MA-P0 - Student Electronic Data Privacy and Security

The efficient, safe, and effective collection, analysis, sharing, and storage of student information is essential to the appropriate education of all students. The use of technology to enhance the effectiveness and timeliness of appropriate use of student data for educational purposes has advanced, requiring clarity on policies and procedures related to the care and disposition of confidential student information.

The Prairie Spirit School Division has established written procedures respecting the collection, storage, retrieval and use of information respecting pupils (PSA42.1). Policy JS (Student Records [Pupil Files]) establishes the accompanying regulations pertaining to the privacy and security of electronic files containing student data in alignment with the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Act (PHIA) respecting the collection, use, protection, retention and disclosure of personal student information. In addition, the rules set out in the Youth Criminal Justice Act (CYJA) will be followed for electronic files.

In order to ensure the proper protection of confidential student information, each school in the Prairie Spirit School Division shall adopt, implement and electronically post this policy. It is intended to support the appropriate level of professional sharing of information in the best interest of the child, regarding education, health and safety. The policy provides guidance regarding the collection, access, security and use of education data to protect student privacy. This policy is consistent with Prairie Spirit School Division’s existing policies pertaining to student records (pupil files).

Defined Terms

Administrative Security consists of policies, procedures, and personnel controls including security policies, training, and audits, technical training, supervision, separation of duties, rotation of duties, recruiting and termination procedures, user access control, background checks, performance evaluations, and disaster recovery, contingency, and emergency plans. These measures ensure that authorized users know and understand how to properly use the system in order to maintain security of data.

Aggregate Data is collected or reported at a group, cohort or institutional level and does not contain personally identifiable information (PII).

Data Breach is the unauthorized acquisition of personally identifiable information (PII).

Logical Security consists of software safeguards for an organization’s systems, including user identification and password access, authenticating, access rights and authority levels. These measures ensure that only authorized users are able to perform actions or access information in a network or a workstation.

Personally Identifiable Information (PII) includes: a student’s name; the name of a student’s family; the student’s address; the student’s social insurance number; the student’s Manitoba Education and Advanced Learning (MET) number; or other indirect identifiers such as a student’s date of birth, place of birth or mother’s maiden name; and other information that alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school community who does not have personal knowledge of the relevant circumstances, to identify the student.

Physical Security describes security measures designed to deny unauthorized access to facilities or equipment.

Student Data means data collected at the student level and included in a student’s educational records (both cumulative files and other student files named in the cumulative file).

Unauthorized Data Disclosure is the intentional or unintentional release of personally identifiable information to an unauthorized person or untrusted environment.

Collection of Student Information

All schools in the Prairie Spirit School Division shall follow applicable provincial and federal laws and Manitoba Education guidelines related to student privacy in the collection of student data.

Part 1: Access to and Removal of Access to Student Information

Unless prohibited by law or court order, schools shall provide parents, legal guardians, or eligible students, as applicable, the ability to review their child’s educational records according to the Manitoba Public Schools Act, Education Administration Act and guidelines published by Manitoba Education and Advanced Learning.

The Superintendent, administrator, or designate, is responsible for granting, removing, and reviewing user access to student data. An annual review of existing access shall be performed.

All persons with access to the personal information of students has a professional and ethical responsibility to maintain the privacy and security of student data. Access to any personally identifiable information contained within electronic files maintained by the school division shall be restricted to: (1) authorized staff of the school who require access to perform their assigned duties; and (2) authorized contracted service providers, clinicians, and school counsellors of the school division who require access to perform their assigned duties; and (3) authorized ICT staff who require access to perform their assigned duties. Such access to information shall constitute the minimum student data required to support student success.

Part 2: Appropriate Sharing of Student Information

Personally identifiable information contained within electronic files, including e-mail transmissions, shall only be shared with those persons deemed to have professional and/or legal access to student information and only for legitimate educational purposes and safety reasons such as: 1) student learning and support services within and beyond the school division; 2) health management, crisis management, and threat assessment; 3) student and family awareness of information collected about the student; 4) funding applications to Manitoba Education. Specific procedures for the sharing of student information is located at Procedure MA-P1 Risk Management..

Part 3: Security

The Prairie Spirit School Division shall have in place administrative security, physical security, and logical security controls to protect from a data breach or unauthorized data disclosure.

Schools shall immediately notify their School Administrator and/or the Superintendent of Schools of a data breach or unauthorized data disclosure to allow for remedial actions. The School Administrator shall notify in a timely manner affected individuals, students, and families if there is a confirmed data breach or confirmed unauthorized data disclosure.

