Privacy and Security Best Practices for Sharing Information

Information Security Safeguards While Working from Home

As a member of the University community, you are entrusted to manage University information responsibly and in accordance with the University's Information Management and Information Technology Policies.

Here are some guidelines to follow for working from home securely:

1. Secure your home router and WiFi

Insecurely configured home routers can lead to eavesdropping and/or attackers gaining remote control of your home computing devices.  Follow key and fundamental security safeguards such as changing the default router password and using Wi-Fi Protected Access 2 (WPA2).

See the following guide for router/Wi-Fi security:

Keep up-to-date with patches/fixes/updates (including security, operating system, and antivirus updates).  Enable the computer's personal firewall and hard drive encryption.  Use a strong/secure password that is unique and not shared.

3. Minimize information management risks
Do not save, store, or print University information locally (especially that which is personally identifying).  That is, securely connecting to and using University resources remotely keeps University information on the University system.  Examples of such University resources include UAlberta Google, faculty/department based file-shares, and enterprise systems such as PeopleSoft, EDRMS, SupplyNet and eClass.  Use the University VPN where appropriate and necessary to securely connect to the University network.

If you absolutely need to save, store, or print University information at home in order to do your job, obtain approval from your Director/Chair beforehand, and agree on security safeguards around version control, information sharing/exchange, encryption, and retention/archive/disposal, among others.

The university has created these best practices to help address questions related to sharing information securely. You may have other requirements to consider as well, such as faculty or department policies and procedures, Research Ethics Board requirements, and external stakeholder stipulations.

Types of Information

Institutional data can generally be assigned to one of four categories:

  1. Restricted (extremely sensitive)
  2. Confidential (highly sensitive)
  3. Protected (moderately sensitive)
  4. Unrestricted (non-sensitive)

More information can be found in the UAPPOL Institutional Data Management and Governance Procedure document.

General Principles for Sharing Information

It is recommended to avoid sharing extremely sensitive information (such as identifiable patient and health care information, social insurance numbers, and passport information) on any university system (including UAlberta G Suite). If there is a valid and approved business justification for doing so, such sharing may be acceptable provided it includes encryption of data at rest and other compensating controls.

  1. Extremely and highly sensitive information is not to be transmitted by email. It is also prudent to avoid sending emails with any information that could lead to harm upon compromise, e.g., including a full date of birth in an email could lead to identity theft.
  2. UAlberta Google Drive is an approved alternative to email for sharing the university's business, academic, research and administrative information and records. Files in UAlberta Google Drive have built-in information rights management (IRM), meaning users can share files and information securely. However, be conscientious and careful when providing permission to those receiving or viewing the document or files, and always remember to unshare a document once the business need for it has passed.
    • Any type of file containing identifiable patient and health care information is NOT to be shared through or stored in UAlberta G Suite services.
  3. Additional alternatives for sharing and storing university information include encrypted attachments or a faculty / department shared network file server.

Risks of Using Email to Share Sensitive Information

Email is perhaps the most common method to share information on campus. However, it also carries some risks, and it is important to consider these risks when deciding whether to send information to someone through email:

  • Misdirection - when an email is unintentionally sent to the wrong person. Learn how to minimize the risk of sending misdirected emails.
  • Interception - when an email is intercepted by hackers or government surveillance programs. Fortunately, any email sent through Gmail is encrypted for your protection. Learn more about encryption.
  • Mishandling by recipient - when the recipient of an email stores it inappropriately, copies it, and/or forwards it to others. As you have no control over how a recipient handles your email, use caution when sending personal or sensitive information.
  • Account vulnerabilities - these include a weak password and email phishing scams, both of which leave an email account vulnerable to external threats. Always set a strong password (eight to ten characters long) and never open suspicious emails.

For a further discussion about the risks of using email in the context of sending patient information, please see the OIPC Practice Note. Please also review the following infographic and document for additional general guidelines on email management.

