Policies, Regulations Forms and Bylaws

6720-20 | Privacy Impact Assessments Regulations

Date Approved: October 23, 2023
Date Reviewed/Amended:


PURPOSE

The Board of Education of School District No. 52 (“School District”) is responsible for ensuring that it protects the Personal Information within its custody and control, including by complying with the provisions of the Freedom of Information and Protection of Privacy Act (“FIPPA”). FIPPA requires that the School District conduct a Privacy Impact Assessment (“PIA”) to ensure that all collection, use, disclosure, protection and processing of Personal Information by the School District is compliant with FIPPA.

A Privacy Impact Assessment (PIA) is an in-depth review of any new or significantly revised initiative, project, activity or program to ensure that it is compliant with the provisions of FIPPA, to identify and mitigate risks arising from the initiative and to ensure that the initiative appropriately protects the privacy of individuals.

The purpose of this Procedure is to set out the School District’s process for conducting PIAs in accordance with the provisions of FIPPA.

SCOPE AND RESPONSIBILITY

This Procedure applies to all new and significantly revised Initiatives of the School District. All employees of the School District are expected to be aware of and follow this Procedure in the event that they are involved in a new or significantly revised Initiative.

Departments and management employees are responsible for planning and implementing new or significantly revised Initiatives in accordance with the requirements of this Procedure.

DEFINITIONS

Where used in this Procedure, the following terms have the following meanings:

a) “Employees” means the employees, contractors and volunteers of the School District.

b) “Head” means the Superintendent of the School District or any person to whom the Superintendent has delegated their powers under this Procedure.

c) “Initiative” means any enactment, system, project, program or activity of the School District.

d) “Personal Information” means any recorded information about an identifiable individual that is within the control of the School District and includes information about any student or any Employee of the School District. Personal Information does not include business contact information, such as email address and telephone number, that would allow a person to be contacted at work.

e) “PIA” means a Privacy Impact Assessment performed in accordance with the requirements of FIPPA.

f) “Privacy Officer” means the Executive Director – Communications, Privacy and Community Engagement who has been designated by the Head as the Privacy Officer for the School District.

g) “Responsible Employee” means the Department Head or other Employee who is responsible for overseeing an Initiative, and in the event of doubt, means the Employee designated in the PIA as the Responsible Employee.

h) “Supplemental Review” means an enhanced process for reviewing the privacy and data security measures in place to protect sensitive Personal Information in connection with an Initiative involving the storage of Personal Information outside of Canada.

RESPONSIBILITIES OF THE HEAD

The administration of this Procedure is the responsibility of the Superintendent, who is the “head” of the School District for all purposes under FIPPA. The Head may delegate any of their powers under this Procedure or FIPPA to other School District Employees by written delegation.

RESPONSIBILITIES OF THE PRIVACY OFFICER

The Privacy Officer is responsible, in consultation with the Head, for ensuring that all PIAs and Supplemental Reviews are completed in accordance with the requirements of FIPPA and this Procedure.

RESPONSIBILITIES OF ALL EMPLOYEES

Any Employees responsible for developing or introducing a new or significantly revised Initiative that involves or may involve the collection, use, disclosure or processing of Personal Information by the School District must report that Initiative to the Privacy Officer at an early stage in its development.

All Employees involved in a new or significantly revised Initiative will cooperate with the Privacy Officer and provide all requested information needed to complete the PIA.

All Employees will, at the request of the Privacy Officer, cooperate with the Privacy Officer in the preparation of any other PIA that the Privacy Officer decides to perform.

THE ROLE OF THE RESPONSIBLE EMPLOYEE

Responsible Employees are responsible for:

a) ensuring that new and significantly revised Initiatives for which they are the Responsible Employee are referred to the Privacy Officer for completion of a PIA;

b) supporting all required work necessary for the completion and approval of the PIA;

c) being familiar with and ensuring that the Initiative is carried out in compliance with the PIA; and

d) requesting that the Privacy Officer make amendments to the PIA when needed and when significant changes to the Initiative are made.

INITIATIVES INVOLVING THE STORAGE OF PERSONAL INFORMATION OUTSIDE OF CANADA

a) Employees may not engage in any new or significantly revised Initiative that involves the storage of Personal Information outside of Canada until the Privacy Officer has completed and the Head has approved a PIA and any required Supplemental Review.

b) The Responsible Employee or Department may not enter into a binding commitment to participate in any Initiative that involves the storage of Personal Information outside of Canada unless any required Supplemental Review has been completed and approved by the Head.

c) It is the responsibility of the Privacy Officer to determine whether a Supplemental Review is required in relation to any Initiative, and to ensure that the Supplemental Review is completed in accordance with the requirements of FIPPA.

d) The Head is responsible for reviewing and, if appropriate, approving all Supplemental Reviews and in doing so must consider risk factors including:

   i. the likelihood that the Initiative will give rise to an unauthorized collection, use, disclosure or storage of Personal Information;

   ii. the impact to an individual of an unauthorized collection, use, disclosure or storage of Personal Information;

   iii. whether the Personal Information is stored by a service provider;

   iv. where the Personal Information is stored;

   v. whether the Supplemental Review sets out mitigation strategies proportionate to the level of risk posed by the Initiative.

e) Approval of a Supplemental Review by the Head shall be documented in writing.

CONTACT INFORMATION

Questions or comments about this Policy may be addressed to the Privacy Officer –  at hr@sd52.bc.ca.