The Information Access and Privacy Protection policy and procedure address the administration of the provisions of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), the Personal Health Information Protection Act (PHIPA) and other relevant legislation and regulations as they apply to all information in the custody or under the control of the Board.
Who has responsibilities?
Board of Trustees
Director of Education
Assistant Manager, Records Management/MFIPPA
All staff members
Members of the public
How is this policy and/or procedure related to Board priorities?
The Information Access and Privacy Protection policy supports student success and fosters well-being by contributing to safe and supportive schools and workplaces. This policy and related legislation protect an individual’s privacy rights and ensure appropriate collection, use, access, disclosure or destruction of personal information, thereby enhancing confidence in public education.
Relevant Legislation
Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
Personal Health Information Protection Act (PHIPA)
Department
Legal, Legislative and Administrative Services
Director’s Office
It is the expectation of the York Region District School Board that all employees, students and persons invited to or visiting Board property, or partaking/volunteering in Board or school-sponsored events and activities, will respect the policies and procedures of the Board.
Policy #158.0
Information Access and Privacy Protection
1. Policy Statement
The York Region District School Board is committed to accountability and transparency in its operations, and to the protection of personal information.
2. Application
The Board will make general information that is not confidential in accordance with the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), the Personal Health Information Protection Act (PHIPA) and other relevant legislation and regulations accessible to members of the public. All personal information is treated as confidential, and is collected, used, disclosed and disposed of only in accordance with relevant legislation and regulations.
3. Definitions
3.1 General Information
3.2 Personal Information
4. Responsibilities
4.1 The Board of Trustees is responsible for:
reviewing the Information Access and Privacy Protection policy in accordance with the priorities in the Multi-Year Strategic Plan and the approved policy review cycle; and
4.2 The Director of Education is responsible for:
implementing and operationalizing the Information Access and Privacy Protection policy;
granting or denying access to information requested under MFIPPA.
5. Contact
Legal, Legislative and Administrative Services, Director’s Office
6. History
Approved: 1990
Working Document: May 2013, June 2018
Revised: 1996, 2001, 2008, April 2019
Procedure #158.0
Information Access and Privacy Protection
1. Procedure Statement
This procedure outlines the administration of the provisions of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) in the York Region District School Board.
2. Definitions
2.1 Access Request
A formal application made under MFIPPA for general or personal information or requesting a correction or deletion of one’s own personal information. Access requests are placed with the Information Access and Privacy Office.
2.2 Access Appeal
A person who has made an access request under MFIPPA may appeal any decision of the Board concerning the request. Access appeals are placed with the Information and Privacy Commissioner of Ontario.
2.3 Privacy Complaint
A complaint lodged with the Information and Privacy Commissioner of Ontario, where it is believed an organization has compromised or breached privacy protection rights by inappropriately collecting, using, disclosing or destroying personal information.
2.4 Privacy Impact Assessment
An essential assessment of all new or revised processes, programs, or services that collect, use or disclose confidential or personal information.
2.5 Privacy Breach
Any event causing personal information to be compromised when it is collected, used, disclosed, retained or destroyed in a manner inconsistent with legislation.
3. Responsibilities
3.1 Legal, Legislative and Administrative Services shall:
ensure requests for general information are processed, in accordance with relevant legislation and regulations;
ensure the appropriate collection, use, disclosure and destruction of personal information; and
coordinate privacy impact assessment processes.
3.2 The Information Access and Privacy Office shall:
process formal access requests and privacy complaints in accordance with the legislated and regulated process requirements;
represent the Board on Access Appeals;
review and approve forms that collect and/or disclose personal information;
work with applicable staff to complete Privacy Impact Assessments;
administer the Privacy Breach Protocol;
prepare an annual report to the Information and Privacy Commissioner of Ontario and the Board of Trustees;
communicate the public’s right to access general information and an individual's right to access their personal information; and
provide consultation and support regarding information access and privacy protection for staff and members of the public.
3.3 Corporate Secretariat and Trustee Services shall:
work with Legal, Legislative and Administrative Services to support the needs of trustees with regard to privacy and information management.
3.4 Staff members shall:
treat personal and general information in accordance with relevant legislation and Board policies and procedures;
release general information, where appropriate;
release personal information to the person to whom it relates or to his/her parents or legal guardian, in accordance with MFIPPA;
consult with the Information Access and Privacy Office when there is uncertainty about the accessibility of information that has been requested;
refer all requests for information referencing MFIPPA to the Information Access and Privacy Office; and
support the protection of personal information by:
providing the following information when collecting personal information,
confirming the legislation which authorizes the collection of the information, such as but not limited to, the Education Act,
the purposes for which the information is collected, and
the contact information for staff who can explain why the information is required,
ensuring that forms that collect and/or disclose personal information are approved by the Information Access and Privacy Office,
retaining personal information using secure methods for a minimum of 12 months,
respecting an individual’s right to,
access and have copies of their personal information, with limited exceptions,
request removal of or corrections to personal information,
exercise the process outlined in the Education Act R.S.O. 1990, c. E.2, s. 266 (5) where there is disagreement, and
lodge a privacy complaint,
using the Agreement for the Confidentiality of Information when personal information is to be shared with outside service providers,
contacting the Information Access and Privacy Office to determine if a Privacy Impact Assessment is required when proposing or revising a program or service involving personal information, and
contacting the Information Access and Privacy Office if there is a suspected breach of personal information.
3.5 Members of the public shall:
understand that the costs of information access shall be recovered in accordance with the MFIPPA.
4. Contact
Legal, Legislative and Administrative Services, Director’s Office
5. History
Approved: 1990
Working Document: May 2013, June 2018
Revised: 1996, 1999, 2005, 2008, April 2019