- Download the Guide
- Ontario’s Access and Privacy Legislation
Collecting personal information
- Are school boards limited in the amount or kind of personal information they may collect?
- Does a school board need consent to collect personal information about a student?
- When can a school board collect personal information indirectly?
- Does a school board need to give notice that it is collecting personal information?
- What are the rules for collecting, using, disclosing and requiring the production of Ontario Education Numbers?
- Using and disclosing personal information
- Consent to collect, use and disclose personal information
- Safeguarding and retaining information
Access to information
- How do students and parents access personal information?
- Do individuals have a right to access general records from a school board?
- Do students need to reach a certain age before they can exercise their access rights?
- How does a child’s age affect the parent’s right of access to personal information?
- Do non-custodial parents have a right to access a child’s school records?
- Correction of Personal Information
- Special Topics
How do school boards safeguard records?
The principal must ensure that the materials in the Ontario Student Records are securely collected and stored in accordance with the OSR Guideline and school board policies.
School boards are required to define, document and put in place reasonable measures to protect records from inadvertent destruction or damage.56 This means they must record, in a policy or other document, the steps taken to protect the records. They are also required to take reasonable steps to prevent unauthorized access to their records, and ensure that only those individuals who need a record for the performance of their duties have access to it.57 The requirement to prevent unauthorized access applies throughout the life cycle of a given record, from collection, through all of its uses, up to and including its eventual disposal.
School boards are ultimately responsible for the safety and security of their students’ personal information and for ensuring that adequate administrative, physical and technical measures to protect personal information are put in place, which may include the following:
Technical Safeguards to Protect Electronic Data
When determining what safeguards should be put in place, consider the nature of the records, including:
- the sensitivity and amount of information in the record
- the number and nature of people with access to the information
- any threats and risks associated with the manner in which the information is kept
A school board administrator hears that some teachers are using their personal Facebook accounts to share photographs from their classrooms, including posting pictures of students and their artwork.
The administrator responds by updating the board’s policies covering disclosure of personal information on social media and the requirements to get consent before posting online. She also sets up ongoing training for teachers and updates the confidentiality agreements that teachers must sign.