Tip Sheet 2 - Confidential Records


Defining Confidential Records
Confidential records contain information that for one or more reasons should only be disclosed to specific people or groups.
What kinds of records could be considered confidential?
1. Information relating to the business of a third party which is:
• A trade secret or scientific, technical, commercial, financial or labour relations information, and
• Supplied in confidence, implicitly or explicitly, and
• May result:
    • in harm to a competitive or negotiating position;
    • in information no longer being supplied;
    • in undue loss or gain; or
    • in revealing information supplied to or the report of a conciliation officer, mediator, labour relations officer or other person appointed to resolve a labour relations dispute.
2. Personal Information
Personal information (information about an identifiable individual) should be treated as confidential unless:
a) it is public information, or
b) there is consent for disclosure from the individual whom the information is about.
3. Solicitor-client privilege
Information that is subject to solicitor-client privilege, or that is prepared by legal counsel for use in giving legal advice or in contemplation of or for use in litigation.
4. Other types of confidential records
Other types of records might need to be treated as confidential, depending on the content and circumstances. These include but are not limited to:
• Law enforcement information/proceedings (may include administrative tribunals, student disciplinary proceedings, etc.)
• Government relations information
• Information related to economic interests
• Institutional plans
• Tests or examinations
• Closed meetings

When could records cease to be confidential?
Some confidential information is sensitive for specified periods, but may cease to be confidential after a certain period of time or change of circumstances. Here are some examples:
• A press release would be considered confidential until the release date and time.
• Institutional plans, policies or projects would be considered confidential while in development. Once a decision has been made on them and they are disclosed broadly, they could cease to be confidential.
• Personal information is always treated as confidential unless it is about a person who has been dead for more than 30 years.

Identifying and Labelling Confidential Records
It is important to treat confidential records differently from those which are more broadly distributed. Confidential records should be labelled so that they are easily identifiable.
Tip: Ensure that records for which circulation should be limited are clearly marked CONFIDENTIAL.
Determine who should have access to a confidential record. Normally a university employee who needs the information in performance of their duties would have access. For example, a member of a committee considering someone for an honour or award would have access to the committee’s record of proceedings but circulation would be limited to committee members only and held in confidence.
• Note on the record itself or in associated notes the persons or groups who should have access to this information, e.g. Confidential – circulate to committee members only.
Tip: Use the “confidential” designation thoughtfully. Don’t mark most or all of your records as CONFIDENTIAL. Doing so will undermine the argument for treating selected records as confidential.
And, while a confidential marking does not mean that a record will not be disclosed as the result of an access request, it may help to explain if the University makes a decision not to release a record in response to a request for access to it.
Working with Confidential Records
Tip: Ensure that confidential information is not inadvertently disclosed:
• Position your computer screen so that no unauthorized persons can read it.
• Close down the program and lock your computer when you leave your desk.
• Turn off or lock your computer when leaving your desk for a long period of time.
• Place paper copies of drafts and final versions in locked file cabinets when you are not working on them.
• Shred drafts when they are no longer useful, and delete drafts from your computer.
• Ensure that confidential records on your computer are password protected. Don’t leave your laptop in an easily accessible area where it could be stolen.
• If you have handwritten confidential information in a notebook, keep the notebook in a locked cabinet when not in use.
• When travelling with confidential records, don’t leave them unattended in vehicles, hotel or meeting rooms. Don’t work with confidential records where others can see them.
• When emailing confidential records, ensure that the subject states that the records are confidential and verify that the email address(es) are accurate prior to hitting ‘send’.
• If you must use email to transfer personal, restricted or confidential information, encrypt the email. The Information and Security Office provides instructions on how to encrypt emails using MSO Outlook, which allows users to share protected email with anyone on any device. The encryption option is supported by Outlook on the web as well as by the Outlook applications on Windows and macOS.

• Communicate confidential information to individuals by using only those technologies endorsed by UIT’s Information Security Office. Review the Guidelines on How to Handle University Data in Microsoft 365.

• When faxing confidential records, include a fax transmittal page with a confidentiality statement. Verify that the number on the screen is accurate before proceeding with the transmission and confirm receipt of the documents.

Storing Confidential Records
Tip: Ensure that confidential information is protected against unauthorized access. Store confidential records in a secure location such as a locked file cabinet, locked record room or on a secure server.
Don’t store confidential records in storage space which is shared with other units.

Disposing of Confidential Records
Tip: Dispose of confidential information securely, and ensure that any personal information to be destroyed has been authorized for disposal. For additional tips see the Information and Privacy Commissioner’s website: http://www.ipc.on.ca/images/Resources/up-fact_10_e.pdf.
At York University, acceptable methods to dispose of confidential records are:
• Shred documents in an office paper shredder. Cross-cut shredders are preferred over strip shredders.
• Place documents in a locked confidential disposal bin obtained from York’s Facilities Services.
When the disposal bin is full, arrange for pick up by Facilities Services. Filled confidential bins are held in a secure area on campus until contents are shredded on site by an external service. Destruction certificates are held in Facilities.
• For electronic media such as floppy disks, CDs, USB keys, personal digital assistants (PDAs) and hard drives, destroy electronic records by overwrite software or physical destruction of disk, drive or other digital storage media. Note that overwriting may not irreversibly erase every bit of data on a drive.
This document has been developed to assist in establishing good practices and procedures. Additional questions or requests for advice on records and information management or information and privacy issues should be referred to the Information and Privacy Coordinator: info.privacy@yorku.ca.