The university collects personal information about students, faculty and staff in order to operate effectively and efficiently as a post-secondary institution. The university is required to protect personal information and ensure it is only used and disclosed for appropriate purposes.

Personal information includes any information about an identifiable individual, but excludes the salary and employment responsibilities of an employee of the university, travel expenses of any individual travelling at the expense of the university, academic ranks or departmental designations of faculty, and degrees or certificates granted by the university.

We can only use protected personal information with express consent, with implied consent (for the purpose for which it was collected or a use consistent with that purpose) or without consent in very limited circumstances.

If you have questions or concerns about how your personal information is being handled, please feel free to discuss with your college or the unit dealing with your personal information. They should be your first line of inquiry. If you continue to have concerns, please contact the Access and Privacy Officer at privacy@usask.ca.

A student’s USask registration is considered protected personal information. Personal information includes any information about an identifiable individual, including information relating to the education of an individual.

If you receive a request to disclose a student’s registration status, please contact the Privacy Officer at privacy@usask.ca for assistance.

Grades may be posted anonymously, such as by student number, provided that the student number and other identifying information such as the student’s name has not previously been disclosed (so that the information could be combined to reveal the grades of an identifiable individual).

Leaving exams/assignments outside of faculty offices is not recommended. Grades and personally identifying information can easily be gleaned by other students, there is a risk that the work could be stolen, possibly resulting in copyright and academic appeals issues.

The preferred method for facilitating requests for alumni contact information is to provide the requestor’s contact information to the intended recipient, allowing them to initiate contact if desired.

External services providers could include: eg. mailing houses and research companies.

The university is permitted to disclose personal information to service providers and for research purposes under certain conditions. The privacy officer can review the request and advise. Considerations include whether the use of personal information is necessary or whether de-identified information could be used. If disclosed the information should be limited to the least amount necessary, and the contract with the service provider should contain explicit protections of the personal information. If the contract is insufficient in this regard, the information may be disclosed under a non-disclosure agreement.

If the university will be disclosing personal information of students, faculty, staff or others to the service provider, or requiring students, faculty or staff to disclose their personal information to the service provider, our due diligence should include a review of the service provider’s security and privacy policies and procedures as well as the terms of use or contract. In addition to privacy, there may be enterprise architecture, operational, and other concerns. The Technology Assessment team assists in reviewing the acquisition of technology, including web and cloud services.

• Technology Assessment

Breaches can take many forms. Some examples include:

• an office or car being broken into and a laptop with student, patient, or human research data being stolen; 
• a staff or faculty member retiring and leaving files containing personal information in a box in the hallway for unsecure destruction;
• faxes or emails containing personal information being sent to the wrong recipient;
• a staff or faculty member inadvertendly sharing the wrong electronic file with students or colleagues which contains personal information not intended for the recipient;
• staff or faculty discussing an employee or student matter in public. 

Any person has a right to request access to university records, including records of your own personal information. If you would like access to your student records, please contact the college or unit who holds the record. With the exception of certain evaluative material, or the personal information of others, a student generally has the right to access their file, which is their own personal information. These requests can usually be handled informally. If you are unsatisfied with the response of the college or unit, please submit an access to information request to the Access and Privacy Officer at privacy@usask.ca. At times, the college or unit may be unsure of how to respond to your request and they may consult with the Access and Privacy Officer and/or ask you to submit your request to the Access and Privacy Officer to ensure it is handled correctly..

Giving permission to another person (Proxy Access)

If you would like to give permission to someone to obtain certain financial or academic information, the Proxy Access Management is a tool that allows students to grant (view-only access) to a person or organization (called a proxy). 

• Proxy Access Management Info

Any person has a right to request access to any record in the university’s possession or control, regardless of their location, identity or motive. University records in your possession may be subject to an access to information request. The Access and Privacy Officer requires your assistance and cooperation in ensuring university compliance with access to information legislation.

Further, you are entitled to request access to any university record, including records of your own personal information. If you would like to request access to your personnel file or other records of your own personal information, please contact the college or unit who holds the records. Generally these requests can be handled informally.

When considering whether to use or disclose personal information of students, employees, or others, please start by considering whether it is protected personal information. If it is, and we don’t have express consent, ask yourself - what were the purposes for its original collection, what was the individual informed of in regards to our use and disclosure of the information, and is this new or intended use or disclosure is consistent with the original purpose.

Please see the Data Governance Framework. Data stewards and data managers for your area may be able to assist. If it involves personal information, the Privacy Officer can review the request and advise whether it is an appropriate use of the information, having regard to the purposes for initially collecting the information and the consent(s) (if any) given by the individual to whom the information relates, along with other factors that may be relevant.

Under the freedom of information legislation, any person has a right to access any record in the possession or under the control of the university, subject to limited exemptions. Generally, requests by external parties should be made formally through the Access and Privacy Office. Certain procedures must be followed, including legislated time lines, and the Access and Privacy Officer will coordinate the response to ensure compliance. If you are unsure how to respond to the request, please contact the Access and Privacy Officer, or have the requestor submit a formal application.

Like the university, the federal and other provincial governments are subject to access to information legislation. If they receive a request, and the responsive records includes university information, the federal government may be required to provide formal ‘third party notice’ – they are giving the university the opportunity to respond with why the information should not be disclosed. In some cases, these requests capture proprietary or technical information or other financial information which the university may not want disclosed. If you receive third party notice, the Access and Privacy Officer can help you review the documents and exemptions and make a response to the government.

Canada's Anti-Spam Legislation (CASL) places limits on commercial electronic messages. Please find more information about scope and compliance in the Marketing and Communications channel.

The university has a preferred provider for confidential shredding services.

 Make information security a priority.

Faculty, staff and students can find information and training resources to protect personal information and the information of all members of our community including using the internet safely, setting strong passwords, avoiding phishing attempts, using anti-virus software, protecting mobile devices, working remotely and dealing with ransomware. 

• Information Security

Thinking of acquiring new software, hardware, or outsourcing to a cloud service provider? Our Technology Assessment team of experts in privacy, information security, enterprise architecture, risk, legal and procurement can help you in defining needs and conducting due diligence and will help ensure the university is protected by ensuring compliance and mitigating risk.

• Technology Assessment

USask offers a self-drected USask Data Governance course, which includes access and privacy training.

The Access and Privacy Officer is happy to meet with you or your unit to discuss present access and privacy training and any issues or questions specific to your unit. Please contact privacy@usask.ca to arrange a meeting.

The Access and Privacy Branch of the Ministry of Justice provides training and resources to government bodies and local authorities. Please see their Access and Privacy Course for Saskatchewan Local Authorities.

The Office of the Information and Privacy Commissioner of Saskatchewan also offers webinars and other resources.

• Working Remotely