Canvas & Privacy

Protecting student privacy in learning technologies like Canvas is a top priority at UBC. The following questions and answers explain UBC privacy policies specifically with regard to Canvas.


Management of Personal Information in Canvas

What is Canvas?
Canvas is a learning management system (LMS). Since 2017, it has been the primary system used by UBC to administer, document and deliver educational courses.

What information does Canvas store about students?
Canvas stores information such as students’ names, contact information, grades and course schedules.

How does the law protect students’ personal information?
UBC is subject to the Freedom of Information and Protection of Privacy Act (FIPPA), which is the privacy law that governs all government bodies in British Columbia. This law protects personal information (recorded information about an identifiable individual). It only allows UBC to collect and use personal information for purposes connected with its programs or activities, and it requires UBC to keep this information secure and confidential.

Does FIPPA require UBC to ask for students’ consent to collect their personal information?
No. Unlike private sector privacy laws, FIPPA does not require UBC to ask for consent before collecting or using personal information; it allows us to collect any personal information that relates directly to and is necessary for one of our programs or activities. While we do not have to ask for students’ consent to collect this information, we do have to notify them about the collection. The collection notice for Canvas can be found in the Privacy Policy, which is linked from the footer of the Canvas dashboard.

How is the information in Canvas used by UBC?
Under FIPPA, personal information can be used for the purpose it was collected or for a consistent purpose. That means that students’ personal information in Canvas is used for the purpose of facilitating the delivery of courses they are enrolled in. Personal information may also be used during the process of providing course support and for tools that support the quality of teaching and learning (such as dashboards for monitoring progress or tools that provide student feedback). The information may also be combined with other students’ information to be analyzed for statistical purposes, but only after anonymizing it (stripping out identifiers to ensure it is no longer tied to a specific individual).

Inside UBC, who gets access to the information in Canvas?
Under FIPPA, UBC can only make identifiable information available to faculty or staff on a need-to-know basis. UBC enforces this legal principle by restricting UBC employees’ access to information within Canvas using role-based access controls. Students do not have authority to view information about other students, with the exception of the names of the students enrolled in their courses.

Is any of the information in Canvas shared with third parties outside UBC?
As a rule, FIPPA does not allow us to share any personal information with third parties outside UBC without the consent of the individuals the information is about. There is an exception to this rule, however, that allows public bodies to share personal information with “service providers”, i.e., companies or consultants they hire to perform services for them. Employees working for service providers sometimes require access to the systems they support for installation, trouble-shooting and data-recovery purposes. Service providers are permitted temporary access to information for these limited purposes, but they are forbidden from retaining any personal information or using it for any other purpose. In the case of Canvas, information is accessible for the above purposes by service providers who support Canvas and other software tools that integrate with Canvas (you can view the list of external tool integrations).

How do you know that service providers won’t misuse students’ information?
Under FIPPA, service providers are treated the same as employees. That is, they are subject to the same restrictions on use and disclosure of personal information as UBC employees. They are subject to investigation by the provincial Information and Privacy Commissioner and can be charged with an offence if they violate the rules—which can result in large fines. In addition to these legal restrictions, UBC ensures that all service providers sign strict confidentiality agreements that require them to notify us if there are any security breaches.

Is any of the information in Canvas stored outside Canada?
No. The information in Canvas is stored and backed up in secure data centres run by Amazon Web Services (AWS) in Quebec. It is not stored outside Canada at any time.

Why isn’t the information in Canvas stored in a UBC data centre?
Modern software, including most LMS systems, is moving to a Software as a Service (SaaS) model, under which software is hosted in central servers in the “cloud”. These systems are just as secure as locally hosted systems. FIPPA does not allow data to be stored outside Canada, so Canvas uses Amazon Web Services, Canada region (AWS Canada). This is a very secure storage service that is used by many public bodies in BC and across Canada. It is at least as secure as UBC’s own data centres.

How is my information protected from unauthorized use or disclosure?
Canvas is a secure system. You can read more about its security features for details.

Can students opt out of Canvas?
No. Most services provided by public bodies do not allow for “opt out”. It is important for all students to use Canvas to ensure that UBC can deliver its courses and programs effectively.

Has UBC reviewed the privacy and security of Canvas?
Yes. UBC is legally required to perform a Privacy Impact Assessment (PIA) on all systems that collect or use personal information. The PIA determined Canvas is secure and privacy-compliant. It is also used by many educational institutions across Canada.

For any additional questions related to Canvas and privacy, please contact the LT Hub.