
Upload: hakhanh

Post on 15-Aug-2019


Privacy Impact Assessment for [Microsoft 365 Education A3]

PIA# [assigned by your privacy office(r)]

Enquiry BC – Privacy and Access Helpline. Victoria: 250-356-1851 Vancouver: 604-660-2421 and elsewhere in BC, toll-free: 800-663-7867

Please note: Nothing in this document constitutes legal advice to any person. The comments and opinions expressed in this document are to help illustrate the content needed to complete a School/District PIA. This information does not constitute ERAC or OIPC approval of the initiative being consulted on or fetter the Commissioner’s discretion should the initiative later be the subject of a complaint or investigation. It remains the responsibility of the school districts to ensure that they comply with their duties and obligations under applicable laws and are compliant with the Freedom and Protection of Privacy Act.


Why should I complete a PIA?

A PIA is a tool to help Schools/Districts ensure compliance with applicable privacy legislation. This document helps mitigate and evaluate many of the unintended risks and consequences that can develop because of not anticipating multiple perspectives and circumstances with a new system or project. As part of the process, schools/districts are taking the appropriate steps to ensure that parents, students and educators understand what measures are taken with regards to the safety and security of personal information and the importance of informed consent.

Section 69(5.3) of the Freedom of Information and Protection of Privacy Act (FIPPA) requires the head of a public body to conduct a privacy impact assessment (PIA) in accordance with the directions of the minister responsible for FIPPA.

School/District staff need to contact the privacy office(r) or PIA Drafter, at their School/District, to determine internal policies for review and signing-off of a Privacy Impact Assessment. Staff may submit PIAs to their Superintendent of Schools for consideration. If you have any questions about this PIA template or FIPPA in general, you may contact the designated PIA Drafter as noted in this document or call the provincial Privacy and Access Helpline at Enquiry BC as noted below. Completed PIAs must be retained in a secure location at the School/District for the purposes of a Privacy Commissioner’s Audit.

Note: This process can help identify and reduce many of the unintended risks and consequences that may potentially jeopardize student and educator privacy and security.

What if my initiative does not include personal information?

Best practices indicate that Schools/Districts should still complete Part 1 of the PIA and submit it along with the signature pages to their privacy office(r) even if it is thought that no personal information is involved. This process ensures that the initiative has been accurately assessed to meet the requirements of FIPPA.

Note: The definition of personal information is “Recorded information about an identifiable individual other than business contact information.”

The following examples are a non-exhaustive list of personal information: Name, address, email address or telephone number; Age, sex, religious beliefs, sexual orientation, marital or family status, blood type; Information about an individual’s health care history, including a physical or mental disability; Information about an individual’s education, financial, criminal or employment history; Social Insurance Number (SIN) and Personal Education Number (PEN); and Personal views, opinions, religious or political beliefs or associations.


This template PIA is the property of ERAC and asserts copyright over its contents. ERAC provides authorization to its members in good standing to use and modify this document, but non-members must first obtain the written consent of ERAC for any use or modifications of this document. Also, remove this textbox once you have completed this PIA. This personalized PIA becomes your district’s property and is managed under your authority, not ERAC.


NOTE TO DISTRICTS:

Instructions in RED text in this document should be removed from the final version of your District’s PIA. Also, remove the blue textbox above once you have completed this PIA. This personalized PIA becomes your district’s property and is managed under your authority, not that of ERAC.

The PIA district drafter completing this document needs to replace the GREEN text throughout the document with specific information attributed to their district.

We understand your District has chosen to make use of Microsoft 365 Education A3. Completing this Privacy Impact Assessment (PIA) will help your District ensure compliance with the Freedom of Information and Protection of Privacy Act (FIPPA) and your School District’s Use Policy, and will provide documentation on your organization’s transparency processes when introducing new programs or services that may involve the collection, use and disclosure of personal information.

The purpose of a PIA is to ensure that the District complies with its obligations under FIPPA, and with heightened sensitivity about the use of personal information and privacy data, it demonstrates to all stakeholders the due diligence that is applied to new services and initiatives within the school district.

To help with your implementation we have included Appendix D, “Confirmation and Checklist for Implementing Microsoft 365 Education A3”. In addition, to address any public concerns regarding users’ privacy, we make reference to “Accountable Privacy Management in BC’s Public Sector”, a guidance document issued by the Office of the Information and Privacy Commissioner of British Columbia in relation to public body compliance with privacy laws.

To assist you in the deployment of these services, this Privacy Impact Assessment (PIA) has been partially completed for you. Please review and edit this document carefully to ensure it accurately reflects the intent and scope of your initiative. We have done our best to indicate where information from your district is required. It is your responsibility to ensure that the information in this PIA is accurate and completed.

This privacy impact assessment (PIA) covers the provision of Microsoft 365 Education A3 cloud-based services for students and staff across BC.

Please do not remove any parts of the PIA. Where a section does not apply, enter “Not Applicable.”


