Code: CNA.AR
Topic: Security of Personal and District Information
Issue Date: 23/08/2007
Effective Date: 03/05/2007
Review Year: 2012
INTRODUCTION
A student, parent or staff member provides their personal information to the District trusting that the District will use it only as necessary to carry out the District's mandate. The security of personal information is compromised when the information is stored on portable information devices or when the information is transported to and from work and home.
All district records created by staff in the course of their work are subject to the Freedom of Information and Protection of Privacy Act and are under the custody and/or control of the District at all times. The Freedom of Information and Protection of Privacy Act and the orders of the privacy commissioner provide standards for the security of personal information.
Personal Information
Under the Freedom of Information and Protection of Privacy Act, "personal information" means recorded information about an identifiable individual, including:
the individual's name, home or business address or home or business telephone number,
the individual's race, national or ethnic origin, colour or religious or political beliefs or associations,
the individual's age, sex, marital status or family status,
an identifying number, symbol or other particular assigned to the individual,
the individual's fingerprints, other biometric information, blood type, genetic information or inheritable characteristics,
information about the individual's health and health care history, including information about a physical or mental disability,
information about the individual's educational, financial, employment or criminal history, including criminal records where a pardon has been given,
anyone else's opinions about the individual, and
the individual's personal views or opinions, except if they are about someone else.
Portable Information Devices (PID) and Portable Information Storage Media
Portable information devices and portable information storage media include (but are not limited to) the following:
electronic computing and communication devices and media designed for mobility, including laptop, desktop, and in-vehicle personal computers, blackberries, personal data assistants, cellular devices, and other devices that have the ability to store data electronically,
CDs, DVDs, flash memory drives, zip drives, backup tapes, and other information storage media or devices that provide portability or mobility of data.
REQUIREMENTS AND PROCEDURES
Principals and DU Managers shall ensure that an adequate level of security is provided for personal information that is in their control and custody and shall ensure that the staff they supervise are aware of the following responsibilities.
All employees who use personal information in the execution of their duties shall:
use secure remote connections to access personal information on the District network rather than storing personal information on PIDs whenever possible; and
refrain from loading personal information on PIDs unless it is impossible to carry out their duties without this information; and
only copy, download or transport the personal information that is required for specific tasks; and
keep the paper records and PIDs secure; and
maintain an inventory or copy of the personal information temporarily stored at home or on PIDs under their control; and
ensure that district information on a PID can be replaced if the storage device is lost or stolen; and
destroy or remove transitory paper, digital or electronic records and/or return district records containing personal information about students, parents and staff of Edmonton Public Schools when it is no longer needed to carry out their duties.
PID configuration specifications: If personal information must be placed on a PID, then that information must be password protected and encrypted. For further technical details about passwords, encryption, device deactivation, remote information deletion and other technical solutions, consult with District Technology.
District staff using PIDs that contain personal information shall follow these security procedures:
ensure the portable device is labeled with appropriate contact information in case of loss; and
do not leave portable devices or portable storage in non-secured areas; and
do not leave portable devices or portable storage in an unlocked vehicle; place the devices and storage in a locked trunk; and
any personal information on a PID must be encrypted; and
ensure that PIDs are protected by strong passwords; and
confer with district technical support for specific technology help, including procedures for the encryption of data.
Employees shall report incidents involving personal information as follows:
immediately report loss, theft or unauthorized access of personal information and other security related incidents to a supervisor and to the Superintendent of Schools; and
immediately report theft of PIDs or records containing personal information to local police; and
document the details of any loss, theft, unauthorized access of PIDs, or personal information security related incident, including an inventory of the personal data involved.
Any person aware of an unreported loss, theft or compromise of personal information shall make a report to their supervisor and the Superintendent of Schools as soon as possible.
The Principal or Decision Unit Administrator shall send out notification letters to all individuals whose personal information was subject to an inadvertent disclosure as soon as possible.
Violations of this regulation shall result in disciplinary action for individuals, up to and including termination.