As time progresses and technology grows at an exponential rate, electronic record management is certainly on the minds of most Mount Royal employees.
Electronic technology is continuously changing with constant improvements to that same technology practically every year. These improvements, more often than not, require a degree of tenacity in regards to keeping up with the most up-to-date machine readable formats and the latest electronic records best practices.
That being said, the electronic age is upon us and avoiding this challenge is simply not a logical course of action when one considers the many advantages associated with adopting electronic records.
As a matter of fact, electronic record keeping actually improves efficiencies in the workplace and facilitates greater access to records when compared to utilizing their paper counterparts.
Overall, the key to implementing any electronic records management program is to ensure that the electronic process also takes “records management best practices” into account so that Mount Royal University can still fulfill its operational and legal obligations.
Electronic records management topics are as follows:
Electronic records projects - initial evaluation
Mount Royal best practices - electronic records projects
Mount Royal best practices - emails and records on personal computers
Mount Royal best practices - electronic file folder structure
Mount Royal best practices - cloud computing
Mount Royal best practices - social media
Mount royal best practices - mobile devices (iphones)
Social media and protecting privacy online
Cloud computing - general information
Cloud computing - benchmarking
Cloud computing - other provincial privacy legislation
Cloud computing - Alberta privacy legislation
Cloud computing - relevant privacy implications
Cloud computing - the University of Alberta
Laptop and portable digital device security
Digital recordings, photographs, and social media
Public event recordings
Password protocols - best practices
Password protocols - 25 worst passwords for 2015
Shared drives - common problems
Email accounts and protecting privacy (case study)
Student audio recordings of lectures and privacyElectronic records projects – initial evaluation
Prior to commencing upon any electronic records project, a department or area should evaluate whether it is worth converting their records into an electronic format by discussing the following questions:
- Precisely what records should be electronic?
- Are there certain records that are accessed on a regular basis?
- Do the records under consideration need to be accessed by multiple employees or areas?
- Are the records being considered the “final version” or will there be further revisions?
- How long are the records supposed to be retained by Mount Royal University?
- Is there a large amount of work associated with handling the paper records?
- How will the data be migrated to new formats as time progresses?
- Are the records worth maintaining and upgrading in electronic format?
As only an example, a common electronic records management project often involves scanning a select type of paper documents into PDF file format.
Organizations that take on such a process typically utilize an electronic records management database, which allows an individual to search for the electronic record based on key searchable fields and manages security requirements.
Mount Royal University is currently reviewing several electronic records management systems at this time.
Below are electronic records management best practices to consider in any kind of electronic records project at Mount Royal University.
- Determine how the electronic record will be protected from being changed or tampered with
According to archival principles, the electronic record must maintain its authenticity and reliability characteristics so that it can act as trustworthy evidence for the activities they are about.
Similarly to paper records, electronic records must always bear authentic testimony regarding the activities, processes, and procedures that brought them into being. An electronic record should provide evidence regarding the end result of an action or decision made by Mount Royal University.
For reliability, the electronic records management system must protect the record from any unnecessary or unmonitored revisions so that it can provide a trustworthy account of the particular actions that were documented.
Industry practices – recommendations:
- Creating electronic audit trails that track changes by the user
- Limited access to users or groups
- Providing read-only user access
- Tracking any “necessary” record revisions made to the document through the electronic records management system
- Saving the electronic record in a unchangeable format, such as PDF file format
- Determine if the electronic record is actually deemed the “original”
According to archival principles, an original is a complete document that is able to produce the consequences wanted by its author.
One consideration that must be taken into account is whether the process will deem the electronic record as the “original” record upon which Mount Royal University will treat as evidence for the activity the record was about.
Industry practices – recommendations:
- Discern whether the electronic record will be considered the “final” unchanged record for the activity it is about.
- Always ask if the electronic record could fulfill business obligations on its own without a paper copy. Accounts Payable Invoices provides a good example of such a record.
- If an electronic record is considered final and unchanged, there may be enough justification to destroy the paper copy and deem the electronic copy as the original. (Revision to the Mount Royal University Retention Schedule required to formalize the process)
- Occasionally, industries do maintain both a paper and electronic copy, where the electronic record provides a quick reference while the paper record is treated as the true original copy. An example would be contracts where the document signed in ink is “perceived” to have higher legal value than its electronic counterpart.
- If business activities require that an electronic record be revised, some industries utilize electronic records management systems that track the revisions made to the record. Using such a system retains the most current record, while also saving earlier versions for future reference.
- Determine the appropriate University Retention Code
According to the Alberta Freedom of Information and Protection of Privacy Act, Mount Royal University is a public body and is required to routinely destroy any records it produces, electronic or paper, by using the Mount Royal University Records Retention Schedule.
Mount Royal University is also obligated to document the destruction of electronic records and provide evidence of such destruction in the event of a FOIP request.
The documented routine destruction of records provides valuable legal defense for Mount Royal University.
Industry practices - recommendations:
- Assign the electronic record a University Retention Code
- If the electronic record requires a new retention code added to the University Records Retention Schedule, contact University Records.
- Retention codes can be used as search criteria for electronic records
- Electronic records management systems and/or processes should:
* Assign University Retention Codes to electronic records
* Create an audit trail that documents when a record was deleted or destroyed. The electronic records management system is often able to capture this data digitally.
- Determine the document type belonging to the electronic record
Many organizations create electronic records that are so large in scale, and are indexed so generally, that the data inside the electronic record still requires a long dedicated search by an individual.
A practical example would be if all of the paper documents in a file folder were all converted into one large PDF file (one PDF file containing 100 pages). The large PDF file might be indexed at the folder level, but an individual would still have to search through several electronic pages to find the specific data required.
Industry practices – recommendations:
- Take account of the paper records you wish to digitize. Typically, one paper file folder will contain many kinds of documents.
- Consider creating document types, which will index each kind of document found within the file folder. Document types based on controlled drop-down lists will allow efficient searches for specific digital records.
Consist of a “grouping” of certain documents, typically found within a paper file folder, that are usually recognized by either their format or, on occasion, their common purpose. Document types are often implemented during digitization projects as “drop downs” within prescribed indexing fields. Document types allow the searching of electronic records based on specific and controlled search criteria.
- Determine indexing standards and the utilization of full text searching
Indexing the electronic records may be one of the most important items to be discussed in any digitization project as the ultimate goal of retaining electronic records is to promote access.
