Knowledgebase: IT Security
Practical Guide to Data Privacy, Confidentiality & Security at OCAD U
Updated: 14 August 2019 10:50 AM

This article contains practical guidelines for following the Information & Data Classification Policy at OCAD U.

As referenced in the policy, there are 3 classifications of data handled by staff members of the university:

  • Public
    Information in the public domain. E.g. annual reports and public announcements
  • Internal
    Information whose loss would inconvenience the organization or management but whose disclosure is unlikely to result in financial loss or serious damage to credibility. E.g. internal memos, minutes of meetings, unit budgets and accounting information, internal project reports.
  • Confidential
    Information that is available only to authorized persons where loss could seriously impede the organization's operations and disclosure could have legal repercussions. E.g. employee records, student personal information, recruitment records, legal suits, medical/health information, appeals and grievances and any information protected by law.

Below you will learn how to properly create, label (where applicable), store, share and dispose of institutional data based on classification. 

Public

Access Restrictions: No restrictions on access

Storage: Store anywhere (though the OCAD U 365 environment is recommended as it is backed up). Here is an Introduction to SharePoint and OneDrive.

Transmission: No special handling required

Disposal: Can be recycled

Internal

Access Restrictions: Access limited to employees and other authorized users

Storage: Stored within the OCAD U 365 environment.* Here is an Introduction to SharePoint and OneDrive.

Transmission: Use the "Share" function in the OCAD U 365 environment set with access restrictions. Here is the Practical Guide to Sharing Documents.

Disposal: Deleted from the OCAD U 365 environment (recycle bin clears automatically every 90 days)

* In some cases, various departments or collaborative processes may involve other institutionally approved cloud-based or on-prem data storage locations.

Confidential

Access Restrictions: Access limited to those with a demonstrated need to know

Storage: Stored within the OCAD U 365 environment.* Here is an Introduction to SharePoint and OneDrive.

Transmission: Use the "Share" function in the OCAD U 365 environment set with access restrictions (here is the Practical Guide to Sharing Documents) or an encrypted drive (here are instructions for how to encrypt a removable device.)

Disposal: Deleted from the OCAD U 365 environment (recycle bin clears automatically every 90 days)

Labelling: Please see this guide to properly and clearly labelling confidential documentation and communications. This includes OCAD U branded templates.

* In some cases, various departments or collaborative processes may involve other institutionally approved cloud-based or on-prem data storage locations.

Confidential records are created with an expectation that they will not be disclosed to anyone except those persons requiring the records for a legitimate purpose.

Confidentiality is demonstrated in the following ways:

  • an explicit statement of confidentiality,
  • a written request for confidentiality,
  • the university’s treatment of the record as sensitive and confidential.

Confidential Document Sharing

To be in compliance with the OCAD U Data Classification Policy, no confidential documents are to be emailed as an attachment. All confidential documents are to be shared or transmitted via an encrypted method such as using the share function (see above) with the "Specific People" option.

If a document is deemed to be an exceptionally high-risk document whose disclosure may result in very serious repercussions, you may decide to share it not only by using the "Specific People" share function but also by password protecting the document as an added measure. If you choose this method, be sure to provide the password for the document via a means of communication other than email. This can be via Teams, SMS text message or phone call, for instance.

If you are concerned about sharing a confidential document, please don't hesitate to contact itsecurity@ocadu.ca or ocadu365@ocadu.ca for assistance and guidance from our on-staff security and 365 function experts between the hours of 9 AM and 5 PM, Monday to Friday.

Note that email or other communications sent and received, or files shared with others, cannot be considered wholly private or confidential given the limitations of technology, relevant policy, and user error.

Users often believe that their email communication is private and confidential because no other end users have access to their account and the nature of the content is private and confidential. This simply is not true.

For example:

  • Emails sent between @ocadu.ca users are encrypted (not including attachments) and you have some expectation of privacy and security because they do not traverse the public internet. However, this does not mitigate the risk of sending email to the wrong recipient, compromised passwords or lost devices.
  • Emails sent between @ocadu.ca accounts and public email accounts, in either direction, are not encrypted. You should not have any reasonable expectation of privacy and security of those communications because they are not encrypted and traverse the internet via untrusted servers.

Confidential Paper Record Handling

Before printing any confidential documents, confirm that printing is absolutely necessary. Please consider sustainability and risk when printing, distributing and storing confidential documents. Hard copy confidential documents pose a great risk to the institution as they cannot be encrypted or password protected and can easily be left in an insecure area.

If printing is required, follow these minimum guidelines:

  • Always print to a secure printer - This means it is in a locked room or safeguarded with "Print Release" where you require an OCAD U ID card to access.
  • Ensure each page has a watermark and confidential header or footer
  • Always collect and shred all printed confidential documents when they are no longer needed
  • Always store in secure cabinets (locked when not in use, not in a public area, with limited access to staff)
  • Always provide with a file/record cover when out of the secure cabinet
  • Always return to the secure cabinet if the employee is called away while working on the record

A Note on Passwords: 

Staff, students and faculty are encouraged to never use their OCAD U password for any other services on the web. If you are someone who handles confidential documents, this is especially necessary. Given the number of high-profile data breaches that occur, it is very risky to use the same password for anything that contains sensitive information. One way to do this easily is to use a password manager (such as LastPass or Dashlane) so that you do not have to remember many different passwords for different services.