Policy and Procedure #158.0, Privacy

The Privacy policy and procedure sets out responsibilities and requirements for various stakeholders for the protection of student, staff and other personal information. This policy and procedure describes how the Board meets its obligations under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), the Personal Health Information Protection Act (PHIPA) and other relevant legislation and regulations as it applies to personal information in the custody or under the control of the Board.

On this page:

 

What has Changed?

Major changes to the document: Given the separate roles played by Information Management/Access and Privacy, the current Policy and Procedure #158.0, Privacy has been revised to focus solely on the critical role of privacy at the York Region District School Board.  Information access pieces have been moved to Policy and Procedure #160.0, Records and Information Management. This separation better captures and clarifies Board and staff obligations and roles for both documents by providing clearer stakeholder procedural responsibilities.

Reason for review: Due for first review.

Who is affected by these changes and what is the impact on current practice? Existing stakeholder responsibilities have been clarified; however, no impact to existing operational practices will occur.

Implementation timelines: Immediate upon Board approval.

Lead Superintendent(s)/Subject Matter Expert(s): Comptroller, Corporate and Legal Affairs; Assistant Manager, Privacy.


 

Stakeholder Groups with Responsibilities under this Policy:

  • Board of Trustees

  • Director of Education

  • Administrative and Legal Services

  • Privacy Office

  • All staff members

  • Superintendents and Principals

  • Members of the public

 

Relationship to Board Priorities

The Privacy policy and procedure supports student success and fosters well-being by contributing to safe and supportive schools and workplaces. It is intended to protect an individual’s privacy and ensure appropriate collection, use, access, disclosure or destruction of personal information. Achieving these goals enhances confidence in public education.

 

Timelines and Next Steps

This policy was scheduled for first review at the November 7, 2023 Policy and By-Law Standing Committee meeting.

 

Providing Feedback

Questions about this policy and/or procedure should be raised with your principal, manager or supervisor. If additional clarification is required, principals, managers and supervisors may contact the lead superintendent and/or subject matter expert and Trustee Services.

In accordance with Board Policy #285.0, Board Policies, Procedures and Supporting Documents, the Board welcomes all comments and suggestions on Board policy.

Input is an important component of the review process. If you feel a policy and/or procedure needs to be revised, feedback may be submitted through the school council or by submitting the on-line form. In your response please;

  • outline clearly the specific section(s) of the policy and/or procedure in which you are not comfortable,

  • suggest specific alternate wording to reflect your position, and

  • identify the reason(s) for your concern(s).

Specific recommendations or questions about the review process should be submitted using the on-line form or sent to the Policy Officers via email at policy.committee@yrdsb.ca, or via telephone at 905-727-0022 extension 2570 or in hard copy at The Education Centre – Aurora.

 

Legislative Context

Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)

Personal Health Information Protection Act (PHIPA)  

Education Act

 

Related Documents

Policy and Procedure #194.0, Appropriate Use of Technology

Policy and Procedure #160.0, Records and Information Management

 


It is the expectation of the York Region District School Board that all employees, students and persons invited to or visiting Board property, or partaking/volunteering in Board or school-sponsored events and activities, will respect the policies and procedures of the Board.


 

Return to top

Policy #158.0 Privacy

 

1. Policy Statement

The York Region District School Board is committed to accountability and transparency in its operations and to the protection of personal information.

 

2. Application

All personal information is treated as confidential, and is collected, used, disclosed and disposed of only in accordance with relevant legislation and regulations.

This procedure applies to all personal information in the custody or under the control of the Board.

 

3. Responsibilities

 

3.1 The Board of Trustees is responsible for:

  1. reviewing the Privacy policy in accordance with the priorities in the Multi-Year Strategic Plan and the approved policy review cycle;

  2. treating personal information confidentially, in accordance with MFIPPA and Board policies and procedures; and

  3. contacting the Privacy Office with questions or community inquiries regarding this policy.

 

3.2 The Director of Education is responsible for:

  1. implementing and operationalizing the Privacy policy; and

  2. allocating staff and resources to support the Privacy procedure.

 

4. Definitions

 

4.1 Personal Information

Any information about an individual. This includes information that can be used to identify an individual, either alone or in combination with other information. Examples of personal information include, but are not limited to, anything included in an Ontario Student Record, report cards, student or staff investigation documents, letters of suspension, health, biographical or demographic information, resumes, or hearing files. 

 

5. Contact

Administrative and Legal Services

Director’s Office

 

6. History

Approved: 1990

Working Document: May 2013, June 2018

Revised: 1996, 2001, 2008, April 2019, October 2023


 

Return to top

Procedure #158.1 Privacy

 

1. Procedure Statement

This procedure outlines the administration of the Privacy policy provisions of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) at the York Region District School Board. 

