Privacy Management Program


PURPOSE

A Privacy Management Program (PMP) is an evolving set of policies, procedures and tools developed by a public body to enable systematic privacy protection throughout the personal information lifecycle. Section 36.2 of the Freedom of Information and Protection of Privacy Act (FIPPA) requires each public body to develop a Privacy Management Program (PMP).

As a public body that is subject to the Freedom of Information and Protection of Privacy Act (FIPPA), the Comox Valley School District (School District No. 71) is committed to upholding the principles of privacy, transparency, and accountability.

As of February 1, 2023, B.C.’s Freedom of Information and Protection of Privacy Act (FIPPA) requires all public bodies to develop a PMP in accordance with mandatory PMP directions issued by the Minister of Citizens’ Services.

DEFINITIONS 

  • Consent means written consent to the collection and use or disclosure of personal
  • FIPPA means the BC Freedom of Information and Protection of Privacy Act, and regulations
  • Head means the Superintendent/CEO and includes any person to whom the Head has delegated (in writing) their powers to act as the Head.
  • Personal Information means any recorded information about an identifiable individual that is within the control of the School District and includes information about any student or any staff member of the School District. Personal Information does not include business contact information, such as email address and telephone number, that would allow a person to be contacted at work.
  • Records include any paper or electronic media used to store or record information, including books, documents, photographs, audio/video recordings, computers files, emails and
  • Staff means all persons employed or engaged by the School District to carry out its operations, including independent contractors and volunteers.

PRINCIPLES 

School District staff are responsible for:

  • Making reasonable efforts to familiarize themselves with this procedure and the requirements of FIPPA, including participating in privacy training initiatives offered by the School District.
  • Following responsible information management practices to ensure the School District collects, uses, and discloses personal information in compliance with FIPPA and other applicable laws.
  • Always seeking to protect personal information against unauthorized collection, use and disclosure, including by limiting the sharing of sensitive personal information on a need-to- know basis.
  • Cooperating with School District procedures to facilitate the appropriate release of records within its custody/control in response to access requests received from members of the community under FIPPA.
  • Cooperating with School District procedures for the completion of privacy impact assessments.
  • Cooperating with School District procedures for actions related to access requests received under FIPPA.
  • Reporting privacy breaches to the School District in accordance with School District procedures.

ACCOUNTABILITY 

The Superintendent/CEO is the Head of the School District for the purposes of FIPPA and is responsible for the implementation of this procedure.

The Head is responsible to appoint, oversee, and if appropriate, delegate responsibility to a Privacy Officer for the School District to supervise it’s Privacy Management Program.

COMMITMENT TO PRIVACY PROTECTION 

The School District protects the privacy of students, staff, and individuals whose personal information it collects, uses, shares, and retains. It expects all staff to follow responsible information management practices to ensure the School District fully complies with its obligations under FIPPA and other applicable laws.

This Privacy Management Program will be regularly updated at least yearly to ensure it remains appropriate to the School District’s activities and is compliant with FIPPA.

PURPOSES FOR COLLECTING PERSONAL INFORMATION 

The School District communicates the purposes of why personal information is collected at or before the time it is collected, unless otherwise permitted or required by FIPPA.

While carrying out the programs and activities of the School District, it collects personal information of its students for purposes including:

  • Registration, enrollment, and transfer of students
  • Providing and delivering educational programs/services
  • Accommodating students with unique needs
  • Communicating with students and responding to inquiries/complaints
  • Preparing and providing assessments of student performance
  • Supervising and ensuring the safety of students (such as using video surveillance)
  • Investigating and responding to accidents, safety events, misconduct, or similar incidents
  • Ensuring compliance with applicable School District bylaws, policies, and other laws
  • Making all required reports and filings to the Ministry of Education and Childcare; and for other purposes set out in the procedures or required under applicable laws

While carrying out its employment programs and activities, the School District collects the personal information of prospective, current, and former staff for purposes including:

  • Hiring and recruiting
  • Managing and administering employment relationships
  • Communicating with authorized union representatives
  • Administering employment compensation/benefits
  • Evaluating performance and managing disciplinary incidents
  • Supervising and ensuring the safety of the School District (such as through the use of video surveillance)
  • Investigating and responding to accidents, safety events, misconduct or similar incidents
  • Ensuring compliance with applicable School District bylaws, procedures, policies, and other applicable laws

COLLECTION, USE, AND DISCLOSURE OF PERSONAL INFORMATION 

The School District limits the personal information it collects to what is related to and necessary to carry out its programs and activities or for other purposes authorized by FIPPA.

The School District seeks to collect personal information by fair, lawful and transparent means, including via collecting personal information directly from the individual, except where otherwise authorized by FIPPA.

