The FIPPA restricts how VIU collects, uses and discloses “personal information”, which is defined as recorded information about an identifiable individual other than business contact information. All information about students is personal information, but the names and work contact information of employees are not.
When the VIU email system is used to transmit personal information, this personal information is subject to the protection of privacy requirements of the FIPPA.
In addition, the FIPPA allows members of the public to request access to “records” held by VIU subject to limited exceptions. Emails are considered to be records. Therefore, individuals should be aware that there is a possibility that work-related emails may be disclosed in response to an access request under the FIPPA.
Work email addresses (e.g. john.smith@viu.ca) are not confidential (because they are business contact information, which is public information). Many work email addresses are published on the VIU website.
Personal email addresses (including all student and alumni email addresses) are considered to be personal information and are therefore confidential. Personal email addresses must not be shared with others without the owner’s written consent. If you need to share personal email addresses for legitimate purposes (e.g. for a class project) you should ask the individuals for their consent, and give them an opportunity to create a temporary email address for that purpose.
When sending emails to multiple personal email addresses, you must not place those email addresses in the “To” field because you will expose the email addresses to the other recipients. To hide the email addresses, you must place them in the “Bcc” (blind carbon copy) field.
For work accounts, free/busy information is not considered confidential, provided that no information about the appointment is visible. However, you must not disclose the contents of the calendar entries unless you are certain that they do not contain confidential information.
Emails sent between VIU work email accounts are relatively secure. It is acceptable to include small amounts of personal information (and other information of a confidential or sensitive nature) in the body of these emails. Ideally, when you are sending large volumes of personal information, or when the information is highly confidential (e.g. personal health information), it should be sent in an encrypted attachment to the email; however, encryption is not currently available at VIU.
Emails sent from VIU work email accounts to external email accounts are not a confidential and secure method of communication; therefore, you must exercise extreme caution when emailing personal information (and other information of a confidential or sensitive nature) outside VIU.
The FIPPA prohibits VIU from storing personal information outside Canada or allowing it to be accessed from outside Canada, unless consent has been obtained from the person the information is about. Because VIU’s work email system is used to send personal information, it must be hosted in Canada.
The majority of third party email providers (Hotmail, Gmail, etc.) cannot be used for VIU business purposes because they store data outside Canada. Consequently, VIU’s work email system is hosted on campus to ensure compliance with privacy and security requirements.
Yes. While the FIPPA prohibits VIU from allowing personal information to be accessed from outside Canada, it makes an exception for faculty or staff temporarily travelling outside Canada.
Many students use Hotmail or Gmail accounts, which are hosted outside Canada. If a student or another party initiates contact with you using such an account, it is acceptable for you to respond to their email and to discuss the individual’s personal situation if the individual requests you to do so. However, you cannot disclose information about anybody else.
While work email accounts are intended for official use, VIU Policy 45.01 Use of Information Technology – Section 4.3 authorizes the incidental personal use of these accounts, provided such use does not interfere with the user’s job performance and is not otherwise an inappropriate use under relevant policy or legislation. An example of an “incidental personal use” of your VIU email account would be sending a short message to a friend inviting him to lunch. You should not use your VIU email account for long or sensitive personal communications.
If you use your VIU email account for personal uses, keep in mind that your communications may not remain private. While the University does not, as a routine matter, inspect personal emails stored on VIU email accounts, it may need to access these emails under certain circumstances, e.g. responding to lawful subpoenas or court orders; investigating misconduct and determining compliance with University policies; and searching for electronic messages, data, files, or other records that are required for University business continuity purposes.
You may only use a mobile device to access your VIU email account if proper security controls are in place. Emails or other sensitive documents should not be stored on your mobile device.
There is no special retention period for emails. Each email is a separate record that must be retained for the length of time prescribed in the applicable Records Schedule issued under VIU’s Records Management Policy (in development).
A breach of the FIPPA may constitute an offence and may be subject to investigation and sanctions by the Information and Privacy Commissioner. In addition, it may result in disciplinary action by VIU.