Policy and Procedure #158.0, Information Access and Privacy Protection

The Information Access and Privacy Protection policy and procedure addresses the administration of the provisions of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), the Personal Health Information Protection Act (PHIPA) and other relevant legislation and regulations as it applies to all information in the custody or under the control of the Board.

 

On this page:


 

Who has responsibilities?

  • Board of Trustees

  • Director of Education

  • Assistant Manager, Records Management/MFIPPA

  • All staff members

  • Members of the public

 

How is this policy and/or procedure related to Board priorities?

The Information and Access and Privacy Protection policy supports student success and fosters well-being by contributing to safe and supportive schools and workplaces. This policy and related legislation protect an individual’s privacy rights and ensures appropriate collection, use, access, disclosure or destruction of personal information. Thereby, enhancing confidence in public education.

 

Relevant Legislation

Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)

Personal Health Information Protection Act (PHIPA)

Education Act

 

Department

Legal, Legislative and Administrative Services

Director’s Office

 


It is the expectation of the York Region District School Board that all employees, students and persons invited to or visiting Board property, or partaking/volunteering in Board or school-sponsored events and activities, will respect the policies and procedures of the Board.


 

Return to top

Policy #158.0

Information Access and Privacy Protection

 

1. Policy Statement

The York Region District School Board is committed to accountability and transparency in its operations, and to the protection of personal information.

 

2. Application

The Board will make general information that is not confidential in accordance with Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), the Personal Health Information Protection Act (PHIPA) and other relevant legislation and regulations accessible to members of the public. All personal information is treated as confidential, and is collected, used, disclosed and disposed of only in accordance with relevant legislation and regulations

 

3. Definitions

 

3.1 General Information

Information in the Board’s custody or control that is not of a personal nature and is not exempt from public access under MFIPPA or PHIPA unless an access exemption applies. Examples of general information that can be routinely released include, but are not limited to, policies, Ministry guidelines and memoranda, travel expense statements, collective agreements, Board plans, public minutes, or school events and programs.

 

3.2 Personal Information

Information that renders an individual identifiable. Examples of personal information include, but are not limited to, report cards, letters of suspension, private minutes, vendor and supplier resumés or hearing files. Information about a staff member’s professional identity, such as, but not limited to, name, work location or job title, is not personal. Most employment related and labour relations related information is excluded from the access provisions of MFIPPA.

 

4. Responsibilities

 

4.1 The Board of Trustees is responsible for:

  1. reviewing the Information Access and Privacy Protection policy in accordance with the priorities in the Multi-Year Strategic Plan and the approved policy review cycle; and

  2. understanding and communicating with members of the community about the Information Access and Privacy Protection policy, as required.

 

4.2 The Director of Education is responsible for:

  1. implementing and operationalizing the Information Access and Privacy Protection policy;

  2. making the decision to disclose information where grave environmental, health or safety hazards exist and where compelling public interest applies to information;

  3. allocating staff and resources to support the Information Access and Privacy Protection procedure; and

  4. granting or denying access to information requested under MFIPPA.

 

5. Contact

Legal, Legislative and Administrative Services Director’s Office

 

6. History

Approved: 1990

Working Document: May 2013, June 2018

Revised: 1996, 2001, 2008, April 2019


 

Return to top

Procedure #158.0

Information Access and Privacy Protection

 

1. Procedure Statement

This procedure outlines the administration of the provisions of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) in the York Region District School Board.

 

2. Definitions

 

2.1 Access Request

A formal application made under MFIPPA for general or personal information or requesting a correction or deletion of one’s own personal information. Access requests are placed with the Information Access and Privacy Office.

 

2.2 Access Appeal

A person who has made an access request under MFIPPA may appeal any decision of the Board concerning the request. Access appeals are placed with the Information and Privacy Commissioner of Ontario.

 

2.3 Privacy Complaint

A complaint lodged with the Information and Privacy Commissioner of Ontario, where it is believed an organization has compromised or breached privacy protection rights by inappropriately collecting, using, disclosing or destroying personal information.

 

2.4 Privacy Impact Assessment

An essential assessment of all new or revised processes, programs, or services that collect, use or disclose confidential or personal information.

 

2.5 Privacy Breach

Any event causing personal information to be compromised when it is collected, used, disclosed, retained or destroyed in a manner inconsistent with legislation.

 

3. Responsibilities

 

3.1 Legal, Legislative and Administrative Services shall:

  1. ensure requests for general information are processed, in accordance with relevant legislation and regulations;

  2. ensure the appropriate collection, use, disclosure and destruction of personal information; and

  3. coordinate privacy impact assessment processes.

 

3.2 The Information Access and Privacy Access Office shall:

  1. process formal access requests and privacy complaints in accordance with the legislated and regulated process requirements;

  2. represent the Board on Access Appeals;

  3. review and approve forms that collect and/or disclose personal information;

  4. work with applicable staff to complete Privacy Impact Assessments;

  5. administer the Privacy Breach Protocol;

  6. prepare an annual report to the Information and Privacy Commissioner of Ontario and the Board of Trustees;

  7. communicate the public’s right to access general information and an individual's right to access their personal information; and

  8. provide consultation and support regarding information access and privacy protection for staff and members of the public.

     

3.3 Corporate Secretariat and Trustee Services shall:

  1. work with Legal, Legislative and Administrative Services to support the needs of trustees with regard to privacy and information management.

     

3.4 Staff members shall:

  1. treat personal and general information in accordance with relevant legislation and Board policies and procedures;

  2. release general information, where appropriate;

  3. release personal information to the person to whom it relates or to his/her parents or legal guardian, in accordance with MFIPPA;

  4. consult with the Information Access and Privacy Office when there is uncertainty about the accessibility of information that has been requested;

  5. refer all requests for information referencing MFIPPA to the Information Access and Privacy Office; and

  6. support the protection of personal information by;

    • providing the following information when collecting personal information,

      • confirming the legislation which authorizes the collection of the information, such as but not limited to, the Education Act,

      • the purposes for which the information is collected, and

      • the contact information for staff who can explain why the information is required,

        • ensuring that forms that collect and/or disclose personal information are approved by the Information Access and Privacy Office

        • retaining personal information using secure methods for a minimum of 12 months,

        • respect an individual’s right to,

          • access and have copies of their personal information, with limited exceptions,

          • request removal of or corrections to personal information,

            • exercise the process outlined in the Education Act R.S.O. 1990, c. E.2, s. 266 (5) where there is disagreement; and

          • lodge a privacy complaint,

  7. use the Agreement for the Confidentiality of Information when personal information is to be shared with outside service providers,

  8. contact the Information Access and Privacy Office to determine if a Privacy Impact Assessment is required when proposing or revising a program or service involving personal information, and

  9. contact the Information Access and Privacy Office if there is a suspected breach of personal information.

 

3.5 Members of the public shall:

  1. understand that the costs of information access shall be recovered in accordance with the MFIPPA.

 

4. Contact

Legal, Legislative and Administrative Services Director’s Office

 

5. History

Approved: 1990

Working Document: May 2013, June 2018

Revised: 1996, 1999, 2005, 2008, April 2019