In terms of physical security, the Prairie Spirit School Division shall adhere to the guidelines located in the most recent publications of Manitoba Education and Advanced Learning. Additionally, hardware and software shall:

• • Be approved for use by the school division;

  • Be updated regularly by ICT staff;

  • Be linked to a virus protection program;

  • Have current authentication certificates;

  • Allow for administrative security in a timely manner; and,

  • Allow for the use or linking of external assessment tools for clinical staff

 In terms of logical security, the Prairie Spirit School Division shall adhere to the following processes related to hardware and software safeguards:

• • Personally identifiable information that includes data identified as confidential because they contain personal information and are being shared or stored on a ‘need to know’ basis for educational programming and health reasons (“green files”) shall be stored solely using school division authenticated servers with firewalls requiring user identification authentication and password access;

  • Personally identifiable information that includes data identified as both confidential and sensitive (“yellow files”) or confidential, extremely sensitive, and/or have legal prohibitions for the sharing of information (“red files”), shall be stored solely using school division authenticated servers with firewalls requiring specified and limited access rights and authority levels;

  • Hardware shall not be shared with non-authorized personnel or used for purposes other than school division-related tasks; and,

Only authorized users are able to perform actions or access information in the school division network, laptop, or workstation.

Part 4: Use

Specific procedures for the use and sharing of personally identifiable information is located at Procedure MA-P. The procedures shall be updated regularly and are designed to support the appropriate level of professional use and sharing of information in the best interest of the child, regarding education, health and safety. The procedure uses a colour coded system of confidentiality levels to identify levels of privacy within student-related documentation (See Exhibit MA-E1).

In general, the following protocols shall guide the use and sharing of student information:

• • Publicly released reports shall not include personally identifiable information and shall use only aggregate data in such a manner that re-identification of individual students is not possible.

  • School division contracts with outside vendors involving student data, which govern databases; online services; assessments; special education; or instructional or health supports, shall include the following provisions which are intended to safeguard student privacy and the security of the data:

    • • Requirement that the vendor agree to comply with all applicable provincial and federal law and Manitoba Education and Advanced Learning guidelines;

      • Requirement that the vendor have in place administrative security, physical security, and logical security controls to protect from a data breach or unauthorized data disclosure;

      • Requirement that the vendor restrict access to personally identifiable information to the authorized staff of the vendor who require such access to perform their assigned duties;

      • Requirement for data destruction and an associated timeframe; and,

      • Remedies or penalties for non-compliance with the above provisions.

Determining Specific Levels of Sensitivity

Specific levels of sensitivity are described in Exhibit MA-E1.

Disposition of Private and Sensitive Student Data

The actions related to the retention and disposition of private and sensitive student data have at their foundation the Guidelines on the Retention and Disposition of School Division Records (January, 2010). In addition to, and in alignment with these provincial guidelines are Prairie Spirit School Division policies related to records (See EJB – Retention and Destruction of Records and JS-P Retention and Destruction of the Pupil File) and the following requirements for culling, destruction, transfer of data in the event of:

a.  Change of employment status of a professional educator, clinician, service provider, or other

Data collected in the course of employment with the school division remains the property of the school division at all times. Such records continue to be “under the control of” a school division when the employment status of a record keeper changes. The same access and privacy provisions will apply as apply to all other personal information or personal health information on a specific pupil.  Specific legal advice from the school division or district’s legal counsel may be required on this issue in particular circumstances.

 The school division pupil file policy allows staff to maintain a working file.  The existence of any such file should be documented in both the cumulative file component and a master pupil support file component.  Professional staff should be aware that any record made during the course of employment with a school division or district is in the custody, or under the control, of the school division or district; it is not the author’s personal property.  Therefore, the working file is subject to the same access and privacy provisions as all other personal information or personal health information about a specific pupil and change in employment status does not affect the retention or disposition of files.

b.  Change in student enrollment

Principals should follow the same process for forwarding pupil files to out-of-province schools as is used to transfer pupil files to Manitoba schools. Refer to the “Transfer of the Pupil File” section of the provincial guidelines for further information. Principals should always ensure that the request for the pupil file is received from the new school in writing and that the transfer is made using appropriate security measures.  Principals requesting pupil files for students transferring into Manitoba from out-of-province should contact the previous jurisdiction for instructions on how to request the pupil file. 

c.  Change in student status (e.g., temporality of a condition)

Furthermore, with respect to personal information, subsection 40(1) of FIPPA requires that a school board establish and comply with a written policy concerning retention and destruction of personal information. Subsection 40(2) of this Act states that the policy “require that personal information be retained for a reasonable period of time so that the individual the information is about has a reasonable opportunity to obtain access to it”. (See Manitoba Pupil File Guidelines –Appendix II)

d.  Third party information within or associated with a file

Once third party information is within or associated with a file, it becomes part of the record and therefore must be retained according to the retention periods stipulated in the provincial guidelines. Working copies of documents created by third parties are records, as well as the original or official documents.