The Privacy policy and procedure sets out responsibilities and requirements for various stakeholders for the protection of student, staff, and other personal information. This policy and procedure describe how the Board meets its obligations under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), the Personal Health Information Protection Act (PHIPA) and other relevant legislation and regulations as it applies to personal information in the custody or under the control of the Board.
On this page:
- Policy #158.0 Information Access and Privacy Protection
- Procedure #158.1 Information Access and Privacy Protection
What has Changed?
Major changes to the document: Minor revisions to formatting and hyperlinks.
Reason for review: Due for second review.
Who is affected by these changes and what is the impact on current practice? Existing stakeholder responsibilities have been clarified; however, no impact to existing operational practices will occur.
Implementation timelines: Immediate upon Board approval.
Lead Superintendent(s)/Subject Matter Expert(s): Comptroller, Corporate and Legal Affairs, Manager, Administrative and Legal Services.
Stakeholder Groups with Responsibilities under this Policy:
- Board of Trustees
- Director of Education
- Administrative and Legal Services
- Trustee Services
- Privacy Office
- All staff members
- Superintendents and Principals
- Members of the public
Relationship to Board Priorities
The Privacy policy and procedure supports student success and fosters well-being by contributing to safe and supportive schools and workplaces. It is intended to protect an individual’s privacy and ensure appropriate collection, use, access, disclosure, or destruction of personal information. Achieving these goals enhances confidence in public education.
Timelines and Next Steps
This policy was scheduled for second review at the November 5, 2024 Policy and By-Law Standing Committee meeting.
Legislative Context
Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
Personal Health Information Protection Act (PHIPA)
Related Documents
Policy and Procedure #194.0, Appropriate Use of Technology
Policy and Procedure #160.0, Records and Information Management
It is the expectation of the York Region District School Board that all employees, students and persons invited to or visiting Board property, or partaking/volunteering in Board or school-sponsored events and activities, will respect the policies and procedures of the Board.
Policy #158.0 Privacy
1. Policy Statement
The York Region District School Board is committed to accountability and transparency in its operations and to the protection of personal information.
2. Application
All personal information is treated as confidential, and is collected, used, disclosed and disposed of only in accordance with relevant legislation and regulations.
This procedure applies to all personal information in the custody or under the control of the Board.
3. Responsibilities
3.1 The Board of Trustees is responsible for:
- reviewing the Privacy policy in accordance with the priorities in the Multi-Year Strategic Plan and the approved policy review cycle;
- treating personal information confidentially, in accordance with MFIPPA and Board policies and procedures; and
- contacting the Privacy Office with questions or community inquiries regarding this policy.
3.2 The Director of Education is responsible for:
- implementing and operationalizing the Privacy policy; and
- allocating staff and resources to support the Privacy procedure.
4. Definitions
4.1 Personal Information
Any information about an individual. This includes information that can be used to identify an individual, either alone or in combination with other information. Examples of Personal Information include, but are not limited to, anything included in an Ontario Student Record, report cards, student or staff investigation documents, letters of suspension, health, biographical or demographic information, resumés, or hearing files.
5. Contact
Administrative and Legal Services
Director’s Office
6. History
Approved: 1990
Working Document: May 2013, June 2018, October 2023
Revised: 1996, 2001, 2008, April 2019, October 2024
Final Approval: December 2024
Procedure #158.1 Privacy
1. Procedure Statement
This procedure outlines the administration of the Privacy policy provisions of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) at the York Region District School Board (YRDSB).
2. Definitions
2.1 Privacy Complaint
A complaint lodged with the Information and Privacy Commissioner of Ontario, where it is believed an organization has compromised or breached privacy protection rights by inappropriately collecting, using, disclosing or destroying personal information.
2.2 Privacy Impact Assessment
An essential assessment of all new or revised processes, programs, or services that collect, use, or disclose confidential or personal information.
