For most activities of independent schools in Ontario that operate as not-for-profit organizations, the schools generally are not subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA is federal privacy legislation that applies to the collection, use and disclosure of personal information by private sector organizations in Ontario in the course of commercial activities.
PIPEDA also generally does not apply to the personal information of employees of independent schools, as its application is limited to the collection, use and disclosure of personal information of employees of federal businesses such as banks , telecommunication and transportation companies.
Even though privacy law does not generally apply to the personal information of employees of independent schools in Ontario or to their activities in regard to the personal information of volunteers, independent schools need to assess the applicability of PIPEDA on a case-by-case basis. Accordingly, there is good reason to apply privacy principles (principles of fair information practice) to such personal information. In addition, adherence to the privacy principles enshrined in PIPEDA is good practice, to protect personal information of employees and others.
The privacy principles that are the foundation of this Policy are based on the principles in Schedule 1 of PIPEDA. The School also adheres to the Ministry of Education’s “Ontario Student Record (OSR) Guideline, 2000” as regards the OSR.
The School may amend this Policy from time to time to account for changes in its activities and/or the law. The date on which this Policy was last amended is provided at the end of the Policy and individuals are invited to contact the School’s Chief Privacy Officer if in doubt about whether they have the most recent version of the Policy.
“Personal Information”, as used in this Policy, means information about an identifiable student, parent of a student, or alumnus of the School.
Principle 1 – Accountability
Accountability for compliance with this Policy rests with the School’s Chief Privacy Officer, even though others within the School may have responsibility for the day-to-day collection and processing of Personal Information and may be delegated to act on behalf of the Chief Privacy Officer. The School is responsible for Personal Information in its custody and under its control, including Personal Information that it has transferred to an external service provider for processing. Where the School uses external service providers that require access to Personal Information, for example to maintain its computer system or to assist with clerical or administrative activities, it requires the service providers to treat Personal Information with a comparable level of protection to that provided by the School.
Principle 2 – Identifying Purposes
The School will identify and document the purposes for which it collects, uses, or discloses Personal Information at or before the time of collection. The purposes will be limited to those which are related to the School’s business and activities including without limiting the following;
- to process applications and open and maintain a student file;
- to maintain a record of a student’s course of study, evaluations, academic and other achievements;
- to process or facilitate scholarships, grants and like awards;
- to provide information to other academic institutions, for example colleges and universities;
- to communicate with students and parents about matters related to the student’s attendance, evaluation, course of study and School activities and events;
- to maintain contact with and notify all stakeholders of activities, events, services and other matters relating to the School;
- in connection with fundraising initiatives;
- for billing and the processing of fees and donations;
- to communicate with designated contacts and to manage emergencies;
- to obtain insurance and file insurance claims;
- to protect students, staff and the public and to detect and deter criminal activity and vandalism (video surveillance);
- to distribute School promotional material;
- in connection with a sale or other transaction or reorganization of the School’s operations;
- to comply with legal requirements and cooperate with law enforcement activities.
If the School plans to use Personal Information it has collected for a purpose not previously identified, the School will identify the purpose and obtain consent to the use unless using the information without consent is permitted or required by law.
Principle 3 – Consent
The School only collects, uses, or discloses Personal Information with the knowledge and consent of the individual to whom it relates (or their parent or guardian), except where otherwise permitted or required by law. The way in which the School seeks consent varies depending upon the sensitivity of the Personal Information, the reasonable expectations of the individual to whom it relates (and in the case of students, their
Adopted by the Board of Governors, December 17, 2019 Last Updated, December 2019
parents) and the purpose for which the Personal Information is to be used. Consent may be withdrawn, subject to legal restrictions and reasonable notice, however the withdrawal (or refusal) of consent to use or disclose Personal Information may restrict or prevent participation in programs or the receipt of certain services. The School will provide notice where there will be implications to withdrawing consent.
