Procedure 2.1.31 FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY

Approved: June 2, 2009

Revised: October 8, 2024

1.0 Administration of the Freedom of Information and Protection of Privacy Procedures

The Director of Education, as “Head” under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and under section 49 (1) of the Act, may delegate an employee to be responsible for Freedom of Information. The person responsible for this will establish and administer the procedures for managing Freedom of Information requests and responsibilities. In District School Board Ontario North East the Communications Officer shall perform this role.

2.0 Accountability and Responsibility

Under MFIPPA, the Board is responsible for the personal information under its care and/or control. The Director of Education, and their designate, is responsible for the development and implementation of the Board’s privacy policies and procedures.

Similarly, under the Personal Health Information Protection Act (PHIPA), the Board is the health information custodian and is therefore responsible for personal health information in its custody.

2.1 Superintendents, Principals, Managers and Supervisors are responsible for:

complying with legislation, professional standards, Board directives and procedures;
implementing reasonable security measures and safeguards to protect student personal information;
ensuring that staff, including volunteers and students on placements, are aware of and adequately trained in their responsibilities as set out in this document and other board procedures;
ensuring that agreements with service providers contain privacy protection provisions with regard to the protection, collection, use, retention and disclosure of personal information.
Reporting any suspected privacy or security breaches to the Communications Officer.

2.2 Staff are responsible for:

complying with legislation, professional standards, Board directives and procedures;
protecting personal information by following proper procedures and best practices as outlined in this document and as directed by the Manager/Supervisor/Principal;
reporting any suspected privacy or security breaches of which they are aware to their immediate supervisor;
taking reasonable steps to ensure the personal information within their custody and control is secured and protected, and
participating in training regarding their duties and obligations to protect personal information.

The Communications Officer is responsible for:

Receiving and processing all requests for information and corrections;
Coordinating staff training related to the protection of privacy;
Ensuring that a notice of collection is on an appropriate and applicable form for request of information;
Initiating the breach protocol as outlined in section 6;
Supporting Superintendents, Principals, Managers and Supervisors on matters related to access to information and the protection of privacy.

3.0 Collection, Access and Disclosure of Student Personal Information

3.1 Collection

The collection and use of personal information of a student registered with the Board is limited to that which is necessary for the provision of educational services in accordance with the Education Act.

Personal information will be collected directly from the student and/or their parent or guardian.

At the time of collection, individuals must be given notice of the legal authority for the collection, the purpose(s) of its intended use and the title and contact information of an individual who may respond to specific questions regarding the collection.

The following Notice of Collection statement will be included on all Board forms requesting the personal information of a student:

The personal information provided on this form is collected by District School Board Ontario Norther East (DSB1) under the authority of the Education Act, the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), the Personal Health Information Privacy Act (PHIPA) and other applicable legislations. Personal information is collected for the purpose of planning and delivering educational programs and services which best meet students’ needs and for reporting to the Ministry of Education and other authorities as required. In addition, the information may be used or disclosed to comply with legislation, for compelling circumstances affecting health and safety or discipline, as required in circumstances related to law enforcement matters, or in accordance with any other Act. Information may be shared with employees as required to carry out their duties. For questions about this collection, contact the Board’s Freedom of Information Coordinator at [email protected] or by calling 705-360-1151.

3.2 Access to Student Records by Parents/Guardians

Parents/guardians of students under the age of 18 may have access to records contained in the OSR, unless otherwise indicated in a separation agreement or court order that is filed with the school in the OSR.

3.2.1 Records of Students over Age 18 Records of students over the age of 18 may be discussed and shared only with the student unless informed written consent has been provided by the student. Care must be taken not to leave telephone messages on the home phone unless there is an emergency and the number has been given as an emergency contact by the student.

3.3 Access to Student Records by Third Parties

Schools receiving requests for student records by third parties (i.e., Child and Family Services, legal firms, insurance companies, summons to witness/subpoena, police, etc.) are to contact their Superintendent and the Communications Officer to determine the legal right of the individual making the request and determine requirements for consent.

3.4 Disclosure Not Requiring Consent

MFIPPA sets out when a Board may use or disclose personal information in its custody or control without the consent of the parent/guardian/student.

3.4.1 Performance of Job Duties Staff may use and share a student’s personal information for the purpose of planning and delivering educational programs and services and internal board context. “Educational programs and services” include ancillary services such as student transportation. For example, student addresses may be provided to the Transportation Consortium and bus operators for the provision of home-to-school transportation. Personal information may be made available to an officer, employee, volunteer, consultant or agent of the Board who needs the record for the performance of their duties and if the information is necessary and proper for the discharge of the Board’s functions. Staff responsible for these records will assess what should be made available and to whom. Access should be minimized as much as possible to reduce risk of wrongful disclosure. Information may be limited to that which is necessary for the required purpose.
3.4.2 Consistent Purpose Personal information may be disclosed for the purpose for which it was obtained or compiled or for a “consistent purpose”. A consistent purpose is how the individual, to whom the information relates, might reasonably expect their information to be used or disclosed.
3.4.3 Legal Authority Personal information may be disclosed for the purpose of complying with legislation. When a request is received for personal information or confidential records from the Ministry of Education, other Ministries, other Ontario school Boards/authorities, or private agencies, staff will verify the legal authority for the disclosure.
- - 3.4.3.1 Local Medical Officer of Health The school is authorized to provide the local medical officer of health with student information for the purposes of maintaining immunization records for the student (Ontario Regulation 645: Immunization of School Pupils Act).

