Academic Toolbox Privacy FAQ

The Academic Toolbox & Privacy
Last update: August 20, 2020

Protecting privacy in our Academic Toolbox is a top priority at the University of Toronto. The following questions and answers explain U of T privacy practices specifically with regard to the applications that make up our Academic Toolbox, including Quercus.

What is the Academic Toolbox and what is Quercus?

The Academic Toolbox refers to the suite of enterprise applications used for teaching and learning at the University of Toronto. At the heart of the Academic Toolbox is Quercus, our learning management engine based on software called Canvas from a company called Instructure. Since 2017, it has been the primary system used by U of T to administer, document and deliver educational courses.

What information is stored in the applications that make up the Academic Toolbox?

The following types of personal information may be automatically collected and stored in various applications with the Academic Toolbox, including:

  • your internet protocol address;
  • device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL;
  • on-page click events including, but not limited to login events, viewing content pages, launching tools, uploading files, posting to forums and discussions, authoring calendar items, submitting quizzes; and
  • user assigned or calculated records including, but not limited to, grading rubric scores, grade scores, badge and outcome achievement awards
  • recorded lectures, seminars, and other sessions, which generally include the instructor’s image and voice, and instructional content and materials, and may include the name, image and/or voice or students who participate, as required by the course or program

Personal information is also transferred from U of T’s Student Information System (ROSI) to the Academic Toolbox, including (as applicable) your name, student number, email address, and enrollment information.

How does the law protect students’ personal information?

U of T is subject to the Freedom of Information and Protection of Privacy Act (FIPPA), which is the privacy law that governs most broader public sector entities in Ontario. This law protects personal information (recorded information about an identifiable individual). It only allows U of T to collect and use personal information necessary for its programs or activities, and it requires U of T to keep this information secure and confidential.

Does FIPPA require U of T to ask for students’ consent to collect their personal information?

No. Unlike private sector privacy laws, FIPPA does not require U of T to ask for consent before collecting or using personal information; it allows us to collect any personal information that relates directly to and is necessary for one of our programs or activities. While we do not have to ask for students’ consent to collect this information, we do have to notify them about the collection. The collection notice for U of T systems accompanies a student’s acceptance into a program, but additional notice may be required for unusual, novel, or unexpected purposes involving the student’s personal information.

How is the information in The Academic Toolbox used by U of T?

Under FIPPA, personal information can be used for the purpose it was collected or for a consistent purpose. That means that students’ personal information in the Academic Toolbox is used for delivery of courses they are enrolled in. Personal information may also be used during the process of providing course support and for tools that support the quality of teaching and learning (such as dashboards for monitoring progress or tools that provide student feedback). The information may also be combined with other students’ information to be analyzed for statistical purposes, generally this is done only after anonymizing it (stripping out identifiers to ensure that it can no longer be connected to a specific individual).

Decisions about pedagogical use of recorded videos posted on various services within the Academic Toolbox (Quercus, MyMedia, Stream) are at the discretion of individual instructors, and will vary among courses. These materials are protected in the same way as other information in the Academic Toolbox. Course materials prepared by the instructor are considered by the University to be an instructor’s intellectual property and cannot be shared outside of class in any way, without the explicit permission of the instructor. Additional details about the use of recordings in your course can be found in your course syllabi, and students should ask their instructor if they have any questions or concerns.

Inside U of T, who gets access to the information in The Academic Toolbox?

Under FIPPA, U of T can only make identifiable information available to faculty or staff on a need-to-know basis. U of T enforces this legal principle by restricting U of T employees’ access to information within the Academic Toolbox using role-based access controls. Students do not have authority to view information about other students, with the exception of the names of the students enrolled in their courses, or relevant course content (for example, in discussion boards or group assignments). These exceptions are long-standing practical supports for pedagogy.

Is any of the information in The Academic Toolbox shared with third parties outside U of T?

FIPPA generally does not allow us to share any personal information with third parties outside U of T without the consent of the individuals the information is about. An important exception, however, is the ability for public bodies to share personal information with “service providers”, i.e., companies or consultants that the University hires to perform services for it. Employees working for service providers sometimes require access to the systems they support for installation, trouble-shooting and data-recovery purposes. Service providers are permitted temporary access to information for these limited purposes, but they are forbidden from retaining any personal information or using it for any other purpose. In the case of the Academic Toolbox, information is accessible for the above purposes by service providers who support Quercus and other software tools that are integrated within the Academic Toolbox.

How do you know that service providers won’t misuse students’ information?

Through contracts, service providers are subject to restrictions on use and disclosure of personal information. Through these contracts, U of T ensures that all service providers notify us if there are any security breaches. The University remains legally responsible for the privacy of the personal information that it makes available to service providers, and relies on enforceable contractual assurances and conditions to ensure compliance by those service providers.

Is any of the information in the Academic Toolbox stored outside Canada?

There is no legal requirement that information be stored in Canada, however, U of T does include this provision in most contracts for applications within the Academic Toolbox where possible. The information in Quercus is stored and backed up in secure data centres run by Amazon Web Services (AWS) in Quebec.

Why isn’t the information in the Academic Toolbox stored in a U of T data centre?

Modern software, including most learning management systems, is moving to a Software as a Service (SaaS) model, under which software is hosted in central servers in the “cloud”. These systems are just as secure as locally hosted systems, if not more secure, and provisioned and protected under contract. The SaaS model allows for agility in scaling; during busy periods, such as exam time, additional computational resources can be automatically added to handle the load.

Can students opt out of the Academic Toolbox?

No. It is important for all students to use the Academic Toolbox to ensure that U of T can deliver its courses and programs effectively.

Has U of T reviewed the privacy and security of the applications in Academic Toolbox?

Yes. U of T performs an information risk assessment on all systems that collect or use personal information in the Academic Toolbox. These assessments determined that Quercus and other applications in the Academic Toolbox is secure and privacy-compliant.