Guideline on the storage of work-related electronic records

Revised October 2021

Laptop with magnifying glass

Electronic records created in a work context may, and very often do, contain confidential information, or personal information about one or more individuals. Due to the volume of such records created and maintained within the Temerty Faculty of Medicine, it is impracticable to clearly and consistently differentiate between such records, and other records or files which may not be so sensitive. For this reason, all work-related electronic records should be stored, secured, and accessed in compliance with FIPPA, and more specifically, in line with the General and Administrative Access and Privacy Practices of the University (posted on the Provost’s website, at http://www.provost.utoronto.ca/policy.htm.)

To support compliance with this guideline, the Temerty Faculty of Medicine provides a networked email (UTmail+) and file server expressly intended for the storage of work-related electronic records, and specifically for confidential ones. This server is well secured, is backed up on a daily basis, is located within Microsoft Cloud, and is managed by IT professionals. It therefore complies with FIPPA and with the University’s Access and Privacy Practices in every way, and is officially considered a “secure server environment.” 

With very few exceptions, work-related electronic records must be stored on and remain exclusively on the Faculty's file server, and should be accessed primarily from secure office computers, or via encrypted remote access (VPN) to such computers. Work-related electronic records should not be copied to 'shared drive' services such as DropBox or SkyDrive, as these largely US-based consumer services are not intended nor capable of providing the security, reliability, or legal protections that the University is required to provide. 

If work-related electronic records must be stored on such services for operational reasons, care must be taken to ensure that:

  1. you have the authority to do so
  2. they do not contain confidential or personal information
  3. the sharing functionality required is not offered by the Faculty's file server, and
  4. it should be on a temporary basis only.
    • Additionally, if you must take confidential electronic records out of a secure server environment, then you are required to either encrypt it or to de-identify the information; however, we strongly recommend that confidential electronic records remain in a secure server environment at all times. 

Please see Security for Personal and Other Confidential Information, taken from the Provost’s General and Administrative Access and Privacy Practices document, relating to the storage and security of electronic and hard-copy records. Please take the time to read the checklist, and to ensure that your records management practices adhere to it; you are also encouraged to visit the link provided, and to read the entire document (which was written with end-users in mind). 

For assistance with or advice on the use of the Faculty’s networked file server, secure remote access, or this guideline, please contact the MedIT Service Desk or by phone at 416-978-8504.