Institutional Policy on the Use of 'Smart Cards'at Hart House, University of Toronto
Second Draft, March 20, 1999
III. Transaction Fairness
IV. Operating Needs
(A) About the Policy Formation ProcessThis is the second draft of Hart House's official policy on institutional 'smart card' use, begun in the summer of 1998 in response to concerns raised by students, and refined with the input of interested members of the University community. In keeping with the student-driven governance system of Hart House, this draft is directed first to the House Committee of Hart House, and then to its Board of Stewards for adoption.
(B) PreambleIn 1998 the University of Toronto instituted a new, 'smart' student card which joins together for the first time electronic identification with electronic mechanisms for processing and recording the purchase of goods and services on campus. Hart House relies upon the student card for membership verification for access to certain services and facilities, and has therefore proceeded on an institution-wide implementation of the card. The purpose of this policy is to address gaps between current University policies on privacy and confidentiality of information, and the new capabilities of the 'smart' card. Furthermore, this policy is created as an affirmation by Hart House of its continued commitment to adequately address the needs and concerns of its membership, in an environment of trust and cooperation between administration and members.
The development of this document was assisted by members of the Identity Technology Working Group at the University of Toronto, in keeping with a fundamental tenet of the mission of Hart House: that its governance be democratic and participatory through its elected committees, and that broad consultation is indispensable to this process.
In implementing institutional 'smart cards', Hart House is committed to compliance with the privacy guidelines of the Organization for Economic Cooperation & Development (OECD), the Canadian Standards Association (CSA), the Advanced Card Technology Association of Canada (ACT), the Office of the Information and Privacy Commissioner of Ontario, and the University of Toronto policy governing confidentiality of personal information.
Hart House recognizes the fundamental principle of privacy: that information not be used for purposes other than for which it was collected. These purposes are made explicit below.
Under no circumstances will the information systems at Hart House track the activities of individuals using 'smart card' transaction log files. Hart House will track demographic characteristics of its users to be used for resource planning, and for internal University reporting in the fulfillment of its accountability to its membership. The reasons and mechanisms for tracking demographic data are explained in Section C ("Operating Needs") below.
Hart House protects privacy by ensuring that the minimum data needed is collected for a transaction. Three classes of transaction with differing levels of information collection are identified:
(A) Anonymous (common purchases)The purchase of common goods at Hart House is anonymous because there is no need to demonstrate institutional membership. This includes the use of all vending machines and the purchase of sundry items at the Porters' Desk, including bus tickets, newspapers, maple syrup, ties, and so forth. Currently there are no 'smart card' point-of-sale devices at Hart House, including vending machines. In keeping with the anonymity principle, any such implementation would be undertaken only with transparent evidence that the point-of-sale hardware and software do not log any information about the cardholder or purchase, and function solely to debit the card by the correct amount.
The only exception to anonymity in the purchase of common goods is the use of College meal plan debit cards at Hart House food service locations. In such cases, the policies and practices of the meal plan card issuer will apply.
(B) Authentication required (restricted access & services)Access to certain facilities is restricted to valid members of Hart House. Valid members include all University of Toronto students who are responsible for incidental fees and eligible non-students who pay a membership fee. In these instances, the minimum required information is the authentication of a valid membership. In Athletics for example, the current practice is to collect the membership card (the 'smart card' in the case of students) in exchange for access or equipment; the card is then returned when the holder is finished. Hart House assumes liability for the safety of cards in its possession.
There are three points of 'smart card' authentication in Hart House: (i) Porters' Desk; (ii) Membership Services Office; (iii) Athletics Facilities Reception Desk.
(C) Identify and record individual Many services in Hart House, such as participation in clubs and committees, requires recording the identity of the individual. This is done for communication with the individual, and for effective stewardship and administration of its programmes, such as managing refundable deposits. This information is currently provided manually by the members themselves during a service transaction. In the forseeable future, 'smart cards' may allow for the automatic download of the individual's address and contact information from student records. This will only be done with the knowledge and consent of the individual in compliance with the privacy principles stated above.
fairness(D) Special Case: elections
Elections in Hart House will be done using the card to authenticate voters. In keeping with current and accepted voting practices, the name and constituency of all voters will be recorded. However, the voting itself continues to be done using anonymous paper ballots, preserving the secrecy of the ballot. Every effort will be made for equitable voting facilities at the Scarborough and Mississauga campuses.
