Privacy Requirements

Following the rules and regulations around student privacy is an important consideration in using learning technologies at UBC. Find out the key points you need to know here.


UBC Student Personal Information Is Protected

The British Columbia Freedom of Information and Protection of Privacy Act (FIPPA) ensures that UBC collects, uses, and discloses personal information in a lawful and appropriate manner.

For instructors at UBC, FIPPA primarily affects how you handle information about your students. Any information that can personally identify a student, such as names, student numbers, email addresses, or student biographical, financial, educational, and employment data is protected by FIPPA. You are required to keep this information confidential and secure.

  • Confidentiality: Students’ personal information may be accessed by faculty and staff members on a need-to-know basis. Students are also entitled to know the names of other students in their own classes, to facilitate learning and engagement. Otherwise, identifiable information about students should not be disclosed without their consent.
  • Security: Personal information should only be stored on encrypted computers or encrypted mobile devices (i.e., laptops, tablets, or smart phones). Large amounts of personal information should not be emailed; Microsoft OneDrive or another secure information sharing tool should be used. No personal information should be stored on servers located outside of Canada without the consent of the students.

The requirement to keep personal information in Canada can have a big impact on your teaching, as it means you will need to build in a student consent process to use non-Canadian-hosted technologies in your courses.


Choosing Non-Canadian-hosted Technologies Requires Transparency and Alternatives for Students

FIPPA requires that all personally identifiable information about your students remain in Canada, to protect students’ privacy and identities. But for pedagogical reasons, you may in some instances want to use learning technologies (e.g., applications, tools, platforms) that are hosted outside of Canada.

Know first that you cannot require your students to share personal information on non-Canadian-hosted technology to meet the academic requirements of a course. UBC respects that students’ online activities may affect their personal and professional lives.

However, many technologies have options for students to use them anonymously, with an alias. The UBC Office of the University Counsel specifies that, if use of a non-Canadian-hosted technology is required for a course, to comply with FIPPA you must seek consent from students and allow use of an alias for those who opt out.

Ask the right questions in choosing technology

Here are the key questions to consider when thinking about using a non-Canadian-hosted technology in your course:

  1. What are your learning goals in choosing this technology?
  2. Is there a UBC-supported, FIPPA-compliant technology that can support your learning goals instead? Explore our tool finder, talk to your Instructional Support Unit or contact us in the LT Hub about possible alternatives.
  3. If there are no alternatives: what will the technology allow you to do that you couldn’t do before? What are the concrete benefits?
  4. What are the risks to you and your students? How do these risks measure up against the benefits?
  5. How will you inform your students about the technology’s non-Canadian-hosted status, explain their consent, and provide the option to use an alias and/or use an alternative to complete their work?

    • Many but not all technologies support the use of aliases. It’s important at this step to find out if and how aliases could work in the technology you’re considering.
  6. How will you ensure all students have an equitable learning experience, whether they consent to use the non-Canadian-hosted technology or choose the alternative?

If you are unsure about answers to any of the questions, please contact us to discuss.

Inform students about their technology consent

If you’ve decided to use a non-Canadian-hosted technology after going through the questions above, you will need to properly inform your students about its use.

In the course description or in another form of written communication to students, cover these key points:

  • Describe the non-Canadian-hosted technology and the personal student information that it will be storing or accessing.
  • Explain that consenting to share this personal information with the technology is voluntary and not required as part of completing the course.
  • Instruct students who choose not to provide consent to contact you for alternate arrangements (e.g., an alias or another way to complete their work).
  • Detail the alternate arrangements for any students who contact you to opt out, such as allowing them to sign in to the technology using a false name and/or non-identifying email address that you agree upon.

Sample communication to students

Typically, non-Canadian-hosted technology will require students to enter a name and email address. The easiest option for those students who do not want to disclose their identities is to provide a fake name and non-identifying email address.

Here is a sample communication for a typical use of a non-Canadian-hosted technology:

In this course, you will be using [name the technology], which is a [define the technology]. This tool will help us to [describe benefits from using the technology]. When creating an account in the tool, you will be required to provide personally identifying information, specifically your [list the information collected]. Because this tool is hosted on servers in [give the location] and not in Canada, by creating an account you will also be consenting to the storage of your information in [give the location]. Please know you are not required to consent to sharing this personal information with the tool, if you are uncomfortable doing so. If you choose not to provide consent, you may create an account using a nickname and a non-identifying email address.

In addition to protecting students’ privacy, you can also use this consent process to teach them about making informed decisions about online activities more broadly. The UBC Digital Tattoo Project offers student-developed resources you can share to help students make choices about their online participation and identity.

Document your FIPPA-compliancy process

If you’ve decided to use a non-Canadian-hosted technology, it’s important to document how you are complying with the requirements of UBC and FIPPA. Your documentation should capture all your efforts to ensure that students are informed of the use of the tool, the reason for its use, and the option to request alternate arrangements (whether through use of an alias or another way).

Documents will vary based on context but may include the following:

  • a copy of or link to your course description, syllabus, or whatever you’ve used to describe the technology, its potential learning benefits, and where its information is stored
  • a copy of or link to any other information (e.g., technical or assignment instructions) provided to students about the use of the technology
  • a copy of the list of students who opted out and their aliases or other means of participating

Should a student complain about a breach of privacy, these documents will be important to demonstrate that you on behalf of UBC took reasonable steps to comply with UBC’s obligations under FIPPA to use a non-Canadian-hosted technology.


Learn More About Privacy