U3, Transmission and Sharing of UBC Electronic Information

Information Security Standard

1. Introduction

2. Key Considerations when Transmitting and Sharing UBC Electronic Information

  • 2.1 Only transmit the minimum amount of information required to complete a task (the Principle of Least Privilege). Do not transmit any information that is not required (e.g., do not include Social Insurance Number and Date of Birth unless necessary). Where possible, do not transmit information that could be used to identify unique individuals.
  • 2.2 Where possible, do not copy, extract, or download Medium, High, or Very High Risk Information from ERPs.
  • 2.3 Medium, High, or Very High Risk Information may be shared with other UBC employees on a ‘need to know’ basis, when their role at UBC requires them to have access to perform their duties.
  • 2.4 Computing services based outside of Canada (such as Gmail) are not permitted for transmission or sharing of Personal Information unless a Privacy Impact Assessment (PIA) has been conducted for that service, and the risks of storage outside of Canada have been considered and accepted. When sensitive personal information will be stored outside of Canada, the initiative must receive approval through the PIA process. For academic research projects, a Security Threat Risk Assessment (STRA) may be required in place of a PIA when the tool is used solely for research purposes, as outlined in UBC's research-specific guidelines. Please refer to the PIA & STRA webpage for more information.
  • 2.5 Before Medium, High, or Very High Risk Information is shared with Service Providers, Users must ensure the recipient is compliant with all requirements in the Outsourcing and Service Provider Management standard.

3. Acceptable Methods of Transmitting and Sharing UBC Electronic Information

  • 3.1 The table below provides requirements for Users of UBC Systems on how to appropriately transmit or share UBC Electronic Information based upon the risk classification (see the Security Classification of UBC Electronic Information and Services standard).

    §Method of TransmissionVery High RiskHigh RiskMedium RiskLow Risk
    3.1.1UBC Email Accounts (e.g., FASmail)Acceptable only when placed in encrypted email attachmentsAcceptable, although if you are sending significant amounts of this information it is best practice to put it in an encrypted attachmentRecommended
    3.1.2Personal Email Accounts (e.g., Gmail, Hotmail, Yahoo)Not permittedNot recommended
    3.1.3UBC File Sharing, Collaboration & Messaging Tools1 (e.g., SharePoint, OneDrive, Teams, Zoom, network shared folders)Recommended
    3.1.4Other/Personal File Sharing, Collaboration & Messaging Tools (e.g., Dropbox, Google Drive/Docs/Hangouts, Skype, Slack, Facebook)Not permitted, unless approved by PIANot recommended
    3.1.5Mobile storage devices/media (e.g., USB drives, CDs/DVDs, tapes)Tier 1 Encryption is required
    3.1.6Websites Hosted Within CanadaPermitted with authentication and HTTPS (encrypted) connectionsHTTPS (encrypted) strongly recommended2
    3.1.7Websites Hosted Outside CanadaNot permitted, unless approved by PIAPermitted with authentication and HTTPS (encrypted) connectionsHTTPS (encrypted) strongly recommended2
    3.1.8Other Internet Transmissions (e.g., SSH, FTPS, SFTP)Permitted with authentication and encrypted connections3
    3.1.9FaxOnly permitted when sending/receiving fax machines are in secure locations (see Faxing guideline)
  • 3.2 Section 3.1 does not prevent the use of UBC scanners/copiers on the University network to scan documents and email them to UBC email accounts regardless of the classification of the information in those documents.
  • 3.3 In addition to section 3.1, UBC Systems must also comply with the Security Architecture and Firewalls standard.
  • 3.4 Subject to section 3.1, if the User is using personal accounts or other information sharing tools to share UBC Electronic Information, they are responsible for ensuring that a copy of this information is stored on UBC Systems, located in UBC Data Centres or in other authorized locations, in addition to any desktop computers and Mobile Devices, at all times.
  • 3.5 For the purpose of section 3.4, the following are authorized locations:
    • 3.5.1 Data centres at other higher education institutions and health authorities in Canada;
    • 3.5.2 EduCloud;
    • 3.5.3 UBC Hybrid Cloud;
    • 3.5.4 Q9 Data Centre (Kamloops);
    • 3.5.5 Digital Research Alliance of Canada (not to be used for storage/processing of High or Very High Risk Information); and
    • 3.5.6 other third-party locations approved by the CISO.
  • 3.6 For detailed information about Encryption requirements, including how to encrypt documents and Devices, refer to the Encryption Requirements standard.
  • 3.7 For further guidance or assistance with protecting UBC Electronic Information, please contact University IT Support Staff.