 

2. Definitions

 

2.1 Privacy Complaint

A complaint lodged with the Information and Privacy Commissioner of Ontario, where it is believed an organization has compromised or breached privacy protection rights by inappropriately collecting, using, disclosing or destroying personal information.

 

2.2 Privacy Impact Assessment

An essential assessment of all new or revised processes, programs, or services that collect, use or disclose confidential or personal information.

 

2.3 Privacy Breach

Any event causing personal information to be compromised when it is collected, used, disclosed, retained or destroyed in a manner inconsistent with legislation or this policy.

 

3. Responsibilities

 

3.1 Administrative Services shall:

  1. ensure the appropriate collection, use, disclosure and destruction of personal information.

 

3.2 The Privacy Office shall:

  1. implement and operationalize the Privacy procedure;

  2. promote awareness of and compliance with this policy and procedure, the Board’s Privacy Notice and MFIPPA;

  3. process and manage privacy inquiries, requests and complaints in accordance with the legislated and regulated process requirements;

  4. review forms that collect and/or disclose personal information;

  5. work with applicable staff to conduct Privacy Impact Assessments;

  6. administer procedures in response to privacy breaches; and

  7. provide consultation and support regarding privacy protection for staff and members of the public.

 

3.3 Trustee Services shall:

  1. work with Administrative and Legal Services to support the needs of trustees with regard to privacy management.

 

3.4 Staff members shall:

 

3.4.1 Staff members shall:

  1. treat personal information confidentially, in accordance with MFIPPA and Board policies and procedures;

  2. protect personal information under their control from unauthorized access, use or disclosure, including ensuring that any third party handling personal information (such as software providers) is approved by the Board to do so;

  3. only access, collect, use, transfer or disclose personal information as required by the staff member’s job duties;

  4. regularly review, and act in accordance with, the Board’s Privacy Notice;

  5. immediately report any suspected or actual Privacy Breach to the Privacy Office, and otherwise support any efforts pursuant to the breach investigation;

  6. maintain records involving personal information in accordance with Policy and Procedure #160.0, Records and Information Management;

  7. abide by any confidentiality requirements that apply to their profession (e.g., psychologists, social workers, and other health-related professions); and

  8. contact the Privacy Office for questions about responsibilities or requirements under this procedure or the Privacy policy.

 

3.4.2 Collecting, using and disclosing personal information:

  1. when collecting personal information, provide the following contents in a notice:

    • the law that authorizes the collection of the information, such as the Education Act;

    • the reason why the information is being collected and what will be done with the information; and

    • the contact information of a staff member who can answer questions about the collection;

  2. before indirectly collecting personal information about a person (i.e., through a third party who is not the person about whom the personal information relates or their parent or guardian), obtain consent from the person in question;

  3. only use personal information about an individual where:

    • the information is being used for the same purpose for which it was collected, or for a consistent purpose that the individual would reasonably expect;

    • the individual’s consent (or for minors, their parent or guardian’s consent) has been obtained; or

    • where required to meet a legal obligation or in the case of a health or safety emergency;

  4. only disclose personal information about an individual where:

    • the information being disclosed for the same purpose for which it was collected, or for a consistent purpose that the individual would reasonably expect;

    • the individual’s consent (or for minors, their parent or guardian’s consent) has been obtained; or

    • where required to meet a legal obligation or in the case of a health or safety emergency;

  5. when updating or proposing initiatives that could involve student or other personal information, prior to implementing the initiative:

    • engage the Privacy Office to conduct a Privacy Impact Assessment; and

    • use an agreement for the confidentiality of information when personal information is to be shared with third party service providers.

 

3.4.3 Handling requests and concerns:

  1. upon receiving a privacy related inquiry, request or complaint, refer to the appropriate Principal or Superintendent; and

  2. consult with the Privacy Office on how to handle or respond to an inquiry, request or complaint where needed.

 

3.5 Superintendents and Principals (or their designates) shall:

  1. ensure staff at the school(s) for which they are responsible abide by the Privacy policy and this procedure;

  2. respond to privacy related inquiries, requests or complaints, and escalate them to the Privacy Office as appropriate; and

  3. consult with the Privacy Office on how to handle or respond to an inquiry, request or complaint where needed.

 

3.6 Members of the public shall:

  1. understand that the costs of information access shall be recovered in accordance with the MFIPPA.

 

4. Contact

Administrative and Legal Services

Director’s Office

 

5. History

Approved: 1990

Working Document: May 2013, June 2018

Revised: 1996, 1999, 2005, 2008, April 2019, May 2022, October 2023