Electronic Records

As time progresses and technology grows at an exponential rate, electronic record management is certainly on the minds of most Mount Royal employees.

Electronic technology is continuously changing with constant improvements to that same technology practically every year. These improvements, more often than not, require a degree of tenacity in regards to keeping up with the most up-to-date machine readable formats and the latest electronic records best practices.

That being said, the electronic age is upon us and avoiding this challenge is simply not a logical course of action when one considers the many advantages associated with adopting electronic records.

As a matter of fact, electronic record keeping actually improves efficiencies in the workplace and facilitates greater access to records when compared to utilizing their paper counterparts.

Overall, the key to implementing any electronic records management program is to ensure that the electronic process also takes "records management best practices" into account so that Mount Royal University can still fulfill its operational and legal obligations.

Electronic records management topics are as follows:

Electronic records projects - initial evaluation

Mount Royal best practices - electronic records projects
Mount Royal best practices - emails and records on personal computers
Mount Royal best practices - electronic file folder structure
Mount Royal best practices - cloud computing
Mount Royal best practices - social media
Mount royal best practices - mobile devices (iphones)

Social media and protecting privacy online

Cloud computing - general information
Cloud computing - benchmarking
Cloud computing - other provincial privacy legislation
Cloud computing - Alberta privacy legislation
Cloud computing - relevant privacy implications
Cloud computing - the University of Alberta

Laptop and portable digital device security

Digital recordings, photographs, and social media
Public event recordings

Password protocols - best practices
Password protocols - 25 worst passwords for 2015

Shared drives - common problems
Email accounts and protecting privacy (case study)
Student audio recordings of lectures and privacyElectronic records projects - initial evaluation

Prior to commencing upon any electronic records project, a department or area should evaluate whether it is worth converting their records into an electronic format by discussing the following questions:

• Precisely what records should be electronic?
• Are there certain records that are accessed on a regular basis?
• Do the records under consideration need to be accessed by multiple employees or areas?
• Are the records being considered the "final version" or will there be further revisions?
• How long are the records supposed to be retained by Mount Royal University?
• Is there a large amount of work associated with handling the paper records?
• How will the data be migrated to new formats as time progresses?
• Are the records worth maintaining and upgrading in electronic format?

As only an example, a common electronic records management project often involves scanning a select type of paper documents into PDF file format.

Organizations that take on such a process typically utilize an electronic records management database, which allows an individual to search for the electronic record based on key searchable fields and manages security requirements.

Mount Royal University is currently reviewing several electronic records management systems at this time.

Below are electronic records management best practices to consider in any kind of electronic records project at Mount Royal University.

Back to top

Mount Royal best practices - electronic records projects

1. Determine how the electronic record will be protected from being changed or tampered with

According to archival principles, the electronic record must maintain its authenticity and reliability characteristics so that it can act as trustworthy evidence for the activities they are about.

Similarly to paper records, electronic records must always bear authentic testimony regarding the activities, processes, and procedures that brought them into being. An electronic record should provide evidence regarding the end result of an action or decision made by Mount Royal University.

For reliability, the electronic records management system must protect the record from any unnecessary or unmonitored revisions so that it can provide a trustworthy account of the particular actions that were documented.

Industry practices - recommendations:

2. Determine if the electronic record is actually deemed the "original"

According to archival principles, an original is a complete document that is able to produce the consequences wanted by its author.

One consideration that must be taken into account is whether the process will deem the electronic record as the "original" record upon which Mount Royal University will treat as evidence for the activity the record was about.

Industry practices - recommendations:

3. Determine the appropriate University Retention Code
   
   According to the Alberta Freedom of Information and Protection of Privacy Act, Mount Royal University is a public body and is required to routinely destroy any records it produces, electronic or paper, by using the Mount Royal University Records Retention Schedule.

Mount Royal University is also obligated to document the destruction of electronic records and provide evidence of such destruction in the event of a FOIP request.

The documented routine destruction of records provides valuable legal defense for Mount Royal University.

Industry practices - recommendations:

4. Determine the document type belonging to the electronic record

Many organizations create electronic records that are so large in scale, and are indexed so generally, that the data inside the electronic record still requires a long dedicated search by an individual.

A practical example would be if all of the paper documents in a file folder were all converted into one large PDF file (one PDF file containing 100 pages). The large PDF file might be indexed at the folder level, but an individual would still have to search through several electronic pages to find the specific data required.

Industry practices - recommendations:

Document Types:
Consist of a "grouping" of certain documents, typically found within a paper file folder, that are usually recognized by either their format or, on occasion, their common purpose. Document types are often implemented during digitization projects as "drop downs" within prescribed indexing fields. Document types allow the searching of electronic records based on specific and controlled search criteria.

5. Determine indexing standards and the utilization of full text searching

Indexing the electronic records may be one of the most important items to be discussed in any digitization project as the ultimate goal of retaining electronic records is to promote access.

Industry practices - recommendations

Below are common indexing fields in the electronic records management industry:

Full Text Searching:
Is the ability for the electronic search tool to seek out any term or word contained within the text located in the pages of an electronic record. This capability is typically achieved when the paper document is first scanned into PDF file format.

Optical Character Recognition:
Is the mechanical or electronic translation of scanned images of handwritten, typewritten, or printed text into machine encoded text.

6. Determine destruction mechanisms and auditing

Mount Royal University must manage electronic records according to both its legal obligations and records management best practices.

The management of any electronic records must ensure that the records are only retained for a specified time period and destroyed based on the legal requirements set out by the Mount Royal University Records Retention Schedule.

