Guidelines on Secure Handling of Confidential Information

GUIDELINES ON SECURE HANDLING OF CONFIDENTIAL INFORMATION

The College is committed to protecting the security and privacy of Confidential Information entrusted to the College by its employees, students, external clients and partners, during the course of business. 

These guidelines serve to summarize the principles governing the secure handling of the College's Confidential Information. Employees/consultants found to be in violation of these guidelines, by either unintentionally or deliberately using or otherwise compromising corporate or personal information may face sanction. Employees may be subject to discipline, up to, and including, dismissal.

Confidential Information

Confidential Information includes personal information as defined in the Freedom of Information and Protection of Privacy Act (FIPPA) and personal health information as defined in the Personal Health Information Protection Act, 2004 (PHIPA). It also includes information regarding the strategic plans and operation of the College that, if disclosed, may cause damage to the College. Examples include, but are not limited to, student records, personnel files, trade secrets, financial budgets, significant innovation ideas yet to be patented, data and results of significant research projects yet to be published, etc. All references to Confidential Information in this Privacy Policy include personal information but references to personal information do not apply to Confidential Information. 

Scope of Access

The "need to know" principle shall apply to all Confidential Information, meaning that employees and agents may only access Confidential Information that they require to carry out their assigned duties.

Personal Information

The College and its employees or agents shall endeavour to limit access to, and the use of, Confidential Information. Where employees or agents require access to personal information in order to carry out their employment duties the College shall, where practicable,  anonymize such information using masking techniques such as encryption, ID re‐sequencing, etc. so that associated personal information (e.g. birthday, grade) is not readily linked to the identifiable individual.

However, in some situations it will be necessary for employees or agents to have access to personal information in its original format in order to carry out their employment duties where anonymized personal information is not available or its use would unduly frustrate the performance of employment duties. Employees and agents are encouraged to seek their supervisor's affirmation that the use of personal information is necessary to carry out the employment duties before accessing it. 

Determining whether access to personal information is necessary shall be done by considering the employee or agent's duties as defined by their job functions (or in the case of external consultants, to provide the goods and services as defined in the service agreement signed between The College and the vendor representing/employing the external consultants). 

The release of personal information to external consultants must have written approval from the business owner (Director/Chair level or above), including a description of the information to be released.

Employees and agents who receive access to personal information shall not share personal information or make it available unless doing so is necessary in order to carry out their employment duties where anonymized personal information is not available or its use would unduly frustrate the performance of employment duties. Additionally, employees or agents shall not make personal information available unless doing so falls within their duties or responsibilities. 

Data Protection

STORAGE

Employees and agents shall take all reasonable steps to ensure that Confidential Information shall not be stored on any personally owned devices. Employees and agents shall not access personal information on a personally owned device unless an alternative means of access, including accessing the personal information at a later time, is not available or practicable and the access is necessary for the performance of employment duties. 

Employees and agents shall take all reasonable steps to store Confidential Information securely when it is maintained on a mobile device (e.g. USB drive, laptop, etc.).

Where Confidential Information is to be hosted by a third-party service provider, the College will attempt to negotiate contractual provisions which establish that:

  1. Confidential Information is encrypted for the duration of the agreement and securely erased upon conclusion of the agreement or when it is no longer needed by the College (e.g. when the retention window of the information has expired as per applicable retention policy that governs it).
  2. Confidential Information will not be used by the service provider for any purposes other than to deliver service unless explicit consent is obtained from the College.
  3. Access to Confidential Information by personnel working for the service provider is limited to those who need such access to deliver service and such personnel must have entered into an agreement with the service provider requiring them to be bound by applicable privacy and confidentiality provisions.
  4. The College is the owner of its information and that the service provider's role is to process/store/manage it on our behalf.
  5. The College must be notified as soon as the service provider becomes aware of a potential or actual breach of the information it is hosting/storing on behalf of the College.
  6. The service provider shall fully co‐operate with the College in any investigation into any breaches of information it is hosting/storing on behalf of the College.
  7. If the service provider becomes legally compelled to disclose the College's Confidential Information, it will provide the College with prompt notice to that effect in order to allow the College to seek one or more protective orders or other appropriate remedies to prevent or limit such disclosure, and shall co‐operate with the College and its legal counsel to the fullest extent.
  8. If such protective orders or other remedies are not obtained, the service provider will disclose only Confidential Information which it is legally compelled to disclose, and only to such person or persons to which the Party is legally compelled to disclose.

Confidential Information will primarily be stored and processed in Canada but the College may use third party vendors to store and process information in the United States. 

The College will retain Confidential Information for the period of time for which it is needed for the purpose for which it was collected or provided. For personal information that is no longer needed, the College will endeavour to destroy the personal information after a period of one year unless required or permitted by law to retain it. 

TRANSMISSION

Employees and agents shall ensure that Confidential Information is encrypted prior to transmission. Where possible, the corresponding password for an encrypted transmission containing Confidential Information shall be sent via a different medium where possible (i.e. if an encrypted file is sent by email, the password could be relayed by phone or via a secure instant messaging platform). 

Confidential Information cannot be sent in an email to an external email account. 

DISPOSAL

External consultants who have control or custody of the College Confidential Information stored on non‐College owned IT equipment must ensure the secure and irreversible deletion of such information when it is no longer required.

Employees and agents whose employment with the College ends shall notify a supervisor about the Confidential Information to which they had access prior to their departure. Departing employees and agents must provide all information available for the College to secure, transfer or dispose of Confidential Information to which they had access. 

Any College IT equipment that has Confidential Information stored on it must be securely wiped before disposal and a certificate of disposal must be produced.

