
6.1 Using Electronic References and Other Documents

The process for analysing files and making admissions decisions is ultimately a local decision in the graduate unit. SGS does set minimum admission requirements as well as standards for documentation (referring to both the documents themselves and documentation of the process). SGS will continue to provide training and share best practices as appropriate.

Having reference letters and other documents available in electronic format presents opportunities for units to re-imagine their decision-making processes. It could better facilitate communication and file sharing for graduate units or programs in which decision makers are physically separated from one another (e.g., multi-campus programs). When adequate security is employed with an electronic system, it can be more secure than the distribution of paper application files.

Graduate units will need to make decisions about the use of the electronic reference and supporting document files in their decision-making processes. The following information is provided as suggestions of best practice.

6.2 Confidentiality and Protection of Privacy

In all cases, confidentiality of applicant records must be maintained.

• Physical files should not leave University premises or be left in public or unsecured areas. Committee members who choose to print documents must be instructed to secure the copies and destroy (shred) them immediately after use.

• Electronic files may be housed on departmental file servers or secure web servers. Access to these files must be limited to faculty and staff members who need to process or assess the files. Staff and faculty must be advised to maintain good practice in safeguarding the confidentiality of the files (e.g., do not save copies to personal computers or laptops; do not view files in public places; do not leave a computer unattended while it is connected to the server).

• Electronic files stored on removable or portable media (laptop computers, disks, thumb/flash drives, CD-ROMs) must always be encrypted. Password protection is insufficient.

An important element of privacy protection is the general security of the electronic systems used:

protection. This means office computers, network systems and home computers (if faculty or staff members are working from home).

• Servers, networks and computers should be properly protected behind firewalls.

6.3 Secure Website (or Intranet)

When creating secure websites, graduate units need to pay particular attention to security in order to avoid unauthorized access. Graduate units should seek the advice of their Faculty’s IT, communications and Freedom of Information offices before setting these pages up. The SGS Information Systems Office recommends the following:

• Files should be stored on a secure server. This means that the server has no direct access from the Internet and very limited access to it from computers on the internal network (most commonly other secure servers). A robust firewall with a strict set of access rules can accomplish this setup, along with restricted user rights on the server.

In developing a secure website, certain guidelines apply:

i. Ensure web traffic to and from the site is encrypted by using the 128-bit (at least) SSL protocol.

ii. Ensure access to each page requires the user to be logged in (except for the login page, of course) and provide only one point of entry.

iii. Authenticate users using a password that is at least 8 characters long and requires mixed-case letters and numbers.

iv. Do not allow users to access confidential files directly. Provide a web page instead that permits the download based on the user's authorized rights.

v. If possible, limit traffic to the website to internal users only.

In general, a site of this nature should only be developed and implemented by an IT developer with some previous experience.
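A sketch of guidelines ii and iv above, added here as an example and not code from SGS or the University: the download is released only after a login check and a per-applicant authorization check, and the requested name is confined to that applicant's folder in a store kept outside the web root. The function name, session shape, access list and applicant ids are hypothetical, and the sample files are constructed.

```python
from pathlib import Path
import tempfile

class AccessDenied(Exception):
    """Request must be refused (the web layer maps this to 401/403/404)."""

def resolve_download(storage_root, session, acl, applicant_id, filename):
    """Return the file path to serve, or raise AccessDenied.
    session: dict for the current request, None if not logged in (assumed shape)
    acl: username -> set of applicant ids that user may assess (assumed shape)
    """
    # Guideline ii: every page except the login page needs a logged-in session.
    if not session or not session.get("user"):
        raise AccessDenied("login required")
    # Guideline iv: release a file only under the user's authorized rights.
    if applicant_id not in acl.get(session["user"], set()):
        raise AccessDenied("not authorized for this applicant")
    # Confine the request to this applicant's folder inside the private store.
    folder = (Path(storage_root) / applicant_id).resolve()
    target = (folder / filename).resolve()
    if folder not in target.parents or not target.is_file():
        raise AccessDenied("no such document")
    return target

def demo():
    """Run allowed and refused requests against a constructed store."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "store"  # stands in for a directory outside the web root
        for applicant in ("A1001", "A2002"):  # constructed applicant ids
            (store / applicant).mkdir(parents=True)
            (store / applicant / "reference1.pdf").write_bytes(b"constructed sample")
        acl = {"prof_a": {"A1001"}}
        requests = [
            ({"user": "prof_a"}, "A1001", "reference1.pdf"),           # authorized
            (None, "A1001", "reference1.pdf"),                         # not logged in
            ({"user": "prof_a"}, "A2002", "reference1.pdf"),           # other applicant
            ({"user": "prof_a"}, "A1001", "../A2002/reference1.pdf"),  # escapes folder
        ]
        results = []
        for session, applicant, name in requests:
            try:
                resolve_download(store, session, acl, applicant, name)
                results.append("served")
            except AccessDenied as exc:
                results.append(str(exc))
        return results

if __name__ == "__main__":
    print(demo())
```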

Note: If transcripts and third party documents are scanned, the originals should be retained as part of the physical file.

6.4 Server-Based Files

Many Faculties and graduate units already employ file servers and remote access protocols. In place of secure web sites, graduate units might store applicant folders of received and scanned documents on the server together with any collaborative decision files (e.g., Excel sheets; recommendation forms) for the use of authorized faculty and staff. Graduate administrators should consult their local area network administrators to ensure that appropriate access rights are given to authorized staff and faculty and that secure offsite access is available.

Staff and faculty must be reminded not to print documents, transfer or copy them to local computers or view them in public places (public transport, coffee shops, libraries etc.).

6.5 Portable Media (Disks, USB Drives, Etc.)

If graduate units are unable to create secure websites or server access, files of received and scanned documents might be provided to faculty on portable media. Particular care needs to be paid under this option. All files must be properly encrypted. Password protection is not sufficient. There are a number of encryption applications available both under licence and available as “freeware.” Graduate administrators should consult with their unit or Faculty IT office for information.

The use of portable media should only be considered as the last of all possible options given the inherent risks. The news media and the publications of government privacy commissioners are filled with stories of lost or stolen laptops and storage media containing personal information. The expected level of care is much higher than in the past. The following suggestions, while not exhaustive, should be considered:

• The same or stronger safeguards should be applied as they would for paper copies of the application files. Paper files would not normally leave the graduate unit office. If secure websites, intranets or file servers are not available then consideration should be given to having files accessible only in the unit office.

• If portable media are used, faculty and staff should sign for them and indicate their compliance with protection of privacy.

• The data should not be printed or copied to personal computers or viewed in public places.

• The data must be securely encrypted.

6.6 Paper

Graduate units may still print off application summary sheets, references and the other electronic documents for use in paper-based processes. The paper copies may be retained in the file as the file and archive copy of the document. The standard of care with respect to confidentiality and protection of privacy remains high.

Paper copies of the application must not leave the graduate unit office, and must be securely stored when not in use.

6.7 File Retention

The SGS online admissions application is currently considered to be a tool and not a repository or official file for the application. In some ways it is simply a “virtual mail-room.” ROSI, along with supporting files in the Graduate Unit, will continue to comprise the official record.

The graduate unit will be responsible for maintaining a physical version of the application and supporting documents, or for ensuring that an electronic copy is maintained. If an electronic copy is maintained, the graduate unit will take responsibility for maintaining it in a format that continues to be accessible and reliable. Whether the documents are maintained in physical or electronic form, the graduate unit must follow the standards and retention schedules established by the University of Toronto Archives and the School of Graduate Studies. The current retention requirements are as follows:

• Documents that are received in physical format may be scanned for administrative use, but the original must be retained and should be treated as the official document. Electronic documents may be printed for administrative or archival use but if printed, all content must be displayed and retained.

• Files for applicants refused admission and for applicants admitted but who fail to register are retained for one calendar year after use (effectively two years). Admitted applicants who do not formally request a deferral must re-apply if they wish to be considered in a subsequent session.

• Files for registered masters, diploma and special students must be retained for seven years after the last registration. They may be maintained in electronic format but must be maintained over the period in a readable format.

• Specific documents in the files of registered PhD students must be retained in perpetuity. Please consult the official retention schedule for specifics. Electronic documents may be maintained in electronic format but must be readable. PDF/A is the recommended format but the University of Toronto Archives advises that paper is still the best way of maintaining the archival information.

• Reference letters and forms as well as documents related to deliberations by the admissions committee and supervisors (e.g., collaborative assessment forms or spreadsheets) should be maintained as would other documents in the file.

However, these documents are considered to be confidential and excluded under policy and legislation from those a student may ask to view.