Industry practices - recommendations:

7. Determine user security and access - Freedom of Information and Protection of Privacy

Another aspect of implementing an electronic records management system is designing user security access for the captured records.

Mount Royal University is obligated to protect personal information contained within the electronic records it has under its custody and control. In addition, some electronic records may contain sensitive business information that need to be protected as well.

Security protocols need to be determined and established prior to the implementation of any electronic records management system.

Industry practices - recommendations:

8. Determine imaging standards and manage server storage space

Prior to imaging documents, determine a standard when it comes to scanning the document. An imaging standard prevents electronic documents from getting large and taking up storage space on the server.

Industry practices - recommendations:

Back to top

Mount Royal best practices - emails and records on personal computers
The most common electronic records that are handled by Mount Royal employees on a daily basis consist of emails and electronic documents saved on personal computers.

Currently, Mount Royal University has not formally adopted a universal electronic records management system that stores, indexes, and classifies email created through Lotus Notes. Similarly, such a system would also manage those electronic documents created and stored on personal computers as well.

Electronic records management systems are currently under review; therefore, at this time employees should follow the "best practice" processes below to manage electronic documents they create on a daily basis until such time that a system is adopted.

There is an Email Best Practices that follows the guidelines below.

1. Determine which e-mails or electronic documents are transitory (short-term value)

A transitory document is a document that is only required for a limited time period for the completion of a routine action. These documents are considered by their author to have "short term" business value because they do not provide evidence to activities that are considered important or crucial to University operations.

Determining whether an email or electronic document saved on your personal computer is transitory largely depends on the judgment of the individual who created it. However, some examples that are transitory documents include:

Transitory records with short-term value can be deleted by the owner at their discretion. No formal destruction documentation is required.

2. Determine which emails or electronic documents are not transitory (have long-term value)

Some emails and electronic documents saved on your personal computer actually do have long- term value in that they provide valuable evidence regarding the decisions and activities they are about.

Examples of emails and electronic documents with long-term value:

E-mails and electronic documents that are identified to have long-term value should be printed in their final form and filed in a paper file folder that has been assigned a University Records Retention Code.

By printing the electronic records:

Although your personal computer creates a large quantity of electronic records on a daily basis, it does not meet best practices when it comes to records management requirements for Mount Royal University.

Back to top

Mount Royal best practices - electronic file folder structure
(1) File Folder = by Business Function or Category (Retention Code)

Create an (electronic folder) based on a Broad Business Function or Category that pertains to the type of records being managed.

In addition, also include the alpha-numeric code based on the MRU Records Retention Schedule that will help govern how long to retain that type of record.

Folder Structure Example:

• FOIP Requests (LR030)

Note: MRU Records Retention Schedule LR030 is states records in this category must retained for 5 years

(2) File Folder = by Year

Create an (electronic sub-folder) based on Year.

By grouping the electronic records in folders by years will help determine when the electronic folders need to be deleted in accordance with the MRU Records Retention Schedule.

Folder Structure Example:

• FOIP Requests (LR030)
• 2015

Note: Electronic records filed under this file structure above may be deleted after 5 years

(3) File Folder = by File Name

Create an (electronic sub-folder) based on File Name such as, Incident Number, Name (Last,First), Student Number, Contract Number.

For example, the MRU FOIP Office relies on Incident Numbers.

Folder Structure Example:

• FOIP Requests (LR030)
• 2015
• 2015-G-0001

(4) File Folder = by Document Type (Optional)

Create an (electronic sub-folder) based on Document Type, which comprises of the kinds of records that are typically used for the broader business function.

This sub-folder is "optional", but it may be beneficial if there are a high volume of electronic records and it helps expedite the retrieval of the electronic records for business operations.

For example, Document Types based on the MRU FOIP Office business operations include:

• Original Records
• Redacted Records (Applicant)
• Notification Letters
• Third Party Notices
• Privacy Commissioner
• Resources

Folder Structure Example:

• FOIP Requests (LR030)
• 2015
• 2015-G-0001
• Original Records

Back to top

Mount Royal best practices - cloud computing

The implementation of any cloud computing should not only strive to utilize technology, but must also make every effort to protect the personal information in the custody and control of Mount Royal University in accordance with the Alberta Freedom of Information and Protection of Privacy Act.

The following below outlines Cloud Computing Best Practices for your project, while the Cloud Computing Contract Checklist provides a quick list of privacy requirements before signing a contract with the Cloud Computing Services vendor.

1. Determine what personal information and how much will be retained in the cloud

Prior to implementing any cloud computing technology, assume that the data you will be managing in the cloud will undoubtedly be stored in a foreign country. Therefore, always limit the risk by questioning how much personal information, and what information, absolutely needs to be stored in the cloud to fulfill your purposes.

Limiting the amount and type of personal information that is being stored in the cloud will help manage some of the risk in the event that a privacy breach does occur.

In addition, such an analysis can be documented in the PIA (Privacy Impact Assessment), which will demonstrate to the public that privacy legislation was taken into consideration.

2. Determine the vitality of the electronic records being managed
   
   Take an account of the Mount Royal University data that you wish to store in a foreign country. Keep in mind that there is always a risk involved with storing "vital" information with another company or country when it comes to the retrieving the data.

Always evaluate the value of the data you wish to submit to the cloud and consider the risks involved regarding retrieval implications or possible third party access to sensitive business records.

