Security

Privacy and Security Best Practices for Sharing Information

Information Security Safeguards While Working from Home

As a member of the university community, you are entrusted to manage university information responsibility and in accordance with the university's Information Management and Information Technology Policies.

Here are some guidelines to follow for working from home securely:

1. Secure your home router and WiFi

Insecurely configured home routers can lead to eavesdropping and/or attackers gaining remote control of your home computing devices. Follow key and fundamental security safeguards such as changing the default router password and using Wi-Fi Protected Access 2 (WPA2).

See the following guide for router/WiFi security:

Router Security: How to Setup Wi-Fi Router Securely

2. Secure your home computers

Keep up-to-date with patches/fixes/updates (including security, operating system and antivirus updates). Enable the computer's personal firewall and hard drive encryption. Use a strong/secure password that is unique and not shared.

3. Minimize information management risks

Do not save, store or print university information locally (especially that which is personally identifying). That is, securely connecting to and using university resources remotely keeps university information on the university system. Examples of such university resources include U of A Google Workspace, faculty/department based file-shares, and enterprise systems such as PeopleSoft, EDRMS, SupplyNet and eClass. Use the university VPN where appropriate and necessary to securely connect to the university network.

If you absolutely need to save, store or print university information at home in order to do your job, obtain approval from your director/chair beforehand, and agree on security safeguards around version control, information sharing/exchange, encryption and retention/archive/disposal, among others.

The university has created these best practices to help address questions related to sharing information securely. You may have other requirements to consider as well, such as faculty or department policies and procedures, Research Ethics Board requirements, and external stakeholder stipulations.

Types of Information

Institutional data can generally be assigned to one of four categories:

Restricted (extremely sensitive)
Confidential (highly sensitive)
Protected (moderately sensitive)
Unrestricted (non-sensitive)

More information can be found in the UAPPOL Institutional Data Management and Governance Procedure document.

General Principles for Sharing Information

It is recommended to avoid sharing extremely sensitive information (such as identifiable patient and health care information, social insurance numbers, and passport information) on any university system (including UAlberta G Suite). If there is a valid and approved business justification for doing so, such sharing may be acceptable provided it includes encryption of data at rest and other compensating controls.

Extremely and highly sensitive information is not to be transmitted by email. It is also prudent to avoid sending emails with any information that could lead to harm upon compromise, e.g., including a full date of birth in an email could lead to identity theft.
UAlberta Google Drive is an approved alternative to email for sharing the university's business, academic, research and administrative information and records. Files in UAlberta Google Drive have built-in information rights management (IRM), meaning users can share files and information securely. However, be conscientious and careful when providing permission to those receiving or viewing the document or files, and always remember to unshare a document once the business need for it has passed.
- Any type of files containing identifiable patient and health care information is NOT to be shared through or stored in UAlberta G Suite services.
Additional alternatives for sharing and storing university information include encrypted attachments or a faculty/department shared network file server.

Risks of Using Email to Share Sensitive Information

Email is perhaps the most common method to share information on campus. However, it also carries some risks, and it is important to consider these risks when deciding whether to send information to someone through email. For a further discussion about the risks of using email in the context of sending patient information, please see the OIPC Practice Note. Please also review the following infographic and document for additional general guidelines on email management.

Alternatives to Email: UAlberta Google Drive

The Information and Privacy Office (IPO) and the Chief Information Security Officer (CISO) have assessed UAlberta G Suite through a Privacy Impact Assessment and Security Review and have found that Google Drive has adequate privacy and security controls.

Google Drive is a secure and modern digital workspace that stores files encrypted in Google's cloud infrastructure and includes built-in information rights management (IRM), meaning files are kept private until the document owner decides to share them. As a result, Google Drive is a better option than email for sharing highly sensitive or confidential information. However, be conscientious and careful when providing permission to those receiving or viewing the document or files, and always remember to unshare a document once the business need for it has passed.

Learn more information about the different sharing settings at the Google Drive Help Center.

Additional Alternatives for Sharing and Storing University Information

Encrypted attachment - one way to securely send personal or confidential information is through an encrypted attachment, which can only be read by the person with the decryption key, i.e., password. The password should be shared with the recipient over the phone or through another method that does not involve email. Review the MyCCID Password Tips for help choosing a strong password.
Shared network drive - if you wish to share a document containing personal information with a colleague in your office, consider whether you can save the personal information to a shared drive on your faculty, department or unit network. Then, simply email or tell your colleague the location in which you saved the document.
Fax - while faxing documents involves its own set of risks, this tends to be considered a more acceptable practice within the medical community than email. When faxing personal or confidential information, it is prudent to follow the guidelines set out in this publication: OIPC Guidelines on Facsimile Transmission
Non-electronic methods - sometimes, it will be most appropriate to use traditional methods of exchanging information, such as mail, courier, campus mail, hand delivery or a phone call.

Table of Information Sharing Guidelines / Diagram

	Email	UAlberta Google Drive	Encrypted attachment or shared network file server	Secure fax	Non- electronic methods
Extremely sensitive - medical records	❌¹	❌	✓	✓	✓
Extremely sensitive - credit card numbers, social insurance numbers, sexual orientation, gender identity	❌	❌	✓	✓	✓
Highly sensitive - personnel files, salary, discipline records, information related to a law enforcement investigation, third-party business information submitted in confidence	❌	✓	✓	✓	✓
Moderately sensitive - date of birth * While date of birth can be sent over email, it is prudent to avoid emailing this information when possible	✓	✓	✓	✓	✓
Moderately sensitive - grades, CCIDs, employee ID and student numbers, and personal contact information other than publicly displayed university email addresses	✓	✓	✓	✓	✓
Non-sensitive - publicly displayed university email addresses, anything available on the university's website	✓	✓	✓	✓	✓

¹For more details, please see the OIPC Practice Note

Resources

Government of Alberta. "Identity Theft." 2019.
https://www.alberta.ca/identity-theft.aspx

Government of Canada. "Get Cyber Safe." December 21, 2018.
http://www.getcybersafe.gc.ca/index-en.aspx

Government of Canada. "Protect yourself and report scams." March 12, 2018.
https://www.getcybersafe.gc.ca/cnt/blg/pst-20190312-en.aspx

Office of the Information and Privacy Commissioner of Alberta (OIPC), "Advisory for Communicating with Patients Electronically" June 2019. https://www.oipc.ab.ca/media/383685/practicenote_hia_communicating_with_patients_via_email_aug2012.pdf

University of Alberta. "Changing your Campus Computing ID Password."
https://password.srv.ualberta.ca/passwords.html

University of Alberta Policies and Procedures Online (UAPPOL), "Information Technology Use and Management Policy." June 25, 2010. https://www.ualberta.ca/en/alfresco/uappol/informationmanagementinformationtechnology/information-technology-use-and-management/policy/information-technology-use-and-management-policy.pdf

University of Alberta Policies and Procedures Online (UAPPOL), "Information Technology Security Policy." June 25, 2010. https://www.ualberta.ca/en/alfresco/uappol/informationmanagementinformationtechnology/information-technology-security/policy/information-technology-security-policy.pdf

University of Alberta Policies and Procedures Online (UAPPOL), "Email Forwarding Restriction Procedure," February 25, 2013.
https://www.ualberta.ca/en/alfresco/uappol/informationmanagementinformationtechnology/information-technology-use-and-management/procedure/email-forwarding-restriction-procedure.pdf

Research Computing

Enterprise Apps

Initiatives