- Download the Guide
- Ontario’s Access and Privacy Legislation
Collecting personal information
- Are school boards limited in the amount or kind of personal information they may collect?
- Does a school board need consent to collect personal information about a student?
- When can a school board collect personal information indirectly?
- Does a school board need to give notice that it is collecting personal information?
- What are the rules for collecting, using, disclosing and requiring the production of Ontario Education Numbers?
- Using and disclosing personal information
- Consent to collect, use and disclose personal information
- Safeguarding and retaining information
Access to information
- How do students and parents access personal information?
- Do individuals have a right to access general records from a school board?
- Do students need to reach a certain age before they can exercise their access rights?
- How does a child’s age affect the parent’s right of access to personal information?
- Do non-custodial parents have a right to access a child’s school records?
- Correction of Personal Information
- Special Topics
Privacy in the networked classroom and the use of online educational services
Ontario teachers often use online educational tools and services in their classrooms, sometimes without the knowledge or approval of school administrators and school boards.
Online educational services involve computer software and web-based tools that students and their parents access via the internet and use as part of a school activity. Examples include online services that students use to:
- access class readings
- view their learning progression
- watch video demonstrations
- comment on class activities
- complete their homework
While these services may be innovative, readily accessible, and available at little or no cost, their use may pose privacy risks to students and their families.
Under MFIPPA, school boards are accountable for online educational services used in the classroom. They must ensure that these services do not improperly collect, use or disclose students’ personal information. For example:
- Improper Collection: Some online educational services collect and retain students’ personal information for their own non-educational purposes. They may also track and record students’ online activities and interactions with others, and collect personal information from indirect sources.
- Unauthorized Use: Online educational services may evaluate students’ behaviour and performance, and generate profiles to market learning tools or products directly to students and parents without their consent.
- Unauthorized Disclosure: Some online educational services sell students’ personal information to third parties that market other services and products directly to students and parents without their consent.
Best Practices for the Use of Online Educational Services
Given the privacy risks, the IPC recommends that schools and school boards considering the use of online educational services take the following steps:
- Develop and implement policies to evaluate, approve and support the use of online educational services for use in the classroom. Consider carrying out a privacy impact assessment and working with other educational stakeholders. Take precautions before accepting “take-it-or-leave-it” terms and conditions. Provide educators with a list of online education services which are approved for use in the classroom.
- Provide privacy and security training and ongoing support for teachers and staff. Educators must be able to provide effective guidance and support to students and parents on the use of online educational services.
- Notify students and parents about the personal information that may be handled by the online services and the reasons for handling it. The notice should be timely, accessible, clear, and concise, and enable individuals to make informed decisions.
- Allow for students or parents to opt out of online educational services that collect, use, retain or disclose personal data. Provide other ways to deliver the same educational services.
- Develop and implement a “Bring Your Own Device” policy for students and parents who access online educational services with their personal electronic devices. The policy should clarify appropriate uses of the online services and any consequences of using a personal device – especially when installing software or mobile applications.
- Set and enforce retention periods for accounts and different categories of personal data. Only use the data that is collected for as long as needed. In particular, logs of interactions between students, parents and educators should be routinely purged.
To raise awareness of the risks of using some online educational services, the IPC developed a brochure and poster about online educational services that are available on the IPC website.120