information,

  • photographs for McGill student identification, and

  • academic data such as degree obtained, course registration, grades, grade point average, etc.

  • Documents that are stored in the imaging systems normally contain personal, hence confidential, information.

 Access to student information:

Student information is confidential and should only be accessed in support of legitimate McGill business processes or with the explicit permission of the student. Having access to data does not mean you should view it or change it. For example:

  • You are not allowed to look up the advising transcript of a student in your class because you are curious to see how well the student is doing in other classes.

  • Individuals who may have administrative rights to student records should never use those rights to access their own records.

  • Changing your own record is a clear offence.  

  • Students may not participate on admission selection committees or academic progression meetings, as it would give them inappropriate access to academic and other personal information regarding their peers.

Handling of student information:

Student information, including grades, marked examinations, etc. should never be posted or shared in any public forum (via the Web, on office doors, in classrooms, or otherwise).

  • E-mails containing confidential data should be used only with the greatest care, as email notes can be easily misdirected or forwarded to unintended recipients.

  • Confidential data should never be saved on local or removable drives, including USB keys. This includes Minerva reports, ad-hoc requests, data from the Web query form, lists generated from the data warehouse, lists from uApply, Banner or Minerva forms, documents stored on the imaging systems, student photographs, etc.

  • If it is necessary to store or download data, secure IT Services’ servers intended for this purpose should always be used.

  • Documents containing student information, such as reports, transcripts, advising materials, etc must be out of public sight and put away in closed cabinets at the end of the workday.

  • Only designated University offices, such as Enrolment Services, are permitted to transmit student information to bodies or agencies outside of the University.

  • Unless you work in one of the authorized offices such as Enrolment Services, you may not confirm that a student is registered at McGill or has graduated from McGill. This confirmation may not occur without the student’s permission.

  • Exceptionally, Enrolment Services and a small number of other designated University offices may be required by law to release such information, even without a student’s permission. For example, the courts occasionally subpoena the Registrar to obtain student information.

Alternatives for posting grades:

We would like to draw your attention to alternatives for posting students’ grades. The grade book in myCourses can be used to communicate grades on assignments, examinations and for the course in a timely manner. In addition, when final grades are uploaded into Minerva (Banner), they become visible to the individual students online through Minerva.

Access policies:

Please follow these additional requirements when accessing databases or student information:

  • Do not share or communicate your user credentials including passwords for any system (Banner, Minerva, data warehouse, email, etc.).

  • Change your passwords for these systems regularly.

  • If you no longer need access to certain student information, you and your supervisor should ask for the relevant permissions to be withdrawn.

  • Validate the identity of individuals who claim to be students before discussing their own McGill student record with them. 

If you become aware of unsafe practices or system vulnerabilities, you should notify your department or faculty security delegate immediately.

If you have any questions or concerns, please contact Enrolment Services or send an e-mail to sis-security [at] mcgill [dot] ca.

Thank you,

Kathleen Massey
University Registrar and Executive Director
Enrolment Services
McGill University