How do school boards safeguard records?

The principal must ensure that the materials in the Ontario Student Records are securely collected and stored in accordance with the OSR Guideline and school board policies.

School boards are required to define, document and put in place reasonable measures to protect records from inadvertent destruction or damage.56 This means they must record, in a policy or other document, the steps taken to protect the records. They are also required to take reasonable steps to prevent unauthorized access to their records, and ensure that only those individuals who need a record for the performance of their duties have access to it.57 The requirement to prevent unauthorized access applies throughout the life cycle of a given record, from collection, through all of its uses, up to and including its eventual disposal.

School boards are ultimately responsible for the safety and security of their students’ personal information and for ensuring that adequate administrative, physical and technical measures to protect personal information are put in place, which may include the following:

Administrative Safeguards

Technical Safeguards to Protect Electronic Data

Physical Safeguards

  • privacy and security policies and procedures
  • privacy and security training
  • confidentiality agreements
  • privacy impact assessments
  • strong authentication and access controls
  • logging, auditing and monitoring
  • strong passwords and encryption
  • maintaining up to date software by applying the latest security patches
  • firewalls, hardened servers, intrusion detection and  prevention, anti-virus, anti-spam, and/or anti-spyware software
  • protection against malicious and mobile code
  • threat risk assessments
  • controlled access to locations where personal information is stored
  • locked cabinets
  • access cards and keys
  • identification, screening and supervision of visitors

 

When determining what safeguards should be put in place, consider the nature of the records, including:

  • the sensitivity and amount of information in the record
  • the number and nature of people with access to the information
  • any threats and risks associated with the manner in which the information is kept

A school board administrator hears that some teachers are using their personal Facebook accounts to share photographs from their classrooms, including posting pictures of students and their artwork.

The administrator responds by updating the board’s policies covering disclosure of personal information on social media and the requirements to get consent before posting online. She also sets up ongoing training for teachers and updates the confidentiality agreements that teachers must sign.

 


56 Regulation 823 under MFIPPA, s. 3(3)
57 Regulation 823 under MFIPPA, s. 3(1-2)