Information Security Reminder
Notice to McGill Community
All academic, administrative, and support staff with access to student information are reminded of their obligations under Quebec and Canadian law and under University policy with regard to maintaining the confidentiality of student information.
Legislation and Policy:
The University is governed by An Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information ("Access Act"), which protects the confidentiality of personal information and generally declares confidential the records, documents, and information concerning staff and students. (Last updated on April 1, 2022.)
Under the Act, All persons involved in Processing Personal Information for a University purpose must protect the Personal Information and must respect these six (6) principles:
- Personal information must be Processed fairly, lawfully and in a transparent manner;
- Personal Information must only be used for limited, specified stated purposes; and shall not be used or disclosed in any way incompatible with such purposes;
- Personal Information must be relevant and limited to what is necessary;
- Personal Information must be accurate, and where necessary, up-to-date;
- Personal Information must not be kept for longer than is necessary; and
- Personal Information must be kept safe and secure.
Users of all McGill systems are also bound by the "Policy on the Responsible Use of McGill Information Technology Resources", and the “Secure Use of McGill Administrative Systems Directive”, which specifically highlights the protections required when working from home, and other related IT use policies.
What information is confidential?
Under the Access Act, any information in any document concerning a natural person which allows the person to be identified is personal information and is confidential.
All elements of a student’s record are confidential. These include, for example:
- student identification number,
- permanent code,
- citizenship information,
- social insurance number,
- birth date,
- immigration information,
- photographs for McGill student identification, and
- academic data such as degree obtained, course registration, grades, grade point average, etc.
- Documents that are stored in the imaging systems normally contain personal, therefore confidential, information.
Access to student information:
Student information is confidential and should only be accessed in support of legitimate McGill business processes or with the explicit permission of the student. Having access to data does not mean you should view it or change it.
- Teaching staff and professors may not look up the advising transcript of a student to see how the student is doing in other classes.
- Staff who have administrative rights to student records and are taking courses or are former students, may not use those rights to modify or update their own records.
- Changing one's own record is a clear offense (and could lead to disciplinary measures).
- Students may not participate on admission selection committees or academic progression meetings, as it would give them inappropriate access to academic and other personal information regarding their peers.
- It is not good practice to allow students who are employed as a work-study or casual to access student information.
Handling of student information:
Student information, including grades, marked examinations, etc. should never be posted or shared in any public forum (via the Web, on office doors, in classrooms, or otherwise).
- E-mails containing confidential data must be handled with the greatest care, as email notes can be easily misdirected or forwarded to unintended recipients.
- Confidential data must not be saved on local or removable drives, including USB keys. This includes Minerva reports, ad-hoc requests, data from the Web query form, lists generated from the data warehouse, lists from uApply, Banner, or Minerva forms, documents stored on imaging systems, student photographs, etc.
- If it is necessary to store or download data, secure IT Services servers intended for this purpose must always be used.
- Documents containing student information, such as reports, transcripts, advising materials, etc. must be kept out of public sight and put away in locked cabinets at the end of the workday.
- Only designated University offices, such as Enrolment Services, may transmit official student information to bodies or agencies outside of the University.
- Unless you work in an authorized office such as Enrolment Services, you may not confirm that a student is registered at McGill or has graduated from McGill. This confirmation may not occur without the student’s permission.
- Exceptionally, Enrolment Services and a small number of other designated University offices may be required by law to release such information, even without a student’s permission. For example, the courts occasionally subpoena the Registrar to obtain student information.
Alternatives for posting grades:
We would like to draw your attention to alternatives for posting students’ grades. The grade book in myCourses may be used to communicate grades on assignments, examinations, and courses in a timely manner. Note that when final grades are uploaded into Minerva (Banner), they become visible to individual students online through Minerva.
Please follow these additional requirements when accessing databases or student information:
- Do not share or communicate your user credentials, including passwords, for any system (Banner, Minerva, data warehouse, email, etc.).
- Change your passwords for these systems regularly.
- If you no longer require access to certain student information, you or your supervisor should request that the relevant permissions be withdrawn.
- Validate the identity of individuals who claim to be students before discussing their own McGill student records with them.
If you become aware of unsafe practices or system vulnerabilities, notify your department or faculty security delegate immediately.
If you have any questions or concerns, please contact Enrolment Services or send an e-mail to sis-security [at] mcgill.ca.
University Registrar and Executive Director