For example, the School seeks and obtains the express consent of any recipient of any scholarship, grant or like award, before publishing any Personal Information associated with the recipient of such award.
Principle 4 – Limiting Collection
The School will limit the amount and type of Personal Information it collects to that which is necessary for the identified purposes listed under Principle 2.
Principle 5 – Limiting Use, Disclosure, and Retention
Similarly, the School will not use or disclose Personal Information for purposes other than those for which it was collected, except with consent or as permitted or required by law. The School retains Personal Information for as long as required to fulfill the identified purposes or to comply with statutory retention periods.
The School may hire service providers to perform services on our behalf. The School provides them with a limited amount of information which is necessary in order for them to provide the services required. They are prohibited from using the information for purposes other than to facilitate and carry out the services they have been engaged to provide and are not permitted to disclose this information to others. The School will strive to protect personal information disclosed to third parties by contractual agreements requiring that those third parties adhere to confidentiality and security procedures and protections.
In some cases, Personal Information that the School manages may be transferred, processed and stored outside Canada, and therefore may be available to government authorities under lawful orders and laws applicable therein. The School ensures that a comparable level of protection is afforded to all Personal Information transferred, processed and stored outside of Canada, as compared to the level of protection described above, through contractual means.
The School maintains a video monitoring system in the public areas of the School’s premises. This system is used mainly for the protection of students, staff and the public, and assists in the detection and deterrence of criminal activity and vandalism. The School will not use the information collected from this system for any other purpose, other than personal or public safety concerns.
The School may disclose Personal Information if the School believes that the disclosure is necessary to enforce our agreements or policies, or if the School believes that the disclosure will help us protect the rights, property, or safety of the School or our students, employees or of another organization, or as otherwise permitted by applicable law. From time to time, the School may also be compelled to disclose personal information in response to a law, regulation, court order, subpoena, valid demand, search warrant, government investigation or other legally valid request or enquiry.
Principle 6 – Accuracy
The School will use its best efforts to ensure that Personal Information is as accurate and complete as is necessary for the purposes for which the information is to be used and asks students, parents and alumnae to update Personal Information they have provided to the School as it changes.
Principle 7 – Safeguards
The School employs physical measures (such as locks on offices and other areas of the facilities), organizational measures (such as policies permitting access to Personal Information on a “need- to-know” basis only), and technological measures (such as the use of passwords for access to the School’s computer system) to protect Personal Information against loss and theft, unauthorized access, disclosure, use and modification. The School requires compliance by its employees with this Policy, enforces that requirement and exercises care in the disposal of Personal Information to prevent unauthorized access.
Principle 8 – Openness
Through this Policy, the School makes available a general account of its Personal Information management practices, including the purposes for which it uses and discloses Personal Information, instructions on how to gain access to and correct Personal Information and how to obtain additional information about the School’s privacy practices and/or its use and disclosure of particular Personal Information.
Principle 9 – Access, Correction, Inquiries
The School will correct or complete Personal Information, on the written request of an individual, where it is satisfied the information is inaccurate or incomplete. Individuals are invited to direct any requests for access or correction and any questions they may have about this Policy, the School’s privacy practices or the School’s management of their Personal Information to the Chief Privacy Officer, whose contact information is provided below.
The School will respond to written requests for correction or access as promptly as possible. The School may ask for additional information it needs to process a request and/or to verify identity and ensure that it does not disclose Personal Information to someone who is not authorized to receive it or otherwise in violation of this Policy.
Principle 10 – Compliance, Contact: Chief Privacy Officer
As previously mentioned, any student, parent of a student or alumnus is invited to bring any concerns or questions concerning the School’s compliance with this Policy or Personal Information management to the Chief Privacy Officer, who can be reached at:
Phone number: 613-749-6761 ext 223 Email: firstname.lastname@example.org
Adopted by the Board of Governors, December 17, 2019 Last Updated, December 2019