Practical Guide to Data Privacy, Confidentiality & Security at OCAD U
Updated: 14 August 2019 10:50 AM
This article contains practical guidelines for following the Information & Data Classification Policy at OCAD U. As referenced in the policy, there are 3 classifications of data handled by staff members of the university:
Below you will learn how to properly create, label (where applicable), store, share and dispose of institutional data based on classification.

Public
Access Restrictions: No restrictions on access
Storage: Store anywhere (though the OCAD U 365 environment is recommended as it is backed up). Here is an Introduction to SharePoint and OneDrive.
Transmission: No special handling required
Disposal: Can be recycled

Internal
Access Restrictions: Access limited to employees and other authorized users
Storage: Stored within the OCAD U 365 environment*. Here is an Introduction to SharePoint and OneDrive.
Transmission: Use the "Share" function in the OCAD U 365 environment set with access restrictions. Here is the Practical Guide to Sharing Documents.
Disposal: Deleted from the OCAD U 365 environment (recycle bin clears automatically every 90 days)
* In some cases, various departments or collaborative processes may involve other institutionally approved cloud-based or on-prem data storage locations.

Confidential
Access Restrictions: Access limited to those with a demonstrated need to know
Storage: Stored within the OCAD U 365 environment*. Here is an Introduction to SharePoint and OneDrive.
Transmission: Use the "Share" function in the OCAD U 365 environment set with access restrictions (here is the Practical Guide to Sharing Documents) or an encrypted drive (here are instructions for how to encrypt a removable device).
Disposal: Deleted from the OCAD U 365 environment (recycle bin clears automatically every 90 days)
Labelling: Please see this guide to properly and clearly labelling confidential documentation and communications. This includes OCAD U branded templates.
* In some cases, various departments or collaborative processes may involve other institutionally approved cloud-based or on-prem data storage locations.

Confidential records are created with an expectation that they will not be disclosed to anyone except those persons requiring the records for a legitimate purpose.
Confidentiality is demonstrated in the following ways: an explicit statement of confidentiality, a written request for confidentiality, the university’s treatment of the record as sensitive and confidential.

Confidential Document Sharing
To be in compliance with the OCAD U Data Classification Policy, no confidential documents are to be emailed as an attachment. All confidential documents are to be shared or transmitted via an encrypted method such as using the share function (see above) with the "Specific People" option.

If a document is deemed to be an exceptionally high-risk document that may result in very serious repercussions, you may decide to share it by not only using the "Specific People" share function but also password protecting the document as an added measure. If you choose this method, be sure to provide the password for the document via a means of communication other than email. This can be via Teams, SMS text message or phone call, for instance.

If you are concerned about sharing a confidential document, please don't hesitate to contact itsecurity@ocadu.ca or ocadu365@ocadu.ca for assistance and guidance from our on-staff security and 365 function experts between the hours of 9 AM and 5 PM, Monday to Friday.

Note that email or other communications sent and received, or files shared with others, cannot be considered wholly private or confidential given the limitations of technology, relevant policy, and user error. Users often believe that their email communication is private and confidential because no other end users have access to their account and the content is private and confidential in nature. This is simply not true. For example:
Confidential Paper Record Handling
Before printing any confidential documents, confirm that printing is absolutely necessary. Please consider sustainability and risk when printing, distributing and storing confidential documents. Hard copy confidential documents pose a great risk to the institution as they cannot be encrypted or password protected and can easily be left in an insecure area. If printing is required, follow these minimum guidelines:
A Note on Passwords:
Staff, students and faculty are encouraged to never use their OCAD U password for any other services on the web. If you are someone who handles confidential documents, this is especially necessary. Given the number of high-profile data breaches that occur, it is very risky to use the same password for anything that contains sensitive information. One way to do this easily is to use a password manager (such as LastPass or Dashlane) so that you do not have to remember many different passwords for different services.