3.4.4 Law Enforcement Personal information may be shared with a law enforcement agency to aid an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result. In non-urgent matters, police shall provide a written statement that personal information is required for investigative purposes.
3.4.5 Health and SafetyPersonal information may be disclosed in compelling circumstances affecting the health or safety of the individual. The imminence and reasonableness of the risk to health and safety must be considered and balanced with the right to privacy.

4.0 Disclosure of Student Health Information

The Board is a Health Information Custodian (HIC) since it collects personal health information from students, parents and guardians related to medical conditions and through the work of regulated professionals (Social Workers).

Personal health information shall not be included in the student’s OSR. This information should not be accessible when an OSR is requested to be viewed.

A capable individual, regardless of age, can consent to the collection, use, or disclosure of their own personal health information. As such, the personal health information of a student deemed capable shall not be disclosed to parents or guardians without the student’s informed consent.

Express consent is required for disclosure of a student’s health information to non HICs. Consent may be implied between HICs for healthcare purposes.

5.0 Security of Personal Information

All DSB1 employees are responsible for ensuring student and employee personal information is secured in a reasonable manner to prevent its loss or unauthorized use or disclosure. This applies to records and information in all formats.

All staff are encouraged to adopt the following strategies to ensure confidential and/or personal information is not openly accessible:

Do not release student or employee personal information before confirming the individual’s identity.
Do not email personal information to external recipients. To share personal information electronically with external recipients, staff shall create a secure SharePoint link.
Adopt a ‘clean desk’ model such that no personal, confidential, and sensitive information is left unsecured on your desk.
Position your monitor so that casual observers cannot view the screen and/or add a monitor privacy screen.
Log off or apply a stand-by mode when leaving or desk.
Log off or sign out of applications you are not using.
Ensure documents containing confidential or personal information are not left at a photocopier or fax machine in an open area.
Lock confidential information away at the end of the day.

6.0 Breach Protocol

A privacy breach occurs when personal information is collected, used, disclosed, lost or stolen, retained, or destroyed in a manner inconsistent with privacy legislation.

All employees are responsible for reporting suspected and known privacy breaches to their direct supervisor. The supervisor is responsible for informing the appropriate Superintendent and the Communications Officer.

6.1 Assess

The Communications Officer will work with the school/department to assess the situation, determine if a breach has indeed occurred and outline next steps. All steps taken during this process shall be documented and reported to the Communications Officer.

6.2 Contain

The Communications Officer and involved staff members will identify the scope of the breach and take immediate corrective action to address it. The goal is to minimize and alleviate any consequences for both the individual(s) whose personal information was involved and the Board. Activities may include:

Recovering records
Revoking/ changing computer access codes
Correcting weaknesses in physical or electronic security

6.3 Investigate

Once the privacy breach has been contained, the Privacy Officer will ensure an investigation has been conducted. The investigation shall include:

Identifying the events that led to the privacy breach;
Evaluating if it was an isolated incident or if there is risk of further exposure of information;
Determining who was affected by the breach (e.g. students, employees and how many were affected)
Identifying who had access to the information;
Determining if information was lost or stolen;
Evaluating the effect of containment activities; and
Determining if any of the personal information was recovered.

6.4 Notify

Affected individuals shall be promptly notified. Depending on the nature and the scope of the breach, individuals may be notified in stages.

Individuals shall be notified by the department associated with the breach.

The notification shall include:

A description of the incident and the personal information involved;
The nature of potential or actual risks or harm, if any, and the appropriate action for individuals to take to protect themselves against harm;
What mitigating actions were/are being taken;
The contact information for the Information and Privacy Commissioner and how to file a complaint; and
A contact person at the Board for questions or to provide further information.

The Communications Officer shall notify the Information and Privacy Commissioner’s Office (IPC) as appropriate.

6.5 Implement Change

Once the breach has been resolved, the Communications Officer shall work with the school Administrator, department Manager or Superintendent to develop a plan for prevention or corrective action as required.

7.0 Access to General Records and Freedom of Information (FOI) Requests

Persons wishing to access general records from the Board may do so informally or by filing a Freedom of Information (FOI) request under MFIPPA.

If the informal request is denied, the individual may proceed with an FOI request.

A request for access to a record under Part I of the Act or for access to or correction of personal information under Part II of the Act shall be made using the form in Appendix A or shall be any other written form that specifies that it is a request made under the Act as legislated under MFIPPA Reg. 823 section 11.

The request must be accompanied by the $5.00 non-refundable application fee.

The request must provide sufficient detail to enable an employee of the Board to identify the record(s) requested. Should the request not be clear, The Communications Officer will offer assistance to the requestor with reformulating the request under section 17 of MFIPPA.

Requests will be processed according to legislative requirements made within the 30-day timeframe outlined in section 19 of the MFIPPA and/or the conditions for extension of time in section 20 of MFIPPA.

Fees may be collected, as outlined in MFIPPA Reg. 823. The communications Officer will inform the requestor if fees apply for the search and copy of the records.

If a person is denied access to information under the Act, they will be notified of their right to appeal to the Commissioner as legislated under section 22 of the Act.

Appendices

References