GUIDELINES FOR PRIVACY AND INFORMATION MANAGEMENT (PIM) PROGRAM SELF-ASSESSMENT ACTIVITY

Guidelines for the Stage of Implementation - Self-Assessment Activity

PURPOSE

This tool is for the use of school board/authority members to identify where on the continuum their department/school or board/authority is with respect to each of the program elements identified through the PIM Toolkit.

Note: It is suggested that participants read the referenced documents prior to undertaking the self-assessment in order to gain an understanding of the expectations of the categories and, therefore, to have a context for the self-assessment activity.

Process Protocol

1. Start by having each team member independently identify (by placing a dot using a coloured marker) where on the team continuum the department/school or system is with respect to each of the program elements identified down the far left column.
2. Have participating team members independently provide an example of evidence to support their stage selection in each of the blank boxes corresponding to the program element and stage selected.
3. Next, have each participant transfer his/her stage selection to the Team Self-Assessment Activity Template. Post the sheet on a wall or centre on the table for a group review. The markers allow all team members to see how much they are in agreement with one another.
4. When all dots/marks have been placed on the team continuum, have team members reflect/brainstorm on where there is agreement or disagreement among the ratings.
5. Start with the first principle element and have team members discuss why they believe the department/school/system is where they rated it. Have team members continue this discussion until the team comes to a consensus on one stage that reflects where the department/school/system is right now.
6. Have team members brainstorm on possible next steps for moving toward the next stage along the continuum.

Self-Assessment 1
PRIVACY AND INFORMATION MANAGEMENT (PIM) PROGRAM SELF-ASSESSMENT ACTIVITY

SELF-ASSESSMENT ACTIVITY

Program Elements are rated against four levels:

Level 1: The system has not yet begun to address the program element.
Level 2: An effort has been made to address the program element, but the effort has not yet begun to impact a critical mass.
Level 3: endorsed the program element. Members are beginning to modify their thinking and practice as they attempt to implement the program element.
Level 4: The program element is deeply embedded in the system's culture. It represents a driving force in the daily work of the system. It is so internalized that it can survive changes in key personnel.

Foundational Program Elements

Privacy Standard
The privacy standard helps to foster a culture of privacy with respect to the way Ontario school boards/authorities collect, use, disclose, secure, retain, and dispose of personal information.

Record and Information Management Framework
The record and information management framework establishes a vision, goals, objectives, principles, and practices which are guided by legislation, policies, standards, and guidelines to support effective information management in school boards.
Data and Information Management

Privacy Policy
A written declaration that spells out the details of a school board's/authority's policy on the type of personal information it collects, how it uses that information, and how the information can be shared with third parties.

Access and Control
The access and control matrices are frameworks that will guide boards in their journey to identify, inventory, understand, and manage the requirements for access to personal information and personal information banks in support of the varied roles and duties within the organization.
Data and Information Management (cont'd)

Model Classification Scheme and Retention Schedule
The model classification scheme and retention schedule is intended to provide a recommended classification methodology, legal citation table of retention periods, and recommended retention guidelines for school board/authority recorded information.

Electronic Documents and Records Management System
The electronic information landscape is growing rapidly; school boards/authorities need to consider effective ways to manage electronic documents and records.
Information Protection/Operational Control

Password Procedures
In a school board/authority environment, it is not uncommon for most employees to have multiple passwords for access to email, voice mail, computer applications, and portals. Every school board/authority should have a password strategy in place as part of the overall security strategy.

Privacy and Information Security Guidelines
School boards/authorities should have a variety of policies and/or procedures to guide the identification of areas of risk and strategies for the development of an internal procedure or regulation (e.g., guidelines for working outside the office, for cross-panel sharing of student information, for the use of Privacy and Confidentiality agreements and website, for video surveillance, and for video conferencing guidelines).
Information Protection/Operational Control (cont'd)

Data Encryption
Encryption is a secure process for keeping personal and confidential information private. It is a process by which bits of data are mathematically jumbled using a password key. The encryption process makes the data unreadable unless or until decrypted.

Information Technology Equipment Hardware Disposal and Redistribution Guidelines
All school board/authority computer systems, electronic devices, and electronic storage media should be purged of sensitive personal or confidential data when it is no longer needed or before reuse of such equipment to ensure the continued protection of personal and corporate privacy.
Risk Management

Privacy Impact Assessment (PIA)
A PIA is an assessment framework used to identify the actual or potential risks that a proposed or existing information system, technology, or program may have on an individual's privacy.

