Knowledgebase: IT Security
Privacy, Confidentiality, Security and IT
Updated: 16 April 2018 11:30 AM

Your privacy and confidentiality are extremely important to us in IT Services. We work hard to put services in place that align with relevant privacy, security and accessibility legislation at the Provincial and Federal levels, and OCAD U's Academic and Non-Academic Policies. OCAD IT Services strives to protect the privacy of system users, and will respect the privacy of correspondence between individuals and will not engage in unwarranted inspection of user account emails, files or other communication.

Relevant Policies

In general, these policies and agreements govern our practices in IT Services:

  • OCAD U Academic and Non-Academic Policies
  • Provincial and Federal Legislation
    • FIPPA (Freedom of Information and Privacy Protection Act)
    • AODA (Accessibility for Ontarians with Disabilities Act) 
    • Personal Health Information Protection Act
  • Vendor
    • Contracts
    • Privacy Policies
    • License agreements
    • Terms of Use

Who has access to my data?

  • You
  • Anyone you share data with by sending copies of files, or to whom you provide delegate access, intentionally or otherwise
  • Authorized IT Services System Administrators
  • Authorized Service Provider System Administrators
  • Anyone who gains unlawful physical or electronic access to your data via compromised accounts, weak passwords, transmitting or storing data using unencrypted means, physical access or otherwise

Are IT Staff bound by confidentiality agreements?

Yes, all IT Services staff sign and are bound by Confidentiality Agreements as part of their employment at OCAD U. These agreements include language restricting the relaying of confidential data to anyone not directly related to the work being performed, except as required by law. Staff not adhering to this policy are subject to discipline that may include dismissal or legal action.

Under what circumstances does someone in IT Services access my data?

OCAD IT Services strives to protect the privacy of system users, and will respect the privacy of correspondence between individuals and will not engage in unwarranted inspection of user account emails, files or other communication.

The University may examine, interrupt, or monitor email, files or other communication in the following circumstances:

  • To diagnose and troubleshoot issues
  • In response to a suspected violation of an OCAD U or vendor Acceptable Use Policy
  • In response to a FIPPA or FOI request

How private and confidential is my email, file shares and other communications?

Users should be aware that email or other communications sent and received, or files shared with others, cannot be considered wholly private or confidential given the limitations of technology, relevant policy, and user error.

Files: on cloud service

  • Files stored with a cloud service that we have negotiated contracts with are encrypted in transit and at rest.

Laptops and Desktops

  • Laptops and desktops that OCAD U owns or manages have full disk encryption. However, when the machine is logged in, the files are live and accessible.

Removable Media: USB keys and hard drives

  • In general, removable media such as USB keys and hard drives are not encrypted, and should not be used, or should be used only with extreme caution.

 

Email

Users often believe that their email is private and confidential because no other end users have access to their account and because the content itself is private and confidential in nature. This is simply not true.

For example:

  • Emails sent between @ocadu.ca users are encrypted, and you have some expectation of privacy and security because they do not traverse the public internet. However, this does not mitigate the risk of sending email to the wrong recipient, compromised passwords or lost devices.
  • Emails sent between @ocadu.ca accounts and public email accounts are not encrypted. You should not have any reasonable expectation of privacy and security of those communications because they are not encrypted and traverse the internet via untrusted servers.

From Wikipedia: https://en.wikipedia.org/wiki/Email_privacy

"Email has to go through potentially untrustworthy intermediate computers (email servers, ISPs) before reaching its destination, and there is no way to tell if it was accessed by an unauthorized entity. This is different from a letter sealed in an envelope, where, by close inspection of the envelope, it might be possible to tell if someone opened it. In that sense, an email is much like a postcard whose contents are visible to everyone who handles it."