About

Keeping information safe is a community effort. Together, we can make a big difference in protecting personal information online.

About the initiative

Learn more about why privacy matters at UBC.

Privacy and information security at UBC is largely dependent on faculty and staff taking an active role in keeping data secure. UBC provides security tools such as anti-virus software, firewalls, and spam filtering. However, these tools can only do so much. We need your help.

The Privacy Matters @ UBC initiative aims to increase the awareness of privacy and information security at UBC. Higher education institutions are often the target of data breaches, which not only affect the individuals whose personal information is compromised, but also the organization experiencing the breach.

Through a comprehensive communication strategy and online training, our goal is to provide the campus community with the information needed to protect personal information and to keep UBC's data secure.

Privacy and Information Security Management (PrISM)

Privacy and Information Security Management (PrISM) at UBC is a coordinated effort between Risk Management Services, Office of the University Counsel, and UBC Information Technology.

The mandate of PrISM is to enhance the privacy and security of information in electronic and hard-copy format through a series of campaigns related to technology, maintenance, data mapping and risk management, training, awareness, and communications.

Executive Leadership Committee

Hubert Lai (Chair)

University Counsel, Office of the President

Dr. Andrew Szeri

Provost and Vice President, Academic

Andrew Simpson

Vice President, Finance

Program Leadership Committee

Paul Hancock (Chair)

Legal Counsel, Information and Privacy, Office of the University Counsel

Jennifer Burns

Chief Information Officer and Associate Vice President, Information Technology

Ron Holton

Chief Risk Officer, Risk Management Services

Jennifer Kain

Director, Personal Information Governance & Security, Risk Management Services

Don Thompson

Chief Information Security Officer

Johann Boulter

Associate Director, Internal Audit, Ex-officio

Zoe Armer

Program Manager, Cybersecurity, Information Technology

Current Projects

Learn more about the current initiatives that are a part of PrISM.

Projects

Online Privacy and Information Security Training

PrISM has developed online privacy and information security training for all faculty and staff at UBC. This 20-30-minute training session will empower you to protect personal information and other confidential UBC information and systems.

Learn more about the training.

Risk Assessment Process

RMS provides a risk management service to the University community to facilitate the identification and management of key privacy and information security risks related to the collection, use, storage, disclosure, and disposition of Personal Information (PI). In most cases, our approach is to:

  1. Perform PI data mapping, at the category or unit level, to determine what PI repositories exist (electronic and paper-based), and which ones present the highest risk.
  2. Identify opportunities to stop collecting high-risk PI, and any other PI, if it is not necessary to support the unit’s activities. Additionally, we explore ways to reduce the need to download PI from source systems and store it on mobile devices.
  3. Take a risk-based approach, and partner with units to perform PI risk assessments to determine if PI is handled in a secure manner. Currently available risk assessments include: 
    • Operational Risk Assessment (ORA) – a management tool to assess at the department / unit level key risks and levels of compliance associated with end-user requirements defined in the Information Security Standards and Privacy Fact Sheets;
    • User Risk Assessment (URA) – an end-user tool built to support management’s completion of the ORA, and provide an educational tool that any employee can use to familiarize themselves with key privacy and information security requirements; and,
    • Application Risk Assessment (ARA) – a technical tool for IT personnel to assess the level of risk and compliance associated with the technical requirements defined in the Information Security Standards.
  4. Follow up with units semi-annually to obtain a progress report and provide any additional support that may be required for them to move into compliance with the University’s key privacy and information security requirements.

Key Deliverables:

  1. A simple, practical action plan for units to reduce key risks and compliance gaps with the Privacy Fact Sheets and Information Security Standards, and a unit heat map to enable them to prioritize the actions based on the level of risk they are currently exposed to.
  2. Our work significantly informs other PrISM initiatives including: 
    • Updates to the Information Security Standards – we provide feedback to UBC IT on areas that units are struggling to comply with and the reasons why.
    • Privacy & Information Security Training and Awareness – we provide common risk areas (identified during our risk assessment activities) to ensure these are addressed in a manner that helps educate employees on their responsibilities.

Encryption

Encryption is the most effective way to keep your personal information and UBC’s data secure. Encryption is a method of making information unreadable in order to protect it from unauthorized access. When information is encrypted, a password is required to make it readable again.

UBC policy and British Columbia law require all mobile devices (including laptops) that are used to store confidential information to be encrypted. The PrISM team is working to encourage encryption of all devices used for work purposes by departments and faculties at UBC. Learn more about encryption.

Awareness and Communication

The awareness and communication project is working to increase education and awareness to change behavior and build a culture that is conscious of privacy and information security. The Privacy Matters @ UBC initiative was created to ensure that all faculty and staff are regularly exposed to communications about privacy and information security requirements. The comprehensive communications strategy is working to sustain awareness and engagement among faculty and staff at UBC.