Privacy Compliance Guidelines

Following the rules and regulations around student privacy is an important consideration in using learning technologies at UBC. Find out the key points you need to know to choose tools and use them in a way that complies with privacy requirements, including BC’s Freedom of Information and Protection of Privacy Act (FIPPA).

UBC & FIPPA Protect Students’ Personal Information

FIPPA ensures that UBC collects, uses, and discloses personal information in a lawful and appropriate manner.

Responsibilities of Instructors

For instructors at UBC, FIPPA primarily affects how you handle information about students. Any information that can personally identify a student—such as names, student numbers, email addresses, or student biographical, financial, educational, and employment data—is protected by FIPPA. You are required to keep this information confidential and secure.

  • Confidentiality: Students’ personal information may be accessed by faculty and staff members on a need-to-know basis. Students are also entitled to know the names of other students in their own classes to facilitate learning and engagement. Otherwise, identifiable information about students should not be disclosed without their consent.
  • Security: Personal information should only be stored on encrypted computers, encrypted mobile devices (i.e., laptops, tablets, or smart phones), or learning technologies that have passed a UBC Privacy Impact Assessment (PIA). Large amounts of personal information should not be emailed; Microsoft OneDrive or another secure information-sharing tool should be used instead. As of November 2021, changes to FIPPA mean that there is no longer a strict requirement to store and access personal information on Canadian servers, and it is no longer a requirement to obtain consent from students if data is stored outside of Canada.

Learning Technology You Use Should Pass a UBC PIA

All tools supported by the LT Hub undergo a UBC PIA to receive central technical and pedagogical support. But for pedagogical reasons, you may in some instances want to use other learning technologies (e.g., applications, tools, platforms).

Changes to FIPPA in November 2021 make it easier to use tools that store personally identifiable information outside of Canada; however, a UBC PIA is still expected to ensure that the learning technology in question meets UBC’s privacy and security standards.

Ask the Right Questions in Choosing Technology

Here are the key questions to consider when thinking about selecting technology for your course:

  1. What are your learning goals in choosing this technology?
  2. Is there already a UBC-supported, PIA-approved technology that can support your learning goals? Explore the UBC tool finder, talk to your Instructional Support Unit or contact us in the LT Hub about possible alternatives.
  3. If there are no alternatives: what will the technology allow you to do that you couldn’t do before? What are the concrete benefits?
  4. What are the risks to you and your students? In determining risks, consider the following:
    • Does the vendor for the technology have terms of service and a privacy policy? Ideally, you have read and understood these, and you will not relinquish any rights to student data or intellectual property to use the tool. Please contact us with any questions.
    • Does the tool require and store personally identifiable information about students? This information is anything that can identify a student, such as names, student numbers, email addresses, or student biographical, financial, educational, and employment data.
    • Does the tool require and store sensitive information about students? This information includes any highly confidential data like credit card details, SIN, birth certificates, bank account information, medical records, or driver’s licenses.
    • Where and how is student information stored? Does storage comply with UBC’s Information Security Standard U3?
    • Who can access the student information? Does access comply with UBC’s Information Security Standard U9?
    • Can students substitute aliases or other mock details in place of the required information and still use the tool as intended? Assume for the purposes of this question that you will keep a record of what aliases your students use.
  5. How do any risks measure up against the benefits?
  6. If you determine this technology is right for your context, you should start the UBC PIA process. This process will ensure that the technology complies with relevant privacy and security standards, which will keep student personal information safe.

An approved PIA documents that you are complying with the requirements of UBC and FIPPA. Should a student complain about a breach of privacy, this documentation will be important to demonstrate that you—on behalf of UBC—took reasonable steps to comply with UBC’s obligations under FIPPA.

Learn More About Privacy at UBC

  • You can read more about FIPPA on the Office of the Information and Privacy Commissioner of BC’s website.
  • The UBC Office of the University Counsel has a Protection of Privacy overview to introduce some of the key requirements.
  • Privacy Matters @ UBC is a website for increasing the awareness of privacy and information security at UBC, including how to protect personal information and keep your data secure.