AP 564: Access to Information and Protection of Privacy
Business & Finance
Background
The Access to Information Act (ATIA) and the Protection of Privacy Act (POPA) control the manner in which a local public body collects, uses, discloses and disposes of personal information.
Definitions
a) Personal Information: means recorded information about an identifiable individual, including:
a. An individual’s name, home or business address, home or business telephone number, home or business email address, or other contact information, except where the individual has provided the information on behalf of the individual’s employer or principal, in the individual’s capacity as an employee or agent;
b. An individual’s race, national or ethnic origin, colour or religious or political beliefs or associations;
c. An individual’s age, gender identity, sex, sexual orientation, marital status or family status;
d. An identifying number, symbol, or other particular assigned to the individual;
e. An individual’s fingerprints, other biometric information, blood type, genetic information or inheritable characteristics;
f. Information about the individual’s health and health care history, including information about the individual’s physical or mental health;
g. Information about the individual’s educational, financial, employment or criminal history, including criminal records where a pardon has been given;
h. Anyone else’s opinions about the individual; and
i. An individual’s personal views or opinions, except if they are about someone else.
b) Privacy Breach: refers to a loss of, unauthorized access to, or unauthorized disclosure of personal information.
c) Record: means any electronic record or other record in any form in which information is contained or stored, including information in any written, graphic, electronic, digital, photographic, audio or other medium, but does not include any software or other mechanism used to store or produce the record.
d) Transitory record: refers to records in any format that are of short-term value, with no further use beyond an immediate transaction and have no permanent value for the Division.
Procedures
1. The Access to Information Act (ATIA) primarily intends to:
1.1. Allow any person a right of access to the records in the custody or under the control of a public body subject to limited and specific exceptions as set out in ATIA;
1.2. Allow individuals, subject to limited and specific exceptions as set out in ATIA, a right of access to personal information about themselves that is held by a public body; and
1.3. Provide for independent reviews of decisions made by a public body under ATIA and the resolution of complaints under ATIA.
2. The Protection of Privacy Act (POPA) primarily intends to:
2.1. Control the collection, use and disclosure of personal information by a public body;
2.2. Allow individuals a right to request corrections to personal information about themselves that is held by a public body;
2.3. Control the creation, use and disclosure of data derived from personal information and non-personal data by a public body, and
2.4. Provide for independent reviews of decisions made by public bodies under POPA and the resolution of complaints under POPA.
3. The Associate Superintendent of Corporate Supports and Services shall be the Head of Privacy for the Division as delegated by the Superintendent.
4. The Executive Assistant of the Associate Superintendent, Corporate Supports and Services shall act in the capacity of ATI Coordinator for the Division.
5. Site Supervisors, including the Principal of each school shall be the “Site Coordinator” for the purposes of ATIA and POPA. Site coordinators are responsible to ensure the protection of personal information at their schools or business units and are to direct inquiries about disclosure of information to the ATI Coordinator.
With respect to collection, disclosure and access to information:
6. No personal information may be collected unless collection is specifically authorized by the Education Act or the information relates directly to and is necessary for an operating program or activity of the Division, including a common or integrated program or service.
7. The Division may use or disclose personal information:
7.1. Only for the purpose for which it was collected or compiled or for use consistent with that purpose;
7.2. If the individual the information is about has identified the information and consented, in the prescribed manner, to the use of the information; or
7.3. For purposes specifically provided for in POPA.
8. The following personal information can be used or disclosed, without obtaining consent, for educational and safety purposes:
8.1. Student records, report cards, attendance lists, absenteeism verification, and student identification cards;
8.2. Classroom educational activities and field trips;
8.3. Digital and online student accounts;
8.4. School newsletters and yearbooks and internal websites and publications;
8.5. Transportation services, including school buses;
8.6. Honour roll, academic or athletic awards, graduation ceremonies, and scholarships;
8.7. Emergency response, including law enforcement and security;
8.8. Eligibility determinations for provincial and federal funding and information sharing with Alberta Education; and
8.9. Other items deemed as educational or for safety purposes.
9. The Division has a duty to maintain accurate and complete personal information that is used to make decisions about the individual; notably:
9.1. Under POPA an individual has the right to request a correction when the applicant believes an error or omission has been made.
10. The Division provides access to Division publications; notably:
10.1. All publications, following release, will be available in the Division Office, for review by members of the public.
11. Persons requesting information shall first contact either the school or Division office, whichever is responsible for creating or maintaining the information in question; notably:
11.1. The records management system may be reviewed to assist in locating readily available accessible information, documents or contact persons.
12. Access to information through ATIA is intended as a last resort and may be considered if other attempts to acquire information have failed.
13. If the requested information is not available from the school, then the person requesting the information may apply to the designated ATI Coordinator with their request.
13.1. In a request, the applicant may ask for a copy of the record or to examine the record; and
13.2. A request shall be in writing by completing an ATI Request Form – Schedule 564A and shall provide enough detail to enable the Division to identify the record.
With respect to privacy breach
14. In the event of a privacy breach, the Division shall:
14.1. Mitigate the breach;
14.2. Evaluate the risks associated with the breach;
14.3. Notify the affected parties if necessary to avoid or mitigate risk of harm to those individuals; and
14.4. Determine if there is a real risk of significant harm and if the breach needs to be reported to the Commissioner and the Minister.
15. Division staff members are required to fill out the Privacy Breach Form (F5900) and submit the completed form to the ATI Coordinator.
With respect to records management
16. Staff shall attend to the proper handling of transitory records; notably, transitory records:
16.1. Are only required for a limited period of time in order to complete a routine action;
16.2. Are produced or received in the preparation of other records which supersede them;
16.3. Are not needed as evidence of a business activity, as such, can be normally routinely disposed of;
16.4. Are not filed in official records systems; and
16.5. Are not required to meet legislative or regulatory obligations.
17. Examples of transitory records include but are not limited to: advertising materials, junk email, notices of social events, duplicate documents used for convenience, email notices on meetings, holidays, boardroom reservations, photocopies of departmental publications, and draft documents.
18. Staff shall properly and securely destroy transitory records when they are no longer required.
19. If an ATI request is received, the ability to routinely destroy transitory records is suspended by Technology Services until the ATI request has been completed.
