Maintaining Privacy while Supporting Innovation

Protecting the Privacy of Student Data: Required By BC FIPPA Law

British Columbia (BC) has one of the strictest privacy laws of personal data in all of North America - enabled to ensure BC citizens are protected when it comes to storage and access of personal identifiable information.

To abide by BC's Freedom of Information and Privacy Protection Act (FIPPA), faculty members must abide by three principles: giving notice to students they are sending/requiring them to send their data to a location outside of Canada, knowledge of why they are doing this, and if required, obtain written consent for doing so. These principles you can apply to almost any privacy situation in order to show you have done due diligence.

Written consent is the highest level of 'due diligence' when classroom work requires the use of social media, or when a faculty member or student forwards email to Gmail/Hotmail (web email services), and when a course requires the use of online textbooks or textbook activity sites. Education of students is a key element to ensuring we are abiding by privacy laws in all the work we do as educators.

It is the responsibility of individual faculty members to ensure that they are compliant with FIPPA regulations. The following information is provided to help ensure that faculty members are aware of their responsibilities.

When to think about FIPPA

Any time students’ personal, identifiable information (first name, last name, date of birth, course student is enrolled in, student grades, address, student ID) is stored on a server outside of Canada, or the parent company that owns the server is located outside of Canada, students must be provided with notice, knowledge, and consent. Personal, identifiable information includes any information that can be used to identify an individual student.


Any email that contains student’s personal, identifiable information should ONLY be accessed from Canadian-based services, such as the official VIU Outlook email account (hosted at VIU). Services such as Gmail, Hotmail, Yahoo, etc, host their services outside of Canada (on servers around the world), and should not be used to access emails that contain student information. This would be a violation of the FIPPA law.

Note: It is possible to have emails forwarded from VIULearn to faculty members’ personal email accounts. Emails from VIULearn contain students’ personal, identifiable information, and SHOULD ONLY be forwarded to official VIU email accounts, and NEVER to services like Gmail, Hotmail, Yahoo, etc. unless notice, knowledge and written consent have been obtained from the students.

Online resources

Any online learning resource, such as textbooks or any supporting materials included in textbooks (labs, quizzes, resources to access), that faculty require students to use should only be hosted in Canada. If the resource is located outside of Canada, or the parent company is located outside of Canada, faculty are responsible to ensure they give students notice of information that will be stored outside of Canada, knowledge of BC privacy laws, and captures the student consent (written or some alternative form of recording consent). In this way, students are made aware of the implications of having their data reside outside of Canada and what other companies can do with their data.

Social media in the classroom

Many students access social media outside of the classroom, and social media can be included within classroom settings. What students do with social media outside of the classroom is their business, and not the responsibility of faculty. If students are required to use social media as part of their classes (make a Prezi, post to Twitter, create a Facebook account, upload video to YouTube etc), and that social media is based outside of Canada (which almost every company is!), faculty are responsible to ensure they give students notice of information that will be stored outside of Canada, knowledge of BC privacy laws, and captures student consent (written or some alternative form of recording consent).

Alternatives to capturing student consent

  1. Research the technology and your assignment/task to ascertain if you require the collection, upload, and use of personal identifiable information (often you may not and can use the social media tool without needing such information).
  2. If you or the tool requires personal identifiable information – find out how much your students really need to supply (or are connected to through accounts) and what are the privacy risks or abilities to make more private information – then use a consent form. 
  3. If a student refuses consent – have a Plan B. Often it is only a handful or fewer students who may object so have an alternative that still fulfills a lot of the main learning objectives but doesn’t expose them to privacy risks (e.g., use learning management system at VIU etc.) 
  4. Inquire about ‘on site’ or ‘Canadian hosted’ tools that may allow you to do similar activities but not have to use US servers (e.g., VIU learning management system, Kaltura large file video storage at VIU, WordPress on VIU servers etc) 
  5. Educate students – let them know what is going on. They may have some work arounds. 
  6. Try using pseudonyms for some social media elements that won’t release personal identifiable information.