Data privacy: A multi-faceted topic in higher education

To celebrate Data Privacy Day on Jan. 28, Information Technology Services (ITS) hosted a virtual panel event: Impact of evolving technology and privacy laws in higher education. The one-hour event opened a conversation about data privacy and protection and answered privacy questions from the University of Toronto (U of T) community.

Over 145 attendees including staff, faculty and students from the tri-campus community joined virtually to learn from legal, cybersecurity and privacy experts on how changes in technology and privacy laws impact higher education. The featured panelists were:

  • Ashley Langille, Information Privacy Analyst
  • Carlos Chalico, IT Risk and Privacy Consultant, EY & Instructor, School of Continuing Studies, U of T
  • Daniel Michaluk, Information Security and Privacy Lawyer & Partner, Borden Ladner Gervais LLP
  • Deyves Fonseca, Associate Director, Information Security Operations

The event was moderated by Rafael Eskenazi, Director, Freedom of Information and Protection of Privacy (FIPP) Office.

“The Data Privacy Day virtual panel event provided a great opportunity to engage with the U of T community, to answer their questions about privacy and to share University resources they can use to protect personal information,” said Kalyani Khati, Associate Director, Information Security Strategic Initiatives.

Highlights from the event


From left to right: Deyves Fonseca (bottom left), Daniel Michaluk (top left), Rafael Eskenazi (top right), Carlos Chalico, Ashley Langille (bottom right)

Daniel Michaluk began the session by speaking about the Freedom of Information and Protection of Privacy Act (FIPPA) and observed that there hasn’t been an adverse regulatory finding about a university’s privacy practices since FIPPA was introduced in Ontario. Michaluk explained that this can be attributed to the good work done by the universities of Ontario, so there is no historical basis for additional regulation in the sector.

“Right from the start in 2006, all the Ontario universities took FIPPA and privacy protection very seriously, and from some good work early on by the Council of Ontario Universities, there’s been a continuous dialogue in the sector about privacy,” he said.

Speaking about the University’s digital transformation, Deyves Fonseca expressed that the pandemic brought significant changes with the move of data to the cloud. He said that the move to using the cloud is going to continue and accelerate as part of U of T’s digital transformation as we prepare to go back to in-person work and learning.

Collaboration was the keyword during Carlos Chalico’s presentation. “We need to think about collaboration across organizations to minimize cyber security risks,” said Chalico. “Alliances are necessary within organizations to protect information as a business issue, not just a tech issue.”

Ashley Langille remarked that the inclusion of stricter General Data Protection Regulation (GDPR)-focused language in privacy policies has created issues with informed consent, as the language in these policies often applies only to data of European Union (EU) citizens and is often misinterpreted to apply to all users. Ashley noted that inclusion of a GDPR protection in policy does not necessarily translate to FIPPA compliance.

The presentations were followed by a Q&A session which consisted of pre-submitted and live questions from the audience. Some key highlights from the Q&A session:

Raffle winners

Two attendees were randomly selected to win a $50 U of T Bookstore gift card. Congratulations to the raffle winners:

  • Bismah Khalid, On Location Accessibility Advisor, University of Toronto Accessibility Services
  • Linda Ye, Senior Auditor – Information Systems, Internal Audit Department

Visit the Security Matters website to learn more about protecting yourself and your data online.

Data classification: Using a risk-based approach for data protection

Most of us work with data on a day-to-day basis; the data we handle range from blog posts, course material and internal reports to personal information and health records. Not all data are created equal – while press releases and blogs are meant for public consumption, personal information and health records are extremely sensitive and need to be protected accordingly. Knowing the criticality of data and their risks helps us make informed decisions on how best to protect our data.

To appropriately protect data, we need to identify how sensitive the data are and the risk to the University and its people if the data are lost, stolen or exposed. This is where data classification helps – it allows users to classify data into separate categories. These categories indicate the value and sensitivity of the data and determine the level of protection needed for the data. This is akin to putting a “Fragile, handle with care!” label on a box of valuable crystal.

We want to provide the right level of protection to our data. While under-protecting data puts them at risk, overprotecting data wastes valuable resources that could be better utilized elsewhere. Just like we wouldn’t put a “Fragile, handle with care!” label on a box of pillows, it doesn’t make sense to apply the same level of protection to less sensitive data as that applied to highly sensitive data such as personal information.

To help protect University data, the University of Toronto (U of T) has released a data classification schema, endorsed by the Information Security Council. This data classification schema applies to everyone at U of T who produces, defines or uses University data, along with those who govern the access, use, storage and deletion of University data.

Hear more about the data classification schema from U of T staff

“Data classification is essential for effective data governance, privacy, risk management, security program development and operations. Protecting our data is a shared responsibility. We want to educate the community about U of T’s data classification schema and how it can be applied to make risk-based decisions about protecting data.” – Kalyani Khati, Associate Director, Information Security Strategic Initiatives.

“A long-term objective of the Institutional Data Governance Program is to create a culture in which everyone who collects, manages or uses institutional data follows good data governance principles and practices. The U of T data classification schema is an effective tool that helps us better understand our data so we can meet this objective.” – Jeffrey Waldman, Manager, Institutional Research and Data Governance.

Understanding U of T’s data classification schema

Level 1

This category is for data that the University has designated as being generally accessible to the public. Examples include:

  • Data from the U of T Directory
  • Press releases
  • News articles

Level 2

This is the default category. It includes data that the University has chosen not to make public but that has also not been designated in another level. Examples include:

  • U of T Advanced Directory for faculty and staff
  • Most unpublished research
  • Most course materials

Level 3

This category is for non-public data that contains personal information (as defined by the Freedom of Information and Protection of Privacy Act [FIPPA]) for which appropriate permission to disclose has not been received, and other data that the University has designated as being level 3. Examples include:

  • Student information and records
  • Employee records
  • Video surveillance security footage

Level 4

This category is for non-public data that is highly sensitive such that its disclosure poses substantially greater risk of harm to the University and to the data subject than level 3 data. Examples include:

  • Personal health records as defined by the Personal Health Information Protection Act (PHIPA)
  • Customer payment card information when the University is in a merchant capacity

Find out more about data classification at

This article is part of a series for Cyber Security Awareness Month (CSAM). To learn more about how to stay safe online, visit the CSAM resources page.

University of Toronto’s new Information Security Standard

The Information Security program at the University of Toronto (U of T) is continually working with the community to better protect the University and its people against security risks. Most recently, the University’s Information Security Council has endorsed the Information Security Standard (the Standard) to provide a set of baseline security measures to protect our data and information systems based on the associated data classification. The Standard is customized to U of T’s specific environment.

“The Information Security Standard consists of the measures we take to protect our systems and data based on risk,” said Deyves Fonseca, Associate Director, Information Security Operations. “Keeping U of T’s data and computing environment safe and secure is a team effort. Therefore, it is critical that everyone at U of T understands the Information Security Standard and applies it to protect our data and information systems,” he added.

Applying the Information Security Standard

Protecting our data and information systems is a shared responsibility — every person in the U of T community plays a role in applying the Information Security Standard guidelines.

Here is how you can use the standard based on your role:

  • Data users: Learn how to securely handle the data you work with.
  • Decision makers: Make strategic decisions about protecting data and systems within divisions and administrative or academic organizational units.
  • Teams managing information systems: Implement security safeguards, configure systems and build processes to reduce risk.

Help secure U of T’s data and information systems

For more information, visit the ISEA website.

This article is part of a series for Cyber Security Awareness Month (CSAM). To learn more about how to stay safe online, visit the CSAM resources page.