Privacy Compliance Breach: Recreation Management System

Last updated May 28, 2018

This page contains frequently asked questions regarding the privacy compliance breach of the recreation program management and registration system called Fusion.

What happened?

SFU recently implemented a new recreation program management and registration system called Fusion. On January 8, 2018, due to a clerical error at the company that provides Fusion, our data was accidentally stored in the United States of America (U.S.) rather than Canada. Storing personal information outside of Canada is a violation of the Freedom of Information and Protection of Privacy Act section 30.1. The company that provides Fusion identified the error on April 16, 2018 and notified us the following day. Removal of our data from the United States of America was completed on April 24, 2018.

This privacy compliance breach is solely about storage outside of Canada; at no time was there any unauthorized access to Fusion.

What personal information was included?

Fusion contains the personal information of 38,000 students and employees eligible to use our athletic and recreation facilities, and 6,000 other people who have been registered for programs with SFU Athletics and Recreation.  

For students and employees, the information included is:

  • affiliation (APSA, academic, CUPE, employee, exchange student, FIC student, management, other staff, Poly Party, student, or TSSU)
  • birth date
  • email address
  • employee eligibility for a free membership
  • fees paid
  • full name
  • gender
  • home address
  • how many credits a student takes on each campus
  • library barcode
  • recreation eligibility by campus
  • recreation program registration
  • recreation waiver completion and date
  • SFU Computing ID
  • student/employee ID number
  • telephone numbers

For people registered for programs with SFU Athletics and Recreation, the personal information includes the above information as well as:

  • Personal Health Number or travel insurance number, and
  • allergies and medications.

Was my personal information disclosed?

This privacy compliance breach is solely about storage outside of Canada; at no time was there any unauthorized access to Fusion.

The potential concern associated with this type of privacy compliance breach is that the U.S. government can lawfully request access to information stored in the United States of America.

What can I do to protect myself?

In general, to protect your identity and personal information you should review where your personal information is stored and manage the risk as appropriate for your risk tolerance.

How exactly do I review where my personal information is stored?

There is no comprehensive, simple solution, as our personal information is stored on many systems across the Internet.  One place to start is with third-party web services where you have accounts.  For each you can explore the settings and preferences to protect privacy, and check that each web service has only the minimum required personal information.

What is SFU doing about the privacy compliance breach?

We have already worked closely with the company that provides Fusion to ensure that our data has been moved to Canada and that all data stored in the U.S. has been permanently deleted.

We are also:

  1. Notifying affected individuals about the privacy compliance breach;
  2. Assisting individuals upon request and as needed to mitigate any harm;
  3. Investigating the cause(s) and extent of the privacy compliance breach and taking further action as appropriate;
  4. Evaluating the risks associated with the privacy compliance breach and responding to them as we receive more information;
  5. Reviewing and changing as appropriate physical, procedural, and technical security measures; and
  6. Reviewing and changing as appropriate internal operating policies and procedures.

Who can I contact to file a complaint about this?

You may consult the website for the Office of the Information and Privacy Commissioner for British Columbia at https://www.oipc.bc.ca for general information about protection of personal privacy.  You have the right to complain to the Commissioner by writing to:

Information and Privacy Commissioner
PO Box 9038, Stn. Prov. Govt.
Victoria, British Columbia V8W 9A4
Telephone: 250-387-5629
Email: info@oipc.bc.ca

If you submit a complaint, please provide the Commissioner’s office with:

  1. Your name, address, and telephone number;
  2. A copy of this letter; and
  3. The reasons or grounds upon which you are complaining.

When was the information stored in the United States of America?

The information was stored in the United States of America between January 8, 2018 and April 24, 2018.

How many people were affected?

Fusion contains the personal information of 38,000 students and employees eligible to use our athletic and recreation facilities, and 6,000 other people who have been registered for programs with SFU Athletics and Recreation.  

How do I know if my personal information was affected?

People whose information was included received a notification on May 25, 2018.  If you received the notification and have any further questions, please contact us using the Get Help button at the top of this page.

Why was my personal information included in Fusion?

Your personal information may have been included in Fusion because you were a student or employee eligible to use our athletic and recreation facilities, or because you were registered for programs with SFU Athletics and Recreation.

Has the University contacted law enforcement about this incident?

Law enforcement has not been contacted about this privacy compliance breach because it is solely about storage outside of Canada; at no time was there any unauthorized access to Fusion.

What is the legal recourse for an individual whose personal information may have been included in the privacy compliance breach?

The University does not provide legal advice to individuals outside of the scope of their duties as employees or agents of the University.

Is this connected to the recent spam problems?

To our knowledge, this is not in any way connected to the number of spam messages in your SFU email.

The battle between anti-spam vendors and spammers is like an arms race; each side is continually striving to gain an advantage over the other.  For example, one spam campaign we experienced flooded our inboxes for a day or two and then seemingly disappeared.  Behind the scenes our anti-spam technology caught up to the spammers and is now blocking their attack.

Here's our list of the top four tips on how you can help reduce spam:

  1. Do not reply, click on links, or open attachments in any spam or suspicious messages.
  2. Keep your computer and mobile devices up-to-date with security patches.
  3. Limit who has permission to send to any mail lists you own.  For more information, see https://www.sfu.ca/itservices/sfu_email/user-guide/edit-maillists/sender-restrictions.html.
  4. Report phishing scams targeting SFU.  For more information on phishing, see https://www.sfu.ca/newemail/using-sfu-mail/mail/phishing-scams.html.