Date and Instance of Approval:
June 29, 2016
Administration Committee
Amendments:
October 23, 2024
Responsible Service:
Office of the Secretary General
PURPOSE
1. This Policy describes the classification levels for University Information and it outlines responsibilities and information safeguards to protect University Information.
APPLICATION
2. This Policy must be read in conjunction with Policy 116 - Use and Security of Information Technology Assets; Policy 90 - Access to Information and Protection of Privacy; and Policy 23 – Policy on Information Management and any other University policy, procedure or other directive relevant to the handling of University Information.
3. This Policy applies to all University Information and to all information systems and resources that are used by or on behalf of the University to create, enter, process, communicate, transport, disseminate, store or dispose of University Information. It also applies in situations where University Information is created, entered, processed, transmitted or stored by third party service providers and their subcontractors.
DEFINITIONS AND INTERPRETATION
4. For the purposes of this Policy and any procedures established pursuant to it:
a) “Information Custodian” means the University employee or other engaged by the University responsible for securing the University Information according to its sensitivity classification;
b) “Information Owner” means the University employee who holds a University position with the highest level of managerial decision-making authority of a Unit who is the final authority and decision-maker with respect to sensitivity classification of the University Information created by their Unit. In the context of research, an Information Owner is the researcher responsible for the research and for the management, protection, and use of research data resulting from such research (for example, the principal investigator);
c) “Information Users” refers to all those who are authorized to receive or gain access to University Information for the purposes of carrying out their University employment duties or otherwise carrying out their mandate or engagement with the University.
d) “University Information” refers to a large diversity of information, regardless of the format or medium, to support the University’s academic, research, administrative and other activities that is created, received or held by or on behalf of the University, whether such information, is at rest, in transit or in use;
e) “Unit” means a University faculty, school or other academic unit, administrative service or office of the University.
5. The Secretary-General is responsible for the interpretation of this Policy.
UNIVERSITY INFORMATION SENSITIVITY CLASSIFICATION
6. University Information is classified based on its sensitivity level and should be assigned one of the following three classifications: confidential, internal or public.
| Classification | Sensitivity Level | Description | Examples (not exhaustive |
| Confidential | High | University Information should be classified as “confidential” when unauthorized disclosure has a potential to cause serious damage or harm to the interests of the University, its activities, reputation or to the privacy of an individual. | • personal information as defined by the Freedom of Information and Protection of Privacy Act (FIPPA) or other applicable access and privacy legislation • personal health information as defined by Personal Health Information Protection Act (PHIPA) • customer payment card information when University is in a merchant capacity • government-issued identification (e.g. health card, driver's license, passport) • social insurance number • student numbers and records • employee numbers and records • video surveillance security footage • information supplied to the University in confidence (e.g. complaints) • identification authenticators (e.g. digital authentication tools, passwords. pins, tokens, fobs) • University intellectual property • research data involving identified human subjects • research data classified as confidential by funding agencies/research ethics board |
| Internal | Medium | University Information relating to internal affairs, business process, operational decisions should be classified “internal” when unauthorized disclosure has a potential to cause some damage or harm to the interests of the University, its activities, or its reputation. | • internal operational procedures and guides • data involving hazardous materials • audit or assessment findings and mitigations • reports, plans, contracts • budgets and financial information • diagrams for network, architecture, technical design, and configurations • system logs and transactional diagrams • anonymous information (e.g., survey) where no identifiers were collected. • non-public but non-sensitive research data |
| Public | Low | University Information should be classified as “public” when it is to be used for the public domain and unauthorized disclosure has no potential to cause any damage or harm to the interests of the University, its activities, or to its reputation and there is no confidentiality or privacy risk to individuals. | • open or publicly accessible data • blank resources, templates, forms, and applications • pre-enrollment course information (e.g. curriculum, fees, learning outcomes) • compensation schemes and benefits programs • the University’s public website • final press releases • schedules of classes or course catalog • identifiable information which the data subject explicitly consented to make publicly available or has no expectation for privacy. • published research data not subject to embargo or beyond embargo period. |
7. Some types of University Information may have little or no sensitivity on their own or when they are isolated from other information, but they may have high sensitivity when associated with other information or when in an aggregate form (for example, association of a student ID number with the identity of an individual). Generally, the sensitivity classification of “confidential” should be assigned to University Information if there is a potential for information aggregation of that University Information.
8. A collection of University Information—whether stored, in transit, or during electronic transfer (such as files, databases, emails and attachments, filing cabinets, backup media, electronic memory devices, sensitive operation logs, or configuration files)—that has varying University Information sensitivity classification levels within it must be classified collectively at the highest sensitivity level present within that collection. If any subset of University Information within such collection is separated from the original collection of University Information and has been assigned its own sensitivity classification level, it should be protected according to that classification. If no classification is assigned to such subset, the subset retains the sensitivity classification level assigned to the collection of University Information.
INFORMATION OWNER RESPONSIBILITIES
9. The Information Owner is responsible for assigning one of the three sensitivity level classifications set out in this Policy to University Information created within their Unit. The sensitivity level classification should be assigned as soon as possible. University Information maintains its initial sensitivity classification until the Information Owner reclassifies it, as needed.
