Privacy and Security

Best practices for instructors using Brightspace

To ensure student information is kept safe, secure, and private, we recommend adhering to the following best practices: 

  • The Content section in your Brightspace course shell is where students can access your course files and materials. Do not upload content or create files that contain the personal information of students. This includes anything with student grades, past or current student work, or threads from discussion topics (as these contain the names of students). If you are including past or current examples of student work, be sure to get permission from the student before posting it, and remove the students' names.
  • If you copied a course shell from a previous term, check the Content section at the start of term to make sure no content containing sensitive information is present before you make your course shell available to students.


Our responsibilities

Your username and password can only be used by you to access TMU resources, such as your email, D2L Brightspace, etc. You are not permitted to share your login information with any other person. 

TMU support staff may ask for your username or email address, for the purpose of identifying you to provide assistance, but will never ask for your password.

Related policies:

Only individuals who have been hired through HR in a role at TMU that involves having access to private student information (name, email address, enrollments, grades, etc.) may have access to that information. For example, in most cases, only the instructor and TA (if applicable), as well as a small number of support staff (i.e., in the Registrar’s Office or CCS) will have limited access to personal information for students enrolled in a particular course section.

All TMU community members are obligated to be aware of and follow university policies to protect restricted and private information.

If you are unsure, you are encouraged to review the university’s detailed policies, which are available on the TMU website.

Related policies:

Access to learning technologies at the university is dependent on the official role a person has at the university.    

CCS has licensed a number of learning technologies for certain uses, and these licenses may limit who is permitted to access these resources. Typically, we are not at liberty to provide access to people outside of the university.

Related policies:

Senate Policy 157 requires email communication between students and instructors/TA/GA to use a valid TMU email address.

As our support team has a responsibility to protect restricted and private information, such as that related to your students, and the courses you are teaching, please use your TMU email address when communicating with our team. This enables us to confirm your identity, which helps keep our community safe.

Please avoid including private information (such as student numbers, grades, your exam content, etc.) in your email communications. Please see the section below named “Avoid sending private information via email” for more information.

Related information:

Brightspace Data Storage

Brightspace by D2L is Toronto Metropolitan University’s new Learning Management System (LMS), replacing our previous system, Blackboard.  The intended use of the LMS is to facilitate an online space to carry out course activities to enhance learning. Instructors have the option to use the LMS for their courses for the purpose of posting the course syllabus, uploading and creating course materials, assignments, quizzes, emailing news to their class list, and also to post and release interim student grades.  Some courses also utilize discussion boards for class or group discussions.  Each course shell is accessible by the instructors who are teaching the course, the TA and graders (if the course has any), as well as all students enrolled in the course.

All data is stored within Canada and not subject to foreign jurisdictions.

If you are accessing a third-party tool through a link in Brightspace, the storage of that data may reside elsewhere.

You will continue to be responsible for how you use and share confidential information (including personal information) in accordance with university policies.

Toronto Metropolitan University has undertaken to review the privacy and security risks associated with moving to Brightspace by D2L using the international standard of Privacy by Design. The university will continue to monitor and assess privacy and security risks.

Toronto Metropolitan University will continue to authenticate your user name and your password. The university application passwords (for example, the password you use to log into will not be sent to or stored by D2L.

Yes. We have a website that provides tips for securing your computer and your data and for protecting your identity. The number one tip for protecting your identity is choosing good passwords and protecting them. Visit the IT Security page here.

Keeping Your Data Secure

Since Brightspace by D2L is a web-based application, it can be accessed from home, from mobile devices and in computer labs at Toronto Metropolitan University. The convenience of being able to access D2L anywhere you have an internet connection introduces a risk of exposing your data.

Here’s what you can do to ensure you keep your D2L data private:

If you are an instructor or if you have permissions to edit settings and you are unsure about privacy or security risk of changing a setting within D2L, contact or check out our Getting Help page for where to get more information.

If you need to share private information with someone, please do not include this information in an email. Email is not considered to be secure, as it is easily intercepted. 

One easy way to securely share sensitive information is to upload it to your TMU Google Drive, then use the sharing functionality to provide access to only the person(s) who require access. When the data is no longer needed by that person, make sure you delete it from your drive.

