Security of Personal and District Information

  • Code: CNA.AR
    Topic: Security of Personal and District Information
    Issue Date: 23/08/2007
    Effective Date: 03/05/2007
    Review Year: 2012

Regulation

  1. INTRODUCTION
    A student, parent or staff member provides their personal information to the District trusting that the District will use it only as necessary to carry out the District's mandate. The security of personal information is compromised when the information is stored on portable information devices or when the information is transported to and from work and home.

    All district records created by staff in the course of their work are subject to the Freedom of Information and Protection of Privacy Act and are under the custody and/or control of the District at all times. The Freedom of Information and Protection of Privacy Act and the orders of the privacy commissioner provide standards for the security of personal information.

  2. DEFINITIONS
    1. Personal Information
      Under the Freedom of Information and Protection of Privacy Act, "personal information" means recorded information about an identifiable individual, including:
      1. the individual's name, home or business address or home or business telephone number,
      2. the individual's race, national or ethnic origin, colour or religious or political beliefs or associations,
      3. the individual's age, sex, marital status or family status,
      4. an identifying number, symbol or other particular assigned to the individual,
      5. the individual's fingerprints, other biometric information, blood type, genetic information or inheritable characteristics,
      6. information about the individual's health and health care history, including information about a physical or mental disability,
      7. information about the individual's educational, financial, employment or criminal history, including criminal records where a pardon has been given, anyone else's opinions about the individual, and
      8. the individual's personal views or opinions, except if they are about someone else.
    2. Portable Information Devices (PID) and Portable Information Storage Media
      Portable information devices and portable information storage media include (but are not limited to) the following:
      1. electronic computing and communication devices and media designed for mobility, including laptop, desktop, and in-vehicle personal computers, blackberries, personal data assistants, cellular devices, and other devices that have the ability to store data electronically,
      2. CDs, DVDs, flash memory drives, zip drives, backup tapes, and other information storage media or devices that provide portability or mobility of data.
  3. REQUIREMENTS AND PROCEDURES
    1. Principals and DU Managers shall ensure that an adequate level of security is provided for personal information that is in their control and custody and shall ensure that the staff they supervise are aware of the following responsibilities.

      All employees who use personal information in the execution of their duties shall:
      1. use secure remote connections to access personal information on the District network rather than storing personal information on PIDs whenever possible; and
      2. refrain from loading personal information on PIDs unless it is impossible to carry out their duties without this information; and
      3. only copy, download or transport the personal information that is required for specific tasks; and
      4. keep the paper records and PIDs secure; and
      5. maintain an inventory or copy of the personal information temporarily stored at home or on PIDs under their control; and
      6. ensure that district information on a PID can be replaced if the storage device is lost or stolen; and
      7. destroy or remove transitory paper, digital or electronic records and/or return district records containing personal information about students, parents and staff of Edmonton Public Schools when they are no longer needed to carry out their duties.
    2. PID configuration specifications:
      If personal information must be placed on a PID, then that information must be password protected and encrypted. For further technical details about passwords, encryption, device deactivation, remote information deletion and other technical solutions, consult with District Technology.

    3. District staff using PIDs that contain personal information shall follow these security procedures:
      1. ensure the portable device is labeled with appropriate contact information in case of loss; and
      2. do not leave portable devices or portable storage in non-secured areas; and
      3. do not leave portable devices or portable storage in an unlocked vehicle; place the devices and storage in a locked trunk; and
      4. any personal information on a PID must be encrypted; and
      5. ensure that PIDs are protected by strong passwords; and
      6. confer with district technical support for specific technology help, including procedures for the encryption of data.
    4. Employees shall report incidents involving personal information as follows:
      1. immediately report loss, theft or unauthorized access of personal information and other security related incidents to a supervisor and to the Superintendent of Schools; and
        1. immediately report theft of PIDs or records containing personal information to local police; and
        2. document the details of any loss, theft, unauthorized access of PIDs, or personal information security related incident, including an inventory of the personal data involved.
      2. Any person aware of an unreported loss, theft or compromise of personal information shall make a report to their supervisor and the Superintendent of Schools as soon as possible.
      3. The Principal or Decision Unit Administrator shall send out notification letters to all individuals whose personal information was subject to an inadvertent disclosure as soon as possible.
    5. Violations of this regulation shall result in disciplinary action for individuals, up to and including termination. 

References

CN.BP Managing District Information
CN.AR Creation, Use and Maintenance of District Information
HO.AR Student Records
Freedom of Information and Protection of Privacy Act