141 SPEC Kit 360: Learning Analytics UNIVERSITY OF WATERLOO Guidelines for Managing Student Information for Faculties, Academic Departments and Schools https://uwaterloo.ca/secretariat/guidelines/guidelines-managing-student-information-faculties- academic request that this information not be released. See below for information about access to and disclosure of student information. All other personally identifiable information about a student must be kept confidential according to the requirements of university policies, FIPPA, and any other legislation relevant to particular types of records. Confidential information includes: student ID and other identification numbers biographical information, such as home address and telephone number, personal e-mail address educational history including classes taken or enrolled in assessments or opinions about the student including marks and grades, comments on student work, and reference letters needs-based scholarships, bursaries, or awards photographs health information Security Student information must be kept in secure facilities and equipment (e.g., locked rooms and filing cabinets, password protected computer systems) accessible only to staff and faculty whose work requires them to have access. The university’s policy with regard to information security is Policy 46: Information Management. Extra care must be exercised if student information is taken off-campus. The use of encryption is strongly recommended to prevent or minimize the potential for a breach. See: IST’s Security Standards for Desktops and Laptops, and Data Encryption pages for more information. Keeping student information on personal equipment is discouraged. Any student information maintained on personal equipment is subject to the same security, breach response, retention, and destruction requirements as that maintained on university equipment. Student information stored offsite or in other parts of the university must not have personal information such as names or ID numbers on the outside of the storage containers. SSeeccuurriittyy BBrreeaacchheess Most student information is subject to a security classification of “restricted.” Some information might be “highly restricted” (see Policy 46). Any security breach of student information (unauthorized access or disclosure, such as the loss or theft of files, laptops, or flash drives containing student information, or misdirected e-mail, etc.) must be reported immediately to the appropriate university officer (see Information Security Breach Procedure). The Information Custodian will work with the Privacy Officer who will advise whether notice to affected individuals and the Office of the Information and Privacy Commissioner of Ontario (IPC) is required. If notice is required, the Privacy Officer will provide guidance to the Information Custodian about the contents of the notice to the individuals and will laise with the IPC. Access to Student Information Faculty and Staff: Access to student information should be limited to faculty and staff who need the information to do their job. Information regarding accommodation for medical reasons, information related to disciplinary procedures, and needs-based financial information is considered particularly sensitive and should be accessible strictly on a need to know basis. Students: Under FIPPA students have the right to access most personal information pertaining to them. This right extends not only to formal student files but to personal information wherever it is maintained, including in e-mail messages. The university may refuse a student access to certain types of information, for example, evaluative material received in confidence to determine suitability, eligibility, or qualifications for admission to an academic program or suitability for an honour or award.