Frequently Asked Questions

In June 2013, after an extensive drafting and consultation process, Policy SC14 (formerly Policy 104) (Acceptable Use and Security of UBC Electronic Information and Systems) was approved by the Board of Governors to replace two older policies, Policy 104 (Responsible Use of Information Technology Facilities and Services) and Policy 106 (Access to and Security of Administrative Information).

Policy SC14 requires the Chief Information Officer (CIO) to publish Information Security Standards regarding the security of UBC Electronic Information and Systems. The Information Security Standards were first published in August 2014.

The Policy and Standards apply to all Users of UBC Electronic Information and Systems that are intended to be used for University Business. Essentially all University-supported administrative, academic and research activities are covered by these requirements.

There are a few UBC Systems that are not intended for University Business, e.g. the Student and Alumni Email system. These are exempt from the scope of Policy SC14, and are instead governed by separate terms of use. The Chief Information Officer has issued a Directive listing these exempt systems.

The purpose of the Information Security Standards is to maintain the confidentiality, availability and integrity of UBC Electronic Information and protect it from unauthorized access, disclosure or deletion, and to protect UBC Systems from disruption. Specifically, the Standards are intended to reduce system "down-time", improve productivity, minimize data breaches, and comply with data protection laws such as the Freedom of Information and Protection of Privacy Act (FIPPA).

The Standards were initially created with reference to information security best practice frameworks published by the International Standards Organization (ISO), Payment Card Industry, and the BC Office of the Information and Privacy Commissioner. All requirements were adjusted, as required, to reflect the maturity level of the University's IT systems and information management practices. The goal of the process was to strike a balance between UBC's need for simple, straightforward information security rules and the legal requirement to implement "reasonable security measures" for the protection of Personal Information.

In 2024, a decision was made to align the Standards with the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), which is widely used by higher education institutions. This change will require a mapping of our current Policies and Standards to the NIST CSF to identify gaps and future enhancements as required. It will not result in a re-write or restructuring of our Standards, but will inform future content and prioritization of changes and enhancements.

The Information Security Standards were initially developed in 2013 - 2014 by representatives of UBC Information Technology, Risk Management Services and the Office of the University Counsel. They were distributed to the University community for consultation and were also reviewed by the Information Security Governance Committee, an advisory body with representatives from faculty and administrative units across campus. Drafts were approved by the Chief Information Officer (CIO) in March 2014 and published in August 2014.

The Standards are considered living documents and are reviewed on a continuous basis to address ongoing concerns or questions. Every comment or question received is carefully reviewed by the Information Security Standards Working Group. Where necessary, the Standards are updated in draft before going to the Information Security Standards Review Committee and CIO for approval. Feedback regarding the Standards is welcomed. Please submit all feedback to information.security@ubc.ca.

All Users are required to follow the Standards. Where the Standard says that Users "must" or are "required" to do something, this is a mandatory requirement under the authority of Policy SC14. Where the standard says that Users "should" or are "recommended" to do something, this is not mandatory; it is a guideline.

The Information Security Standards cover a wide variety of topics. For convenience, the Standards are divided into two categories: those that are applicable to all Users, and Management & Technical Standards that are mainly applicable to University IT Support Staff and Administrative Heads of Unit.

This website contains an array of resources to assist Users in complying with the Information Security Standards, which includes procedures, guidelines, forms and checklists. For more information about these documents, see the Resources page.

While there are many requirements in the Standards, some of them only apply to High Risk and Very High Risk information because this information poses the highest risk to UBC if it is not adequately protected. For Users handling lower-risk types of information, including some teaching and research information, it should not take a significant amount of time to meet the requirements in the Standards.

It is recognized that some units may have specific circumstances that merit a variance from the Information Security Standards. Administrative Heads of Unit that wish to deviate from these Standards, or are unable to comply with them, must request a variance from the Chief Information Officer, in accordance with the Requesting Variances Standard.

The Freedom of Information and Protection of Privacy Act (FIPPA) requires the University to protect Personal Information, which is defined as "recorded information about an identifiable individual" (with the exception of business contact information, such as the names and work contact information of University employees). Failure to protect Personal Information may be investigated by the provincial Information and Privacy Commissioner. If the Commissioner determines that there has been a privacy breach, this may result in a fine of up to $500,000. The University is required to take 'reasonable' measures to protect Personal Information, which should depend on the sensitivity of the information. Therefore, highly sensitive information such as SINs, financial history or personal health information is subject to more stringent controls under the Standards.

Students' names fall under the legal definition of Personal Information ("recorded information about an identifiable individual") and are therefore protected under the terms of the Freedom of Information and Protection of Privacy Act (FIPPA). For more information on what constitutes Personal Information, please see the Privacy Fact Sheet on Personal Information.

Like many organizations, UBC requires work to be conducted using business email systems such as FASmail. Gmail, Google Drive and other personal services are not suitable for work purposes for the following reasons:

1. Privacy: UBC has a legal obligation under the Freedom of Information and Protection of Privacy Act (FIPPA) to protect Personal Information and conduct Privacy Impact Assessments. In order to ensure these obligations are met, UBC (a) requires Privacy Impact Assessments to be conducted for all external tools and software and (b) requires contractual agreements covering these protections. In addition, Gmail is hosted outside of Canada, which would require additional assessment and special approval under a Privacy Impact Assessment.
2. Security: UBC has an obligation to ensure that Medium, High or Very High Risk Information is reasonably secure from unauthorized use or disclosure. It cannot guarantee the safety of the information if it is stored in a personal email account on Gmail. UBC has no contractual arrangements in place with Gmail, and no control over the security settings and data handling practices of third-party email providers.
3. Records management: UBC's Records Management Policy requires staff and faculty members to manage and preserve records of value, which includes email messages. Emails that are stored on external email accounts may not be preserved as required under that policy. In the event of an emergency, UBC may need direct access to a user’s emails or records of business value.

The Office of the University Counsel publishes several useful Privacy Fact Sheets covering privacy issues.

In certain circumstances, yes. The November 2021 changes to the Freedom of Information and Protection of Privacy Act (FIPPA) in British Columbia (BC) allow for personal information to be stored outside of Canada, but a Privacy Impact Assessment (PIA) must be conducted.

Although a PIA is required for all administrative projects handling Personal Information, additional assessment and specific approval is required when Very High Risk Information will be stored outside Canada.

Learn more about the PIA process.

In accordance with the directions of the minister responsible for the Freedom of Information and Protection of Privacy Act (FIPPA), the Office of the University Counsel has published information about UBC's Privacy Management Program, highlighting practical and operational controls for privacy functions across the University. We are all responsible and accountable for following the program.

The program components include internal policies, standards, procedures, guidelines and other privacy-related processes, such as the process of conducting privacy impact assessments, handling privacy breaches, and privacy awareness and education activities.

Learn more about the UBC’s Privacy Management Program.

The Information Security Standards only apply to the security of UBC Electronic Information and Systems. For hardcopy records, see the fact sheet on Security of Paper Records, which is published by the University Archives.

Contact information.security@ubc.ca if you have any questions about the Standards.