Encrypting computing devices
All devices containing identifiable student or employee information must be encrypted
Any laptop and other mobile electronic devices used to store any personal information (PI) must be encrypted, including devices where unencrypted email communications between yourself and students are stored. This includes laptops, tablets, and phones.
The reasons, in short:
- UBC has new information security standards (http://cio.ubc.ca/securitystandards) which affect all faculty and staff (including graduate students or UTAs who store student information on devices). One of these standards, Policy #104 (http://www.universitycounsel.ubc.ca/files/2013/06/policy104.pdf) (pdf), addresses the storage of personally identifable information such as student numbers, grades, employee information.
- UBC has identified a legal obligation to ensure that confidential information is protected from unauthorized access, use or destruction.
- Encrypting devices is the most effective way of mitigating this risk to confidential information.
- Mobile devices (ie laptops, tablets, smartphones, USB thumb drives) containing confidential information have been identified by UBC as being the highest risk for compromise, due to theft or loss, so will be our priority for encryption in the department.
There are four choices are available to department members for laptop encryption:
OPTION 1 - Backup and encryption completed by the PHAS-IT staff for Mac (https://phas.ubc.ca/encrypting-macs-mcafee-management-console) and Windows (https://phas.ubc.ca/encrypting-pcs-mcafee-management-console) PCs. This may require surrendering the laptop to the IT staff for several days.
OPTION 2 - Self encrypt your mobile device, using software built into the operating system. Here are our recommendations for Mac (https://phas.ubc.ca/encrypting-your-mac-using-filevault), Windows (https://phas.ubc.ca/encrypting-your-pc-using-bitlocker), and Linux (https://phas.ubc.ca/linux-disk-encryption) PCs.
OPTION 3 - Apply for a personal waiver from the Department Head stating the business case reasons for not encrypting your device containing personal information and a risk mitigation plan for theft or loss.
OPTION 4 - No encryption: only if the mobile device contains no personally-identifiable information. This means that it cannot store department or university email (i.e. using webmail only, used for research only), student assignments, graduate student progress assessments, or other related material.
Other Mobile Devices
Instructions are currently under development.