Regulation 1161.3 Privacy Impact Assessments


PRIVACY IMPACT ASSESSMENTS

Purpose

The Board of Education of School District No. 61 (Greater Victoria School District) (“School District”) is responsible for ensuring that it protects the Personal Information within its custody and control, including by complying with the provisions of the Freedom of Information and Protection of Privacy Act (“FIPPA”). FIPPA requires that the School District conduct a Privacy Impact Assessment (“PIA”) to ensure that all collection, use, disclosure, protection, and processing of Personal Information by the School District is compliant with FIPPA.

A Privacy Impact Assessment (PIA) is an in-depth review of any new or significantly revised initiative, project, activity, or program to ensure that it is compliant with the provisions of FIPPA, to identify and mitigate risks arising from the initiative and to ensure that the initiative appropriately protects the privacy of individuals. A PIA often takes the form of a checklist or questionnaire that requires consideration of the collection, use, and disclosure of personal information in connection with a particular initiative. It also addresses the ways in which personal information is protected, and the existence and mitigation of any privacy-related risks.

Preparing a PIA is a mandatory legal obligation for school districts under FIPPA. However, even before PIAs were legally required they represented privacy best practice. A PIA serves as evidence that the school district conducted appropriate due diligence before implementing new initiatives involving personal information, and that they took appropriate steps to mitigate risk. PIAs can be useful in protecting the school district from liability in the event of a privacy breach, and they also provide a valuable source of institutional memory about how and why certain decisions were made.

The PIA document should be written clearly and in plain language. In the future, it may be reviewed or considered by privacy regulators, the courts, members of the public or the next generation of school district management; therefore, it is important that the initiative and the school district’s decisions about privacy risks are clearly described and articulated.

The purpose of this Regulation is to set out the School District’s process for conducting PIAs in accordance with the provisions of FIPPA.

Scope & Responsibility

This Administrative Regulation applies to all new and significantly revised Initiatives of the School District.

All employees of the School District are expected to be aware of and follow this Administrative Regulation in the event that they are involved in a new or significantly revised Initiative.

Departments and management employees are responsible to plan and implement new or significantly revised Initiatives in accordance with the requirements of this Administrative Regulation.


Definitions

  1. “Staff” or “Employees” refers to all employees of the School District who are required to comply with FIPPA and all relevant School District policies and regulations;
  2. “Contractors” refers to a service provider retained under a contract to perform services for the School District. Contractors are required to comply with FIPPA and all relevant School District policies and regulations;
  3. “Volunteers” refers to community members carrying out volunteer activities on behalf of the School District. Volunteers are required to comply with FIPPA and all relevant School District policies and regulations;
  4. “Head” means the Superintendent of the School District or any person to whom the Superintendent has delegated their powers under this Administrative Regulation;
  5. “Initiative” means any enactment, system, project, program, or activity of the School District;
  6. “Personal Information” means any recorded information about an identifiable individual that is within the control of the School District and includes information about any student or any Employee of the School District. Personal Information does not include business contact information, such as email address and telephone number, that would allow a person to be contacted at work. Personal Information may also be identifiable through the ‘mosaic effect’. The mosaic effect is a concept that illustrates how elements of information may be non-identifiable on their own but when combined could become personally identifiable. For example, a male in his 20s who lives in Vancouver and drives a black Honda would not be identifiable. However, a male in his 60s who lives in Smithers and drives a yellow Lamborghini would be identifiable;
  7. “PIA” means a Privacy Impact Assessment performed in accordance with the requirements of FIPPA;
  8. “Privacy Officers” means the Secretary Treasurer and Director, IT for Learning, who have been designated by the Head as the Privacy Officers for the School District;
  9. “Responsible Employee” means the Department Head or other Employee who is responsible for overseeing an Initiative, and in the event of doubt, means the Employee designated in the PIA as the Responsible Employee;
  10. “Supplemental Review” means an enhanced process for reviewing the privacy and data security measures in place to protect sensitive Personal Information in connection with an Initiative involving the storage of Personal Information outside of Canada.