Industry practices – recommendations
Below are common indexing fields in the electronic records management industry:
- Object ID #: a unique number auto-generated number assigned to the record
- File Number: enter the file number that the record pertains to
- File Description: enter the description of the record, placing any data that can be sorted alphabetically or numerically on the left-hand-side of the field
- Document Type: usually a drop-down list, enter the document type
- Created By: usually auto-generated by the system based on user login name
- Created Date: usually auto-generated by the system based on computer date
- Edited By: usually auto-generated by the system
- Edit Date: usually auto-generated by the system based on computer date
- Start Date: enter the start date of the record
- End Date: enter the end date of the record where applicable
- Retention Code: usually a drop-down list, select the appropriate retention code
- Version Number: auto-generated and only applies to digital records that need to be revised where the old version needs to be retained along with the new version of the record.
- Determine whether the electronic records need to have “full text” search capability that utilizes OCR (Optical Character Recognition) technology.
- Establish drop-down lists in the search and indexing forms to limit typo’s
Full Text Searching:
Is the ability for the electronic search tool to seek out any term or word contained within the text located in the pages of an electronic record. This capability is typically achieved when the paper document is first scanned into PDF file format.
Optical Character Recognition:
Is the mechanical or electronic translation of scanned images of handwritten, typewritten, or printed text into machine encoded text.
- Determine destruction mechanisms and auditing
Mount Royal University must manage electronic records according to both its legal obligations and records management best practices.
The management of any electronic records must ensure that the records are only retained for a specified time period and destroyed based on the legal requirements set out by the Mount Royal University Records Retention Schedule.
Industry practices – recommendations:
- Assign the electronic record a University retention code or contact University Records to make revisions
- Ensure that the University records retention code is part of the indexing process
- Capture an audit trail of when the electronic record was destroyed
- Have the audit trail track who destroyed the electronic record
- Create a user access security to ensure destruction is authorized
- Determine user security and access – Freedom of Information and Protection of Privacy
Another aspect of implementing an electronic records management system is designing user security access for the captured records.
Mount Royal University is obligated to protect personal information contained within the electronic records it has under its custody and control. In addition, some electronic records may contain sensitive business information that need to be protected as well.
Security protocols need to be determined and established prior to the implementation of any electronic records management system.
Industry practices – recommendations:
- Determine the sensitivity of the electronic records and assess if restrictions to access need to be put in place
- Investigate whether no restrictions are required and if there should be University wide access
- Evaluate the levels of user access required and the following user capabilities
* Read-only access for certain individuals
* Read-only access for the entire organization
* Create or edit capability
* Administrator capability
- Assess how to administer the security access of the users
* Access level granted by group
* Access level granted by individual
* Access level granted based on record
* Access level granted based on department
* Always consider that access by groups presents less administrative work than security levels based by person.
- Determine imaging standards and manage server storage space
Prior to imaging documents, determine a standard when it comes to scanning the document. An imaging standard prevents electronic documents from getting large and taking up storage space on the server.
Industry practices – recommendations:
- Scan documents in black & white, not color
- Scan documents with a lower DPI (Example 300 dpi)
- Consider a regular monitoring or auditing process to ensure that standards are followed
Mount Royal best practices - emails and records on personal computers
The most common electronic records that are handled by Mount Royal employees on a daily basis consist of emails and electronic documents saved on personal computers.
Currently, Mount Royal University has not formally adopted a universal electronic records management system that stores, indexes, and classifies email created through Lotus Notes. Similarly, such a system would also manage those electronic documents created and stored on personal computers as well.
Electronic records management systems are currently under review; therefore, at this time employees should follow the “best practice” processes below to manage electronic documents they create on a daily basis until such time that a system is adopted.
There is an Email Best Practices that follows the guidelines below.
- Determine which e-mails or electronic documents are transitory (short-term value)
A transitory document is a document that is only required for a limited time period for the completion of a routine action. These documents are considered by their author to have “short term” business value because they do not provide evidence to activities that are considered important or crucial to University operations.
Determining whether an email or electronic document saved on your personal computer is transitory largely depends on the judgment of the individual who created it. However, some examples that are transitory documents include:
- A copy of an electronic document where it has been revised and saved under another name
- A rough draft of an electronic document
- Emails that do not provide evidence for decisions or activities related to University Business:
* Helpdesk emails
* Professional association emails
* Administrative emails
* Meeting invite emails
* Special event emails
* Human Resources training emails
Transitory records with short-term value can be deleted by the owner at their discretion. No formal destruction documentation is required.
- Determine which emails or electronic documents are not transitory (have long-term value)
Some emails and electronic documents saved on your personal computer actually do have long- term value in that they provide valuable evidence regarding the decisions and activities they are about.
Examples of emails and electronic documents with long-term value:
- The final version of a document
- The final report concerning an investigation
- Emails that provide evidence that a decision was made
- Emails that prove that there was a communication between two parties
E-mails and electronic documents that are identified to have long-term value should be printed in their final form and filed in a paper file folder that has been assigned a University Records Retention Code.
By printing the electronic records:
- The record cannot be changed or corrupted
- The record can be filed and assigned a retention code
- The record can be searchable University wide
- The record can be identified for destruction
Although your personal computer creates a large quantity of electronic records on a daily basis, it does not meet best practices when it comes to records management requirements for Mount Royal University.
- Your personal computer…does not track changes or revisions
- Your personal computer…does not easily identify the original “finalized” record unless the creator is around to identify the correct record.
- Your personal computer…does not automatically assign a retention code, thus limiting an ability to manage the timely destruction of records according to legal and operational requirements
- Your personal computer…does not allow electronic records to be assigned document types making a search for a particular document difficult for you and the organization
- Your personal computer…does not provide standardized indexing fields upon which to find your electronic records.
Although a personal computer can search for words or terms contained within an electronic record, you are probably the only individual that knows the exact term to use to complete the search.
- Your personal computer…does not provide University-wide access to your electronic records
- Your personal computer…is not designed to destroy electronic records according to records management best practices.
i. It does not systematically destroy electronic records in groups
ii. It does not assign retention codes to the electronic records
iii. It does not provide a formal audit trail that proves who destroyed the record and when to help respond to a FOIP request.
iv. There is a risk that the electronic record was not actually destroyed. For example, the electronic record could be in the trash can and restored at any time.
- Your personal computer…has a limited ability to administer security access to the electronic records it stores.