4. Auto-forwarding from UBC Email Accounts

Case Study: Receiving Emails from Students

Students sometimes send emails to their instructors containing personal information about themselves. It is acceptable for instructors to receive and respond to these emails, as long as they only do so using their UBC email accounts. If the student wants to send or receive some extremely sensitive information, such as a medical report, the instructor should encourage the use of Encryption on the document to ensure it is secure.

  • 4.1 Automatically forwarding or redirecting UBC email accounts (Auto-forwarding) to a non-business email account (e.g. a personal Gmail, Hotmail or Yahoo account) is not permitted.
  • 4.2 Auto-forwarding to non-UBC business email accounts is only acceptable for UBC faculty and staff members who have employment or appointments at other organizations and are unable to manage multiple work email accounts. Under these circumstances, Auto-forwarding is acceptable if:
    • 4.2.1 the other organization is a public body located in British Columbia and is subject to the Freedom of Information and Protection of Privacy Act, including the associated data residency and security requirements; and
    • 4.2.2 the faculty or staff member ensures that copies of emails are retained on or copied to UBC Systems in accordance with UBC’s Records Management Policy.
  • 4.3 Auto-forwarding to non-UBC business email accounts outside of the circumstances set out in section 4.2 is prohibited unless the User has submitted the UBC Email Auto-forwarding Agreement and it has been approved by the Administrative Head of Unit and CISO.

5. Additional Requirements for Merchant Systems

  • 5.1 Due to the sensitivity of Payment Card Industry (PCI) Information, it is subject to the following additional requirements:
    • 5.1.1 PCI Information must only be stored in approved Merchant Systems;
    • 5.1.2 PCI Information must never be transmitted via email or instant messaging systems. This activity is prohibited;
    • 5.1.3 PCI Information must never be transmitted unencrypted by any of the other above methods;
    • 5.1.4 media containing PCI Information must be sent by secured courier or other delivery method that can be accurately tracked; and
    • 5.1.5 management must approve the transfer of PCI Information from a secured area.

6. Receiving Information from Third Parties

  • 6.1 Individuals who are not UBC employees, such as students, sometimes use insecure transmission methods, such as personal email accounts, to transmit their information to UBC. While it is acceptable to receive information in this way, we should encourage these individuals to take measures to minimize the risk of interception by unauthorized parties, such as encrypting files.

Related Documents and Resources

Security Classification of UBC Electronic Information and Services standard

Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems

BC Freedom of Information and Protection of Privacy Act (FIPPA)

Privacy Impact Assessment (PIA) and Security Threat Risk Assessment (STRA)

Outsourcing and Service Provider Management standard

Faxing guideline

Security Architecture and Firewalls standard

Encryption Requirements standard

Policy GA4, Records Management

UBC Email Auto-forwarding Agreement (with CWL credentials)

Standard Last Revised: 2025-03

1 Endorsed by the CIO or the Administrative Head of Unit as an acceptable method for transmitting and sharing all UBC Electronic Information.

2 All Canadian federal government websites were mandated to be HTTPS by September 30, 2019.

3 Insecure internet transmissions (e.g., Telnet, FTP) are not permitted.

Page last updated on January 30, 2026

Office of the CIO

6356 Agricultural Road
Vancouver, BC Canada
V6T 1Z2
604 822 3634
E-mail ubc.cio@ubc.ca

Related Sites

Need Help?

Urgent Message An exclamation mark in a speech bubble. Bluesky The logo for the Bluesky social media service. Bookmark A bookmark in a book. Browser A web browser window. Caret An arrowhead indicating direction. Arrow An arrow indicating direction. Arrow in Circle An arrow indicating direction. Arrow in Circle An arrow indicating direction. Time A clock. Chats Two speech clouds. E-commerce Cart A shopping cart. Facebook The logo for the Facebook social media service. Help A question mark in a circle. Home A house in silhouette. Information The letter 'i' in a circle. Instagram The logo for the Instagram social media service. Linkedin The logo for the LinkedIn social media service. Location Pin A map location pin. Locked A locked padlock. Mail An envelope. Menu Three horizontal lines indicating a menu. Minus A minus sign. Pencil A pencil indicating that this is editable. Telephone An antique telephone. Play A media play button. Plus A plus symbol indicating more or the ability to add. Print A printer pushing out a piece of paper. Search A magnifying glass. Settings A single gear. Arrow indicating share action A directional arrow. Speech Bubble A speech bubble. Star An outline of a star. Twitter / X The logo for the X (aka, Twitter) social media service. User A silhouette of a person. Vimeo The logo for the Vimeo video sharing service. Youtube The logo for the YouTube video sharing service.