Why do privacy and information security matter?
Information sharing is so common today that it is easy to become complacent about the importance of maintaining strong privacy and information security. Yet, everyone has the right to expect their personal information to remain safe and secure.
In 2015 it was determined that “the risk of a major privacy or information security breach” was one of the top five risks on the UBC major risk register, and it was not moving down. It was clear that there was a general lack of understanding within the UBC community of why and how personal information needed to be secured.
Higher education institutions are often the target of data breaches, which not only affect the individuals whose personal information is compromised, but also the organization experiencing the breach. At UBC, we handle a substantial amount of personal information relating to students, faculty, staff, alumni, and donors. Protecting this information is everyone’s responsibility.
People, process & technology
To address this need, and as a result of significant advocacy from Safety and Risk Services, Office of the University Counsel, the Chief Information Security Office and UBC IT, the Privacy and Information Security Management (PrISM) program was formed. Using the branding “Privacy Matters @ UBC”, the program has introduced governance, resourcing and a mandate to reduce the assessed risk. This includes campaigns related to technology, maintenance, data mapping and risk management, training, awareness, and communications.
Privacy Matters @ UBC has introduced refined incident response, new Privacy Impact Assessments, mandated new cybersecurity controls, and secured the selection and implementation process for applications.
Introducing and enforcing proper privacy and information security practices are not about injecting fear, uncertainty or doubt into people in order to elicit forced action. Instead, it is about helping change the mindset and behavior of the user community, while they continue to complete their required operational tasks.
Website and online training
Communication efforts have helped to build a framework to support all of the guidance, advice, and information being delivered to the UBC community.
With the publication of the Privacy Matters @ UBC website, users now have a single repository of resources and documentation regarding privacy and information security. The information used to be available on a number of disparate websites across multiple portfolios, making it difficult to maintain consistency. Pages on the site provide detailed information about security and privacy services, tools and applications currently available to the UBC community as well details regarding soon to be introduced technologies and processes.
By far the most critical element available from the Privacy Matters @ UBC website from an awareness perspective is the mandatory online Privacy & Information Security – Fundamentals training that launched in 2017. This training is divided into two parts, each containing five modules with videos, a synopsis of key points, and a short quiz to embed the lessons learned.
Topics covered in the modules include:
- Privacy & Personal Information
- Storage & Encryption of Information
- Working Remotely
- Transmission & Sharing of Information
- Disclosure of Information
- Freedom of Information Requests
- Managing Records & Information
- Managing Accounts & Passwords
- General Privacy & Information Security Tips
With the support of campus communicators, Human Resources, UBC Cybersecurity, Safety and Risk Services, UBC Studios, Engagement Services and departmental IT Support, we have provided all faculty and staff at UBC with the knowledge and tools necessary to empower their efforts to contribute to the protection of personal information at UBC.
The training modules have been included in the onboarding process for all new faculty and staff hires. Faculties and Departments are able to monitor training completion statistics directly from the Privacy Matters @ UBC website.
PrISM are working on a new mandatory training module for IT professionals, as well as an ongoing re-certification program for all faculty and staff.
The Privacy Matters @ UBC initiative is one example of how UBC is working to transform university-level systems and processes to facilitate collaboration, innovation and agility (Strategy 5: Systems Renewal).