Related information:

Toronto Metropolitan University’s Computing and Communications Services (CCS) Department provides many good resources on security and support, and offers training to the university community. The IT Security pages will help you keep your computer and your data secure. Check our Computer Security Tips and browse through Security Documents.

Two-factor authentication is like having to enter 2 passwords when you log in. It provides an additional level of security when signing in to university web applications via the university’s Central Authentication Service. When you enter your username and password for a system, you will get another prompt to enter a time-sensitive passcode if two-factor authentication is enabled. The passcode is generated by an application on your mobile device (Google Authenticator).

Learn how to set up two-factor authentication for your university applications.

For a list of user roles and what their purpose is in the D2L Brightspace system, visit the user roles page.

In addition to the user roles, there is also a D2L System Administrator role: System Administrators are Toronto Metropolitan University Employees in the Computing and Communications Services Department (CCS). System Administrators have access to all information, and all courses for the sole purpose of administering the system and to support all users.

Students' information can be accessed solely by the instructor(s), graders and teaching assistants (if the course has any) of the course the student is enrolled in.  

Information that the instructor, graders or TA can access about students in the course includes:

  • First and last name
  • mytorontomu username
  • Toronto Metropolitan University email address
  • Student number
  • Course enrollment information for the course (example: section number)
  • Grades, performance, evaluation and everything else related to assessments in the course
  • Student work, such as assignment submissions, quiz responses and discussion forum contributions
  • In the User Progress tool, instructors have the ability to review the course statistics, individual student and/or overall class progress in the course.  They can see what course content/materials have been accessed and how long was spent on each item. This data helps the instructor revise the teaching plans accordingly.

Information that students can access about other students in the course:

  • Students will not be able to see the class roster (Classlist tool).
  • Students will not be able to see other students’ information, unless the instructor creates groups or uses discussion or chat tools in the course. In this case, your classmates can see your first and last name in the below scenarios:
    • On any posts to discussion boards
    • If you are assigned to a group
    • If the instructor has allowed students to email other students (your email address will not be displayed UNLESS you choose to reply to a message, in which case the sender will see your email address)

Under what circumstances and to whom should I report an issue if I think sensitive information on D2L has been exposed (e.g. stolen device, passwords, exposing student information, grades, etc.)?

A security incident is a violation or imminent threat of violation of security policies and practices resulting in the compromise of system(s) or data.

When using a system like D2L, an incident could result from the unintended exposure of student information such as grades, names and email addresses. A few examples of how this could happen:

  • Changing D2L settings in a way that allows unauthorized users to access and see information not intended for them
  • Sharing confidential information, or sending information to the wrong recipient
  • Failing to protect data or applications with strong passwords, or failing to log out, which can compromise access to sensitive data in D2L
  • Stolen devices without passwords

Depending on how significant the incident is, it could become a security breach.

If you would like to inquire about, or report an incident where personal or confidential information has been exposed or is at risk in D2L, you can review the information protection policy and contact the Office of the General Counsel and Board Secretariat at.

Upon investigation, the Privacy Officer and/or ISSO will make the determination whether a reported concern is indeed an incident or a breach.

Personal and highly sensitive information should not be stored in D2L. For example:

  • Instructors should never ask students to submit their medically related information via D2L.
  • Never store financial information in D2L that could put your information at risk of being exposed.
  • Research data that is uploaded or stored should be de-identified. This means if the research data includes any personal or identifying information or results, this information should be removed before storing it on D2L.

Courses remain on D2L for 2 years after they end. Courses 2 years and older will be removed from D2L’s Brightspace. Toronto Metropolitan University’s CCS department will initiate the removal of courses which are 2 years and older. The course removal will be done once every term and an email will be sent to notify instructors roughly 2 weeks prior to the course removal date.

It is CCS/the university’s responsibility to adhere to record retention policies and ensure deletion of data is carried out and executed according to agreements between Toronto Metropolitan University and D2L.

It is the instructor’s responsibility to ensure they have saved all proper records prior to the deletion of a course from D2L to ensure compliance with Senate’s Course Management Policies. Instructors are responsible for downloading students’ grades from D2L, downloading submitted assignments for any “incomplete” students and, optionally, saving discussion board postings if they want to keep them for their records.