Instant Messaging and Personal Email Accounts: Meeting Your Access and Privacy Obligations 3
Applying this approach, emails sent from or received in personal email accounts have been
found to be under an institution’s control for FIPPA and MFIPPA purposes.
3
HOW CAN YOU MEET YOUR ACCESS AND PRIVACY
OBLIGATIONS?
The IPC strongly recommends that institutions prohibit their staff from using instant messaging
tools and personal email accounts for doing business, unless they can be set up to retain and
store records automatically.
4
However, there may be situations where an institution has a legitimate business need to use
these tools or accounts. If your institution is considering using instant messaging tools, or
permitting the use of personal email accounts, the following steps can help you plan for
compliance with the acts.
ASSESS THE RISKS AND BENEFITS
Conduct a needs analysis to determine when the use
of these tools would be appropriate or necessary, and
whether the benets outweigh the risks. This does not
need to be a formal review or audit.
In some cases, there may be a legitimate business need
to use instant messaging. For example, university staff
may determine that they need to use instant messaging
tools to communicate with students or to conduct
independent research.
If it is necessary to use instant messaging tools or
personal email accounts for business purposes, do a
thorough review of the privacy, security and access
implications.
Consult with your information technology staff, and records and information management
staff to:
• determine the types of tools that best support your institution’s communications and
records management needs
• determine if records can be automatically and securely retained on your institution’s digital
storage
3 IPC Order MO-3281 and IPC Order MO-3107-F (30 September 2014)
4 This is consistent with the recommendations made by the Information Commissioner of Canada and the Information
and Privacy Commissioner for British Columbia:
Information Commissioner of Canada, “Access to Information at Risk from Instant Messaging,” November 2013, and
Ofce of the Information and Privacy Commissioner for British Columbia, “Use of Personal Email Accounts for Public
Business,” March 2013.
If possible, all
communications should be
automatically and securely
retained on your institution’s
digital storage. Ensure that
you can search and retrieve
records so that you can meet
your access to information
and other obligations.