Multimedia

Protecting Student Privacy Rights in Ontario

IPC webinar on protecting student privacy rights. This webinar explores the privacy obligations that schools and school boards have under MFIPPA when delivering educational services and includes best practices for meeting these obligations | September 9, 2021

September 21, 2021
An illustration of a student writing in a notebook.
Transcripts

Hello and welcome to the IPC’s webinar on protecting student privacy rights in Ontario.

As part of our mandate, the IPC provides guidance on public sector access and privacy legislation that apply to Ontario’s educational institutions. 

These laws are: 

  • the Freedom of Information and Protection of Privacy Act, or FIPPA, and 
  • the Municipal Freedom of Information and Protection of Privacy Act, or MFIPPA 

Today, in addition to discussing the privacy obligations that schools and school boards have under MFIPPA when delivering educational services, we will also share some best practices for meeting these obligations.

Responsibilities

Public school board officials and teachers have responsibilities under Ontario’s municipal privacy law, MFIPPA.

For example, principals and school board officials are responsible for:

  1. Complying with Ontario’s privacy laws and other laws, such as the Education Act
  2. Collecting personal information only where permitted
  3. Ensuring that reasonable security measures are in place
  4. Training staff, and 
  5. Establishing and adhering to contracts with service providers 

Teachers and staff are responsible for: 

  1. Complying with legislation, professional standards, guidelines, and school board policies when collecting, using, and disclosing personal information 
  2. Protecting personal information by following school policies and procedures 
  3. Reporting suspected privacy or security breaches to the principal, and 
  4. Participating in training on their duties and obligations to protect personal information

What is personal information?

Let’s take a moment to discuss personal information as it relates to MFIPPA.

MFIPPA defines personal information as recorded information about an identifiable individual. 

In the case of a school or school board, this includes information such as a student’s name, address, or phone number. 

Other examples of personal information include:

  • school photos and videos
  • health information
  • student records, and
  • any identifying number or symbol assigned to the student 

A record may contain personal information even if it does not include a name. 

For example, if a teacher posts students’ grades or test scores in a way that the identity of the students could be determined, even without their names, it could be a disclosure of personal information.

Personal information can be recorded in any format. In a school setting, this may include: 

  • paper records, such as report cards, class lists, or printed special education records, including individual education plans, safety plans, or behaviour plans 
  • electronic records, such as electronic student attendance records 
  • photographs, including yearbook images 
  • video footage, including from surveillance cameras located in schools

MFIPPA protects student’s privacy by setting rules for the collection, use, and disclosure of personal information.

Collecting personal information

A school or school board may collect personal information from a parent, a guardian, or a student if the collection is:

  1. Specifically authorized by a law, such as the Education Act. For example this could include collecting information for the Ontario Student Record, or,

  2. Necessary to deliver educational services or other related activities

School boards cannot rely only on consent from parents, guardians or students to collect personal information. They need to have legal authority for the collection, or demonstrate that the collection is necessary to deliver educational services. 

As a general rule, personal information must be collected directly from the individual, unless consent is given for indirect collection.

For example, a parent consents to a school board obtaining a report from a psychologist directly who will be assessing the learning abilities of their elementary-age child.

Collection of personal information that is not specifically authorized by law but is deemed necessary — which means more than merely helpful — must still be rationally connected to a lawfully authorized activity, and be demonstrated as necessary to properly administer that lawfully authorized activity.

For example, under Ontario’s Education Act, school boards are responsible for promoting student achievement and well-being. 

If a board wants to collect personal information for the purpose of promoting student well-being through, for example, a student survey about bullying, the collection of personal information through the survey must be necessary to achieve this goal. 

Justification must be provided for all personal information that is collected.

Demonstrating necessity requires taking into account the nature of the information, how sensitive it is, as well as the amount of personal information collected. 

For example, in some circumstances, video surveillance may be used for the purpose of ensuring the safety of students and the security of school property, but collection must be limited to fulfilling those purposes only.

Using personal information

As a general rule, once collected, personal information may only be used for the purpose it was collected, or for a consistent purpose. 

A consistent purpose is one which the parent, guardian or student would reasonably expect, such as using the information to improve learning or instruction for the student. 

Lastly, once collected, schools may not use personal information for any new purpose, unless the student, parent or guardian has consented to that new use, preferably in writing.

Disclosing personal information

A school or school board may disclose personal information under limited circumstances. For example, disclosure can be made: 

  1. Where necessary to deliver education services
  2. Where permitted or required by law, or
  3. Where the individual has consented

Again, consent to share is only valid if the personal information was collected lawfully in the first place.

