Privacy and Security
Best practices for instructors using Brightspace
To ensure student information is kept safe, secure, and private, we recommend adhering to the following best practices:
- The Content section in your Brightspace course shell is where students can access your course files and materials. Do not upload content, or create files that contain the personal information of students. This includes anything with student grades, past or current student work, or threads from discussion topics (as these contains the names of students). If you are including past or current examples of student work, be sure to get permission from the student before posting it, and remove the students' names.
- If you copied a course shell from a previous term, check the Content section at the start of term to make sure no content containing sensitive information is present before you make your course shell is available to students.
Brightspace by D2L is Toronto Metropolitan University’s new Learning Management System (LMS), replacing our previous system, Blackboard. The intended use of the LMS is to facilitate an online space to carry out course activities to enhance learning. Instructors have the option to use the LMS for their courses for the purpose of posting the course syllabus, uploading and creating course materials, assignments, quizzes, emailing news to their class list, and also to post and release interim student grades. Some courses also utilize discussion boards for class or group discussions. Each course shell is accessible by the instructors who are teaching the course, the TA and graders (if the course has any), as well as all students enrolled in the course.
D2L has servers located in Toronto and Waterloo, ON. All data is stored within Canada and not subject to foreign jurisdictions.
You will continue to be responsible for how you use and share confidential information (including personal information) in accordance with university policies.
Toronto Metropolitan University has undertaken to review the privacy and security risks associated with moving to Brightspace by D2L using the international standard of Privacy by Design. The university will continue to monitor and assess privacy and security risks.
Toronto Metropolitan University will continue to authenticate your user name and your password. The university application passwords (for example, the password you use to log into my.torontomu.ca) will not be sent to or stored by D2L.
Yes. We have a website that provides information on tips for securing your computer, your data and protecting your identity. The number one tip to protecting your identity is choosing good passwords and protecting them. Visit the IT Security page here.
Since Brightspace by D2L is a web based application, it can be accessed from home, from mobile devices and on computer labs at Toronto Metropolitan University. The convenience of being able to access D2L anywhere you have an internet connection introduces risk in exposing your data.
Here’s what you can do to ensure you keep your D2L data private:
- Select a good and strong password for your university Applications. Read some tips for selecting a strong password.
- Be sure to always lock your computer screen and logout of all web pages and applications when you are not using them. Never leave your computer with open and logged in applications, especially when using a public computer. Read additional tips and instructions about locking your computer.
- Protect mobile devices by enabling a passcode. Learn about securing mobile devices.
- Set-up and use a 2 factor authentication for your university Applications.
If you are an instructor or if you have permissions to edit settings and you are unsure about privacy or security risk of changing a setting within D2L, contact email@example.com or check out our Getting Help page for where to get more information.
Toronto Metropolitan University’s Computing and Communications Services (CCS) Department provides many good resources on security, support and offers training to the university community. The IT Security pages will help you keep your computer and your data secure. Check our Top 10 Computer Security Tips and browse through Security Documents.
The two-factor authentication is like having to enter 2 passwords when you login. It provides an additional level of security when signing in to university web applications via the university’s Central Authentication Service. When you enter your username and password for a system, you will get another prompt to enter a time sensitive pass code if the two-factor authentication is enabled. The pass code is generated by an application on your mobile device (Google Authenticator)
Learn how to set up 2 factor authentication for your university applications.
For a list of user roles and what their purpose is in the D2L Brightspace system, visit the user roles page.
In addition to the user roles, there is also a D2L System Administrator role: System Administrators are Toronto Metropolitan University Employees in the Computing and Communications Services Department (CCS). System Administrators have access to all information, and all courses for the sole purpose of administering the system and to support all users.
Students' information can be accessed solely by the instructor(s), graders and teaching assistants (if the course has any) of the course the student is enrolled in.
Information that the instructor, graders or TA can access about students in the course includes:
- First and last name
- mytorontomu username
- Toronto Metropolitan University email address
- Student number
- Course enrollment information for the course (example: section number)
- Grades, performance, evaluation and everything else related to assessments in the course
- Student work, such as assignment submissions, quiz responses and discussion forum contributions
- In the User Progress tool, instructors have the ability to review the course statistics, individual student and/or overall class progress in the course. They can see what course content/materials have been accessed and how long was spent on each item. This data helps the instructor revise the teaching plans accordingly.
Information that that students can access about other students in the course:
- Students will not be able to see the class roster (Classlist tool).
- Students will not be able to see other students’ information, unless the instructor creates groups or uses discussion or chat tools in the course. In this case, your classmates can see your first and last name in the below scenarios:
- On any posts to discussion boards
- If you are assigned to a group
- If the instructor has allowed students to email other student’s (email address will not be displayed UNLESS you chose to reply to a message, in which case the sender will see your email address)
By default, student information is not displayed to other students in the course. There are tools and situations where student names will be displayed. If you are planning on using the following tools, note that students’ names will be visible to other students:
- Groups tool in D2L for group work
- Groups tool in D2L set up to allow students to email other students
- Discussion forums (when student’s post)
An instructor needs to obtain class agreement prior to sharing student names with the class in the course. It is recommended that instructors include a note in their Course Outline outlining any possibility of student information, primarily their names, being shared with other students in the course.
CCS/DMP will assist the instructor needing to provide an alternate for students who do not wish to have their names displayed.
What if I think sensitive information on D2L has been exposed (e.g. stolen device, passwords, exposing student information, grades, etc.)?
Under what circumstances and to whom should I report an issue if I think sensitive information on D2L has been exposed (e.g. stolen device, passwords, exposing student information, grades, etc.)?
A security incident is a violation or imminent threat of violation of security policies and practices resulting in the compromise of system(s) or data.
When using a system like D2L, an incident could result from the unintended exposure of student information such as grades, names and email address. This could be from the following few examples:
- Changing D2L settings that allowed unauthorized users to access and see information not intended for them
- Sharing confidential information, or sending information to the wrong recipient.
- Failing to protect data or applications with strong passwords and ensuring to log out as to not compromise access to sensitive data in D2L.
- Stolen devices without passwords
Depending on how significant the incident, it could become a security breach.
If you would like to inquire about, or report an incident where personal or confidential information has been exposed or is at risk in D2L, you can review the information protection policy, opens in new window and contact the Office of the General Counsel and Board Secretariat at firstname.lastname@example.org.
Upon investigation, the Privacy Officer and/or ISSO will make the determination whether a reported concern is indeed an incident or a breach.
Personal and highly sensitive information should not be stored in D2L such as:
- Instructors should never ask students to submit their medically related information via D2L
- Never store financial information in D2L that could put your information at risk of being exposed.
- Research data uploaded or stored, should be de-identified. This means if the research data includes any personal or identifying information or results, this information should be removed before storing it on D2L.
How long are courses stored on D2L? What are the responsibilities of the university and the Instructor?
Courses remain on D2L for 2 years after they end. Courses 2 years and older will be removed from D2L’s Brightspace. Toronto Metropolitan University’s CCS department will initiate the removal of courses which are 2 years and older. The course removal will be done once every term and an email will be sent to notify instructors roughly 2 weeks prior to the course removal date.
It is CCS/the university’s responsibility to adhere to record retention policies and ensure deletion of data is carried out and executed according to agreements between Toronto Metropolitan University and D2L.
It is the instructor’s responsibility to ensure they have saved all proper records prior to the deletion of a course from D2L to ensure compliance with Senate’s Course Management Policies. Instructors are responsible for downloading student’s grades from D2L, downloading submitted assignments for any “incomplete” students and, optionally, saving discussion board postings if you want to keep them for your records.