Designate Accountability

School districts must designate the appropriate person responsible for new or substantially changed programs or activities that require a Privacy Impact Assessment. The level of responsibility should vary in proportion to the sensitivity of the personal information involved and the risks of the initiative. The person responsible for the initiative must ensure that they have read, agreed with and accepted the risks and mitigation strategies. The PIA must finally be reviewed, approved and ‘signed off’ by the Privacy Officer and/or Head of the public body.


Responsibilities of the Head

The implementation of this Administrative Regulation is the responsibility of the Superintendent, who is the “Head” of the School District, including for all purposes under FIPPA. The Head is also responsible for ensuring there is a process for completing and documenting Privacy Impact Assessments and, as required, Information Sharing Agreements. The Head may delegate any of their powers under this Regulation or FIPPA to other School District Employees by written delegation.

Responsibilities of the Privacy Officers

The Privacy Officers are responsible, in consultation with the Head, to ensure that all PIAs and Supplemental Reviews are completed in accordance with the requirements of FIPPA and this Regulation.


Responsibilities of All Employees

All Employees are responsible for:

  1. understanding that all purchases of software must be pre-approved by the Information Technology for Learning Department to ensure the completion of a Privacy Impact Assessment and compliance with the Freedom of Information and Protection of Privacy Act, as per the Greater Victoria School District Purchasing Regulation;
  2. understanding that any Employees responsible for developing or introducing a new or significantly revised Initiative that involves or may involve the collection, use, disclosure or processing of Personal Information by the School District must report that Initiative to the Privacy Officers at an early stage in its development;
  3. cooperating with the Privacy Officers and providing all requested information needed to complete the PIA when involved in a new or significantly revised Initiative; and
  4. cooperating with the Privacy Officers, at the request of the Privacy Officers, in the preparation of any other PIA that the Privacy Officers decide to perform.


The Role of the Responsible Employee

Responsible Employees are responsible for:

  1. ensuring that new and significantly revised Initiatives for which they are the Responsible Employee are referred to the Privacy Officers for completion of a PIA;
  2. supporting all required work necessary for the completion and approval of the PIA;
  3. being familiar with and ensuring that the Initiative is carried out in compliance with the PIA; and
  4. requesting that the Privacy Officers make amendments to the PIA when needed and when significant changes to the Initiative are made.


Initiatives involving the Storage of Personal Information

  1. Employees may not engage in any new or significantly revised Initiative that involves the storage of Personal Information until the Privacy Officers have completed and the Head has approved a PIA and any required Supplemental Review.
  2. The Responsible Employee or Department may not enter into a binding commitment to participate in any Initiative that involves the storage of Personal Information outside of Canada unless any required Supplemental Review has been completed and approved by the Head.
  3. It is the responsibility of the Privacy Officers to determine whether a Supplemental Review is required in relation to any Initiative, and to ensure that the Supplemental Review is completed in accordance with the requirements of FIPPA.
  4. The Head is responsible for reviewing and, if appropriate, approving all Supplemental Reviews and in doing so must consider risk factors including:
    a. the likelihood that the Initiative will give rise to an unauthorized collection, use, disclosure or storage of Personal Information;
    b. the impact to an individual of an unauthorized collection, use, disclosure or storage of Personal Information;
    c. whether the Personal Information is stored by a service provider;
    d. where the Personal Information is stored; and
    e. whether the Supplemental Review sets out mitigation strategies proportionate to the level of risk posed by the Initiative.
  5. Approval of a Supplemental Review by the Head shall be documented in writing.


Contact Information

Questions or comments about this Regulation may be addressed to the Privacy Officers via email: privacy@sd61.bc.ca


Review

This Administrative Regulation relates to newly amended legislation for public bodies and will therefore be reviewed annually until further notice.

Related Acts and Regulation

School Act and Regulations
Freedom of Information and Protection of Privacy Act (FIPPA) and Regulations


Supporting References, Policies, Regulations and Forms

Policy 1161 Freedom of Information and Protection of Privacy
Administrative Regulation 1161.1 Fees for Access to Information
Administrative Regulation 1161.2 Privacy Management Program
Administrative Regulation 1161.4 Critical Incident and Privacy Breach


Adopted: November 27, 2023
Revised:
