Privacy Management Program
A Privacy Management Program (PMP) is an evolving set of policies, procedures, tools and controls to ensure that personal information is collected, used, stored, and shared in a way that is compliant with privacy laws and regulations and aligned with privacy commitments.
As of February 1, 2023, B.C.’s Freedom of Information and Protection of Privacy Act (FIPPA) requires all public bodies to develop a PMP in accordance with mandatory PMP directions issued by the Minister of Citizens’ Services. Section 36.2 of the Act addresses this requirement.
The School District No. 8 (Kootenay Lake) PMP is as follows:
Designating a Privacy Officer
As required under section 76.1(a) of the Freedom of Information and Protection of Privacy Act, the Board designates the Superintendent of Schools/CEO as the official head of the school district for the purposes of the Act.
As permitted under section 76.1(b) of the Freedom of Information and Protection of Privacy Act, the Secretary-Treasurer is authorized to fulfill the role of Privacy Officer and to administer the Act and make operational decisions.
For any privacy related matters, please email the Privacy Officer
Privacy Impact Assessments and Information Sharing Agreements
- Administrative Procedure 820.6 – Privacy Impact Assessments
- The district maintains Information Sharing Agreements (ISAs) with various organizations such as Interior Health and private contractors used for school photos or yearbooks. The school district does not provide student or employee personal information with third parties unless otherwise specified through a multi-step approval process for the use of software or applications needed for learning or business purposes.
Privacy complaints and privacy breaches
Administrative Procedure 820.4 – Critical Incident and Privacy Breach
If you have a privacy concern or would like to make a freedom on information request, please contact the Privacy Officer at email@example.com or (250) 352-6681.
Privacy awareness and education activities
Privacy training and awareness helps employees identify personal information, understand their privacy obligations, and are an important part of breach prevention.
What is considered personal information?
Personal information includes information that can be used to identify an individual through association or inference. Some examples are:
- Name, age, sex, weight, height
- Home address and phone number
- Race, ethnic origin, sexual orientation
- Medical information
- Human resources information
The following privacy topics for education activities are relevant for most public bodies:
- An understanding of what constitutes personal information.
- Appropriate collection, use and disclosure of personal information.
- Reasonable security measures and access controls to protect personal information.
- Identification and reporting of privacy breaches and privacy complaints.
Training on the following topics may also be included:
- Privacy impact assessments.
- Privacy and security requirements for storage of sensitive personal information outside of Canada.
Employees in the school district with access to student or employee personal information are subject to FIPPA training and final test.
Making privacy practices and policies available
Privacy related policies or procedures are published on the SD8 Board Policies page and are also listed below.
- Policy 820: Freedom of Information and Protection of Privacy
- Form 820.1.a: Student Consent Freedom of Information and Protection of Privacy
- AP 820.2: Employee Records
- AP 820.3: Freedom of Information and Protection of Privacy Act Designation of Head
- AP 820.4: Critical Incident and Privacy Breach
- AP 820.5: Personal Information Management Program
- AP 820.6: Privacy Impact Assessments
- AP 820.7: Student and Employee Personal Privacy on the Internet
- AP 820.8: Freedom of Information and Protection of Privacy Act Fee Schedule
- AP 820.9: Student's Personal Records
Informing service providers of privacy obligations
When service providers handle personal information related to the provision of services for a public body, the public body must inform them of their privacy obligations. Contracts are one way to demonstrate privacy obligations for service providers. (See Information Sharing Agreements above)
PIAs are another useful tool to demonstrate how public bodies and service providers can meet their privacy obligations. By completing a PIA, a public body can assess the services, confirm compliance for such things as collection, use and disclosure of personal information under FOIPPA, and identify privacy risks.
Privacy training, policies and procedures will also support a service provider in complying with their privacy obligations when providing services for a public body. (See sections above)
Monitoring and updating
The school district will continue to review its PMP and ensure its relevancy each year. New or updated information from the Province of B.C. or the Office of the Information and Privacy Commissioner will added as it becomes available.