3. Determine the mechanisms that will obtain the consent necessary from the individuals the personal information is about

The Alberta Freedom of Information and Protection of Privacy Act guides Mount Royal University on how to collect, use, and disclose personal information in its custody and control.

At the point of signed consent, the individual must also be informed of the purpose for the collection of their information.

A contract signed and agreed to by the cloud network provider must specify the use of the personal information and ensure that the information will be used for the agreed purpose.

Contracts need to be signed with the cloud provider to ensure that personal information is not inavertedly disclosed to a third party including for commercial purposes. Such a disclosure would result in a privacy breach with legal implications for Mount Royal University.

4. Determine the security arrangements that need to be put in place by the company supplying the cloud

Mount Royal University must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, or destruction (Section 38).

If personal information is going to be stored in the cloud, legal contracts should be implemented to protect Mount Royal University in the event of unauthorized collection, use, or disclosure by the company providing the cloud computing network.

Discussions should be conducted with the cloud network provider in regards to what security measures have been put in place to protect the personal information from unauthorized collection, use, or disclosure.

Document the security protocols in the PIA (Privacy Impact Assessment) to demonstrate that privacy was considered prior to implementation.

5. Involve Mount Royal University Legal Counsel, Privacy Office, and Information Technology Services when negotiating a contract with a cloud provider
   
   Protect Mount Royal University in the event of a privacy breach by having the cloud provider sign a service contract that ensures privacy provisions are followed.

Include the Mount Royal Legal Counsel, Privacy Office, and Information Technology Services when drafting a legal contract with the cloud provider in order to determine that the contract protects the University.

The contract should include provisions with the cloud provider agreeing to terms on the following topics in mind:

6. Complete a provincial PIA (Privacy Impact Assessment) for your cloud computing project

A PIA (Privacy Impact Assessment) is a document or template provided by the Government of Alberta that can be systematically completed in order to aide a project identify and mitigate privacy concerns.

University of Alberta completed a PIA and submitted the document to the Alberta Information and Privacy Commissioner prior to their cloud computing project implementation.

A privacy impact assessment form is advantageous in the following ways:

7. Determine how the data will be systematically destroyed in the cloud

Processes must be put in place by the cloud provider to systematically destroy electronic records that are retained in the cloud.

Electronic records should be assigned a retention code according to the Mount Royal University Records Retention Schedule and routinely destroyed at a time determined by the schedule.

In addition, any destruction of the electronic records needs to be documented in order to provide evidence that the records were, in fact, routinely destroyed. Documentation of the destruction of the records is necessary in order to formally respond to a FOIP request at the University.

Back to top

Mount Royal best practices - social media

Mount Royal University supports the use of social media for informational and promotional purposes.

When identifying yourself as a Mount Royal University employee, student, or group online, there are certain guidelines and practices directed towards Marketing and Communication to keep in mind. These Social Networking Guidelines are provided by the Mount Royal Social Networking Committee.

There is a Social Media Best Practices, which summarizes the recommendations provided by the Committee and also provides guidance regarding social media under the FOIP Act.

Be aware of relevant institutional policies - Users must abide by all applicable institutional policies such as those covering Acceptable Use Policy for Mount Royal Computer Resources, Code of Ethics, Conflict of Interest, Copyright legislation, Freedom of Information and Protection of Privacy (FOIP) legislation, and for students, the Code of Student Conduct.

Think before you post - Be courteous and respectful of those using the space. Always ask the question: "Would I say this to their face?" Don't post when you are angry or upset. And remember, private conversations and social networking sites do not go hand-in-hand. Finally, keep in mind that you will relinquish copyright ownership of any information you post on a social networking site, to the site.

Add value not noise - Ensure what you write would be considered beneficial to your audience. Information should be engaging, timely, and relevant. Don't spam others or use social networking as a personal promotional blow horn. Ensure your communication is direct and strategic.

Legal considerations - Your comments, posts, and links (peruse and validate all links before posting) must not contain defamatory, obscene, or illegal material. Comments must abide by Canadian law such as libel, slander, copyright, and FOIP legislation. If you are posting images and photos, ensure you have the proper permissions.

Be transparent and authentic - Be open and honest at all times. If you commenting on behalf of your department or area - say so. Never pretend to be someone else and post/comment about Mount Royal University. If you are posting your personal opinion (not necessarily the department you represent) say so. Use "I" versus "we".

Protect your identity - Transparency is a necessary trait of social networking, but do not share personal documents or information such as your home telephone number, address, or employee/student ID. Not properly protecting yourself and your identity is risky.

Maintain confidentiality - Never post confidential or proprietary information about Mount Royal, its staff, its students, or its alumni. Don't post anything you wouldn't be comfortable with seeing on the cover of your local newspaper.

Negative feedback always needs to be responded to - Negative feedback is an opportunity to identify items or services your audience is unhappy with and to fix it within a public forum. Respond as quickly as possible and in the voice and tone of the institution or your area, not personally. Your response can be a reminder of acceptable usage of the social networking site and/or guidelines and consequences if they are not adhered to (delete comments that contain profanity or threats); or correcting statements that have incorrect/inflammatory information. However, there is a difference between a negative opinion that users are entitled to have and voice - and threatening, harassing, profane comments that are not acceptable.

Consistent communication - Social networking is about entering into a long term conversation. Avoid creating an account, posting once or twice and then not use it again for months. Ensure you have a plan that will allow for regular communication over a long period of time, one year as a minimum is a good rule of thumb (e.g. staff dedicated to social networking)

Big picture - Mount Royal University has an institutional social networking strategy. When developing a department/area plan one should consider the impact on the campus-wide plan. For more information contact Marketing and Communications.

