The DUC is firmly committed to protecting the privacy of its students and therefore makes every reasonable effort to maintain the confidentiality of their personal information. Accordingly, the following safeguards are in place:
- Only authorized personnel may consult student records after signing a confidentiality agreement.
- Information contained in student records is shared only with OSAP, the National Student Loans Service Centre, partner institutions and the MTCU. No information is disclosed to a third party without the written consent of the student concerned.
- All inactive files are destroyed according to the policy on record retention.
8.2 Record Retention Policy
8.2.1 Incomplete admission records: All incomplete admission applications are rejected and accompanying documents are destroyed without notice. The Registrar may decide to retain the record for no more than two months in order to allow the candidate to provide missing information.
8.2.2 Non-activated records: Regular student records are activated only if the candidates register following approval of admission. Otherwise, the records are not activated. They are compiled and sent to the Archives Office, where they are retained for two years. After this time, they are destroyed.
8.2.3 OSAP records: At the end of each three-year cycle, (following an OSAP inspection), records are compiled and sent the Archives Office, where they are retained for 10 years. After this time, they are destroyed.
8.2.4 Graduate records: Once the diplomas have been issued, the records of graduates are compiled and sent to the Archives Office, where they are retained for 40 years. After this time, they are destroyed.
8.2.5 Records of auditors and non-programme students: The policy is the same as for graduate records. After a specified period of inactivity (determined by the Registrar), the records are sent to the Archives Office.
8.3 Privacy Violation
A violation of privacy involves the unauthorized access to personal information or the unauthorized collection, use or disclosure of such information.
If the DUC detects a violation of privacy (such as computer theft, email inadvertently sent to the wrong persons or a forcible entry), it takes the following measures immediately:
8.3.1 Limiting of the breach of data security and preliminary assessment: The DUC takes the required steps to stop the leakage or consultation of private data.
8.3.2 Assessment of risks associated with the breach of data security: The DUC then determines whether the breach poses a real risk to students.
8.3.3 Notification: If a real risk is detected, the DUC promptly contacts the individuals concerned to inform them of the incident. In serious cases, it also notifies the Ontario Privacy Commissioner. (http://www.ipc.on.ca/english/
8.3.4 Prevention: The DUC will immediately take appropriate measures to prevent a recurrence of the incident.