Alternatives to Email: UAlberta Google Drive

The Information and Privacy Office (IPO) and the Chief Information Security Officer (CISO) have assessed UAlberta G Suite through a Privacy Impact Assessment and Security Review and have found that Google Drive has adequate privacy and security controls.

Google Drive is a secure and modern digital workspace that stores files encrypted in Google's cloud infrastructure and includes built-in information rights management (IRM), meaning files are kept private until the document owner decides to share them. As a result, Google Drive is a better option than email for sharing highly sensitive or confidential information. However, be conscientious and careful when providing permission to those receiving or viewing the document or files, and always remember to unshare a document once the business need for it has passed.

Learn more about the different sharing settings at the Google Drive Help Center.

Additional Alternatives for Sharing and Storing University Information

  • Encrypted attachment - one way to securely send personal or confidential information is through an encrypted attachment, which can only be read by the person with the decryption key, i.e., password. The password should be shared with the recipient over the phone or through another method that does not involve email. Review the MyCCID Password Tips for help choosing a strong password.
  • Shared network drive - if you wish to share a document containing personal information with a colleague in your office, consider whether you can save the personal information to a shared drive on your faculty, department or unit network. Then, simply email or tell your colleague the location in which you saved the document.
  • Fax - while faxing documents involves its own set of risks, this tends to be considered a more acceptable practice within the medical community than email. When faxing personal or confidential information, it is prudent to follow the guidelines set out in this publication: OIPC Guidelines on Facsimile Transmission
  • Non-electronic methods - sometimes, it will be most appropriate to use traditional methods of exchanging information, such as mail, courier, campus mail, hand delivery or a phone call.

Table of Information Sharing Guidelines / Diagram

Sharing methods (table columns):

  • Email
  • UAlberta Google Drive
  • Encrypted attachment or shared network file server
  • Secure fax
  • Non-electronic methods

Types of information (table rows):

  • Extremely sensitive - medical records [1]
  • Extremely sensitive - credit card numbers, social insurance numbers, sexual orientation, gender identity
  • Highly sensitive - personnel files, salary, discipline records, information related to a law enforcement investigation, third-party business information submitted in confidence
  • Moderately sensitive - date of birth *
  • Moderately sensitive - grades, CCIDs, employee ID and student numbers, and personal contact information other than publicly displayed university email addresses
  • Non-sensitive - publicly displayed university email addresses, anything available on the university's website

* While date of birth can be sent over email, it is prudent to avoid emailing this information when possible.

[1] For more details, please see the OIPC Practice Note.

Resources

Government of Alberta. "Identity Theft." 2019.
https://www.alberta.ca/identity-theft.aspx

Government of Canada. "Get Cyber Safe." December 21, 2018.
http://www.getcybersafe.gc.ca/index-en.aspx

Government of Canada. "Protect yourself and report scams." March 12, 2018.
https://www.getcybersafe.gc.ca/cnt/blg/pst-20190312-en.aspx

Office of the Information and Privacy Commissioner of Alberta (OIPC). "Advisory for Communicating with Patients Electronically." June 2019.
https://www.oipc.ab.ca/media/383685/practicenote_hia_communicating_with_patients_via_email_aug2012.pdf

University of Alberta. "Changing your Campus Computing ID Password."
https://password.srv.ualberta.ca/passwords.html

University of Alberta Policies and Procedures Online (UAPPOL). "Information Technology Use and Management Policy." June 25, 2010.
https://policiesonline.ualberta.ca/PoliciesProcedures/Policies/Information-Technology-Use-and-Management-Policy.pdf

University of Alberta Policies and Procedures Online (UAPPOL). "Information Technology Security Policy." June 25, 2010.
https://policiesonline.ualberta.ca/PoliciesProcedures/Policies/Information-Technology-Security-Policy.pdf

University of Alberta Policies and Procedures Online (UAPPOL). "Email Forwarding Restriction Procedure." February 25, 2013.
https://policiesonline.ualberta.ca/PoliciesProcedures/Procedures/Email-Forwarding-Restriction-Procedure.pdf