Law, policy and practice require that personal, health and other confidential information, be protected from unauthorized access.
This practice supports protection of electronic and hard copy records, consistent with law, policy and risk management practice. It does not supersede University IT security standards or measures such as those under the Chief Information Officer, but is intended to work with them.
The objective is to protect confidential information from unauthorized access, without disrupting University operations, and with measures appropriate for each type of record.
Know which records in your work are confidential and require protection; e.g. records that contain personal or health information.
Keep hard-copy confidential records in a secure institutional environment, locked in a non-public area when not in use or you are not present.
Only take hard-copy confidential records out of a secure, institutional environment as necessary for immediate work.
Protect hard-copy confidential records with strong security, including:
keeping records out of sight
keeping records securely locked up
keeping electronic records of confidential information in a secure-server environment.
Only take confidential records out of secure environments if you have:
official authorization
operational need
and no other reasonable means to accomplish the task.
To take confidential electronic records out of a secure-server environment:
encrypt your drive, memory stick or mobile device with the latest version of commercially available and supported encryption software
or de- identify the information.
When work permits, use depersonalized records, not personally identifiable ones.
Access confidential electronic records remotely using encrypted secure means, such as virtual private network (VPN) or encrypted remote desktop connection.
Encrypt attachments that contain personal or confidential information before emailing them to non-utoronto.ca addresses
do not email or forward unencrypted personal or confidential information out of the utoronto.ca email system, because it could be viewed by third parties if intercepted
Communicate passwords by phone, not by email.
Excerpted from FIPPA - General and Administrative Access and Privacy Practices (June 23, 2011).