Bridging the gap between policy and process: A UTSC story

Published: May 30, 2025

Often, policies fail not due to their inherent flaws, but because of poor implementation. The University of Toronto Scarborough’s (UTSC) response to the updated guidance on protecting social insurance numbers (SINs) is a great example of how to successfully implement a policy.

In early 2024, the Information Security Council officially designated SINs as level 4 data and issued updated protection guidelines. Processes for handling SINs had shifted during the pandemic and in some cases did not fully align with the new guidelines. Responding to the situation at hand, UTSC’s Information and Instructional Technology Services (IITS) team initiated a campus-wide effort to help departments meet the new security requirements.

The first step was to build a secure platform for collecting and storing SINs. But that was not enough. Teams across the campus needed training and support to adopt the new platform and evolve their business processes. That marked the start of an organizational change effort involving multiple human resources teams, payroll departments and business officers. This was no easy endeavour, but UTSC successfully moved 48 departments to the new platform within six months.

Today, all employee onboarding processes at UTSC follow secure protocols for handling SINs, protecting not just the University but also its people.

“It is truly amazing how the UTSC community came together to make this transition happen in such a short amount of time. This reflects the power of collective action. We are secure together.”

John Stewart
Information Security Program Manager, IITS, UTSC

For more stories that highlight our cyber security maturity journey, read the 2024-2025 Information Security Annual Report.