Frequently Asked Questions

General Information

In June 2013, after an extensive drafting and consultation process, Policy SC14 (formerly Policy 104) (Acceptable Use and Security of UBC Electronic Information and Systems) was approved by the Board of Governors to replace two older policies, Policy 104 (Responsible Use of Information Technology Facilities and Services) and Policy 106 (Access to and Security of Administrative Information).

Policy SC14 requires the Chief Information Officer (CIO) to publish Information Security Standards regarding the security of UBC Electronic Information and Systems. The Information Security Standards were first published in August 2014.

The Policy and Standards apply to all Users of UBC Electronic Information and Systems that are intended to be used for University Business. Essentially all University-supported administrative, academic and research activities are covered by these requirements.

There are a few UBC Systems that are not intended for University Business, e.g. the Student and Alumni Email system. These are exempt from the scope of Policy SC14, and are instead governed by separate terms of use. The Chief Information Officer has issued a Directive listing these exempt systems.

The purpose of the Information Security Standards is to maintain the confidentiality, availability and integrity of UBC Electronic Information and protect it from unauthorized access, disclosure or deletion, and to protect UBC Systems from disruption. Specifically, the Standards are intended to reduce system "down-time", improve productivity, minimize data breaches, and comply with data protection laws such as the Freedom of Information and Protection of Privacy Act (FIPPA).

The Standards were initially created with reference to information security best practice frameworks published by the International Standards Organization (ISO), Payment Card Industry, and the BC Office of the Information and Privacy Commissioner. All requirements were adjusted, as required, to reflect the maturity level of the University's IT systems and information management practices. The goal of the process was to strike a balance between UBC's need for simple, straightforward information security rules and the legal requirement to implement "reasonable security measures" for the protection of Personal Information.

In 2024, a decision was made to align the Standards with the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), which is widely used by higher education institutions. This change will require a mapping of our current Policies and Standards to the NIST CSF to identify gaps and future enhancements as required. It will not result in a re-write or restructuring of our Standards, but will inform future content and prioritization of changes and enhancements.

The Information Security Standards were initially developed in 2013-2014 by representatives of UBC Information Technology, Risk Management Services and the Office of the University Counsel. They were distributed to the University community for consultation and were also reviewed by the Information Security Governance Committee, an advisory body with representatives from faculty and administrative units across campus. Drafts were approved by the Chief Information Officer (CIO) in March 2014 and published in August 2014.

The Standards are considered living documents and are reviewed on a continuous basis to address ongoing concerns or questions. Every comment or question received is carefully reviewed by the Information Security Standards Working Group. Where necessary, the Standards are updated in draft before going to the Information Security Standards Review Committee and CIO for approval. Feedback regarding the Standards is welcomed. Please submit all feedback to information.security@ubc.ca.

Application of the Standards

All Users are required to follow the Standards. Where a Standard says that Users "must" or are "required" to do something, this is a mandatory requirement under the authority of Policy SC14. Where a Standard says that Users "should" or are "recommended" to do something, this is not mandatory; it is a guideline.

The Information Security Standards cover a wide variety of topics. For convenience, the Standards are divided into two categories: those that are applicable to all Users, and Management & Technical Standards that are mainly applicable to University IT Support Staff and Administrative Heads of Unit.

Compliance with the Standards

This website contains an array of resources to assist Users in complying with the Information Security Standards, which includes procedures, guidelines, forms and checklists. For more information about these documents, see the Resources page.

While there are many requirements in the Standards, some of them only apply to High Risk and Very High Risk information because this information poses the highest risk to UBC if it is not adequately protected. For Users handling lower-risk types of information, including some teaching and research information, it should not take a significant amount of time to meet the requirements in the Standards.

It is recognized that some units may have specific circumstances that merit a variance from the Information Security Standards. Administrative Heads of Unit that wish to deviate from these Standards must request a variance from the Chief Information Officer, in accordance with the Requesting Variances Standard.

Protection of Personal Information

The Freedom of Information and Protection of Privacy Act (FIPPA) requires the University to protect Personal Information, which is defined as "recorded information about an identifiable individual" (with the exception of the names and work contact information of University employees). Failure to protect Personal Information may be investigated by the provincial Information and Privacy Commissioner. If the Commissioner determines that there has been a privacy breach, this may result in a fine of up to $500,000. The University is required to take 'reasonable' measures to protect Personal Information, which should depend on the sensitivity of the information. Therefore, highly sensitive information such as SINs, financial history or personal health information is subject to more stringent controls.

Students' names fall under the legal definition of Personal Information ("recorded information about an identifiable individual") and are therefore protected under the terms of the Freedom of Information and Protection of Privacy Act (FIPPA). While the unauthorized access or disclosure of a single class list would probably not have serious consequences, the disclosure of other personal information about students, such as their grades, contact information or counselling records, could be a serious matter.

Like many organizations, UBC requires work to be conducted using business email systems such as FASmail. Gmail and other services that are hosted in the "cloud" are not suitable for work purposes for the following reasons:

  1. Privacy: The Freedom of Information and Protection of Privacy Act (FIPPA) requires Personal Information to be stored and accessed in Canada. Since Gmail is hosted outside Canada, it should not be used by UBC faculty or staff to transmit Personal Information.
  2. Security: UBC has an obligation to ensure that Medium, High or Very High Risk Information is reasonably secure from unauthorized use or disclosure. It cannot guarantee the safety of the information if it is stored in a personal email account on Gmail.
  3. Records management: UBC's Records Management Policy requires staff and faculty members to manage and preserve records of value, which includes email messages. Emails that are stored on external email accounts may not be preserved as required under that policy.

The Office of the University Counsel publishes several useful Privacy Fact Sheets covering privacy issues.

In certain circumstances, yes. The November 2021 changes to the Freedom of Information and Protection of Privacy Act (FIPPA) in British Columbia (BC) allow for personal information to be stored outside of Canada, but a Privacy Impact Assessment (PIA) must be conducted.

Although a PIA is required for all administrative projects handling Personal Information, additional assessment and specific approval is required when Very High Risk Information will be stored outside Canada.

Learn more about the PIA process.

In accordance with the directions of the minister responsible for the Freedom of Information and Protection of Privacy Act (FIPPA), the Office of the University Counsel has published information about UBC's Privacy Management Program, highlighting practical and operational controls for privacy functions across the University. We are all responsible and accountable for following the program.

The program components include internal policies, standards, procedures, guidelines and other privacy-related processes, such as the process of conducting privacy impact assessments, handling privacy breaches, and privacy awareness and education activities.

Learn more about UBC's Privacy Management Program.

Protection of Paper Records

The Information Security Standards only apply to the security of UBC Electronic Information and Systems. For hardcopy records, see the fact sheet on Security of Paper Records, which is published by the University Archives.

Further Assistance

Contact information.security@ubc.ca if you have any questions about the Standards.