A Privacy Management Program (PMP) is an evolving set of policies, procedures, tools and controls to ensure that personal information is collected, used, stored, and shared in a way that is compliant with privacy laws and regulations and aligned with privacy commitments.
B.C.’s Freedom of Information and Protection of Privacy Act (FIPPA) requires all public bodies to develop a PMP in accordance with mandatory PMP directions issued by the Minister of Citizens’ Services. Section 36.2 of the Act addresses this requirement.
The School District No. 61 Privacy Management Program is being developed as follows:
Designating a Privacy Officer
As required under section 76.1(a) of the Freedom of Information and Protection of Privacy Act, the Board designates the Superintendent of Schools as the official head of the school district for the purposes of the Act.
As permitted under section 76.1(b) of the Freedom of Information and Protection of Privacy Act, the Secretary-Treasurer and the Director of IT for Learning are authorized to jointly fulfill the role of Privacy Officers and to administer the Act and make operational decisions.
For any privacy related matters, please contact the Privacy Officers at email@example.com
Privacy Impact Assessments
Administrative Regulation 1161.3 Privacy Impact Assessments is currently under review.
The school district does not provide student or employee personal information to third parties unless otherwise specified through an approval process for the use of software or applications needed for learning or business purposes.
Privacy Breaches & Related Complaints
Administrative Regulation 1161.4 Critical Incident and Privacy Breach Procedure is currently under review
If you have a privacy concern or would like to make a freedom on information request, please contact the Privacy Officers at firstname.lastname@example.org
Privacy Awareness and Education Activities
Privacy training and awareness helps employees identify personal information, understand their privacy obligations, and are an important part of breach prevention. All staff access to the student information system, MyEducation BC, is dependent on completing privacy and functional training for the role – see myed.sd61.bc.ca . The Ministry of Citizen’s Services BC have made available their online privacy training at mytrainingbc.ca/FOIPPA
Broader privacy and security related training resources are being evaluated for all staff.
What is considered personal information?
Personal information includes information that can be used to identify an individual through association or inference. Some examples are:
- Name, age, sex, weight, height
- Home address and phone number
- Race, ethnic origin, sexual orientation
- Medical information
- Human resources information
Personal information may also be identifiable through the ‘mosaic effect’. The mosaic effect is a concept that illustrates how elements of information may be non-identifiable on their own but when combined could become personally identifiable. ; For example, a male in his 20s who lives in Vancouver and drives a black Honda would not be identifiable. However, a male in his 60s who lives in Smithers and drives a yellow Lamborghini would be identifiable.
The following privacy topics for education activities are relevant for most public bodies:
- An understanding of what constitutes personal information.
- Appropriate collection, use and disclosure of personal information.
- Reasonable security measures and access controls to protect personal information.
- Identification and reporting of privacy breaches and privacy complaints.
Training on the following topics may also be included:
- Privacy impact assessments.
- Privacy and security requirements for storage of sensitive personal information.
Making privacy practices and policies available
Privacy related policies or procedures will be published on the GVSD Board of Education Policies and Regulations pages and are also listed below.
Regulation 1161.1 Fees for Access to Information
Administrative Regulation 1161.2 Privacy Management Program (currently in review)
Administrative Regulation 1161.3 Privacy Impact Assessments (currently in review)
Administrative Regulation 1161.4 Critical Incident and Privacy Breach Procedure (currently in review)
Informing service providers of privacy obligations
When service providers handle personal information related to the provision of services for a public body, the public body must inform them of their privacy obligations. Contracts are one way to demonstrate privacy obligations for service providers. Privacy Impact Assessments are another useful tool to demonstrate how public bodies and service providers can meet their privacy obligations. By completing a PIA, a public body can assess the services, confirm compliance for such things as collection, use and disclosure of personal information under FOIPPA, and identify privacy risks.
Privacy training, policies and procedures will also support a service provider in complying with their privacy obligations when providing services for a public body.
Monitoring and updating
The school district will continue to review its Privacy Management Program and ensure its relevancy each year. New or updated information from the Province of B.C. or the Office of the Information and Privacy Commissioner will be added as it becomes available.