AP 116

Privacy Management Program

Background

The Board of Education is committed to ensuring the privacy of students, staff, parents and community members in accordance with the requirements of the Freedom of Information and Protection of Privacy Act (“FIPPA”) or (the “Act”).

The School District has a privacy management program in place in accordance with Section 36.2 of FIPPA.

The School District’s privacy management program is directed to ensuring that all members of the School District understand and follows privacy appropriate practices that comply with the requirements of FIPPA. The administrative procedure explains how the School District is meeting its privacy requirements under FIPPA and helps maintain accountability and transparency with respect to the management of personal information under its custody or control.

Definitions

“Personal Information” is any recorded information about an identifiable individual other than business contact information. Personal information includes information that can be used to identify an individual through association or inference. Personal information includes, but is not limited to:

Name, age, sex, weight, height
Home address and phone number
Race, ethnic origin, sexual orientation
Medical information
Health care history, including physical or mental disability
Number or symbol assigned to the individual
Marital or family status
Religion
Education
Financial information
Employment information
Personal views or opinions, except if they are about someone else

“Privacy Impact Assessment” is an assessment that is conducted by a public body to determine if a current or proposed enactment, system, project, program or activity meets or will meet the requirements of Part 3 of FIPPA.

“Information Sharing Agreement” means an agreement between a public body and any other organization or government body (including a federal or provincial government body, a company or organization, and may include a person or group of persons that sets conditions for the collection, use or disclosure of personal information by the parties to the agreement).

Procedures

1. Designating a Privacy Contact Person

1.1 The Board of Education has appointed the Secretary-Treasurer as the “head” of the School District for the purposes of section 77 of FIPPA and they will designate authority to the position of privacy contact/coordinator accordingly.

1.2 The district has a privacy contact/coordinator to be the point of contact for privacy-related matters such as FIPPA requests, privacy questions, training or concerns. The district makes available, including by posting it on the district website, the name and contact information for the privacy contact/coordinator and will incorporate the contact information upon onboarding for new employees.

1.3 The head of the district together with the privacy contact will support and assist in the development, implementation, and maintenance of the public body’s privacy policies and/or administrative procedures.

2. Privacy Impact Assessments and Information Sharing Agreements.

2.1 Privacy Impact Assessments (“PIA”)

The district performs PIAs in accordance with the requirements of FIPPA, and all district personnel, if requested, are expected to provide their cooperation in this process.

A PIA is a step-by-step review process that is undertaken when a new or significantly revised initiative is being undertaken by the School District. It ensures the School District is meeting its privacy requirements under FIPPA and helps the district identify and mitigate any privacy risks.

PIAs seek to ensure the security and protection and privacy compliance of personal information collected or used by the district in connection with its initiatives, systems, projects, programs or activities.

The district’s PIAs are conducted by directors of departments, managers and individuals directly involved with the initiative or changes made to initiatives, ongoing systems, projects, programs, or activities.

Initiatives and/or changes made to enterprise software (Office 365, Enterprise Resource Planning, Student Information Systems), will be conducted by the Director, Information Technology, with the assistance of individuals working on the initiative. The privacy contact, in consultation with the head of the public body, may also review and approve all PIAs.

Where applicable, staff will identify:

how and from whom the personal information will be collected;
how the personal information will be used;
how and to whom personal information will be disclosed;
how the personal information will be maintained (AP 523 – Records Retention); and
if an assessment of disclosure of personal information outside of Canada is required.

A PIA template is referenced with this administrative procedure.

2.2 Information Sharing Agreements (“ISA”)

The district seeks to implement ISAs in relation to routine, ongoing or significant information sharing agreements.

An information sharing agreement is a document that establishes acceptable agreements and security standards in relation to permitted information sharing activities. Requests for information sharing agreements will be directed to the Superintendent or Secretary-Treasurer’s office for review.

ISAs will be reviewed for:

ensuring the collection, use and disclosure of personal information under the agreement complies with FIPPA and other applicable laws.
documenting information sharing conditions such as security standards and limits on the use and access to personal information.
demonstrating compliance with FIPPA and other legislation.
outlining each party’s responsibilities respecting the permitted uses and protection of personal information.
building a trusted information sharing relationship and ensuring appropriate accountability for information access and use.
harmonizing expectations for public bodies subject to different policies or legislation.

While an important right, privacy should not be a barrier to sharing information where compelling circumstances related to the health and safety of an individual or a group of people are concerned.

A sample ISA template is referenced with this administrative procedure.

3. Privacy Awareness and Education Activities

The district will promote privacy training and awareness commencing with the onboarding of new employees.

The privacy contact will provide ongoing training and awareness upon request.

The Secretary-Treasurer’s office will ensure information is readily available on the School District website and reviewed annually for currency and relevancy or in response to changing legislation.

The Secretary-Treasurer’s office will ensure that fair practice and good public administration is overseen under the guidance of the BC Ombudsperson.

4. Service Provider Management

The district engages with many kinds of service providers that may involve personal information and will ensure it meets its obligations under FIPPA. The district’s Manager, Purchasing, and/or contracting staff will conduct procurements.

Privacy requirements for service provider relationships, service contracts/agreements should include the following:

clear contractual requirements, including limiting use and disclosure of personal information by the service provider to specified contractual purposes:
- taking reasonable security measure to protect personal information.
- requiring compliance with privacy procedures and controls of the district including storage, retention and secure disposal and requiring notice to the Secretary-Treasurer in the event of privacy-related breach.
mechanisms ensuring service providers are informed of their privacy obligations such as contractual terms that address privacy obligations.
controls on sub-contracting by the service provider.
training or educating all service provider employees who are subject to access of personal information.
ensure service providers agree that their employees will comply with privacy obligations.

The Manager, Purchasing and/or contracting staff will collaborate with the district’s privacy contact to ensure the district remains in compliance with Ministerial directions.

The Secretary-Treasurer’s office will ensure information is readily available on the School District website and reviewed annually for currency and relevancy or in response to changing legislation.