Dedicated Resources - Establishing, monitoring, and maintaining a current and relevant social networking presence is time-consuming and requires significant time and attention. Do not start the process unless you have made provisions to dedicate the appropriate human resources towards it.

Accuracy - Check and double check your facts. If you are not sure an item is correct, do not post it. If you make an error, correct it - and let others know it has been corrected.

Style Guide Adherence - No matter which social networking tool you are using, spelling and grammar are important, but different applications may call for different approaches, naming conventions and tone (Twitter as an example). For specific guidelines visit Mount Royal University's Style Guide, which can be found on MyMRU under Quick Links for Employees (Employee Resources Tab).

Training Opportunities - Take advantage of available training and professional development opportunities. For example, Marketing and Communications hosts workshops and "how to" sessions on specific social networking sites periodically. If you are ever in doubt, check with your team leader or contact Marketing and Communications.

More on social media and privacy

The FOIP Act outlines how Mount Royal must collect, use, disclose, and protect personal information.

Prior to using social media consider the following aspects of the FOIP Act:

Personal Information: is defined under the Act as recorded information that can identify an individual such as, name (or username), address, e-mail, and phone numbers. This definition also includes opinions/viewpoints belonging to an identifiable individual.

If the information does not readily identify an individual (such as a statistic or anonymous information) than the FOIP Act's provisions on collection, use, or disclosure no longer applies.

In other words, try to collect information that does not identify individuals to fulfill your purpose. For example, the Office of the Privacy Commissioner of Canada has a Twitter account that simply posts (pushes out) information about events and related news rather than collecting or disclosing personal information.

Collection: the FOIP Act provides that personal information may only be collected if that information relates directly to and is necessary for an operating program or activity of Mount Royal University. Necessary means that the University must have a "demonstrable" need for the information.

Always ensure that you are collecting only that personal information, which is absolutely necessary to fulfill the requirements to meet the Mount Royal University activity.

Transparency and Privacy Statements: If personal information is being collected (such as via social media or through the internet) Mount Royal University must "inform" the individual of the purpose for which the information is collected; the legal authority for the collection 33(c), and the contact information of a University employee who can answer questions about the collection.

Be a good public citizen and be transparent in your social media community regarding what personal information you are collecting and the purpose of the collection (especially if the Social Media site represents Mount Royal University).

A common misconception is that personal information posted publicly on the internet is no longer considered "private" and therefore can be freely collected by public bodies. However, section 34 of the FOIP Act still states that any collection of personal information must be collected directly from the individual the information is about. This requirement means that individuals should be notified or made aware of University collection activities. Notification of the collection can be done either through online registration or posted on the social media profile page.

Note: The FOIP Act does provide limited exceptions under 34(1) that outline when indirect collection can occur by the University, such as for the from public sources for the purpose of fundraising.

Use: The FOIP Act provides three allowances that provide when Mount Royal University may use personal information it has collected. The most applicable section regarding use in the context of social media would be section 39(1)(a). In this section, the University may use personal information only for the purpose for which the personal information was collected or compiled or for a use consistent with that purpose.

If your department has established that the collection of personal information is necessary and you have been transparent by providing a Privacy Statement then the use of the personal information would be consistent with what you have told the community. Section 39(1)(a) would be fulfilled, also keeping in mind section 39(4) that the University may use personal information only to the extent necessary to enable the University to carry out its purpose in a reasonable manner.

Disclosure: The FOIP Act lists the circumstances concerning when Mount Royal University may disclose personal information in section 40. The most applicable section regarding disclosure in the context of social media would be section 40(1)(c). In this section, the University may disclose personal information only for a purpose for which the information was collected or compiled or for a use consistent with that purpose.

If your department has established (using the steps above) that the collection of personal information is necessary and you have been transparent by providing a Privacy Statement (including the prescribed disclosure) than the disclosure of personal information would then be consistent with what you have told the community. Section 40(1)(c) would be fulfilled, also keeping in mind section 40(4) that the University may disclose personal information only to the extent necessary to enable the University to carry out its purpose in a reasonable manner.

Protection: Mount Royal University must manage and protect personal information using reasonable security arrangements under the FOIP Act.

Promote privacy awareness among your social media community by including links regarding how to protect privacy when using social media. The Privacy Commissioner of Canada provides a best practices guide regarding protecting privacy when using social media that recommends doing the following:

• Read and understand site privacy policies
• Use privacy controls when available
• Do not interact with people you do not know
• Limit personal information posted online
• Choose difficult passwords and change them on a regular basis

Back to top

Mount Royal best practices - mobile devices (iphones)
The Office of the Privacy Commissioner of Canada recommends doing the following in order to protect privacy when using mobile devices.

