Privacy Legislation Compliance
When sending emails, you need to ensure that you are complying with all applicable privacy legislation, namely CASL, FOIPP, and HIA. The Information and Privacy Office (IPO) is responsible for ensuring the institution’s privacy compliance and is the first point of contact if you have any questions related to privacy.
Please note that although the U of A follows sound IT practices and due diligence to provide secure, private and reliable email services to its users, you must exercise caution when using email to communicate confidential or sensitive matters, especially when using third-party apps like Campaign Monitor. Avoid emailing:
- medical records;
- credit card numbers;
- social insurance numbers;
- sensitive employee records:
  - personnel files,
  - salary,
  - discipline records;
- information related to a law enforcement investigation;
- third-party business information submitted in confidence.
In general, it is acceptable to email the following through Gmail; however, caution must still be used when sending this information through third-party apps:
- date of birth (but avoid where possible);
- moderately sensitive information: grades, CCIDs, employee and student ID numbers, personal contact information;
- non-sensitive information: publicly displayed University email addresses, accounting chart of accounts, anything available on the University's website.
Visit the IST website for more information about email privacy.
FOIP (Freedom of Information and Protection of Privacy)
FOIP is the provincial legislation that protects an individual's privacy by setting out rules for the collection, use or disclosure of personal information by public bodies. There are specific rules under the Act around how contact information, including emails, can be collected, used, and shared with others.
CASL (Canadian Anti-Spam Legislation)
The Canadian Anti-Spam Legislation ("CASL") prohibits the distribution of commercial electronic messages (CEMs) without the express or implied consent of the recipient. Non-compliance with CASL could result in fines up to $10,000,000 levied against the university. This law affects how the university uses email to communicate with external audiences.
CASL does not apply to most of the emails sent by the U of A for a few reasons:
- Most emails sent are not commercial; and
- We have implied consent to send CEMs to internal audiences.
You should be mindful, however, that CASL may apply to external communications for things like third-party advertising or if you are selling a product or service to an external audience.
If you have any specific questions about CASL, please get in touch with the Office of General Counsel via gcounsel@ualberta.ca.
HIA (Health Information Act)
The Health Information Act (HIA) governs and regulates the collection, use and disclosure of health information. It protects the privacy and confidentiality of health information and enables it to be accessed and shared to provide health services and manage the health system. Under the Act, contact information such as email addresses is considered health information, so access and use of emails are strictly regulated.
It is very important that you do not:
- send patient information via email; or
- send mass emails such as newsletters to lists of patients through tools like Campaign Monitor. You do not know who has access to the lists behind the scenes or where the servers that store them are located.