In other words, a personal computer allows the owner of the electronic records to login and access their records, but it does not provide secure organization wide access to the same electronic records it holds.
If you ever leave Mount Royal University any electronic records will probably be passed on to another individual who will have a limited understanding on their value.
“A common testimony by Mount Royal University employees is that they took over a role and adopted records from their predecessor that have no meaning or use to the newcomer in that role”
Create an (electronic folder) based on a Broad Business Function or Category that pertains to the type of records being managed.
In addition, also include the alpha-numeric code based on the MRU Records Retention Schedule that will help govern how long to retain that type of record.
Folder Structure Example:
- FOIP Requests (LR030)
Note: MRU Records Retention Schedule LR030 is states records in this category must retained for 5 years
(2) File Folder = by Year
Create an (electronic sub-folder) based on Year.
By grouping the electronic records in folders by years will help determine when the electronic folders need to be deleted in accordance with the MRU Records Retention Schedule.
Folder Structure Example:
- FOIP Requests (LR030)
Note: Electronic records filed under this file structure above may be deleted after 5 years
(3) File Folder = by File Name
Create an (electronic sub-folder) based on File Name such as, Incident Number, Name (Last,First), Student Number, Contract Number.
For example, the MRU FOIP Office relies on Incident Numbers.
Folder Structure Example:
- FOIP Requests (LR030)
(4) File Folder = by Document Type (Optional)
Create an (electronic sub-folder) based on Document Type, which comprises of the kinds of records that are typically used for the broader business function.
This sub-folder is "optional", but it may be beneficial if there are a high volume of electronic records and it helps expedite the retrieval of the electronic records for business operations.
For example, Document Types based on the MRU FOIP Office business operations include:
- Original Records
- Redacted Records (Applicant)
- Notification Letters
- Third Party Notices
- Privacy Commissioner
Folder Structure Example:
- FOIP Requests (LR030)
- Original Records
The implementation of any cloud computing should not only strive to utilize technology, but must also make every effort to protect the personal information in the custody and control of Mount Royal University in accordance with the Alberta Freedom of Information and Protection of Privacy Act.
The following below outlines Cloud Computing Best Practices for your project, while the Cloud Computing Contract Checklist provides a quick list of privacy requirements before signing a contract with the Cloud Computing Services vendor.
- Determine what personal information and how much will be retained in the cloud
Prior to implementing any cloud computing technology, assume that the data you will be managing in the cloud will undoubtedly be stored in a foreign country. Therefore, always limit the risk by questioning how much personal information, and what information, absolutely needs to be stored in the cloud to fulfill your purposes.
Limiting the amount and type of personal information that is being stored in the cloud will help manage some of the risk in the event that a privacy breach does occur.
In addition, such an analysis can be documented in the PIA (Privacy Impact Assessment), which will demonstrate to the public that privacy legislation was taken into consideration.
- Determine the vitality of the electronic records being managed
Take an account of the Mount Royal University data that you wish to store in a foreign country. Keep in mind that there is always a risk involved with storing “vital” information with another company or country when it comes to the retrieving the data.
Always evaluate the value of the data you wish to submit to the cloud and consider the risks involved regarding retrieval implications or possible third party access to sensitive business records.
- Determine the mechanisms that will obtain the consent necessary from the individuals the personal information is about
The Alberta Freedom of Information and Protection of Privacy Act guides Mount Royal University on how to collect, use, and disclose personal information in its custody and control.
- Mount Royal University must collect personal information directly from the individual the information is about and inform the individual of the purpose (Section 34).
An individual must give signed consent or click on an acknowledgement box so that they are notified prior to having their personal information stored in the cloud. The personal information selected for cloud computing must be presented to and identified by the individual the personal information is about.
- Mount Royal University must use personal information only for the purpose it was collected for in a consistent manner (Section 39(1)a, b).
At the point of signed consent, the individual must also be informed of the purpose for the collection of their information.
A contract signed and agreed to by the cloud network provider must specify the use of the personal information and ensure that the information will be used for the agreed purpose.
- Mount Royal University must disclose personal information only if the individual the information is about has identified the information and consented to the disclosure (Section 40(d)).
Contracts need to be signed with the cloud provider to ensure that personal information is not inavertedly disclosed to a third party including for commercial purposes. Such a disclosure would result in a privacy breach with legal implications for Mount Royal University.
- Determine the security arrangements that need to be put in place by the company supplying the cloud
Mount Royal University must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, or destruction (Section 38).
If personal information is going to be stored in the cloud, legal contracts should be implemented to protect Mount Royal University in the event of unauthorized collection, use, or disclosure by the company providing the cloud computing network.
Discussions should be conducted with the cloud network provider in regards to what security measures have been put in place to protect the personal information from unauthorized collection, use, or disclosure.
Document the security protocols in the PIA (Privacy Impact Assessment) to demonstrate that privacy was considered prior to implementation.
- Involve Mount Royal University Legal Counsel, Privacy Office, and Information Technology Services when negotiating a contract with a cloud provider
Protect Mount Royal University in the event of a privacy breach by having the cloud provider sign a service contract that ensures privacy provisions are followed.
Include the Mount Royal Legal Counsel, Privacy Office, and Information Technology Services when drafting a legal contract with the cloud provider in order to determine that the contract protects the University.
The contract should include provisions with the cloud provider agreeing to terms on the following topics in mind:
- Guidelines for the collection, use, disclosure, and protection of the personal information
- Audit and security protocols
- Company bankruptcy
- Changeable terms of service
- Termination of service
- Location of cloud data and applicable law
- Subpoena responses
- Destruction processes
- Complete a provincial PIA (Privacy Impact Assessment) for your cloud computing project
A PIA (Privacy Impact Assessment) is a document or template provided by the Government of Alberta that can be systematically completed in order to aide a project identify and mitigate privacy concerns.
University of Alberta completed a PIA and submitted the document to the Alberta Information and Privacy Commissioner prior to their cloud computing project implementation.
A privacy impact assessment form is advantageous in the following ways:
- It provides a template that aides in a systematic analysis of privacy implications
- The PIA can be formally submitted to the Office of the Information and Privacy Commissioner for “acceptance”
- A submitted PIA provides evidence to the public that privacy was taken into account
- Determine how the data will be systematically destroyed in the cloud
Processes must be put in place by the cloud provider to systematically destroy electronic records that are retained in the cloud.
