Privacy at St. Thomas University: What’s public, what’s secret?

    St. Thomas University is updating how privacy of information will be dealt with in response to the Government of New Brunswick’s updated Right to Information and Protection of Privacy Act.

    The recent changes and updates to the provincial government’s act was in alignment with evolving North American information protection standards said Jeffrey Carleton, STU’s associate vice-president communications.

    Carleton said now it’s easier to commit fraud because information is available and circulated in an electronic format.

    “It’s becoming increasingly more complex than it was 10 years ago when the version of the act was enacted,” Carleton said.

    The 2018 revisions in the provincial government’s update included revised practices on sharing information between public bodies and government departments. It also discussed under what circumstances the sharing of information is permitted and regulations requiring public institutions to have relevant and related policies on information security and privacy in place.

    The university has developed a five-page statement, that summarizes the act and reiterates RTIPPA policies specifically applicable to universities.

    STU’s statement outlines information considered public and information considered private. Some student information will be used to highlight the success of the university and its students.

    “[The New Brunswick government] brought in specific regulations that now cause us to have to demonstrate to the government that we do have appropriate policies and protections and procedures in place that meet their thresholds,” Carleton said.

    “Public institutions have to demonstrate that we’re taking great care of it.”

    The new regulations state those included in the act must create their own policies on information practices, how they handle information, security arrangements, the issue of privacy breaches and the retention of information. Before, the university had pieces of the now cohesive policy statement distributed in different documents such as the academic calendar.

    Following these new regulations, the university will develop a policy on information retention in a few weeks. Carleton said proof of graduation and attendance is important for the university to keep in case graduates want to access the documents later down the road. The university also must form a specific policy for each type of information and how long they must keep it – since universities do not adhere to the Archives Act, a provincial legislation that lays out the means by which New Brunswick’s public records and materials from the Provincial Archives of New Brunswick are handled.

    A system of tracking what staff positions have access to student files and who they can be shared with is also being developed.

    The protocol for dealing with security arrangements and policy breaches must be laid out in detail. Carleton said if there has been a breach of systems or of information, the university is required by law to handle it a certain way – this process will be determined once the policy is complete.

    The university must look at new European Union regulations on data privacy enacted last year. Since STU hosts students from European universities and sends students to European universities as well, the university must determine whether General Data Protection Regulations will apply to STU.

    In response to the updated policy changes, Carleton said the university also plans to update the privacy information stated on university forms and applications, such as entrance application forms. This will notify signatories that the university is collecting their information, why, and what it will do with it.

    STU’s not alone in developing their privacy and information protection policies. In the coming months, Carleton said the University of New Brunswick, Université de Moncton, STU, Mount Allison University, Collège Communitaire du Nouveau Brunswick, New Brunswick Community College, New Brunswick College of Craft and Design and other universities and colleges under the act will be conducting a similar privacy update in response to the new provincial regulations.

    Carleton said while the update is necessary, it can take a long time to complete.

    “The regulations have been enacted and you have to comply with them, but you can’t just comply with them overnight you have to build the policies and the procedures and the protocols.”