Privacy and Security Best Practices for Sharing Information
Information Security Safeguards While Working from Home
As a member of the university community, you are entrusted to manage university information responsibility and in accordance with the university's Information Management and Information Technology Policies.
Here are some guidelines to follow for working from home securely:
1. Secure your home router and WiFi
See the following guide for router/WiFi security:
2. Secure your home computers
3. Minimize information management risks
If you absolutely need to save, store or print university information at home in order to do your job, obtain approval from your director/chair beforehand, and agree on security safeguards around version control, information sharing/exchange, encryption and retention/archive/disposal, among others.
The university has created these best practices to help address questions related to sharing information securely. You may have other requirements to consider as well, such as faculty or department policies and procedures, Research Ethics Board requirements, and external stakeholder stipulations.
Types of Information
Institutional data can generally be assigned to one of four categories:
- Restricted (extremely sensitive)
- Confidential (highly sensitive)
- Protected (moderately sensitive)
- Unrestricted (non-sensitive)
More information can be found in the UAPPOL Institutional Data Management and Governance Procedure document.
General Principles for Sharing Information
It is recommended to avoid sharing extremely sensitive information (such as identifiable patient and health care information, social insurance numbers, and passport information) on any university system (including UAlberta G Suite). If there is a valid and approved business justification for doing so, such sharing may be acceptable provided it includes encryption of data at rest and other compensating controls.
- Extremely and highly sensitive information is not to be transmitted by email. It is also prudent to avoid sending emails with any information that could lead to harm upon compromise, e.g., including a full date of birth in an email could lead to identity theft.
- UAlberta Google Drive is an approved alternative to email for sharing the university's business, academic, research and administrative information and records. Files in UAlberta Google Drive have built-in information rights management (IRM), meaning users can share files and information securely. However, be conscientious and careful when providing permission to those receiving or viewing the document or files, and always remember to unshare a document once the business need for it has passed.
- Any type of files containing identifiable patient and health care information is NOT to be shared through or stored in UAlberta G Suite services.
- Additional alternatives for sharing and storing university information include encrypted attachments or a faculty/department shared network file server.
Risks of Using Email to Share Sensitive Information
Email is perhaps the most common method to share information on campus. However, it also carries some risks, and it is important to consider these risks when deciding whether to send information to someone through email. For a further discussion about the risks of using email in the context of sending patient information, please see the OIPC Practice Note. Please also review the following infographic and document for additional general guidelines on email management.
Alternatives to Email: UAlberta Google Drive
The Information and Privacy Office (IPO) and the Chief Information Security Officer (CISO) have assessed UAlberta G Suite through a Privacy Impact Assessment and Security Review and have found that Google Drive has adequate privacy and security controls.
Google Drive is a secure and modern digital workspace that stores files encrypted in Google's cloud infrastructure and includes built-in information rights management (IRM), meaning files are kept private until the document owner decides to share them. As a result, Google Drive is a better option than email for sharing highly sensitive or confidential information. However, be conscientious and careful when providing permission to those receiving or viewing the document or files, and always remember to unshare a document once the business need for it has passed.
Learn more information about the different sharing settings at the Google Drive Help Center.
Additional Alternatives for Sharing and Storing University Information
- Encrypted attachment - one way to securely send personal or confidential information is through an encrypted attachment, which can only be read by the person with the decryption key, i.e., password. The password should be shared with the recipient over the phone or through another method that does not involve email. Review the MyCCID Password Tips for help choosing a strong password.
- Shared network drive - if you wish to share a document containing personal information with a colleague in your office, consider whether you can save the personal information to a shared drive on your faculty, department or unit network. Then, simply email or tell your colleague the location in which you saved the document.
- Fax - while faxing documents involves its own set of risks, this tends to be considered a more acceptable practice within the medical community than email. When faxing personal or confidential information, it is prudent to follow the guidelines set out in this publication: OIPC Guidelines on Facsimile Transmission
- Non-electronic methods - sometimes, it will be most appropriate to use traditional methods of exchanging information, such as mail, courier, campus mail, hand delivery or a phone call.
Table of Information Sharing Guidelines / Diagram
|
UAlberta Google Drive |
Encrypted attachment or shared network file server |
Secure fax |
Non- electronic methods |
|
Extremely sensitive - medical records |
❌1 |
❌ |
✓ |
✓ |
✓ |
Extremely sensitive - credit card numbers, social insurance numbers, sexual orientation, gender identity |
❌ |
❌ |
✓ |
✓ |
✓ |
Highly sensitive - personnel files, salary, discipline records, information related to a law enforcement investigation, third-party business information submitted in confidence |
❌ |
✓ |
✓ |
✓ |
✓ |
Moderately sensitive - date of birth * While date of birth can be sent over email, it is prudent to avoid emailing this information when possible |
✓ |
✓ |
✓ |
✓ |
✓ |
Moderately sensitive - grades, CCIDs, employee ID and student numbers, and personal contact information other than publicly displayed university email addresses |
✓ |
✓ |
✓ |
✓ |
✓ |
Non-sensitive - publicly displayed university email addresses, anything available on the university's website |
✓ |
✓ |
✓ |
✓ |
✓ |
1For more details, please see the OIPC Practice Note
Resources
Government of Alberta. "Identity Theft." 2019.
https://www.alberta.ca/identity-theft.aspx
Government of Canada. "Get Cyber Safe." December 21, 2018.
http://www.getcybersafe.gc.ca/index-en.aspx
Government of Canada. "Protect yourself and report scams." March 12, 2018.
https://www.getcybersafe.gc.ca/cnt/blg/pst-20190312-en.aspx
Office of the Information and Privacy Commissioner of Alberta (OIPC), "Advisory for Communicating with Patients Electronically" June 2019. https://www.oipc.ab.ca/media/383685/practicenote_hia_communicating_with_patients_via_email_aug2012.pdf
University of Alberta. "Changing your Campus Computing ID Password."
https://password.srv.ualberta.ca/passwords.html
University of Alberta Policies and Procedures Online (UAPPOL), "Information Technology Use and Management Policy." June 25, 2010. https://www.ualberta.ca/en/alfresco/uappol/informationmanagementinformationtechnology/information-technology-use-and-management/policy/information-technology-use-and-management-policy.pdf
University of Alberta Policies and Procedures Online (UAPPOL), "Information Technology Security Policy." June 25, 2010. https://www.ualberta.ca/en/alfresco/uappol/informationmanagementinformationtechnology/information-technology-security/policy/information-technology-security-policy.pdf
University of Alberta Policies and Procedures Online (UAPPOL), "Email Forwarding Restriction Procedure," February 25, 2013.
https://www.ualberta.ca/en/alfresco/uappol/informationmanagementinformationtechnology/information-technology-use-and-management/procedure/email-forwarding-restriction-procedure.pdf