Electronic records should be assigned a retention code according to the Mount Royal University Records Retention Schedule and routinely destroyed at a time determined by the schedule.
In addition, any destruction of the electronic records needs to be documented in order to provide evidence that the records were, in fact, routinely destroyed. Documentation of the destruction of the records is necessary in order to formally respond to a FOIP request at the University.
Mount Royal University supports the use of social media for informational and promotional purposes.
When identifying yourself as a Mount Royal University employee, student, or group online, there are certain guidelines and practices directed towards Marketing and Communication to keep in mind. These Social Networking Guidelines are provided by the Mount Royal Social Networking Committee.
There is a Social Media Best Practices, which summarizes the recommendations provided by the Committee and also provides guidance regarding social media under the FOIP Act.
Be aware of relevant institutional policies - Users must abide by all applicable institutional policies such as those covering Acceptable Use Policy for Mount Royal Computer Resources, Code of Ethics, Conflict of Interest, Copyright legislation, Freedom of Information and Protection of Privacy (FOIP) legislation, and for students, the Code of Student Conduct.
Think before you post - Be courteous and respectful of those using the space. Always ask the question: "Would I say this to their face?" Don't post when you are angry or upset. And remember, private conversations and social networking sites do not go hand-in-hand. Finally, keep in mind that you will relinquish copyright ownership of any information you post on a social networking site, to the site.
Add value not noise - Ensure what you write would be considered beneficial to your audience. Information should be engaging, timely, and relevant. Don't spam others or use social networking as a personal promotional blow horn. Ensure your communication is direct and strategic.
Legal considerations - Your comments, posts, and links (peruse and validate all links before posting) must not contain defamatory, obscene, or illegal material. Comments must abide by Canadian law such as libel, slander, copyright, and FOIP legislation. If you are posting images and photos, ensure you have the proper permissions.
Be transparent and authentic - Be open and honest at all times. If you commenting on behalf of your department or area - say so. Never pretend to be someone else and post/comment about Mount Royal University. If you are posting your personal opinion (not necessarily the department you represent) say so. Use "I" versus "we".
Protect your identity - Transparency is a necessary trait of social networking, but do not share personal documents or information such as your home telephone number, address, or employee/student ID. Not properly protecting yourself and your identity is risky.
Maintain confidentiality - Never post confidential or proprietary information about Mount Royal, its staff, its students, or its alumni. Don't post anything you wouldn't be comfortable with seeing on the cover of your local newspaper.
Negative feedback always needs to be responded to - Negative feedback is an opportunity to identify items or services your audience is unhappy with and to fix it within a public forum. Respond as quickly as possible and in the voice and tone of the institution or your area, not personally. Your response can be a reminder of acceptable usage of the social networking site and/or guidelines and consequences if they are not adhered to (delete comments that contain profanity or threats); or correcting statements that have incorrect/inflammatory information. However, there is a difference between a negative opinion that users are entitled to have and voice - and threatening, harassing, profane comments that are not acceptable.
Consistent communication - Social networking is about entering into a long term conversation. Avoid creating an account, posting once or twice and then not use it again for months. Ensure you have a plan that will allow for regular communication over a long period of time, one year as a minimum is a good rule of thumb (e.g. staff dedicated to social networking)
Big picture - Mount Royal University has an institutional social networking strategy. When developing a department/area plan one should consider the impact on the campus-wide plan. For more information contact Marketing and Communications.
Dedicated Resources - Establishing, monitoring, and maintaining a current and relevant social networking presence is time-consuming and requires significant time and attention. Do not start the process unless you have made provisions to dedicate the appropriate human resources towards it.
Accuracy - Check and double check your facts. If you are not sure an item is correct, do not post it. If you make an error, correct it - and let others know it has been corrected.
Style Guide Adherence - No matter which social networking tool you are using, spelling and grammar are important, but different applications may call for different approaches, naming conventions and tone (Twitter as an example). For specific guidelines visit Mount Royal University's Style Guide, which can be found on MyMRU under Quick Links for Employees (Employee Resources Tab).
Training Opportunities - Take advantage of available training and professional development opportunities. For example, Marketing and Communications hosts workshops and "how to" sessions on specific social networking sites periodically. If you are ever in doubt, check with your team leader or contact Marketing and Communications.
More on social media and privacy
The FOIP Act outlines how Mount Royal must collect, use, disclose, and protect personal information.
Prior to using social media consider the following aspects of the FOIP Act:
Personal Information: is defined under the Act as recorded information that can identify an individual such as, name (or username), address, e-mail, and phone numbers. This definition also includes opinions/viewpoints belonging to an identifiable individual.
If the information does not readily identify an individual (such as a statistic or anonymous information) than the FOIP Act's provisions on collection, use, or disclosure no longer applies.
In other words, try to collect information that does not identify individuals to fulfill your purpose. For example, the Office of the Privacy Commissioner of Canada has a Twitter account that simply posts (pushes out) information about events and related news rather than collecting or disclosing personal information.
Collection: the FOIP Act provides that personal information may only be collected if that information relates directly to and is necessary for an operating program or activity of Mount Royal University. Necessary means that the University must have a "demonstrable" need for the information.
Always ensure that you are collecting only that personal information, which is absolutely necessary to fulfill the requirements to meet the Mount Royal University activity.
Transparency and Privacy Statements: If personal information is being collected (such as via social media or through the internet) Mount Royal University must "inform" the individual of the purpose for which the information is collected; the legal authority for the collection 33(c), and the contact information of a University employee who can answer questions about the collection.
Be a good public citizen and be transparent in your social media community regarding what personal information you are collecting and the purpose of the collection (especially if the Social Media site represents Mount Royal University).
A common misconception is that personal information posted publicly on the internet is no longer considered "private" and therefore can be freely collected by public bodies. However, section 34 of the FOIP Act still states that any collection of personal information must be collected directly from the individual the information is about. This requirement means that individuals should be notified or made aware of University collection activities. Notification of the collection can be done either through online registration or posted on the social media profile page.
Note: The FOIP Act does provide limited exceptions under 34(1) that outline when indirect collection can occur by the University, such as for the from public sources for the purpose of fundraising.
Use: The FOIP Act provides three allowances that provide when Mount Royal University may use personal information it has collected. The most applicable section regarding use in the context of social media would be section 39(1)(a). In this section, the University may use personal information only for the purpose for which the personal information was collected or compiled or for a use consistent with that purpose.
