Accountability and Data Security
IF A DIVISION IS HOSTING AN ALTERNATIVE PLATFORM OR USING THE SERVICES OF A THIRD PARTY, WHAT ACCOUNTABILITY AND DATA SECURITY CONSIDERATIONS ARE INVOLVED?
The CIO’s IT Roadmap recognizes the growing demand for a range of technologies and notes that our community is most effectively and efficiently served by a collaborative mix of university wide and locally provided IT services. At the same time the document states that “we must be vigilant to the risk of attack or unauthorized access to our data resources and IT systems”.
The following practices are recommended to ensure the integrity and compliance of academic programming that depends upon online environments that are not centrally supported by the institution:
- Compliance with the Freedom of Information and Protection of Privacy Act (FIPPA) and the University’s Guidelines Concerning Access to Official Student Academic Records regarding use of personal information
- Provision of online environments that follow basic web accessibility requirements. (For detailed technical information see WCAG 2.0 – Level A)
- Regular back up course data
- Implementation and testing of disaster recovery processes and business continuity plans at appropriate level of service
- Maintenance of records for the period of academic appeal and deletion after that retention period
- Provide notice to students of environments they will be required to use in the course syllabus
- Provide full technical support for environments not institutionally supported by central or by divisional IT unit.
- Publish online only materials that are cleared with regard to copyright.
While responsibility for the integrity of academic programming and deployment of institutional information technologies rests with the Office of the Vice-President and Provost, accountability for decisions related to use of alternative learning environments as the primary vehicle for course delivery by faculty rests with the principal or dean, or those designated by a principal or dean (e.g., department chair). Responsibility for associated costs related to use of systems that are not supported by CTSI or the CIO’s office must be borne by the department or division. These costs cannot be passed on to students.
Guidance is specified in the University’s Information Security Practices, recently released by the CIO’s office, which outlines in some detail the minimum actions required to ensure reasonable protection of data. In all situations, determining what security controls to apply is a question of proportion. With increased usage in terms of volume or reliance as a critical component of program delivery, the associated risk increases and should be considered in light of system security.
Per the CIO’s security guidelines, information related to online learning activities would normally be classified as “Confidential Distribution” meaning that the information and data is intended “to be read by a clearly defined group of individuals, but not containing any personally identifiable or financial, legal or access control-related information.” In this context, digital content related to course activities are normally restricted to access by those students participating in a course, TA’s and instructors. Program coordinators may also have access to course data.
Grade related information should be considered “Personal” and limited to the communication between instructor and individual student only, or on occasion may be accessed by other administrators on a need to know basis.
The security guidelines for University of Toronto applications require that these activities be password protected and stored on system managed to a set of security standards that are to be applied when the data is in storage, use or transport. Bearing in mind the question of proportion as noted above, for both in house and outsourced services the security and management standards must be equivalent to those followed by the University of Toronto. Specific guidance available within the CIO’s published Information Security Practices covers topics such as:
- Data Classification
- Access and Alteration Controls
- Security Baseline
Specific practices referred to in the guidelines include anti-virus protection, encryption, firewall protections, physical protection of IT resources, back up of critical data. The security baseline appendix may also serve as a useful reference when critical teaching support services are being outsourced to a third party provider such as a publisher or licensed from a vendor as an application accessed through the internet on demand.