Privacy FAQ

Privacy

Q. Can I decline the UTmail+ service?

A. Yes.  However we strongly recommend you do not choose to decline the service. The University of Toronto has negotiated expanded privacy and security protections for students using UTmail+ than are available by signing up directly with consumer services such as Gmail, Hotmail, and Yahoo. You will not receive these expanded protections if you decline.

By declining service you acknowledge that:

1.     There are known problems that will occasionally prevent important messages from reaching youunder the University’s “Policy on Official Correspondence with Students” you are still responsible if an important message fails to reach you.

2.     You will not have access to UTmail+ functionality—this may limit your ability to collaborate with other University members.

3.   Declining the UTmail+ service is not the best way to forward your e-mail. If you require a forward service, please create your UTmail+ account and forward your e-mail using built in UTmail+ forward functionality.  Althought forwarding may still result in messages not being delivered, for which are you still responsible, you will have access to the full suite of UTmail+ services.

Q. Will a Privacy Impact Assessment (PIA) on the potential risks of using outsourced email be done?

A. Yes, U of T has elected to complete a full Privacy Impact Statement (PIA) and has made it available for reference to the public under the reports section.

Q. Would the PIA be limited to only email and calendaring, or would it include other outsourced e-communication applications?

A. The PIA considers all information and data flows and therefore includes use of outsource service applications.

Q. The PIA looks at the flow of data happening now, but would it be sustainable over 20 to 30 years?

A. The University will enter into a time constrained contract, estimated 4 years. After four years, both parties can review the partnership. Any major change in information flows triggers revisiting the PIA and conducting any additional assessments, revisions, and updates, as needed in ensuring information privacy and security is upheld.

Q. Does the US Patriot Act allow the US government to access my personal information?*

A. Yes. The Patriot Act allows for the US Government to access personal information that is held or accessible by anyone within the United States or any US citizen by two different methods. The first tool which the US Government possesses is found in Section 215 of the Patriot Act. Under this section the relevant Government agency must apply to a court for an order allowing them to access the personal information in question. The information which can be collected pursuant to this court order is very broad. The second tool which the US Government has is found in Section 505 of the Patriot Act. It is under this section that the Government can issue National Security Letters whereby they can request that personal information be disclosed to them. The information can be accessed where it meets the following criteria: that the information sought is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities. No court order is necessary for a National Security Letter to be issued; however, the type of information that is retrievable is more limited than through that available in a Section 215 (see above) order.

Q. How does the US Government’s ability to access my personal information differ from the Canadian Government’s ability to do so?

A. In Canada, like in the United States, the Government has wide abilities to view personal information that is held in email accounts. The Canadian Government’s ability to do this is found in various pieces of Canadian legislation including the Criminal Code, the Canadian Security Intelligence Service Act, the National Defence Act, and others.

The key difference between Canada and the United States is that, in general, the Canadian legislation requires that all warrants for the seizure of personal information must be issued by a judge. However, it still remains that the application to the court for this order/warrant will be made without the knowledge of either the holder of the information or the person who is the subject of the information.

There have been a number of recent bills introduced in the Canadian House of Commons which would increase the scope of information that is available to the Canadian Government and also decrease the number of restraints preventing the Government from accessing that information.

Should you wish to see further information regarding the Canadian system for intelligence gathering you can visit the website for The Office of the Privacy Commissioner of Canada and review a Position Statement produced by that office.

Q. Does the US Government have access to intelligence and personal information that has been collected by the Canadian Government?

A. Yes, the US and Canadian governments readily share intelligence of this nature pursuant to bilateral agreements which have been entered into and pursuant to existing legislation which permits the sharing of information.

Q. If I use outsourced e-mail will my personal information be more readily available to the US Government?

A. The information may be physically located in the United States, which would allow the US Government to obtain direct access to that information. Where the information is located in Canada, the US Government would have to approach the Canadian Government to obtain that same information.

Also, information which is held in an email account has no guaranteed privacy. Any email exists not only in the account it has been sent to, but also in the account it was sent from, in any accounts to which it was forwarded, and likely on many servers which are situated in the United States. If an email user wanted to ensure that their account was not subject to US Government surveillance they would also need to ensure that those with whom they are corresponding have also ensured that their own accounts have no US exposure.

Q. Is the outsourcing company able to provide assurances to the University of Toronto and all of the potential users that they will not release personal information to the US Government?

A. The outsourced companies have provided the University with assurances that it will not release any personal information unless it is required to do so by law. They have also assured the University that where possible they will notify the University of any requests/demands for personal information. Requests/demands for personal information will often include a requirement that the holder of the information not advise any other party, other than their own legal counsel, that such a request/demand has been made. The effect of this is that the University would have no notice of its information being accessed by the US Government.

Q. Will the use of outsourced email increase the probability that my name will be added to a no fly list?

A. It is not clear how the so-called no fly list is composed and therefore the University is unable to provide any comment on how or why anyone person is added to this list.

Q. Does the University’s change to outsourced email infringe on my privacy rights?

A. No. The Office of the Privacy Commissioner of Canada has reviewed similar scenarios where email is provided to an organization by a US based companies and has determined that there is not an automatic infringement of privacy rights. The Commissioner’s findings provide a useful overview of the privacy implications where email is provided by a US based company and the University encourages any interested person to review those findings.

One thought on “Privacy FAQ

Comments are closed.