10. The Information Owner is also responsible for the following:
a) ensuring that the use and protection of University Information is consistent with the sensitivity classification level assigned to the University Information and to all applicable University policies, standards, procedures, regulations, and applicable laws;
b) establishing guidelines, procedures, or other requirements to appropriately handle and protect the University Information used by their Unit that are consistent with the provisions of this Policy (and any procedure adopted pursuant to it) or that exceed or are more restrictive than this Policy;
c) consulting with Information Users regarding the type of University Information handled on a regular basis to maintain the appropriate sensitivity level of classification of the University Information and to ensure adequate control measures remain appropriate with the classification assigned by the Information Owner;
d) working with Information Custodians, University IT staff and others involved on University projects related to creating, maintaining, and using or otherwise handling University Information;
e) authorizing access to University Information classified as confidential or as internal;
f) ensuring that those who are authorized to access University Information classified as confidential or as internal agree in writing to maintain the confidentiality or any other limitations on access to the University Information;
g) assigning operational responsibility for University Information to one or more Information Custodian;
h) ensuring that Information Custodians provide reasonable security controls to protect the University Information and automated systems, and that Information Users comply with procedures established for such protection;
i) documenting variances from IT general control practices and promptly initiating corrective action.
INFORMATION CUSTODIAN RESPONSIBILITIES
11. An Information Custodian is responsible for the oversight and implementation of appropriate safeguards necessary to protect the University Information at the classification level assigned to the University Information by the Information Owner.
12. An Information Custodian is also responsible for the following within the context of the University Information classification assigned to the University Information:
a) understanding and complying with this Policy (and any procedure policy and procedures adopted pursuant to it) and any other applicable University policy, procedure or applicable laws for the appropriate use and protection of University Information;
b) understanding the flow of University Information in relevant operational processes, both manual and automated;
c) implementing and maintaining physical and logical controls to enforce University policies, procedures;
d) granting and revoking access to University Information, under the direction of the Information Owner;
e) enabling the timely detection, reporting, and analysis of incidents where circumvention, or attempted circumvention, of controls related to University Information takes place;
f) following the Information Owner requirements regarding the handling of University Information.
INFORMATION USERS’ RESPONSIBILITIES
13. Information Users are responsible for handling University Information in a way that is appropriate to the University information sensitivity classification and in accordance with the responsibilities outlined in Procedure 20-12 – Handling Confidential and Internal Information.
CHIEF INFORMATION SECURITY OFFICER RESPONSIBILITIES
14. The University’s Chief Information Security Officer (“CISO”) is responsible for the coordination, development, implementation and the maintenance of a University-wide information security program.
15. The CISO is also responsible for the following:
a) defining the university's overall approach to managing information risks and ensuring that the security measures in place are appropriate to protect university information based on its sensitivity level;
b) determining the risk tolerance to threats that affect the security of the University Information;
c) developing, maintaining, and circulating policies, standards, guidelines and procedures relating to information security;
d) designing and implementing secure computing environments;
e) Assisting with the response to breaches involving unauthorized use of University Information.
INFORMATION SAFEGUARDS
16. This section outlines a list of non-exhaustive and minimum information safeguards for protecting University Information classified as confidential, as internal or has varying classifications in order to mitigate the risk of its potential loss, theft, unauthorized disclosure, access or use.
a) University Information classified as confidential:
i. may only be disclosed to those who need the University Information in the performance of their University duties and where disclosure is necessary and proper in the discharge of the University’s functions, as determined by the Information Owner;
ii. must be protected with strong passwords when stored in an electronic format, in compliance with Schedule D – Password Protection and stored on servers or databases that have appropriate protection measures;
iii. must be protected by sufficiently access control measures when stored in a physical location to detect and prevent unauthorized access by members of the public, visitors, or other unauthorized persons;
iv. regarding social insurance numbers, personal health information, customer payment card information, these types of University Information must not be communicated using unsecure communication tools or platforms (for example, email, chat, SMS text, social media).
v. must not be published or posted on any website or otherwise made publicly available without prior written authorization from the Information Owner;
vi. must be securely destroyed in accordance with Procedure 20-4 – Disposition of Information, Schedule J - IT Asset Disposal or if in hard copy format, must be securely shredded or incinerated and in accordance with the University’s records retention schedule.
b) University Information classified as internal:
i. must be protected by sufficiently access control measures when stored in a physical location to detect and prevent unauthorized access by members of the public, visitors, or other unauthorized persons;
ii. must not be published or posted on any website or otherwise made publicly available without prior written authorization from the Information Owner.
iii. must be securely destroyed in accordance with Procedure 20-4 – Disposition of Information, Schedule J - IT Asset Disposal or if in hard copy format, must be securely shredded or incinerated and in accordance with the University’s records retention schedule.
APPROVAL AND AMENDMENTS
17. The Secretary-General is responsible for periodic review of this Policy and for recommending to the Administration Committee any amendments to it.
18. Amendments to this Policy require the approval of the Administration Committee.
19. The Secretary-General of the University may establish, amend or abrogate procedures for purposes of the effective implementation of this Policy, provided that such procedures are consistent with the provisions of this Policy.
20. Notwithstanding section 18, the Secretary-General may amend this Policy without the need to submit such amendment to the Administration Committee for approval if such amendment is required to:
a) update or correct the name or title of a position, unit, law, bylaw, policy, procedure or authority; or
b) correct punctuation, grammar, typographical errors, revisions to format and other technical revisions, where appropriate, if the correction does not change the meaning of a provision, or make such other correction if it is clear both that an error has been made and what the correction should be; or
c) correct the form of expression of a provision in French or in English to be more compatible with its form of expression in the other language; or
d) make consequential amendments to conform with or arising from another University bylaw, resolution, policy or procedure.