III. Transaction Fairness
Hart House will maintain the following mechanisms available at all days and times it is open, to ensure that no 'smart card' holder is refused access to facilities and services based upon the possibility of computer problems or errors:
(A) "False Negatives"A 'smart card' authentication could result in a "false negative" (where membership is wrongly shown to be invalid) if there is damage to the magnetic stripe, if there are unknown bugs in the processing software, or if the file of valid student numbers is outdated or in error. In such a case, the member can go directly to the Porters' Desk or Membership Services Office where a staff member has direct access to the Student Records database (or Hart House Membership database for non-student members) for authentication, and receive a temporary pass. If the Student Records database is thought to be in error, the member must contact Student Records directly for resolution, as Hart House cannot trace or verify such errors.
(B) Forgotten or Lost CardAs in (a) above, any member who arrives at the facility without his/her card may also request a direct authentication and a temporary pass from the Porters' Desk or Membership Services Office. Some limitation on the number of times this service is performed will be set for individuals who frequently forget their card.
(C) 'System down' contingencyIn cases where the smart card readers and/or database are inoperational ('down'), Hart House will permit access by collecting cards in the usual manner, and assume that visitors are eligible members. In the event of a total loss of power, no entry into Athletics is enforced for reasons of safety; no other transactions can or will be processed until power is restored.
IV. Operating Needs
Hart House has certain explicit needs for information from individuals for efficient and effective operation of its facilities. Transactions which require authentication or additional information from individuals were discussed above. In addition however, Hart House has an explicit need for measuring the demographics of its users. Until now, no efficient, accurate, and confidential method has existed for collecting this information, which has been to the detriment of the institution. 'Smart cards' provide a solution to this problem, according to the methods and limitations described below.
(A) Purpose of demographic information collection
6614.Ensuring through measurement that Hart House is fulfilling its mandate to effectively reach and engage all of its myriad consistencies at the University. For example, if it can be seen that there is low participation from one particular college or faculty, publicity efforts can be properly directed to raise awareness in that constituency about what Hart House has to offer.
6615.Knowing the demographics of the users of its facilities will enable Hart House to better plan resources and programmes to suit demand. For example, learning that women use Athletics more heavily on weekends might prompt scheduling of its free weight-training sessions for women on those days.
6616.Reporting to the University on usage of Hart House is an important facet of its accountability to its membership. For example, Hart House is obligated to make an annual presentation to the Council on Student Services (COSS) concerning student ancillary fee levels. Being able to inform the leaders of each group of the level of usage by its constituents would allow Hart House to demonstrate, as it should, the value of the substantial compulsory student membership fee.
(B) The use of collected demographic informationHart House will only use the demographic information collected for the purposes specified above: internal planning and measurement, and accountability reporting within the University. Under no circumstances will demographic information be sold or used for purposes other than stated here.
(C) Methods of demographic information collection & ensuring privacyThe following information on individual users of restricted services and facilities will be collected:
6627.college or faculty of enrollment
6628.year of study
6629.student status (full or part time)
6630.date and time of facility use
The planned mechanism to be used for this collection is described here: tables of student numbers plus values for each of the four items above (a-d) to be collected are downloaded at suitable intervals from student records. The authentication program will match the student number on the magnetic stripe, and will record only these four items plus a time stamp: at no point in this authentication process will the student number itself be logged or attached to the demographic data collected. This method ensures that the individual's characteristics but not identity is tracked, because this is the minimum needed information to satisfy the institution's operating needs.
Hart House is committed to maintaining trust between its administration and membership through the transparency of its actions, policies, and processes. The following three steps are taken to ensure this transparency:
(A) Copies of this policy document will be publicly and openly available at all points of 'smart card' authentication.
(B) The following three methods ensure the institution's compliance to its own policy:
6638.A hard copy of the source code used in the 'smart card' authentication process will be available for public scrutiny in the Membership Services Office.
6639.Both front line and administrative staff will be adequately educated in the contents and ramifications of this policy.
6640.A complaint process is established for any member who feels unfairly treated with regard to 'smart card' usage at Hart House. Individuals can approach the Director of Membership & Athletics, who if unable to resolve the issue will refer it to either the Recreational Athletics Committee or the House Committee of Hart House, depending on the nature of the complaint. Both of these committees report directly to the Board of Stewards of Hart House, the final level to which a complaint may be escalated.
(C) Any change in practice of the institutional use of 'smart cards' at Hart House will also involve a change to this document, which will be the responsibility of the Board of Stewards as the democratically elected, representative, and highest governing body of the institution. In the same spirit of the creation of this policy document, broad membership consultation is indispensable to this process.
Policy scribe: Colin FurnessInformation Technology CoordinatorHart House, University of Toronto
End of Document