For example, yearbooks often contain personal information collected for different purposes, such as class and individual photographs. 

Most people within the school community expect that these photos, along with the students’ names, will be published in the yearbook. 

Where an individual can reasonably expect a disclosure, that is considered to be a disclosure for a consistent purpose, which is permitted under MFIPPA

However, for personal information that an individual would not reasonably expect to be published in the yearbook—such as an autobiographical essay for a class assignment—the school would need to get consent before including it in the yearbook.

Our Guide to Privacy and Access in Ontario Schools offers additional guidance on the rules for disclosure. 

Access to personal information

Students and their parents and guardians have a right to access the students’ personal information from their schools and school boards.

Under MFIPPA, a child under 16 years-old can access their own records. 

A parent, or other person who has lawful custody of the child, can also access records on the child’s behalf.

Access requests can be informal or formal.

As a best practice, schools or school boards should seek written consent or document oral consent so that there is a written record of it. 

The school or school board must issue a decision letter within 30 days of receiving the access request.

Other laws, such as the Education Act, may establish different access rights and responsibilities.

Retaining personal information and the requirements of safeguards

Let’s turn our attention to retaining or storing personal information and the importance of having safeguards in place to protect student’s personal information.

MFIPPA requires records to be retained for a minimum of one year after use, or for a period set out in a bylaw or school board resolution — whichever is shorter.

There may be other rules setting the length of the retention period applicable in your school board. 

Records must be destroyed securely in a way that ensures the complete destruction of the record so it cannot be reconstructed or retrieved.

Ontario’s privacy laws require schools and school boards to define, document and put in place reasonable information security measures to prevent unauthorized access to, inadvertent destruction, or damage of records.

When determining appropriate safeguards, schools and school boards should consider the nature of the records, such as:

  • the sensitivity of and amount of information in the records
  • the number and nature of people with access to the records, and
  • any threats and risks associated with how the information is stored

The general rule is that safeguards should be proportionate to the risks. 

That means, for example, a class project website that contains no personally identifiable information might not need to meet the highest security standards.

To identify risks and appropriate mitigation measures, the IPC strongly encourages all institutions to carry out regular threat and risk assessments and privacy impact assessments. Please visit our website for additional resources and guidance on risk management. 

Privacy and security breaches

Privacy and security breaches can occur, especially if a school, school board or teacher does not comply with MFIPPA or other applicable laws that set rules for managing personal information.  

Some common examples of breaches, and their causes, include:

  • a lost or stolen flash drive containing personal information 

  • correspondence containing personal information mailed or emailed to the wrong person, or 

  • disclosing information about a student without consent or legal authority. This could include posting photos, videos or school activities online that contain identifiable information. 

Some do’s and don’t to protect student’s personal information include:

DO 

  • protect your students’ personal information by ensuring files and electronic devices are secure

  • collect and disclose personal information only for education-related purposes 

  • seek guidance from the principal before using any new online educational tool that collect students’ personal information, and 

  • inform your supervisor, manager or principal when you become aware of a privacy breach or potential privacy breach, and cooperate with any resulting investigation 

DON’T 

  • collect more personal information than you need 

  • disclose personal information about a student unless it is necessary for education reasons 

  • use identifiable photos or information about students on school websites or on social media without consent

In the event of a breach or a complaint, the IPC may investigate the information handling practices of school boards and their contracted agents. 

If the IPC determines there has been an unauthorized collection, use, or disclosure of personal information, then a public report may be issued naming the school board. In this instance, a school board would be required to notify the affected parents and students.

It is important to mention that cyberattacks are a growing criminal phenomena and cyber criminals are becoming increasingly sophisticated. 

To help public institutions protect against cyberattacks, we have published two fact sheets, Protecting Against Ransomware and Protect Against Phishing. These fact sheets outline various approaches to protect personal information, including employee training, limiting user privileges, software protections and more.

Security best practices: Working and learning in the digital frontier

The COVID-19 pandemic has had a significant impact on traditional workflows and the delivery of educational services. 

School officials and teachers have shifted to remote, work-from-home arrangements, which, for some, have blurred the boundaries between home and work. 

Students and teachers have adopted — and adapted — to new forms of online education that involve using their personal computers, home networks, and public internet access.

Schools and school boards have acquired new digital communication tools and cloud-based collaboration services, which have increased their reliance on third party service providers. 

Some of these tools and services raise concerns about information security and privacy.

For example, unlike in-person learning, these technology solutions can record text and video images, and log device and user activities. 

Whether a school board is providing remote learning, in-person learning — or both — Ontario’s privacy laws always apply.