1. Educate yourself about your mobile devices and how to enable or add privacy and security tools.
2. Limit the personal information that is stored on mobile devices to that which is absolutely necessary.
3. Ensure that mobile devices are protected with hard-to-guess passwords. Never rely on factory setting passwords.
4. Use an automatic lock feature so that a password is required to access information on mobile devices.
5. Consider using an up-to-date encryption technology to provide added protection for personal information on mobile devices. Without encryption, personal information is vulnerable to unauthorized access. Encryption involves using an algorithm to transform information into text that is unreadable without a "key" to read the code.
6. Install and run anti-virus; anti-spyware and firewall programs on your mobile device - and keep those programs up-to-date. Attacks against mobile devices - from spam, viruses, spyware and theft - are on the rise. For example, downloading an infected program could infect a mobile device.
7. Don't send personal data over public wireless networks - at cafés, for example - unless you have added security such as a Virtual Private Network (VPN). Public wireless networks may or may not be secure and there is a risk that others may be able to capture data sent over these networks.
8. Never leave your mobile device unattended in a public place or a vehicle. Across North America, hundreds of thousands of mobile devices are lost or stolen every year. One survey by an information security and privacy research centre suggest that a laptop has a 5 to 10 per cent chance of going missing over a three-year period.
9. Ensure that data stored on mobile devices that are no longer needed is purged prior to disposal.
10. These tips are intended only as an introduction to protecting personal information in a mobile workplace. Check the user manuals for your mobile device for further information.

Back to top

Social media and protecting privacy online

All too often, people utilize online tools and social media without taking the necessary precautions that would protect themselves from possible identity theft.

Identify theft occurs when a third party acquires portions of your personal information, which gradually allows them to impersonate your identity. For example, a perpetrator may use the personal information acquired to request a credit card in your name. The motivation behind identify theft is typically to aide with criminal activity or for personal financial gain.

Generally, individuals are usually complacent when it comes to sharing personal information online.

According to the Calgary Police Service, the following personal information can provide identity thieves enough information to steal your identity:

• Name
• Address
• Date of Birth
• Social Insurance Number or Social Security Number

In addition, Mount Royal University Marketing & Communications provides a list of social networking guidelines.

When using online tools or social media, protect your personal information by doing the following (based on the Office of the Privacy Commissioner of Canada website):

1. Give out as little information about you as possible

2. Only provide sensitive personal information, such as financial information, through secure means
   
   
   • Secure online forms will usually have a padlock icon in the bottom right corner of the screen.
     
3. Be careful with that information you are sending over the web

Hypertext Transfer Protocol Secure (https): utilizes a combination of Hypertext Transfer Protocol and Secure Sockets Layer (SSL). The use of https creates a secure channel over insecure networks. This system provides "reasonable" protection against information being intercepted through authentication processes.

4. Protect your social insurance number

5. Utilize online privacy controls

6. Create difficult passwords

7. Do not communicate with people you do not know in real life

8. Always consider what you are posting online

9. Read and understand the privacy policies

Back to top

Cloud computing - general information

Cloud computing refers to the delivery of scalable IT resources over the Internet as opposed to hosting and operating those resources locally through the Mount Royal University network. These resources can include applications and services, as well as the infrastructure on which they operate.

In a cloud computing system, there are networks of computers that run applications and store data. These computers are typically located in another country and allow local computers maintained within the organization to interface with the cloud network.

By deploying IT infrastructure and services through "the cloud", an organization can purchase these resources on an as needed basis and also avoid the capital costs associated with software and hardware administration.

In addition, there is a considerable advantage related to being part of cloud computing in that technology is constantly being advanced largely due to the motivation to improve service to obtain a larger profit by those supplying the cloud.

Yet another advantage is that cloud computing allows an organization's IT department to quickly adjust to the changes that take place with technology in the workplace. If the cloud maintains specified IT components for an organization, it will give more time for the IT department to dedicate to more pressing matters.

Current examples of cloud computing:

• Hotmail
• Yahoo
• Gmail
• Facebook
• Google (Buzz)
• Kijiji
• Survey Monkey

The common concern related to cloud computing is the fact that an organization's data can be stored anywhere in the world. Questions arise on how privacy will be protected or secured in another jurisdiction. If data is stored in another country, such as in the United States, how will an individual's personal privacy be protected considering that another country's legislation may run counter to Canadian privacy laws.

One law that has received considerable attention by Canadian privacy advocates of late is that of the Patriot Act (2001) in the United States. The U.S. Patriot Act can authorize the American government or its agencies access to personal information belonging to Canadians that is being stored in the United States.

Coincidentally, the concepts contained within the Patriot Act are not entirely new, but simply amend the U.S. Foreign Intelligence Surveillance Act passed back in 1977.

Some post-secondary institutions (such as the University of Alberta) have implemented cloud computing by striking a balance between taking advantage of this technology, while also adhering to the Alberta Freedom of Information and Protection of Privacy Act.

Back to top

Cloud computing - benchmarking

Cloud computing is a considerably new phenomena throughout various industries and the outcomes related to privacy and records management best practices are not yet fully realized.

However, the following gives a representation of how Canadian privacy legislation, legal action, and other post-secondary institutions have approached cloud computing in recent past.

Back to top

Cloud Computing - other provincial privacy legislation
The province of British Columbia's Freedom of Information and Protection of Privacy Act (Section 30) requires all public bodies to store records that contain personal information in its custody and control to be stored in Canada.

Nova Scotia's Personal Information International Disclosure Protection Act (Section 5) also requires that a public body that has personal information in its custody or control must store that information in Canada.

Back to top

Cloud computing - Alberta privacy legislation

The Alberta Freedom of Information Act is designed to not only protect the privacy of individuals, but also allow access to most records in the custody and control of Alberta public bodies, such as Mount Royal University.

The Alberta FOIP Act does not instruct public bodies to only store their personal information in Canada.

However, the Act still has the following provisions based on the collection, use, and disclosure of personal information retained by a public body:

• A public body must collect personal information directly from the individual the information is about and inform the individual of the purpose (Section 34)
  
• A public body must use personal information only for the purpose it was collected for in a consistent manner (Section 39(1)a, b)
  
• A public body must only use an individual's personal information if the individual has identified and consented to that prescribed use (Section 39(1)b)
  
• A public body must disclose personal information only if the individual the information is about has identified the information and consented to the disclosure (Section 40(d))
  
• A public body must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, or destruction (Section 38).

