Information Security Reminder

Information Security Reminder

Notice to McGill Community

Information Security Reminder
September 2020


I would like to take this opportunity to remind all staff with access to student information of their obligations under Quebec and Canadian laws and under University’s policies with regard to maintaining the confidentiality of student information.

Legislation and Policy:

The University is governed by An Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information ("Access Act"), which protects the confidentiality of personal information and generally declares confidential the records, documents and information concerning staff and students. (Last updated on June 1st, 2020.)

Users agree to respect and enforce such confidentiality and not to use information without authorization, the consent of the person to whom the information relates, or to subvert any information to which they have access during the performance of their assigned duties at McGill.

Users of all McGill systems are also bound by the "Policy on the Responsible Use of McGill Information Technology Resources" and other related IT use policies.

What information is confidential?

Under the Access Act any information in any document concerning a natural person which allows the person to be identified is personal information and is confidential.

All elements of a student’s record are confidential. These include, for example:

  • name,

  • student identification number,

  • permanent code,

  • address data,

  • citizenship information,

  • social insurance number,

  • birth date,

  • immigration information,

  • photographs for McGill student identification, and

  • academic data such as degree obtained, course registration, grades, grade point average, etc.

  • Documents that are stored in the imaging systems normally contain personal, hence confidential, information.

 Access to student information:

Student information is confidential and should only be accessed in support of legitimate McGill business processes or with the explicit permission of the student. Having access to data does not mean you should view it or change it.

For example:

  • Teaching staff and professors may not look up the advising transcript of a student to see how the student is doing in other classes.

  • Staff who have administrative rights to student records and are taking courses or are former students, may not use those rights to modify or update their own records.

  • Changing one's own record is a clear offense (and could lead to disciplinary measures).

  • Students may not participate on admission selection committees or academic progression meetings, as it would give them inappropriate access to academic and other personal information regarding their peers.

  • It is not good practice to allow students who are employed as a work study or casual to access student information. 

Handling of student information:

Student information, including grades, marked examinations, etc. should never be posted or shared in any public forum (via the Web, on office doors, in classrooms, or otherwise).

  • E-mails containing confidential data must be handled with the greatest care, as email notes can be easily misdirected or forwarded to unintended recipients.

  • Confidential data must not be saved on local or removable drives, including USB keys. This includes Minerva reports, ad-hoc requests, data from the Web query form, lists generated from the data warehouse, lists from uApply, Banner or Minerva forms, documents stored on the imaging systems, student photographs, etc.

  • If it is necessary to store or download data, secure IT Services’ servers intended for this purpose must always be used.

  • Documents containing student information, such as reports, transcripts, advising materials, etc must be kept out of public sight and put away in locked cabinets at the end of the workday.

  • Only designated University offices, such as Enrolment Services, may transmit official student information to bodies or agencies outside of the University.

  • Unless you work in an authorized office such as Enrolment Services, you may not confirm that a student is registered at McGill or has graduated from McGill. This confirmation may not occur without the student’s permission.

  • Exceptionally, Enrolment Services and a small number of other designated University offices may be required by law to release such information, even without a student’s permission. For example, the courts occasionally subpoena the Registrar to obtain student information.

Alternatives for posting grades:

We would like to draw your attention to alternatives for posting students’ grades. The grade book in myCourses may be used to communicate grades on assignments, examinations and courses in a timely manner. Note that when final grades are uploaded into Minerva (Banner), they become visible to individual students online through Minerva.

Access policies:

Please follow these additional requirements when accessing databases or student information:

  • Do not share or communicate your user credentials including passwords for any system (Banner, Minerva, data warehouse, email, etc.).

  • Change your passwords for these systems regularly.

  • If you no longer require access to certain student information, you and your supervisor should request that the relevant permissions be withdrawn.

  • Validate the identity of individuals who claim to be students before discussing their own McGill student record with them. 

If you become aware of unsafe practices or system vulnerabilities, notify your department or faculty security delegate immediately.

If you have any questions or concerns, please contact Enrolment Services or send an e-mail to sis-security [at]

Thank you,

Gillian Nycum
University Registrar and Executive Director
Enrolment Services
McGill University


Back to top