The School District endeavors to inform individuals from whom it collects personal information about the purposes for which the information is being collected, the legal authority for collecting it, and the contact information of someone at the School District who can answer questions about the collection and use of the information.

The School District limits the internal and external use and sharing of personal information to what is required and authorized by FIPPA or consented to by the individual.

The School District only uses or discloses personal information for the purpose for which it was collected, except with the individual’s consent or as otherwise required or permitted by FIPPA or other laws.

SECURING PERSONAL INFORMATION AND AWARENESS 

The School District protects personal information by ensuring it has reasonable security safeguards (physical, organizational, and electronic) in place which are appropriate to the sensitivity of the information.

All staff have a duty to protect the privacy and security of personal information collected and used by them as part of their ongoing employment responsibilities, including by complying with the terms of this procedure, and all related procedures.

The School District will provide ongoing awareness training to all staff to ensure they have the requisite knowledge to ensure compliance with the terms of this procedure and FIPPA.

PRIVACY IMPACT ASSESSMENTS (PIA) 

A PIA is a step-by-step review process to make sure that a public body is meeting its privacy requirements under FOIPPA and helps a public body identify and mitigate any privacy risks involved in a particular initiative. Section 69 (5.3) of FIPPA requires that public bodies complete PIAs.

The School District will complete a PIA when new technology initiatives are requested or started that involve the use or storage of personal information. They are typically completed with the help of privacy contacts and the individuals working on the initiative.

Once a PIA is completed and reviewed, it will be stored in a central location. Should there be any changes to the technology initiative after the PIA is completed, there will be a review done to determine if any changes will need to be made.

INFORMATION SHARING AGREEMENTS 

An information-sharing agreement (ISA) is an agreement that sets the terms and conditions on the regular or systematic collection, use/exchange, or disclosure of information by the parties to the agreement. ISAs are done to help ensure privacy protection where personal information is exchanged. ISAs may be used for agreements between public sector organizations or between public sector organizations and external agencies.

When new technology initiatives have a need for information to be shared regularly/systematically between parties, the School District will complete an ISA based on the BC government guidance.

Once an ISA is completed and reviewed, it will be stored in a central location. Should there be any changes to the information being shared after the ISA is completed, there will be a review done to determine if any changes will need to be made.

RETENTION 

The School District does not seek to retain personal information longer than necessary to satisfy the School District’s applicable operational, instructional, financial, and legal needs.

Personal information that is no longer required for administrative, operational, financial, legal, or historical purposes shall be securely destroyed in a manner which retains the confidentiality of those records in accordance with School District policies and approved record retention procedures.

Administrative Policy 185 Records Management provides procedures that must be followed with respect to the retention and disposal of records.

ACCURACY AND CORRECTION 

The School District shall make reasonable efforts to ensure the accuracy of personal information that is collected and used.

Individuals have the right to request the correction of their personal information, and the School District will receive and respond to requests in accordance with FIPPA and School District procedures.

ACCESS TO INFORMATION 

Comox Valley Schools District No. 71 supports appropriate transparency and accountability in its operations by making information available to the public as permitted or required under FIPPA.

The School District recognizes that individuals may make request for access to records within the custody and control of the School District and will respond to such requests in accordance with FIPPA and procedures.

The School District recognizes that individuals have a right to access their own personal information within the custody and control of the School District and will facilitate said access in accordance with the requirements of FIPPA.

PRIVACY BREACHES 

A privacy breach is defined as the theft or loss, unauthorized collection, use or disclosure, of personal information in the custody or under the control of a public body such as the school district. Per the Districts’ privacy breach procedure, steps will be taken to report, assess and contain the breach.

Consistent with legal obligations from FIPPA and PIPEDA, written notice will be given to affected individuals and the Information and Privacy Commissioner of British Columbia if the personal information in the custody or control of the school district “could be reasonably be expected to result in the significant harm” to an individual.

Investigations into each incident will be completed, and measures will be implemented to prevent similar future occurrences.

COMPLAINTS AND INQUIRIES 

Questions and complaints about the School District’s information management practices should be directed to the Privacy Officer at privacy@sd71.bc.ca.

The School District will respond to all complaints in writing.

Dissatisfaction with the district’s practices or response regarding Personal Information may also write to the Information and Privacy Commissioner of British Columbia:

Office of the Information and Privacy Commissioner for British Columbia

PO Box 9038, Stn. Prov. Govt. Victoria, BC V8W 9A4
Phone: (250) 387-5629
Fax: (250) 387-1969
Website: https://www.oipc.bc.ca
Email: info@oipc.bc.ca