If your department has established that the collection of personal information is necessary and you have been transparent by providing a Privacy Statement then the use of the personal information would be consistent with what you have told the community. Section 39(1)(a) would be fulfilled, also keeping in mind section 39(4) that the University may use personal information only to the extent necessary to enable the University to carry out its purpose in a reasonable manner.
Disclosure: The FOIP Act lists the circumstances concerning when Mount Royal University may disclose personal information in section 40. The most applicable section regarding disclosure in the context of social media would be section 40(1)(c). In this section, the University may disclose personal information only for a purpose for which the information was collected or compiled or for a use consistent with that purpose.
If your department has established (using the steps above) that the collection of personal information is necessary and you have been transparent by providing a Privacy Statement (including the prescribed disclosure) than the disclosure of personal information would then be consistent with what you have told the community. Section 40(1)(c) would be fulfilled, also keeping in mind section 40(4) that the University may disclose personal information only to the extent necessary to enable the University to carry out its purpose in a reasonable manner.
Protection: Mount Royal University must manage and protect personal information using reasonable security arrangements under the FOIP Act.
Promote privacy awareness among your social media community by including links regarding how to protect privacy when using social media. The Privacy Commissioner of Canada provides a best practices guide regarding protecting privacy when using social media that recommends doing the following:
- Read and understand site privacy policies
- Use privacy controls when available
- Do not interact with people you do not know
- Limit personal information posted online
- Choose difficult passwords and change them on a regular basis
Mount Royal best practices - mobile devices (iphones)
The Office of the Privacy Commissioner of Canada recommends doing the following in order to protect privacy when using mobile devices.
- Educate yourself about your mobile devices and how to enable or add privacy and security tools.
- Limit the personal information that is stored on mobile devices to that which is absolutely necessary.
- Ensure that mobile devices are protected with hard-to-guess passwords. Never rely on factory setting passwords.
- Use an automatic lock feature so that a password is required to access information on mobile devices.
- Consider using an up-to-date encryption technology to provide added protection for personal information on mobile devices. Without encryption, personal information is vulnerable to unauthorized access. Encryption involves using an algorithm to transform information into text that is unreadable without a “key” to read the code.
- Install and run anti-virus; anti-spyware and firewall programs on your mobile device – and keep those programs up-to-date. Attacks against mobile devices – from spam, viruses, spyware and theft – are on the rise. For example, downloading an infected program could infect a mobile device.
- Don’t send personal data over public wireless networks – at cafés, for example – unless you have added security such as a Virtual Private Network (VPN). Public wireless networks may or may not be secure and there is a risk that others may be able to capture data sent over these networks.
- Never leave your mobile device unattended in a public place or a vehicle. Across North America, hundreds of thousands of mobile devices are lost or stolen every year. One survey by an information security and privacy research centre suggest that a laptop has a 5 to 10 per cent chance of going missing over a three-year period.
- Ensure that data stored on mobile devices that are no longer needed is purged prior to disposal.
- These tips are intended only as an introduction to protecting personal information in a mobile workplace. Check the user manuals for your mobile device for further information.
All too often, people utilize online tools and social media without taking the necessary precautions that would protect themselves from possible identity theft.
Identify theft occurs when a third party acquires portions of your personal information, which gradually allows them to impersonate your identity. For example, a perpetrator may use the personal information acquired to request a credit card in your name. The motivation behind identify theft is typically to aide with criminal activity or for personal financial gain.
Generally, individuals are usually complacent when it comes to sharing personal information online.
According to the Calgary Police Service, the following personal information can provide identity thieves enough information to steal your identity:
- Date of Birth
- Social Insurance Number or Social Security Number
In addition, Mount Royal University Marketing & Communications provides a list of social networking guidelines.
When using online tools or social media, protect your personal information by doing the following (based on the Office of the Privacy Commissioner of Canada website):
- Give out as little information about you as possible
- Refrain from providing information such as birth date or social insurance number if it is not, in fact, necessary.
- Only provide sensitive personal information, such as financial information, through secure means
- Secure online forms will usually have a padlock icon in the bottom right corner of the screen.
- Secure online forms will usually have a padlock icon in the bottom right corner of the screen.
- Be careful with that information you are sending over the web
- Information can sometimes be intercepted by hackers through e-mail or through unsecure wifi connections.
- Check that the website url address contains the acronym “https”, which demonstrates the website is utilizing a secure channel.
Hypertext Transfer Protocol Secure (https): utilizes a combination of Hypertext Transfer Protocol and Secure Sockets Layer (SSL). The use of https creates a secure channel over insecure networks. This system provides “reasonable” protection against information being intercepted through authentication processes.
- Protect your social insurance number
- Social Insurance numbers provide valuable information to identify thieves.
- Utilize online privacy controls
- Many social media sites, such as Facebook, provide privacy controls for you to control who has access to your information. For example, in Facebook click on “edit profile” and then “privacy preferences” to adjust your privacy settings. This function can limit access to your social media postings to only the individuals you permit (rather than to everyone online).
- Create difficult passwords
- Check out “Password Protocols” under Electronic Records for ideas on how to create a secure password.
- Do not communicate with people you do not know in real life
- Remember that the web is a public place that facilitates to people with both good and bad intentions alike.
- Always consider what you are posting online
- Pictures can indicate where you live and also have electronic metadata tied to the digital photograph.
- Always be cautious regarding what you post and how much information you make public. Once information is posted publicly online it is difficult to delete.
- Read and understand the privacy policies
- Most online tools and social media sites have privacy policies that are available on their websites. For example, survey monkey outlines that the company does not collect survey data from the user, but they do collect how you use their website. Become familiar and clear with how the company is using the information that is being supplied.
Cloud computing refers to the delivery of scalable IT resources over the Internet as opposed to hosting and operating those resources locally through the Mount Royal University network. These resources can include applications and services, as well as the infrastructure on which they operate.
In a cloud computing system, there are networks of computers that run applications and store data. These computers are typically located in another country and allow local computers maintained within the organization to interface with the cloud network.
By deploying IT infrastructure and services through “the cloud”, an organization can purchase these resources on an as needed basis and also avoid the capital costs associated with software and hardware administration.
In addition, there is a considerable advantage related to being part of cloud computing in that technology is constantly being advanced largely due to the motivation to improve service to obtain a larger profit by those supplying the cloud.