Back to top

Cloud computing - relevant privacy implications

On July 2, 2010 Donald J. Woliogroski of Winnipeg Manitoba filed a class-action privacy lawsuit against the social networking site Facebook. The suit accuses Facebook of breaching privacy by using Woliogroski's personal information for commercial purposes.

In September of 2010, Google decided to settle a class action lawsuit for a total of $8.5 million due to privacy concerns regarding their new social networking site named Google Buzz. The suit, which was based in California, alleges that Google Buzz made personal information belonging to the users "public" without their knowledge.

April, 2011 Best Buy had 2,500 of their customers have their privacy breached when their personal information was accessed by an unauthorized individual. It was discovered that the stored data was not encrypted by Epsilon Marketing, the company responsible for storing the personal information belonging to Best Buy customers.

Sony experienced a privacy breach in April, 2011 where an unauthorized person obtained names, billing addresses and credit card numbers held within the PlayStation Network located in the Cloud. Sony waited a full week to inform users of the privacy breach.

Back to top

Cloud computing - the University of Alberta

In December, 2010 the University of Alberta successfully concluded legal negotiations with Google in regards to having gmail support the University's e-mail and calendar services. Google has signed a legally binding contract with the institution not to data mine information or share university data with third parties. In addition, Google will allow the U of A to keep their ualberta.ca tags.

The contract negotiations took 15 months to complete as Google had to fulfill Alberta Freedom of Information and the Protection of Privacy requirements. A PIA (Privacy Impact Assessment) was also completed and submitted to the Office of Information and Privacy Commissioner of Alberta who "accepted" the PIA. The University of Alberta argued for the use of gmail based on the fact that e-mail is considered "utility" computing, which means the technology contains common data. In addition, they managed privacy risks by entering into a contract with Google that enables them to pursue legal action in the event of a privacy breach.

Back to top

Laptop and portable digital device security

• Limit the amount of personal information that is stored in a portable digital device
• Do not leave portable digital devices unattended in vehicles
• Enable passwords or encryption to limit access to the portable digital device
• Sever or remove the personal information from the portable digital device
• Consider not transporting personal information on a portable digital device and eliminate the risk entirely

Back to top

Digital recordings, photographs, and social media

If you are capturing individuals either as an audio-visual recording, through photographs, or posting images on social media such as, YouTube or Facebook, use the following best practices as a guide to fulfill the Alberta FOIP Act.

1. Consider that the Alberta FOIP Act applies to the digital audio-visual recordings and photographs.
   
   According to section 4(1) of the Alberta FOIP Act, the Act applies to all records in the custody or under the control of a public body.
   
   Notably, depending on "where" the digital recording resides online is one aspect that can determine whether the public body has custody or control of the record. If the public body has either custody or control then the FOIP Act applies and a standard FOIP Notification Statement under 34(2) would be required under the Act to notify individuals of the collection, use, and disclosure of the personal information contained in the digital recording.
   
   Under the Act, "custody" refers to the physical possession of a record; while "control" refers to the authority of a public body to manage, even partially, what is done with a record. For example, control could include such abilities as the public body's right to demand possession of a record or the right to either authorize or forbid access to a record all point to a public body having control of a record.
   
   The Privacy Commissioner of British Columbia supplies the following example that, if while working, a public body employee posts photos of their vacation on their personal social networking profile, it is unlikely those photos would be considered under the custody and control of the public body. In contrast, if the public body employee posts photos of people reading magazines in a public body building on the public body's social networking page, it is likely that those photos would be considered to be in the custody or under the control of the public body.
   
   Yet another example may involve recordings completed by students that are posted on Youtube where a link to the Youtube site is then posted on the public body website. If students are doing the recording and posting the recording on Youtube, then the record is not under the custody or control of the public body at all. However, supplying a link on the Mount Royal University website may fall under the FOIP Act depending on the circumstances particularly based on the collection and use of the recording by the public body. For example, the Privacy Commissioner of Canada hosts a Twitter account, but only posts future events or trends on privacy rather than collecting and using personal information. Returning back to the Youtube example, if the public body used the video for academic marks, or for marketing, the recording would likely be considered under the custody or control of the public body because collection regarding the personal information in the recording has occurred. In contrast, a link on a public body website that simply re-directs individuals externally to Youtube where recordings are posted would make the consideration for the public body to have custody or control is less likely.
   
   If the recordings are not deemed to be under the custody or control of the public body, it may be best practice to notify individuals in the interest of transparency. An example of such a notification where the FOIP Act does not apply may go as follows:
   
   "Individuals participating in this activity will be required to record events, occurrences, and other individuals. These digital recordings are completed by student participants and are posted on Youtube, which is a public online social media site. Although the public body will provide a link to the recording through the public body website the recording remains with YouTube and is not under the custody or control of the public body. For further inquiries contact Title - Name - Address - Phone Number - E-mail"

Note: If your activity involves communication rather than a recording of personal information (Example= video teleconferencing) then consent is not required because the Alberta FOIP Act only applies to records within a public body. However, signs should be used to inform individuals that such a communication is taking place.

2. Consider that video recordings and photographs capture personal information.

According to an Investigation Report 2000-IR-007 by the Alberta Office of the Information and Privacy Commissioner, it was decided that video tapes record an individual's characteristics or personal information.