Privacy Breach Protocol
The protocol is designed to help Ontario school boards/authorities contain and respond to incidents involving unauthorized disclosure of personal information.
Risk Management (cont'd)

Privacy Notification
Privacy notification statements explain how personal information will be treated as individuals interact with a school board/authority or school. These statements assure both internal and external publics that the personal and confidential information they provide will be handled appropriately.
PRIVACY AWARENESS CHECKLIST

PURPOSE

Ontario school boards/authorities should use this checklist as they feel appropriate as a means of gauging how aware staff are about protecting privacy. Staff should reflect upon their responses and act when they can. This is an awareness-enhancing exercise first.

Introduction

In accordance with the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), the Personal Health Information Protection Act (PHIPA), and the Personal Information Protection and Electronic Documents Act (PIPEDA), all Ontario school board/authority employees are responsible for the protection of personal, confidential, and sensitive information entrusted to them. They should be aware of privacy policies, procedures, and practices. Personal information is secured and protected from unauthorized access, disclosure, and inadvertent destruction by adhering to safeguards appropriate to the sensitivity of the information.

This tool is designed to raise your level of awareness of privacy issues. Do not hesitate to contact your school board's/authority's Freedom of Information Coordinator at telephone number if you have any questions.

DO YOU FOLLOW YOUR PRIVACY POLICY AND/OR PROCEDURE?

A. Security of Personal, Confidential, or Sensitive Information (Yes / No / N/A)

1. Are all hard copies of personal, confidential, or sensitive information stored in lockable filing cabinets?
2. Have I safeguarded all electronic personal information records maintained in password-protected databases?
3. Do I refrain from storing personal, confidential, or sensitive information on a Shared Network Drive?
4. Do I immediately pick up any personal, confidential, or sensitive records sent to printer, photocopier or received by fax?
5. If I notice personal, confidential, or sensitive information left at the printer/copier/fax machines, do I immediately retrieve them and/or return them to the owner?
6. Before sending personal, confidential, or sensitive information via email, have I considered taking precautions such as removing personal information?
7. Have I considered alternatives to faxing personal, confidential, or sensitive information? If such information must be faxed, have the following precautions been taken:
   - Ensure that a fax cover sheet is used that contains contact information of both the sender and recipient with the mention "Confidential"?
   - Call the intended recipient immediately before and after sending the fax to ensure receipt and immediate pick-up?
   - Print and check a confirmation activity sheet to ensure that the fax reached its intended recipient?
   - Retrieve originals from the fax machine as soon as completed?
8. If it is necessary to take information out of the office, have all necessary precautions been taken to ensure that it is protected?
   - Is it possible to only take non-confidential/sensitive information?
   - If not, do I have managerial approval to take personal, confidential, or sensitive information from the workplace?
9. Are computer access rights reviewed and updated regularly to ensure that I do not have access to personal information that I do not need to perform my duties and responsibilities?
10. Am I following the procedures in place for safeguarding personal information on laptops, memory sticks, personal digital assistants (PDAs, e.g., BlackBerry devices), etc.?

Comments:

B. Limitation of Collection, Use, Retention, and Disclosure of Personal Information (Yes / No / N/A)

1. Do I need to collect, use, or disclose identifiable personal information to perform my duties and responsibilities?
2. If I need identifiable personal information, do I need to obtain the consent of the individual to whom the information relates before collecting, using or disclosing their personal information?
3. Do I limit my collection, use, or disclosure of personal information to only that which I require to perform my duties and responsibilities?
4. Is there a clear purpose for each type of personal information that I collect, use, retain, or disclose?
5. Do I provide a notice to individuals whenever their personal information is collected, e.g., on forms, surveys, websites, etc.?
6. Is all the personal information that I use or disclose utilized for the purpose for which it was collected, or for a consistent purpose?
7. Do all notices of collection that I use provide the specific purposes of collection, the legal authority for collection, and the contact information for an official who can answer questions about the purposes of collection?
8. Do I know who in my workplace is responsible for maintaining records retention schedules?
9. Do I securely dispose of (i.e., destroy or store) personal, confidential, or sensitive information in accordance with established records retention schedules?
10. Do I know when it is appropriate to destroy personal, confidential, or sensitive information? When destroying such information, do I place it in the appropriate shredding bins?
11. Am I aware that all information stored in the memory of electronic devices (e.g., personal computers, printers, photocopiers, fax machines, etc.) has to be deleted permanently prior to their removal from the office?