Yet another advantage is that cloud computing allows an organization’s IT department to quickly adjust to the changes that take place with technology in the workplace. If the cloud maintains specified IT components for an organization, it will give more time for the IT department to dedicate to more pressing matters.
Current examples of cloud computing:
- Google (Buzz)
- Survey Monkey
The common concern related to cloud computing is the fact that an organization’s data can be stored anywhere in the world. Questions arise on how privacy will be protected or secured in another jurisdiction. If data is stored in another country, such as in the United States, how will an individual’s personal privacy be protected considering that another country’s legislation may run counter to Canadian privacy laws.
One law that has received considerable attention by Canadian privacy advocates of late is that of the Patriot Act (2001) in the United States. The U.S. Patriot Act can authorize the American government or its agencies access to personal information belonging to Canadians that is being stored in the United States.
Coincidentally, the concepts contained within the Patriot Act are not entirely new, but simply amend the U.S. Foreign Intelligence Surveillance Act passed back in 1977.
Some post-secondary institutions (such as the University of Alberta) have implemented cloud computing by striking a balance between taking advantage of this technology, while also adhering to the Alberta Freedom of Information and Protection of Privacy Act.
Cloud computing is a considerably new phenomena throughout various industries and the outcomes related to privacy and records management best practices are not yet fully realized.
However, the following gives a representation of how Canadian privacy legislation, legal action, and other post-secondary institutions have approached cloud computing in recent past.
Cloud Computing - other provincial privacy legislation
The province of British Columbia’s Freedom of Information and Protection of Privacy Act (Section 30) requires all public bodies to store records that contain personal information in its custody and control to be stored in Canada.
Nova Scotia’s Personal Information International Disclosure Protection Act (Section 5) also requires that a public body that has personal information in its custody or control must store that information in Canada.
The Alberta Freedom of Information Act is designed to not only protect the privacy of individuals, but also allow access to most records in the custody and control of Alberta public bodies, such as Mount Royal University.
The Alberta FOIP Act does not instruct public bodies to only store their personal information in Canada.
However, the Act still has the following provisions based on the collection, use, and disclosure of personal information retained by a public body:
- A public body must collect personal information directly from the individual the information is about and inform the individual of the purpose (Section 34)
- A public body must use personal information only for the purpose it was collected for in a consistent manner (Section 39(1)a, b)
- A public body must only use an individual’s personal information if the individual has identified and consented to that prescribed use (Section 39(1)b)
- A public body must disclose personal information only if the individual the information is about has identified the information and consented to the disclosure (Section 40(d))
- A public body must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, or destruction (Section 38).
On July 2, 2010 Donald J. Woliogroski of Winnipeg Manitoba filed a class-action privacy lawsuit against the social networking site Facebook. The suit accuses Facebook of breaching privacy by using Woliogroski’s personal information for commercial purposes.
In September of 2010, Google decided to settle a class action lawsuit for a total of $8.5 million due to privacy concerns regarding their new social networking site named Google Buzz. The suit, which was based in California, alleges that Google Buzz made personal information belonging to the users “public” without their knowledge.
April, 2011 Best Buy had 2,500 of their customers have their privacy breached when their personal information was accessed by an unauthorized individual. It was discovered that the stored data was not encrypted by Epsilon Marketing, the company responsible for storing the personal information belonging to Best Buy customers.
Sony experienced a privacy breach in April, 2011 where an unauthorized person obtained names, billing addresses and credit card numbers held within the PlayStation Network located in the Cloud. Sony waited a full week to inform users of the privacy breach.
In December, 2010 the University of Alberta successfully concluded legal negotiations with Google in regards to having gmail support the University’s e-mail and calendar services. Google has signed a legally binding contract with the institution not to data mine information or share university data with third parties. In addition, Google will allow the U of A to keep their ualberta.ca tags.
The contract negotiations took 15 months to complete as Google had to fulfill Alberta Freedom of Information and the Protection of Privacy requirements. A PIA (Privacy Impact Assessment) was also completed and submitted to the Office of Information and Privacy Commissioner of Alberta who “accepted” the PIA. The University of Alberta argued for the use of gmail based on the fact that e-mail is considered “utility” computing, which means the technology contains common data. In addition, they managed privacy risks by entering into a contract with Google that enables them to pursue legal action in the event of a privacy breach.
- Limit the amount of personal information that is stored in a portable digital device
- Do not leave portable digital devices unattended in vehicles
- Enable passwords or encryption to limit access to the portable digital device
- Sever or remove the personal information from the portable digital device
- Consider not transporting personal information on a portable digital device and eliminate the risk entirely
If you are capturing individuals either as an audio-visual recording, through photographs, or posting images on social media such as, YouTube or Facebook, use the following best practices as a guide to fulfill the Alberta FOIP Act.
- Consider that the Alberta FOIP Act applies to the digital audio-visual recordings and photographs.
According to section 4(1) of the Alberta FOIP Act, the Act applies to all records in the custody or under the control of a public body.
Notably, depending on “where” the digital recording resides online is one aspect that can determine whether the public body has custody or control of the record. If the public body has either custody or control then the FOIP Act applies and a standard FOIP Notification Statement under 34(2) would be required under the Act to notify individuals of the collection, use, and disclosure of the personal information contained in the digital recording.
Under the Act, “custody” refers to the physical possession of a record; while “control” refers to the authority of a public body to manage, even partially, what is done with a record. For example, control could include such abilities as the public body’s right to demand possession of a record or the right to either authorize or forbid access to a record all point to a public body having control of a record.
The Privacy Commissioner of British Columbia supplies the following example that, if while working, a public body employee posts photos of their vacation on their personal social networking profile, it is unlikely those photos would be considered under the custody and control of the public body. In contrast, if the public body employee posts photos of people reading magazines in a public body building on the public body’s social networking page, it is likely that those photos would be considered to be in the custody or under the control of the public body.
Yet another example may involve recordings completed by students that are posted on Youtube where a link to the Youtube site is then posted on the public body website. If students are doing the recording and posting the recording on Youtube, then the record is not under the custody or control of the public body at all. However, supplying a link on the Mount Royal University website may fall under the FOIP Act depending on the circumstances particularly based on the collection and use of the recording by the public body. For example, the Privacy Commissioner of Canada hosts a Twitter account, but only posts future events or trends on privacy rather than collecting and using personal information. Returning back to the Youtube example, if the public body used the video for academic marks, or for marketing, the recording would likely be considered under the custody or control of the public body because collection regarding the personal information in the recording has occurred. In contrast, a link on a public body website that simply re-directs individuals externally to Youtube where recordings are posted would make the consideration for the public body to have custody or control is less likely.