These characteristics include an individual's skin color, gender, and other identifiable traits for that person. The same principles apply to photographs.

3. Consider the legal authority to collect personal information through video recording or photographing individuals

Prior to any video recording or photographing activity, a public body must determine the legal authority for such a collection.

This authority is found under section 33, whereby it states that no personal information may be collected by or for a public body unless

In most cases, the legal authority to collect by a public body falls under subsection 33(c). Notably, the legal authority to collect must be disclosed in the consent form directed to the individual authorizing the recording.

4. Consider the audience of who will be viewing the recording

Before drafting a form to obtain consent from the individual being recorded, consider the audience that will be accessing the collected personal information. In the digital age of social media tools, such as YouTube, Facebook, etc, personal information can now be presented to a world-wide audience.

According to section 17(2)a, disclosure of personal information to any third party must be given consent by the individual the recording is about.

Other audience considerations

5. Use a consent form to collect personal information in the video-recording. Indicate how the information will be used and disclosed.

The consent form presents to an individual an opportunity to sign or authorize your collection of their personal information. This form should also describe how an individual's personal information will be used and disclosed.

A public body must collect personal information directly from the individual is about (section 34(1) of the Act).

According to section 34(2) of the Act, a public body must collect personal information directly from the individual the information is about and must inform the individual:

Note: If your digital recording has a hyperlink on a Mount Royal University web page, include the contact information of the Mount Royal University employee who can answer the individual's questions about the recording to demonstrate transparency.

In addition, according to section 17(2)a of the Act, the individual the information is about must consent to any disclosure to a third party. The consent form must include to whom the personal information will be disclosed to.

There is an example of both a video recording and photograph collection form on the external FOIP website.

Back to top

Public event recordings
At times, due to the nature of recording devices, personal information can often be video taped, photographed, or digitally recorded at a public event. One example of such an event would be at convocation.

Based on a discussion paper regarding School Promotional Videos by the provincial government, it is recommended that notice be given to those attending the event that the recording will be used for a future purpose, such as in promotional material.

A notification to the audience would demonstrate transparency and help inform the audience as to what the personal information will be used for. The example given in the report would be if the master of ceremonies announced that the event is being recorded at the beginning of the ceremony.

According to section 17(2)j(iii) of the Act, a disclosure of personal information is not considered an unreasonable invasion of a third party's personal privacy if the disclosure is not contrary to the public interest and reveals only the attendance at or participation in a public event or activity related to a public body, including a graduation ceremony, sporting event, cultural program or club, or field trip.

However, the recorder needs to also consider 17(3) of the Act, which states that a disclosure of personal information under subsection 17(2)j is considered an unreasonable invasion of personal privacy if the third party whom the information is about has requested that the information not be disclosed.

When it comes to using recording devices, having a signed consent form allowing the public body to collect, use, and disclose personal information is the best course of action.

The consent form demonstrates openness and transparency by the public body. It also allows the individual being recorded to give formal consent prior to the collection and use by the public body.

If the recording is of a large group of individuals attending a public event and appropriate notification has been given regarding the collection, use, and disclosure of the recorded personal information than consent is not necessary.

However, if the group of individuals who will be recorded is small enough that the individuals are readily identifiable, than consent form should be obtained from each individual.

Back to top

Password protocols - best practices

A strong password is a simple, but vital way to provide a first line of defense against unauthorized access to personal information held in electronic format.

Password protocol best practices include changing your password on a regular basis and ensuring your password:

• is at least eight characters long
• does not contain a complete word in a dictionary
• is not obvious, such as a name or company name or simply "password"
• is not similar to previous passwords (Password1, Password2)
• contains a combination of:
  • Uppercase letters
  • Lowercase letters
  • Numerals
  • Symbols (%,$,*,@)

Back to top

Password protocols - 25 worst passwords for 2015
According to Time Magazine (online) the following were considered the top 25 worst passwords for 2015. These passwords are easy to guess or hack, which significantly increases the risk of your account being compromised.

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wsx
16. dragon
17. master
18. monkey
19. letmein
20. login
21. princess
22. qwertyuiop
23. solo
24. password
25. starwars

Back to top

Shared drives - common problems

The following are common problems with shared drives that can lead to a disorganized shared drive:

1. Uncertainty regarding what electronic documents are actually considered the "final effectual" document

Common causes:

• More than one document with similar file names
• More than one document with similar content within each document
  

2. Duplication, Duplication, Duplication

Common causes:

• Saving a different copy of the electronic document after each and every revision
• Saving a separate copy for your own personal use, while revisions are completed by your team members on another electronic document
• Saving a separate copy on another drive as simply a "back-up" or "just in case" measure
  

3. Inconsistent naming conventions that make electronic documents hard to find for your team

Common causes:

Files saved using various naming conventions.

111111 Contract Number - (Unique Identifier is 111111)

Contract Number 1111111

Smith, Bob Employee Record - (Unique Identifier is Smith)

Employee Record, Bob Smith

Computers have a natural tendency to order electronic files and folders either alphabetically or numerically. Placing unique identifying information at the front of your file name helps utilize this natural tendency and keeps your electronic files organized for retrievals purposes.

4. Naming an electronic document file name "Miscellaneous" or "General"

Assigning an electronic document file or folder name such as, "Miscellaneous" or "General" can be confusing to team members you are collaborating with.

Furthermore, a naming convention such as "miscellaneous" attracts a wide-range of record types to be saved under one location, therefore, making routine destruction extremely difficult to implement.

