Why do we need Policy 8?
Advances in technology, the internet, and the ability to easily share and duplicate information have had both positive and negative impacts. One negative impact has been a large increase in information security threats. Security breaches can be devastating to individuals as well as costly and damaging to the reputation of the university. Policy 8 is being developed to ensure that the university adequately protects confidential information and the identity and privacy of the individuals about whom it collects and maintains information.
Why is Policy 8 so vague?
Policy 8 is a starting point for a collection of standards and procedures relating to information security. In particular, the security classifications will help the university prioritize its information security efforts. The hope is that the policy is written in such a way that it will not require updating as technology and security threats change. Other related UW standards and procedures are being developed which will be more specific, like: Information Technology Security Standards, Information Security Breach Response Procedure, and Confidential Shredding Procedures.
What makes certain types of information “Highly Restricted” rather than just “Restricted”?
The information classified as Highly Restricted is commonly used to perpetrate identity theft, or, in the wrong hands, could pose a threat to national security. Policy 8 attempts to promote the mindset that Highly Restricted information should be collected only when absolutely necessary. If we reduce the number of cases where Highly Restricted information is collected and stored, then we reduce the chance of a privacy or Information Security Breach.
Who might be an Information Steward?
An Information Steward is typically an associate provost, vice-president, dean, or department head who has the overall responsibility for a functional area. Policy 8 requires that the Information Steward be responsible for “setting the rules” on how data in his / her functional area is to be used. Specific tasks associated with such responsibilities may be delegated.
Who might be an Information Custodian?
If you have a physical copy of some information, then you are an Information Custodian. For example, if information is on paper which is locked in a filing cabinet, whoever has keys to that filing cabinet is an Information Custodian of that information.
If the information is stored electronically on the hard disk of a server, the systems administrator who maintains that server is an Information Custodian. The network administrator for the network connected to that server is an Information Custodian and the web developer who maintains the web application that collects and stores the information is also an Information Custodian. If you download the information from the server to your PC or other media, you have become an Information Custodian too.
Why shouldn’t I keep copies?
Maintaining Restricted or otherwise Confidential information inevitably carries some level of risk: the more copies of the information, the greater the risk of a breach. Security breaches can be devastating to individuals as well as costly and damaging to the reputation of the university. For this reason, the university is committed to maintaining, where possible, a single copy in a secure system, with access given to those who need it to do their work. We discourage the creation and holding of other local copies. Remember that if you do create and keep copies, whether paper or electronic, of Restricted or otherwise Confidential information, you become an Information Custodian of that information and must ensure that appropriate security controls are in place to protect it.
I’m a faculty member. How does this policy apply to me?
Your records are a mix of those belonging to you and those belonging to the university. Records which belong to you are those defined in Policy 73, Intellectual Property Rights, and include records relating to research and teaching materials not created under “assigned tasks”. University records are those defined under “assigned tasks” in Policy 73 and include records like memoranda, letters, and administrative reports.
Your records likely contain mixed information potentially including Highly Restricted (e.g., SINs in your research records), Restricted (e.g., personal information like address, student ID # or grades in your research and / or teaching records), and Confidential (e.g., records of closed meetings in your university records). Maintaining Highly Restricted, Restricted or otherwise Confidential information inevitably carries some level of risk.
Where the records are yours, you are an Information Steward and must ensure that the appropriate security controls are in place to protect them. You may be an Information Steward, Information Custodian or User of the university records in your possession and should follow the responsibilities for security associated with that role.
I’m a system administrator and my supervisor has asked me to create a database which will contain Highly Restricted information. What do I do?
Use of Highly Restricted information requires approval per Appendix A of Policy 8. If the Information Steward does not already have approval, then he/she must seek it as provided in Appendix A of Policy 8.
I’ve received a copy of a credit card statement to process a reimbursement claim. What do I do?
If an individual’s credit card statement is being submitted for reimbursement with forms like Finance’s ‘Request for Payment’ or ‘Travel Advance and Settlement Claim’, have the individual black out all personal information on the form not necessary for processing. In this case, personal information includes the credit card number, address, and expenses unrelated to the claim. If not blacked out by the individual, Finance will not do so; therefore, personal information will be on file for seven years.
Classifying information sounds like a big job. How might I go about it?
Most people have a good sense of what is Confidential and what is Public, so start with that. Once you have a handle on what is Confidential, determine which Confidential information contains personal information. Personal information is information about an identifiable individual and should not be disclosed, except as may be prescribed in Policy 19. It includes things such as an individual’s address, telephone number, student number, educational history, or health information. If still in doubt about what is personal information, contact the university FOIP Coordinator. If you determine that information should be classified as Restricted, make note of anything from the list of Highly Restricted information. Once you have everything classified, go back and look at the information that is Confidential but not Restricted. At the end of the process:
I need to process a payment for a casual employee. May I collect their SIN?
Fill out the required paperwork for Human Resources as usual. If you must keep a copy in your department, black out the SIN and any other Highly Restricted information which appears in the record.
What characterizes an agreement to which “nondisclosure” would apply?
This applies to any agreement which contains a provision regarding nondisclosure of information. Such agreements / clauses are typically identified as nondisclosure or confidentiality matters.
Who is the Information Security Officer?
The role of Information Security Officer is currently assigned to Jason Testart, Manager of Information Technology Security.
Who is the FOIP Coordinator?
The role of FOIP Coordinator is currently assigned to Karen Jack, Executive Assistant Special Projects in the Secretariat.