If the recordings are not deemed to be under the custody or control of the public body, it may be best practice to notify individuals in the interest of transparency. An example of such a notification where the FOIP Act does not apply may go as follows:
“Individuals participating in this activity will be required to record events, occurrences, and other individuals. These digital recordings are completed by student participants and are posted on Youtube, which is a public online social media site. Although the public body will provide a link to the recording through the public body website the recording remains with YouTube and is not under the custody or control of the public body. For further inquiries contact Title – Name – Address – Phone Number – E-mail”
Note: If your activity involves communication rather than a recording of personal information (Example= video teleconferencing) then consent is not required because the Alberta FOIP Act only applies to records within a public body. However, signs should be used to inform individuals that such a communication is taking place.
- Consider that video recordings and photographs capture personal information.
According to an Investigation Report 2000-IR-007 by the Alberta Office of the Information and Privacy Commissioner, it was decided that video tapes record an individual’s characteristics or personal information.
These characteristics include an individual’s skin color, gender, and other identifiable traits for that person. The same principles apply to photographs.
- Consider the legal authority to collect personal information through video recording or photographing individuals
Prior to any video recording or photographing activity, a public body must determine the legal authority for such a collection.
This authority is found under section 33, whereby it states that no personal information may be collected by or for a public body unless
- the collection of that information is expressly authorized by an enactment of Alberta or Canada
- that information is collected for the purposes of law enforcement
- that information relates directly to and is necessary for an operating program or activity of the public body.
In most cases, the legal authority to collect by a public body falls under subsection 33(c). Notably, the legal authority to collect must be disclosed in the consent form directed to the individual authorizing the recording.
- Consider the audience of who will be viewing the recording
Before drafting a form to obtain consent from the individual being recorded, consider the audience that will be accessing the collected personal information. In the digital age of social media tools, such as YouTube, Facebook, etc, personal information can now be presented to a world-wide audience.
According to section 17(2)a, disclosure of personal information to any third party must be given consent by the individual the recording is about.
Other audience considerations
- Take steps to protect the individual being recorded by eliminating sensitive personal information such as, banking, credit card, and other sensitive financial information
- If the recording is being completed by a third party outside the University there are other important issues to consider such as copyright related matters. Please contact the Privacy Office, Legal Counsel, or copyright office to seek advice before contracting with the third party.
- When creating videos, follow copyright law and do not use copyright materials without prior permission. For advice on copyright related matters contact the University Copyright Advisor.
- Inform the individual how the recording will be used and to whom it will be disclosed to as required in section 17(2)a of the Act. (Through the consent form)
- Post signs in the area of the recording to warn by-standers that a recording is in progress.
- Ensure that individuals (by-standers) are not accidentally recorded during the activity.
- Determine who is responsible for the recording and how long the recording will be retained. Be transparent and inform the individual being recorded as to how long the recording will be retained.
- Use a consent form to collect personal information in the video-recording. Indicate how the information will be used and disclosed.
The consent form presents to an individual an opportunity to sign or authorize your collection of their personal information. This form should also describe how an individual’s personal information will be used and disclosed.
A public body must collect personal information directly from the individual is about (section 34(1) of the Act).
According to section 34(2) of the Act, a public body must collect personal information directly from the individual the information is about and must inform the individual:
- the purpose for which the information is collected
- the specific legal authority for the collection
- the title, business address and business telephone number of an officer or employee of the public body who can answer the individual’s questions about the collection.
Note: If your digital recording has a hyperlink on a Mount Royal University web page, include the contact information of the Mount Royal University employee who can answer the individual’s questions about the recording to demonstrate transparency.
In addition, according to section 17(2)a of the Act, the individual the information is about must consent to any disclosure to a third party. The consent form must include to whom the personal information will be disclosed to.
There is an example of both a video recording and photograph collection form on the external FOIP website.
Public event recordings
At times, due to the nature of recording devices, personal information can often be video taped, photographed, or digitally recorded at a public event. One example of such an event would be at convocation.
Based on a discussion paper regarding School Promotional Videos by the provincial government, it is recommended that notice be given to those attending the event that the recording will be used for a future purpose, such as in promotional material.
A notification to the audience would demonstrate transparency and help inform the audience as to what the personal information will be used for. The example given in the report would be if the master of ceremonies announced that the event is being recorded at the beginning of the ceremony.
According to section 17(2)j(iii) of the Act, a disclosure of personal information is not considered an unreasonable invasion of a third party’s personal privacy if the disclosure is not contrary to the public interest and reveals only the attendance at or participation in a public event or activity related to a public body, including a graduation ceremony, sporting event, cultural program or club, or field trip.
However, the recorder needs to also consider 17(3) of the Act, which states that a disclosure of personal information under subsection 17(2)j is considered an unreasonable invasion of personal privacy if the third party whom the information is about has requested that the information not be disclosed.
When it comes to using recording devices, having a signed consent form allowing the public body to collect, use, and disclose personal information is the best course of action.
The consent form demonstrates openness and transparency by the public body. It also allows the individual being recorded to give formal consent prior to the collection and use by the public body.
If the recording is of a large group of individuals attending a public event and appropriate notification has been given regarding the collection, use, and disclosure of the recorded personal information than consent is not necessary.
However, if the group of individuals who will be recorded is small enough that the individuals are readily identifiable, than consent form should be obtained from each individual.
A strong password is a simple, but vital way to provide a first line of defense against unauthorized access to personal information held in electronic format.
Password protocol best practices include changing your password on a regular basis and ensuring your password:
- is at least eight characters long
- does not contain a complete word in a dictionary
- is not obvious, such as a name or company name or simply “password”
- is not similar to previous passwords (Password1, Password2)
- contains a combination of:
- Uppercase letters
- Lowercase letters
- Symbols (%,$,*,@)
Password protocols - 25 worst passwords for 2015
According to Time Magazine (online) the following were considered the top 25 worst passwords for 2015. These passwords are easy to guess or hack, which significantly increases the risk of your account being compromised.