5. Saving electronic documents with long file names causing them not to open at all

Always try to keep your file name a reasonable length and test that your file will open after it is saved on the shared drive.

6. No retention code assigned or retention code grouping to help quickly determine destruction.

Electronic records have a tendency to multiply and overrun folders, thus making the more important documents difficult to find among the many (and sometimes unnecessary) saved files.

Common causes:

• Electronic documents have not been assigned an appropriate retention code resulting in having to open each document to determine what the document pertains to. In addition, the meaning of the electronic document also tends to become lost over time making records classification more difficult.

Consider assigning retention codes at the point of document creation when the subject- matter of the document is more recent to the author of the document.

• Electronic documents that have gradually become semi-active (used only on an occasional basis)

Consider printing the final record and file it in the paper file folder to be formally managed. However, be sure to remember to delete the electronic document, which would then be considered transitory as the official version would be in paper file format.

7. Saving electronic documents on the shared drive that are not even meant to be shared with the group.

Refrain from saving electronic documents on the shared drive when the file is not meant to be shared with the group as these documents ultimately create clutter on the shared drive for your team.

The shared drive is designed to save electronic documents that require team collaboration or universal access for your team.

The H:// Drive (on the other hand) is the best place to maintain your backed-up personal work documents, when team collaboration is not required.

8. Saving electronic documents that are eventually submitted to another department for processing.

These electronic documents would ultimately be considered "transitory" records as the original document is maintained by another department.

Back to top

Email accounts and protecting privacy (case study)

There are various kinds of email accounts that can consist of either an institutional or a personal nature.

For example, an @mtroyal.ca account is utilized in the context of completing the daily business activities of the University, whereas accounts with domain names such as, @shaw.ca or @gmail.com are typically used more for personal interactions.

The Alberta Freedom of Information and Protection of Privacy Act outlines those records upon which the Act applies. According to section 4(1), the FOIP Act "applies to all records in the custody or under the control of [the] public body[.]"

Based on section 4(1), the FOIP Act would apply to information held within email accounts that have the domain name @mtroyal.ca as this information is in the custody or control of Mount Royal University.

However, information retained in an email account with a domain name belonging to a particular person would "generally" not be considered in the custody or control of the public body.

Notably, there are several possible implications if a public employee elected to use a personal email account to complete University business activities.

Firstly, in the event of a formal FOIP request the employee may be required to provide that information to the University Privacy Office to fulfill an access request submitted by an applicant.

Secondly, and probably most importantly, maintaining information outside the custody and/or control of the public body can lead to suspicion that the public body employee is hiding information (willingly or not) that would normally be accessible to the public under the FOIP Act.

Information held within a personal e-mail account would not be in the custody or control of the public body, hence the FOIP Act would not apply, which would ultimately impede access by the public.

Case Study

In the fall of 2011, CBC News reported that "Alberta Progressive Conservative leadership candidate was using a covert email [address] for his internal communications while he was a government minister to evade public scrutiny documents confirm".

Morton used his formal first and middle name (Frederick Lee) to create an email account for internal communications with his staff.

The Office of the Information and Privacy Commissioner of Alberta launched an investigation into whether Ted Morton was in contravention of section 92(1)(e,g) of the Act.

According to section 92(1)(e,g), a "person must not willfully (e)alter, falsify, or conceal any record, or direct another person to do so, with the intent to evade a request for access to the record…or…(g) destroy any records subject to this Act, or direct another person to do so, with the intent to evade a request for access to the records".

The Alberta Privacy Commissioner concluded that Ted Morton did not use the secondary email account to evade or impede access. Notably, the secondary email account had the domain name @gov.ab.ca, which meant it was under the government's custody and/or control.

Although the investigation concluded that Ted Morton did not evade access to government records in this case, the investigation still provides an example of how suspicion can develop in regards to using secondary emails.

Back to top

Student audio recordings of lectures and privacy

There are times or circumstances within the University Community when a student may be required to record a lecture in a class they are registered in. For example, when the student has special needs/circumstances and requires accommodation by the University based on their individual needs.

Does the FOIP Act apply when it comes to a student recording a lecture in a classroom?

No - The Alberta FOIP Act only pertains to how a public body (not a student) must collect, use, disclose, and protect personal information. Under definitions within section 1 of the Act, a student is not defined as part of the public body and, therefore, the FOIP Act does not apply in this circumstance.

According to section 4(1), the Act "applies to all records in the custody or under the control of a public body[.]"

Under section 1 of the FOIP Act regarding the definition of a public body

Section 1(p)(vii) of the Act, a public body means a local public body.

Section 1(j)(i) of the Act, a local public body is an educational body.

Section 1(d)(i) of the Act, an educational body means a university as defined in the Post-Secondary Learning Act

Does a student need to ask permission to record a lecture in a classroom?

Mount Royal University's POL 505 on the Recording and Distribution of Academic Presentations and Materials states that prior permission from the faculty member must be obtained prior to a student proceeding with recording academic material belonging to a faculty member.

The Mount Royal University Copyright Advisor is available as an additional resource regarding the Canada Copyright Act.

Additionally, depending on the circumstances, other students may need to be informed of the recording to protect their rights to privacy through the instructor generally notifying the class in advance of the recording.

If, however, formal accommodation is required by a student due to their circumstances there are policies and procedures in place at the University to facilitate accommodation on behalf of students.

Academic Accommodations for Students with Disabilities Policy - Policy 0517

Accessibility Services Department

Diversity and Human Rights Department

Back to top