Prior to disposing of any device containing personal information, the individual must submit an "Authorization for the Disposal of Personal Information" form [TM4] to The College's Diversity, Equity, Human Rights and Equity Services, Privacy Office for approval. In addition, personal information that has been used by the College must be retained for at least one year after use unless the individual to whom the information relates consents to its earlier disposal.

DATA ACCESS

An authentication mechanism must be put into place to ensure that only authorized personnel can have access to Confidential Information.

Access to Confidential Information shall be restricted to employees or agents who require the information to carry out their duties as defined by their job functions or to external consultants who require the information to successfully provide goods and services as defined in the service agreement signed between the College and the vendor representing/employing the external consultants.

In limited situations, Confidential Information may be accessed and used in order to carry out duties required by the employee or agent's job functions if the use of anonymized personal information or a similar alternative would unduly frustrate the performance of employment duties.

The College will only grant the minimum level of access to Confidential Information (e.g. read only) depending on what is required by staff to carry out their duties as defined by their job functions or by external consultants to successfully provide goods and services (as defined in the service agreement signed between the College and the vendor representing/employing the external consultants).

Employees and agents are responsible for informing their supervisor of their need to access Confidential Information. Supervisors, employees and agents shall regularly review their need to access PI and notify the College of their access needs and of situations where they no longer need access to Confidential Information. The College may audit employee and agent access to Confidential Information to assess compliance with this policy. 

Written approval from the Freedom of Information & Privacy Officer or above is required for all external requests for access to Confidential Information.

DATA AUDIT

An audit trail shall be created and maintained to provide evidence about when Confidential Information is accessed, by whom and from where. Any employee or agent who provides another person within the College access to Confidential Information shall ensure that a record exists to document the request, permission and/or need (as appropriate) to access that information. The appropriate form of the record and the content of the record will vary depending on the sensitivity and volume of the Confidential Information at issue. For example, an email to a supervisor may suffice in some situations while it may be appropriate to create and maintain a formal tracking document in situations involving a higher sensitivity or volume of Confidential information. 

In the case of external consultants having access to Confidential Information, a written report setting out the name of each representative who has had, or may have, access to personal information in connection with the provision of services shall be provided by the vendor on a recurring basis (at least once every 6 months) or at any other time upon the College's request.

CONFIDENTIALITY AGREEMENT

A confidentiality agreement shall be signed by College employees before any access to Confidential Information can be granted during the course of business.

A confidentiality agreement must be signed by the authorized College representative before any access to Confidential Information can be granted to external consultants. A confidentiality agreement must be signed by a College administrator (Chair or higher) and the external consultants and/or their representative(s).

DEALING WITH REQUESTS TO ACCESS CONFIDENTIAL INFORMATION

Below is a minimum set of questions that must be put to the requestor and documented by the request reviewer/approver whenever an external voluntary request is made to access Confidential Information. The requester may be asked to provide:

  • A business justification of the access request
  • An itemized list of what needs to be accessed (if known)
  • A list of individuals requiring access to requested information, their roles, reason for access, what they will do with the data, and if there is any specific timeframe that they'll need to have access to such data
  • Proof of existence of signed confidentiality agreement if requestor is an external consultant (e.g. confirmation email from the College project sponsor (director/chair level or above))

DATA BREACH

Any individual who knows or suspects that personal information in the College's custody has been lost or stolen or accessed, disclosed, copied, used or modified without authorization must immediately report the incident to the Diversity, Equity and Human Rights Services office, Freedom of Information & Privacy Officer at privacyoffice@georgebrown.ca or 416-415-5000 ext. 4646.

The Freedom of Information & Privacy Officer will have the authority to take all steps to address the report and is responsible for preliminary assessment, containment, investigation, notification and communication and remediation as appropriate and without delay. The Freedom of Information & Privacy Officer shall receive input from listed departments with day-to-day responsibility for the affected information. 

The process for responding to any reports that the Freedom of Information & Privacy Officer confirms are associated with significant risk of any kind should be multi-disciplinary. The following departments are responsible for supporting the Freedom of Information & Privacy Officer:

Legal 

Hicks Morley Hamilton Stewart Storie LLP
77 King St W., 39th Floor, Box 371, TD Centre, Toronto, ON M5K 1K8 

Information and Technology

Manager, Information Technology Security George Brown College                                     
200 King Street East. Toronto, Ontario M5A 3W8

Human Resources

Human Resources, George Brown College
500 MacPherson Avenue 1st Floor, Room 101 Toronto, Ontario M5R 1X1
Email: hr@georgebrown.ca

All individuals who receive information about a report shall keep information that is not formally communicated to potentially affected individuals and others stakeholders as confidential. 

The process followed in responding to any report shall incorporate:

  • a timely and reliable assessment of the risks to affected individuals and reasonable steps to mitigate the same, in iterations as required;
  • action (including containment, communication and remediation) that is based on the company's legal duties and its other interests and risks (e.g., reputational or employee relations interests and risks);
  • a communication and stakeholder management plan that is appropriate in the circumstances; and
  • a root cause analysis that includes recommendations for remedial action that are in keeping with the company's commitment to due diligence.

When entering into contracts with vendors who handle personal information on behalf of the College, the Freedom of Information & Privacy Officer shall ensure that vendors are contractually obligated to immediately report incidents of suspected loss or theft of personal information and unauthorized access, disclosure, copying, use, or modification of personal information to the Freedom of Information & Privacy Officer. Any such reports shall be managed in accordance with this policy as set out above.

Failure to follow this policy may result in discipline up to and including discharge.

Questions and concerns

For further information, contact the Freedom of Information & Privacy Officer at privacy@georgebrown.ca or 416-415-5000 ext. 4646