Procedure

Procedure 5700.2 - Privacy Impact Assessments


1. PURPOSE

1.1. The Board of Education of District No. 36 (Surrey) (the “district”) is responsible for ensuring that it protects personal information within its custody and control, including by complying with the Freedom of Information and Protection of Privacy Act (“FIPPA”) of BC.
1.2. FIPPA requires that the district conduct a Privacy Impact Assessment (“PIA”) to ensure that all collection, use, disclosure, protection, and processing of personal information by the district is compliant with FIPPA.
1.3. A PIA is an in-depth review of any new or significantly revised initiative, project, activity, or program to ensure that it is compliant with the provisions of FIPPA, to identify and mitigate risks arising from the initiative and to ensure that the initiative appropriately protects the privacy of individuals.
1.4. The purpose of this procedure is to set out the district process for conducting PIAs in accordance with the provisions of FIPPA.

2. DEFINITIONS

2.1. “initiative” means any enactment, system, project, program, or activity of the district.
2.2. “personal information” means any recorded information about an identifiable individual that is within the control of the District and includes information about any student or staff member of the District. Personal information does not include business contact information, such as email address and telephone number, that would allow a person to be contacted at work.
2.3. “PIA” means a Privacy Impact Assessment performed in accordance with the requirements of FIPPA.
2.4. “Responsible Employee” means the manager or other staff member who is responsible for overseeing an initiative, and in the event of doubt, means the staff member designated in the PIA as the Responsible Employee.
2.5. “staff” means the employees, contractors, and volunteers of the district.
2.6. “Supplemental Review” means an enhanced process for reviewing the privacy and data security measures in place to protect sensitive personal information in connection with an initiative involving the storage of personal information outside of Canada.

3. SCOPE & RESPONSIBILITY

3.1. This procedure applies to all new and significantly revised initiatives of the district.
3.2. All staff are expected to be aware of and follow this procedure if they are involved in a new or significantly revised initiative.
3.3. District leaders are responsible for planning and implementing new or significantly revised initiatives in accordance with the requirements of this procedure.

4. DISTRICT RESPONSIBILITIES

4.1. The Superintendent is the “Head” of the district for all purposes under the Freedom of Information and Protection of Privacy Act (FIPPA) of BC.
4.2. The Superintendent has delegated to the Privacy Officer the responsibility for the management of the district Privacy Management Program including PIAs.

5. RESPONSIBILITIES OF ALL STAFF

5.1. Any staff responsible for developing or introducing a new or significantly revised initiative that involves or may involve the collection, use, disclosure or processing of personal information by the district must report that initiative to the Privacy Officer at an early stage in its development.
5.2. All staff involved in a new or significantly revised initiative will cooperate with the Privacy Officer and provide all requested information needed to complete the PIA.
5.3. All staff will, at the request of the Privacy Officer, cooperate with the Privacy Officer in the preparation of any other PIA that the Privacy Officer decides to perform.

6. THE ROLE OF THE RESPONSIBLE EMPLOYEE

6.1. Responsible Employees are responsible for:
a) Ensuring that new and significantly revised initiatives for which they are the Responsible Employee are referred to the Privacy Officer for completion of a PIA.
b) Supporting all required work necessary for the completion and approval of the PIA.
c) Being familiar with and ensuring that the initiative is carried out in compliance with the PIA.
d) Requesting that the Privacy Officer make amendments to the PIA when needed and when significant changes to the initiative are made.

7. INITIATIVES INVOLVING THE STORAGE OF PERSONAL INFORMATION OUTSIDE OF CANADA

7.1. Staff may not engage in any new or significantly revised initiative that involves the storage of personal information outside of Canada until the Privacy Officer has completed and the Head has approved a PIA and any required Supplemental Review.
7.2. The Responsible Employee or Department may not enter into a binding commitment to participate in any initiative that involves the storage of personal information outside of Canada unless the required Supplemental Review has been completed and approved by the Head.
7.3. It is the responsibility of the Privacy Officer to determine whether a Supplemental Review is required in relation to any initiative, and to ensure that the Supplemental Review is completed in accordance with the requirements of FIPPA.
7.4. The Privacy Officer is responsible for reviewing and, if appropriate, approving all Supplemental Reviews and in doing so must consider risk factors including:

8. REFERENCES AND RELATED DOCUMENTS

8.1. District and Institute Act.
8.2. Freedom of Information and Protection of Privacy Act (FIPPA) of BC.
8.3. Policy 5700 – Privacy Policy
8.4. Policy 5700.1 – Privacy Management Program
8.5. Privacy Impact Assessment – SD36 Internal Template

9. AUTHORITY AND RESPONSIBILITY

9.1. Superintendent of Schools
9.2. Privacy Officer - Questions or comments about this Policy may be addressed to the Privacy Officer at privacy@surreyschools.ca

10. HISTORY

Approved: 2023-09-13