The following are common problems with shared drives that can lead to a disorganized shared drive:
- Uncertainty regarding what electronic documents are actually considered the “final effectual” document
- More than one document with similar file names
- More than one document with similar content within each document
- Duplication, Duplication, Duplication
- Saving a different copy of the electronic document after each and every revision
- Saving a separate copy for your own personal use, while revisions are completed by your team members on another electronic document
- Saving a separate copy on another drive as simply a “back-up” or “just in case” measure
- Inconsistent naming conventions that make electronic documents hard to find for your team
Files saved using various naming conventions.
111111 Contract Number – (Unique Identifier is 111111)
Contract Number 1111111
Smith, Bob Employee Record – (Unique Identifier is Smith)
Employee Record, Bob Smith
Computers have a natural tendency to order electronic files and folders either alphabetically or numerically. Placing unique identifying information at the front of your file name helps utilize this natural tendency and keeps your electronic files organized for retrievals purposes.
- Naming an electronic document file name “Miscellaneous” or “General”
Assigning an electronic document file or folder name such as, “Miscellaneous” or “General” can be confusing to team members you are collaborating with.
Furthermore, a naming convention such as “miscellaneous” attracts a wide-range of record types to be saved under one location, therefore, making routine destruction extremely difficult to implement.
- Saving electronic documents with long file names causing them not to open at all
Always try to keep your file name a reasonable length and test that your file will open after it is saved on the shared drive.
- No retention code assigned or retention code grouping to help quickly determine destruction.
Electronic records have a tendency to multiply and overrun folders, thus making the more important documents difficult to find among the many (and sometimes unnecessary) saved files.
- Electronic documents have not been assigned an appropriate retention code resulting in having to open each document to determine what the document pertains to. In addition, the meaning of the electronic document also tends to become lost over time making records classification more difficult.
Consider assigning retention codes at the point of document creation when the subject- matter of the document is more recent to the author of the document.
- Electronic documents that have gradually become semi-active (used only on an occasional basis)
Consider printing the final record and file it in the paper file folder to be formally managed. However, be sure to remember to delete the electronic document, which would then be considered transitory as the official version would be in paper file format.
- Saving electronic documents on the shared drive that are not even meant to be shared with the group.
Refrain from saving electronic documents on the shared drive when the file is not meant to be shared with the group as these documents ultimately create clutter on the shared drive for your team.
The shared drive is designed to save electronic documents that require team collaboration or universal access for your team.
The H:// Drive (on the other hand) is the best place to maintain your backed-up personal work documents, when team collaboration is not required.
- Saving electronic documents that are eventually submitted to another department for processing.
These electronic documents would ultimately be considered “transitory“ records as the original document is maintained by another department.
There are various kinds of email accounts that can consist of either an institutional or a personal nature.
For example, an @mtroyal.ca account is utilized in the context of completing the daily business activities of the University, whereas accounts with domain names such as, @shaw.ca or @gmail.com are typically used more for personal interactions.
The Alberta Freedom of Information and Protection of Privacy Act outlines those records upon which the Act applies. According to section 4(1), the FOIP Act “applies to all records in the custody or under the control of [the] public body[.]”
Based on section 4(1), the FOIP Act would apply to information held within email accounts that have the domain name @mtroyal.ca as this information is in the custody or control of Mount Royal University.
However, information retained in an email account with a domain name belonging to a particular person would “generally” not be considered in the custody or control of the public body.
Notably, there are several possible implications if a public employee elected to use a personal email account to complete University business activities.
Firstly, in the event of a formal FOIP request the employee may be required to provide that information to the University Privacy Office to fulfill an access request submitted by an applicant.
Secondly, and probably most importantly, maintaining information outside the custody and/or control of the public body can lead to suspicion that the public body employee is hiding information (willingly or not) that would normally be accessible to the public under the FOIP Act.
Information held within a personal e-mail account would not be in the custody or control of the public body, hence the FOIP Act would not apply, which would ultimately impede access by the public.
In the fall of 2011, CBC News reported that “Alberta Progressive Conservative leadership candidate was using a covert email [address] for his internal communications while he was a government minister to evade public scrutiny documents confirm”.
Morton used his formal first and middle name (Frederick Lee) to create an email account for internal communications with his staff.
The Office of the Information and Privacy Commissioner of Alberta launched an investigation into whether Ted Morton was in contravention of section 92(1)(e,g) of the Act.
According to section 92(1)(e,g), a “person must not willfully (e)alter, falsify, or conceal any record, or direct another person to do so, with the intent to evade a request for access to the record…or…(g) destroy any records subject to this Act, or direct another person to do so, with the intent to evade a request for access to the records”.
The Alberta Privacy Commissioner concluded that Ted Morton did not use the secondary email account to evade or impede access. Notably, the secondary email account had the domain name @gov.ab.ca, which meant it was under the government’s custody and/or control.
Although the investigation concluded that Ted Morton did not evade access to government records in this case, the investigation still provides an example of how suspicion can develop in regards to using secondary emails.
There are times or circumstances within the University Community when a student may be required to record a lecture in a class they are registered in. For example, when the student has special needs/circumstances and requires accommodation by the University based on their individual needs.
Does the FOIP Act apply when it comes to a student recording a lecture in a classroom?
No – The Alberta FOIP Act only pertains to how a public body (not a student) must collect, use, disclose, and protect personal information. Under definitions within section 1 of the Act, a student is not defined as part of the public body and, therefore, the FOIP Act does not apply in this circumstance.
According to section 4(1), the Act “applies to all records in the custody or under the control of a public body[.]”
Under section 1 of the FOIP Act regarding the definition of a public body
Section 1(p)(vii) of the Act, a public body means a local public body.
Section 1(j)(i) of the Act, a local public body is an educational body.
Section 1(d)(i) of the Act, an educational body means a university as defined in the Post-Secondary Learning Act
Does a student need to ask permission to record a lecture in a classroom?
Mount Royal University’s POL 505 on the Recording and Distribution of Academic Presentations and Materials states that prior permission from the faculty member must be obtained prior to a student proceeding with recording academic material belonging to a faculty member.
The Mount Royal University Copyright Advisor is available as an additional resource regarding the Canada Copyright Act.
Additionally, depending on the circumstances, other students may need to be informed of the recording to protect their rights to privacy through the instructor generally notifying the class in advance of the recording.
If, however, formal accommodation is required by a student due to their circumstances there are policies and procedures in place at the University to facilitate accommodation on behalf of students.