Notice to McGill Community
Information Security Reminder
September 17, 2012
I would like to take this opportunity to remind all academic, administrative and support staff who have access to student information about their obligations under Quebec and Canadian laws and under the University’s policies with regard to maintaining the confidentiality of student information.
The University is governed by the An Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information ("Access Act") which generally declares confidential the records, documents and information concerning staff and students. Users agree to respect and enforce such confidentiality and not to use information without authorization or to subvert any information to which they have access during the performance of their assigned duties at McGill.
Users of all McGill systems are also bound by the "Policy on the Responsible Use of McGill Information Technology Resources" which is available here: www.mcgill.ca/files/secretariat/Responsible-Use-of-McGill-IT-Policy-on-the.pdf.
What data elements are confidential?
All of a student’s record is confidential. This includes personal information such as name, student identification number, permanent code, address data, citizenship information, social insurance number, birth date, immigration information, as well as academic data such as degree obtained, course registration, grades, grade point average, etc. Documents that are stored in the imaging systems normally contain personal, hence confidential, information.
Access to student data:
Student data are confidential and should only be accessed in support of legitimate business processes or with the explicit permission of the student. For example: you are not allowed to look up the advising transcript of a student in your class because you are curious to see how well she or he is doing in other classes. Users who may have administrative rights to student records should never use those rights to access their own records. Changing your own record is a clear offence.
Handling of student data:
Student data, including grades, marked examinations, etc. should never be posted or shared in any public forum (via the Web, on office doors, in classrooms, or otherwise).
E-mail containing confidential data should be used only with the greatest care, as it can be easily misdirected or forwarded to unintended recipients. In general, e-mail that is sent between McGill users on the McGill Exchange server is secure as the e-mail never leaves the server. In general, e-mails sent to or from other mail servers are considered vulnerable. Confidential data should never be stored on local hard drives of personal computers. This includes Minerva reports, ad-hoc requests, data from the Web query form, lists generated from the data warehouse, lists from Banner or Minerva forms, documents stored on the imaging system, etc. If it is necessary to store or download data, secure central servers (such as those housed at Network Communication Systems - NCS) should always be used. Only designated University offices are permitted to transmit student data to bodies or agencies outside of the University. For example: unless you are one of the authorized offices, you may not confirm that a student is registered at McGill without the student’s explicit permission. You may not provide any lists or reports containing any student data to outside agencies.
Alternatives for posting grades:
We would like to draw your attention to alternatives for posting students’ grades. The grade book in myCourses can be used to communicate grades on assignments and examinations and for the course in a timely manner. In addition, when final grades are uploaded into Minerva (Banner), they become visible to students online through Minerva.
Users should never share their Userids or passwords for any system (Banner, Minerva, data warehouse, etc.). If you no longer need access to certain student data, you should ask for the relevant permissions to be withdrawn. If you become aware of particular unsafe practices or system vulnerabilities, you should notify your department or faculty security delegate.
If you have any questions or concerns, please contact Enrolment Services or send an e-mail to sis-security [at] mcgill [dot] ca.
University Registrar and Executive Director