Working outside the university
These guidelines are indented to provide employees with good practices relating to the protection of records, whether paper or electronic, containing personal information (“Records”) when working outside the University. These guidelines could also be applied to records that may not contain personal information but are confidential and contain proprietary information.
The University is subject to the Freedom of Information and Protection of Privacy Act ("FIPPA") of Ontario. Consequently, all employees must comply with FIPPA whether working in their University workplace or outside University premises.
One of the purposes of FIPPA is to protect personal information maintained by the University. Personal information is defined in FIPPA as recorded information about an identifiable individual (see section 2 of FIPPA for the complete definition).
Considerations before taking Records away from the workplace or before remote access
First consider whether it is a necessary part of your job to take the Records away from your workplace or to access the Records remotely to do your job. If you need to carry records with you when travelling or if you need to take them home or access them remotely to do work, you should speak to your immediate manager or supervisor in advance. The manager/supervisor should evaluate if the personal information is necessary to be removed from the office for the performance of the employee's duties and discuss with the employee the conditions under which the Records will be removed or accessed remotely with a view to reducing risks of unauthorized access to the Records.
The manager/supervisor should have a description of the Records that the employee intends to take with him/her and if at all possible, the employee should avoid taking the original version of the Records.
Safeguarding the Records if they are taken away from the workplace or when working remotely
Employees must ensure that:
- Records stored on a USB, CD or in a laptop or other portable electronic device should remain under their control and not left unattended
- They avoid opening or viewing Records in a venue where the Records or the display panel of their portable electronic device may be seen by unauthorized individuals and avoid discussing them where they can be overheard;
- Records or the portable electronic device should be stored in a secure location at all times when they are not being used (e.g. in a locked car, drawer or safe in a hotel room);
- Electronic Records should be stored and encrypted on a password-protected USB, CD or laptop or other portable electronic device;
- Passwords are not easy to guess and are kept confidential
- If using a personal electronic devices such as a your home computer or your personal Smartphone used for viewing personal information must contain proper antivirus application (i.e. Computing and Communications Services may be contacted to assist employees with ensuring that the proper security are in place on their devices);
- They do not share the wireless devices that are used for work purposes with other individuals such as friends and family;
- They are cautious when using cell phones and avoid discussing personal information as they can be easily overheard or intercepted by those around them;
- Turn off automatic network connection from their wireless devices and only connect to trusted and secure connections (i.e. hotel, restaurants, coffee shops, etc. may not provide adequate security);
- Bluetooth devices are disconnected when not in use.
- If the copy of the records is no longer needed, ensure that it is securely destroyed (shredded) and that all copies of the information on a USB key or other electronic portable device have been deleted from the device's cache.
- The primary copy of the Record should not be stored at home or away from the University workplace and the primary copy of the Record should be updated as soon as possible with copies of any work done while away.
The list above is not meant to be a complete list but is meant to establish basic measures that an employee must take to protect the Records.
Reporting Lost, Theft or Inadvertent Disclosure of Personal Information
The lost, theft or inadvertent disclosure of the Records should be reported to the immediate manager/supervisor of the employee as well as to the University's Director, Compliance, Access to Information and Privacy and the University's Protection Services.
Tel. : 613-562-5499