Comments:

C. Workstation Security (Yes / No / N/A)

1. Am I using a password-protected screen saver and is it set to turn on after five minutes of inactivity?
2. Do I always log off or sign out of applications I am not using, and close the browser window?
3. Do I always shut down my computer at the end of the day?
4. Have I positioned my monitor so that casual observers cannot view personal, confidential or sensitive information?
5. Have I adopted a clean desk model so that no personal, confidential or sensitive information or material is left unsecured at my desk?
6. Do I make a habit of checking that my desk drawers, filing cabinets, and/or door are locked when I leave for the day?

Comments:
D. Accuracy (Yes / No / N/A)

1. Am I following the procedures in place to update personal information to ensure that it is still accurate?
2. Am I following the procedures in place so that individuals can update their own personal information so that it is still accurate?
3. Am I following the procedures in place for informing third party service providers to whom personal information has been disclosed that the information has been updated?
4. Do I note on the record if individuals have disputed the accuracy of their personal information, so that subsequent users of the personal information are aware of it?

Comments:

E. Third-Party Service Providers (Yes / No / N/A)

1. When personal information is shared with, or collected, used or disclosed by a third party service provider under an arrangement with the Ontario school board/authority, am I making sure that the provider follows its own privacy policies, procedures, and practices?
2. Am I verifying that there is a written agreement in place with any third party service provider with which I am sharing personal information, or if the provider has permission to collect, use, or disclose personal information on behalf of the Ontario school board/authority?
3. If the answer to the question above is Yes, do I monitor compliance with any agreement with a third party service provider?

Comments:

F. School and Classroom (Yes / No / N/A)

1. Ontario Student Records (OSR) and Office Index Cards are securely stored in the main office of the school and are only accessible by authorized personnel in the main office of the school.
2. School staff have received training and are aware of the Ontario School Board/Authority's Privacy and Access to Information Policy.
3. Teachers' and administrators' notes and other instruction-related information about students are secured in the classroom or office in the school.
4. Information about a student(s) is shared only with other staff in the school who are assigned to work with the student(s), and only as needed to improve the education of the student(s).
5. Full names of students and other personal information and/or photographs do not appear on work displayed in the school, on websites and/or in newsletters.
6. Information related to student(s) is shared outside the classroom for educational purposes only with consent or notification of parent(s) or guardian(s).

Comments:

G. Privacy Breaches (Yes / No / N/A)

1. I am aware of my obligation to immediately report a suspected or actual privacy breach to my supervisor and the school board's/authority's Freedom of Information Coordinator.
2. I am aware of the Ontario school board/authority's Responding to a Suspected Privacy Breach protocol.

Comments:
PRIVACY STANDARD ASSESSMENT ACTIVITY

PURPOSE

Use this tool in conjunction with the Privacy Standard to assess which stage your school board/authority has achieved for each of the 10 commitments.

Commitments

Privacy commitments are based on globally recognized fair information principles and are grounded in Ontario privacy legislation.

The four stages, in order:

The system has not yet begun to address the standard.
An effort has been made to address the standard, but the effort has not yet begun to impact a critical mass.
endorsed the standard. Members are beginning to modify their thinking and practice as they attempt to implement the standard.
The standard is deeply embedded in the system's culture. It represents a driving force in the daily work of the system. It is so internalized that it can survive changes in key personnel.

Accountability
Personal information under our control has designated individual(s) who are accountable for the school board's/authority's compliance with privacy legislation.

Identifying Purposes
The purposes for which personal information is collected, used, retained, and disclosed, as well as for notifying individuals, are identified at or before the time the information is collected.
Consent
The knowledge or consent of the individual is obtained for the collection, use or disclosure of personal information, except when not required by law.

Limiting Collection
The collection of personal information is limited to that which is necessary for the purposes identified by the organization. Information is collected by fair and lawful means.

Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes, or as required by law.
Accuracy
Personal information is as accurate, complete, and up-to-date as is necessary to fulfill the specified purposes for which it is to be used.

Safeguards
Personal information is protected from unauthorized access, disclosure, and inadvertent destruction by adhering to safeguards appropriate to the sensitivity of the information.

Openness
Information about policies and practices relating to the management of personal information is made readily available to the public, including breach protocol.
Individual Access
Upon request, an individual is informed of the existence, use, and disclosure of his/her personal information and is given access to that information. An individual may challenge the accuracy and completeness of the information and request that it be amended as appropriate or have a letter of objection retained on file.

Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above tenets to the designated individual(s) accountable for compliance.