The IPC has published a fact sheet for public institutions about work from home arrangements and meeting requirements under Ontario’s privacy laws. The fact sheet offers suggestions on matters such as:

  • creating a home workspace
  • how to ensure secure remote internet access, and
  • safe online video conferencing

Online educational tools and services

As noted earlier, many schools and school boards across the province use online or web-based digital tools and services provided by contracted service providers to help meet educational and administrative needs.

Schools and school boards are accountable for the operation and use of these online tools and services, and for the actions of the service providers. 

Schools and school boards must ensure that these service providers do not improperly collect, use or disclose students’ personal information.

Our office recommends the following minimum steps to take when considering the use of online educational tools and services:

  1. Assign responsibility for making decisions to use online educational tools
  2. Implement policies and procedures to evaluate, approve and support their appropriate use 
  3. Provide teachers and staff with ongoing privacy and security training, and 
  4. Notify students, parents and guardians that the service may collect personal information, and explain how the information will be used 

Communication platforms and services

Online communication services, such as videoconferencing platforms, enable remote collaboration and virtual learning. 

These online platforms and services have been used widely by schools and boards since the start of the pandemic. 

Videoconferencing platforms introduce or heighten security and privacy risks, especially if security controls are weak and users lack appropriate training.

The IPC recommends the following best practices for schools and school boards:

  • ensure due diligence when purchasing and integrating these tools and services into operations
  • establish contract terms to govern the service and handling of personal information 
  • control access to any platforms and services and personal information
  • standardize configuration and settings, and keep the software updated
  • provide teachers with adequate training on all platforms, and
  • have in place appropriate safeguards to ensure privacy, security and prevent breaches

We also recommend that schools and school boards provide clear guidance to students and parents for using these tools at home, and ensure they follow these best practices:

  • use in a private and distraction-free home environment
  • use headsets at all times
  • blur backgrounds
  • enable the option to show or hide students’ faces; and
  • limit the ability to record video sessions

Contracting and securing personal information

Our office recently released two privacy complaint reports related to the use of cloud-based data management services by school boards. 

These reports contain important lessons for school officials and staff.

Both investigations found the school board’s collection, use, and disclosure of students’ personal information were in compliance with MFIPPA, and that reasonable contractual measures were in place to ensure the privacy and security of that personal information.

However, the first investigation found the school board did not have reasonable oversight measures in place in relation to the performance of its service provider’s contractual security obligations.

To address this, the report recommended the board strengthen and document the steps they have taken to ensure the service provider has fulfilled the mandatory requirements of their agreement, including requiring the service provider to: 

  • submit to an independent data security and privacy audit and provide its results and conclusions to the board 
  • confirm that they have implemented all of the recommendations made by a security expert in a recent assessment 
  • put in place information and security policies and controls that are aligned with a technical and organizational framework standard, which can be independently audited.

The second investigation recommended some changes to the notice of collection in order to strengthen transparency to parents and students, as well as recommending the board improve its oversight of third-party security measures by:

  • requesting regular security briefings and evidence of compliance
  • reviewing any significant developments in the scope of the services or their features, and,
  • determining whether an updated privacy and security assessment is warranted

Both of these privacy complaint reports serve as a reminder to school boards to fulfill their obligations to protect student privacy, and that school boards must couple a strong contract with appropriate monitoring and oversight of its provisions.

Looking ahead

Children and Youth in a Digital World is one of the strategic priorities the IPC has identified to guide our work over the next four years.  

Our goal is to champion the access and privacy rights of Ontario’s children and youth by promoting their digital literacy and the expansion of their digital rights, while holding institutions accountable for protecting the children and youth they serve. 

As part of our action plan to advance this strategic priority, we look forward to engaging with education stakeholders across Ontario, including schools and school boards, as well as students, parents and guardians. 

Be sure to visit our website at www.ipc.on.ca for more resources. The IPC is committed to working with Ontario’s public institutions, and we encourage you to contact us if you have any questions or require additional guidance. 

Follow us on twitter @IPCinfoprivacy for all the latest access and privacy news and subscribe to our YouTube channel for videos like this one on a variety of access and privacy topics. 

If you are a podcast listener, the IPC’s Info Matters show is for you and its available wherever you listen to your favourite podcasts.

Thanks for tuning in.

Help us improve our website. Was this page helpful?

Note:

  • You will not receive a direct reply. For further enquiries, please contact us at @email
  • Do not include any personal information, such as your name, social insurance number (SIN), home or business address, any case or files numbers or any personal health information.
  • For more information about this tool, please see our Privacy Policy.