As UFV transitions to employees working remotely, it is important to consider the University’s responsibilities with regard to records management and privacy. The University of the Fraser Valley is subject to the Freedom of Information and Protection of Privacy Act. UFV is committed to protecting the privacy and management of records for both students and employees. It is our goal to not only meet the requirements of governing legislation and provincial standards, but also exceed them by implementing “best practices” with respect to the collection, use, disclosure, and security of personal information and records management.
- To ensure the management and protection of records, (including records containing personal, sensitive and confidential information) while employees of UFV are working remotely or working from online platforms such as Zoom, MS Teams, or BlueJeans.
- To provide UFV employees and service providers step-by-step instructions on how to safeguard records (including records containing personal, sensitive and confidential information) if/when they are removed from the physical workplace.
- To ensure employees are aware of and understand protocols should an electronic device be lost or stolen.
The guidelines below will assist employees and service providers who are working remotely in the protection of privacy and managing records.
Whether working remotely, offsite, or travelling with records (including records containing personal information), UFV employees and service providers must take measures to protect records from risks such as unauthorized collection, use, disclosure, access, and destruction as follows:
- Written approval must be obtained by department supervisor prior to remote access to records or removal of records (including personal, confidential and sensitive information) from the worksite.
- Personal, confidential, and sensitive information must not be removed from the physical worksite unless operationally necessary. If there is an operational requirement for removal, employees are to take the least amount of material required and seek the appropriate permissions and approvals prior to working remotely (as described above).
- If physical records need to be removed, originals are to be left at the worksite. Upon return to the worksite, physical records are to be placed in their original location immediately or securely destroyed using UFV’s confidential destruction process if the records are unaltered transitory copies.
- Physical records are never to be left unattended. When working remotely, records should be safeguarded and under the constant control of the employee. If this is not possible, the records should be temporarily stored in a secure location and password protected (e.g. locked room, office, desk drawer, hotel safe, etc.).
- Whenever possible, ensure access to electronic records (including records containing personal, confidential, and sensitive information) is made via a secure VPN or similar connection.
- Electronic records (including personal, confidential, and sensitive information) are to be transported via an encrypted disk or encrypted drive when secure remote access is not available.
- Employees must not use open, public or unsecured Wi-Fi networks when accessing records remotely. Use is prohibited on any electronic mobile device.
- Personal, confidential or sensitive information is not to be stored on any external computer hard drive.
- Laptops and other electronic devices containing records that are sensitive, confidential, and personal information (e.g. tablets, portable USB storage devices, smart phones) must remain in the employee’s possession or stored in a secure location at all times.
- Employees must log off or shut down a laptop or computer when not in use.
- Employees must protect all records from being viewed by the public, including while travelling on airplanes, trains, buses and public transit, and when working in public areas.
- When in transit or working away from the worksite, employees must avoid discussing sensitive, confidential or personal information in areas where the discussions can be overheard.
- Employees are to report all lost or stolen devices immediately to IT Service Desk.
- All electronic devices must be returned and secured after the employee exit process (e.g. device restoration procedures to factory resets to remove all personal or confidential data).
Records Maintenance & Remote Access
- Use UFV’s network shared drive to store and access records when possible. For more information on accessing shared drives remotely, visit UFV ITS.
- If your department is using Zoom, Microsoft Teams or other chat platforms, you could be creating and storing records. Notes, minutes, recordings and files created and stored within chat platforms are subject to formal requests made under FIPPA, document discovery exercises, and UFV records management policies. Ensure transitory records are appropriately destroyed when no longer of use on chat platforms. All records, including transcriptions of chat and recordsings, are subject to UFV's records retention schedule.
- Personal devices must not be used for work-related business as these devices generate UFV records that must be maintained in accordance with records retention practices.
- Ensure UFV's naming convention protocol is applied to all records created and stored while working remotely.
- University records that are to be disposed of in the course of the employee’s work should be destroyed on site at UFV. Ensure records are safeguarded until they can be safely returned to the worksite for secure disposal.
- When working remotely, employees are to continue to manage email and electronic documents and follow records management protocols as when onsite. For tips on managing e-mail as records, click here.