300: Security of Personal and Division Information
Responsible Administrator: Associate Superintendent Corporate Services
PURPOSE
The Division has a responsibility to protect the privacy of individuals by appropriately securing confidential personal information.
PROCESS
The Associate Superintendent, Corporate Services shall maintain this Administrative Procedure.
DEFINITIONS
Personal information is recorded information about an identifiable individual, including:
- individual’s name, home/business address or home/business telephone number;
- race, national or ethnic origin, religious/political beliefs and affiliations;
- age, sex, marital status or family status;
- identifying number, symbol or other identifiers assigned to an individual;
- fingerprints and other biometric information including blood type, genetics or inheritable characteristics;
- health and health care history including information about physical or mental disability;
- educational, financial, employment or criminal history including criminal records where a pardon has been given;
- third-party opinions about an individual, and
- an individual’s personal views or opinions, except if they are about someone else.
Portable Information Devices (PIDs) include (but are not limited to) the following:
- Electronic computing and communication devices and media designed for mobility, including laptop, desktop, and in-vehicle personal computers, blackberries, personal data assistants, cellular devices, and other devices that have the ability to store data electronically.
- CDs, DVDs, flash memory drives, zip drives, backup tapes, and other information storage media or devices that provide portability or mobility of data.
PROCEDURE
1. Principals and supervisors shall ensure that an adequate level of security is provided for personal information within their control and custody and shall ensure that employees whom they supervise are aware of their responsibilities to secure personal information in the execution of their duties:
1.1 use secure remote connections to access personal information on the division network rather than storing personal information on Portable Information Devices (PIDs) whenever possible;
1.2 when a secure remote connection is not feasible, refrain from loading personal information on PIDs that are not encrypted;
1.3 only copy, download or transport personal information that is required for specific tasks;
1.4 ensure personal information stored on paper records and/or PIDs is secure;
1.5 maintain an inventory of personal information while it is temporarily and securely stored at home or on PIDs;
1.6 destroy or remove transitory paper, digital or electronic records and/or return division records containing personal information about students, parents and staff of Sturgeon Public Schools when it is no longer needed to carry out specific duties, and
1.7 ensure the retention and destruction of records is in keeping with divisional requirements.
1.7.1 Paper records are destroyed at the worksite by shredding or temporarily stored awaiting destruction by an approved vendor.
1.7.2 Electronic records are deleted from the source when electronic devices are terminated or transferred.
1.7.3 Electronic memory is processed by the Technology Services Department to ensure that deleted information is not retrievable.
2. PID configuration specifications
2.1 If personal information must be placed on a PID, then that information must be password protected and encrypted. For further technical details about passwords, encryption, device deactivation, remote information deletion and other technical solutions, consult with the Technology Services Department.
3. Employees using PIDs or paper records which contain personal information shall follow these security procedures:
3.1 do not leave paper records or portable devices or portable storage in non-secured areas;
3.2 do not leave paper records, portable device(s) or portable storage in an unlocked vehicle; temporarily store in a locked trunk;
3.3 any personal information on PID must be encrypted;
3.4 ensure that PIDs are protected by strong passwords;
3.5 ensure that computers are shut down during transit; and
3.6 consult the Technology Services Department for specific technology support, including procedures for the encryption of data.
4. Employees shall report incidents involving personal information as follows:
4.1 Immediately report loss, theft or unauthorized access of personal information and other security related incidents to a Principal/supervisor who shall immediately report unauthorized access to the Associate Superintendent Human Resources;
4.2 immediately report theft of PIDs or records containing personal information to local police; and
4.3 document the details of any loss, theft, unauthorized access of PIDs, or personal information security related incident, including an inventory of the personal data involved.
5. Any person aware of an unreported loss, theft or compromise of personal information shall make a report to their Principal/supervisor and the Associate Superintendent Human Resources as soon as possible.
6. In consultation with the Associate Superintendent Human Resources, a Principal/supervisor shall send out notification letters to all individuals whose personal information was subject to an inadvertent disclosure of confidential personal information as soon as possible.
7. Violations of this administrative procedure may result in disciplinary action for individuals, up to and including termination.
References:
Admin Procedure: 520 Student Records Management
Freedom of Information and Protection of Privacy Act
History
2020 Jan 29 Initial Approval
Administrative Procedures III. General School Administration