2.3 Privacy Breach
Any event causing personal information to be compromised when it is collected, used, disclosed, retained, or destroyed in a manner inconsistent with legislation or this policy.
3. Responsibilities
3.1 Administrative Services shall:
- ensure the appropriate collection, use, disclosure, and destruction of personal information.
3.2 The Privacy Office shall:
- implement and operationalize the Privacy procedure;
- promote awareness of and compliance with this policy and procedure, the Board’s Privacy Notice and MFIPPA;
- process and manage privacy inquiries, requests, and complaints in accordance with the legislated and regulated process requirements;
- review forms that collect and/or disclose personal information;
- work with applicable staff to conduct Privacy Impact Assessments;
- administer procedures in response to privacy breaches; and
- provide consultation and support regarding privacy protection for staff and members of the public.
3.3 Trustee Services shall:
- work with Administrative and Legal Services to support the needs of trustees with regard to privacy management.
3.4 Staff members shall:
3.4.1 General requirements:
- treat personal information confidentially, in accordance with MFIPPA and Board policies and procedures;
- protect personal information under their control from unauthorized access, use or disclosure, including ensuring that any third-party handling personal information (such as software providers) is approved by the Board to do so;
- only access, collect, use, transfer or disclose personal information as required by the staff member’s job duties;
- regularly review, and act in accordance with, the Board’s Privacy Notice;
- immediately report any suspected or actual Privacy Breach to the Privacy Office, and otherwise support any efforts pursuant to the breach investigation;
- maintain records involving personal information in accordance with Policy and Procedure #160.0, Records and Information Management;
- abide by any confidentiality requirements that apply to their profession (e.g., psychologists, social workers, and other health-related professions); and
- contact the Privacy Office for questions about responsibilities or requirements under this procedure or the Privacy policy.
3.4.2 Collecting, using and disclosing personal information:
- when collecting personal information, provide the following contents in a notice:
- the law that authorizes the collection of the information, such as the Education Act;
- the reason why the information is being collected and what will be done with the information; and
- the contact information of a staff member who can answer questions about the collection;
- before indirectly collecting personal information about a person (i.e., through a third party who is not the person about whom the personal information relates or their parent or guardian), obtain consent from the person in question;
- only use personal information about an individual where:
- the information is being used for the same purpose for which it was collected, or for a consistent purpose that the individual would reasonably expect;
- the individual’s consent (or for minors, their parent or guardian’s consent) has been obtained; or
- where required to meet a legal obligation or in the case of a health or safety emergency;
- only disclose personal information about an individual where:
- the information being disclosed for the same purpose for which it was collected, or for a consistent purpose that the individual would reasonably expect;
- the individual’s consent (or for minors, their parent or guardian’s consent) has been obtained; or
- where required to meet a legal obligation or in the case of a health or safety emergency;
- when updating or proposing initiatives that could involve student or other personal information, prior to implementing the initiative;
- engage the Privacy Office to conduct a Privacy Impact Assessment; and
- use an agreement for the confidentiality of information when personal information is to be shared with third party service providers.
3.4.3 Handling requests and concerns:
- upon receiving a privacy related inquiry, request, or complaint, refer to the appropriate principal or superintendent; and
- consult with the Privacy Office on how to handle or respond to an inquiry, request or complaint where needed.
3.5 Superintendents and Principals (or their designates) shall:
- ensure staff at the school(s) for which they are responsible abide by the Privacy policy and this procedure;
- respond to privacy related inquiries, requests, or complaints, and escalate them to the Privacy Office as appropriate; and
- consult with the Privacy Office on how to handle or respond to an inquiry, request or complaint where needed.
3.6 Members of the public shall:
- understand that the costs of personal information access shall be recovered in accordance with the MFIPPA.
4. Contact
Administrative and Legal Services
Director’s Office
5. History
Approved: 1990
Working Document: May 2013, June 2018, October 2023
Revised: 1996, 1999, 2005, 2008, April 2019, May 2022, October 2024
Final Approval: December 2024