Name of District: <Name> Board of Education – SD <##>
PIA Drafter: <Name, Title of School District Contact>
Email: <Email of School District Contact>
Phone: <Number of SD Contact>
Program Manager: <Name, Title of initiative contact, if different from PIA Drafter>
Email: <Alternate to the above>
Phone: <Alternate to the above>

Part 1 – General

1. Description of the Initiative

School District Name and ## has selected Microsoft 365 Education A3 (MS365 A3) as an e-communications service for its students, educators and staff. Microsoft 365 A3 is a super-set of Office 365 A3 which includes additional applications and services to the core Microsoft Office bundle. In addition to email services, tools within the MS365 A3 suite support collaboration, communication, productivity, file storage and other tasks within the education realm. These tools provide opportunities for the School District to modernize and provide robust information security and privacy practices.

While the migration to MS365 A3 provides certain benefits, the School District recognizes that the use of a cloud-based or new on-premises solution gives rise to potential privacy issues. The School District is conducting this Privacy Impact Assessment (PIA) to ensure these services are offered in a way that is compliant with the Freedom of Information and Protection of Privacy Act (FIPPA).

MS365 A3 is available to the School District through a group purchasing program offered by the Educational Resource Acquisition Consortium (ERAC). ERAC has entered into a Provincial Microsoft Licensing (PML) Agreement with Microsoft to deliver to their members MS365 A3 which will give all participants access to a full suite of Microsoft online hosted, web-based software solutions and/or the option to use components on-premises where applicable.

Microsoft is offering school districts an option to use MS365 A3 in three different ways:

- As a web-based version which includes cloud-based services.
- As an on-premise version which is installed on devices locally and backed up on secure school district servers.
- As a hybrid configuration using both cloud-based and on-premise versions of applications.

While this PIA addresses both on-premise and cloud versions, at this time, our School District has selected to use <describe configuration of MS365 A3 applications in your district.>

<Note to Districts: Districts can choose to use cloud versions or if you choose, an “on-premise” version. i.e. You can choose to use the Office 2016 client or O365. Not all solutions have a premium version, but these can also be installed locally. Where solutions were developed as cloud solutions, you can use it in the cloud or not at all. This needs to be specified above. School districts electing the “on premise” version, will need to modify content below that addresses the implications of use of the cloud-based system.>

The PML provides for a 3-year Commitment to Participate for a term commencing April 1, 2018 and ending March 31, 2021. Volume licensing with Microsoft will be arranged through a channel partner, Softchoice, a Vancouver-based company. Softchoice does not have access to any data or personal information created or stored through Microsoft products and its participation is not the subject of further comment in this PIA.

Overview of Services

Microsoft 365 Education replaces: E Desktop suite and, as discussed in more detail below, includes Azure Active Directory Premium (AADP), Intune, Minecraft and some server Licenses. The services and licenses included in the Agreement offering are shown in the attached component chart which also lists productivity servers SharePoint and Skype found under the heading Management and Security. (To see the full list of components, visit: https://bcerac.ca/wp-content/uploads/2018/10/Discover-Microsoft-365-Education.pdf)

Microsoft 365 A3 provides: <Districts to ensure the following configuration description is accurate and customize as needed>

- 100GB mailboxes and unlimited archive mailboxes, if configured;
- 1 terabyte (TB) which is 1,024 gigabytes (GB) of OneDrive file storage per user;
- SharePoint Online shared storage of 1TB; plus, 10GB per user license within the tenant.
- Office Pro Plus client license in one Stock Keeping Unit (SKU) or product number identifier.

<The list below may not include all components; it is the district’s responsibility to assess all components it intends to deploy and customize this template to reflect its specific circumstances.>

In addition to the MS Office applications (Outlook, Word, Excel, PowerPoint, OneNote, Publisher and Access), our district intends to deploy the following MS365 A3 components: <Districts need to update list of applications based on usage and requirement of their district>

Azure Active Directory Premium (AADP) is a cloud-based identity platform that authenticates users through a single sign-on system. AADP supports MS 365 A3 by providing an identity and access management service. AADP adds reporting and access functionality to Azure AD Basic. Our School District will ensure that personally identifiable information (such as thumbnail photos) is not synced to AADP. The School District should ensure that personally identifiable information (such as phone number or thumbnail photos) is not synced to AADP. Further details and instructions on managing personal data within Azure Active Directory Premium are included in Appendix E. <Districts need to confirm this procedure will be followed, or if not, that the necessary consent will be collected, and revise the text as necessary>

Azure Information Protection is an encryption service for documents and e-mail within SharePoint/OneDrive and Exchange Online. The data resides within the country where those respective services store data at rest.


Bookings is a scheduling application that can be used to create appointments, send reminders, update or cancel appointments and book events. Data created within Bookings may include: names, phone numbers, email addresses, addresses and notes related to specific appointments. All content created in Bookings is stored within the school district’s Exchange Online mailbox.

Delve is a search and analytics function that allows users to find information available through their Office 365 applications, for example, shared documents within Word or Excel. Delve also provides individual analytics for users that could include time spent using email during a specific week, or the number of documents opened.

Forms is an online tool that can be used to create digital surveys, polls, forms and quizzes.

Flow is a cloud-based software that allows users to create and automate workflows and tasks across multiple applications and services. For example, Flow could be used to automatically save any Outlook email attachments to a user’s OneDrive. Administrators can use Microsoft’s data loss prevention functionality to control which services can share data within their Microsoft Flow deployment. This can prevent internal applications like SharePoint or OneDrive from interacting with external services like social media sites.

Microsoft indicates that Flow environments can be created in different regions and are bound to that geographic location. If an environment is created within the Canadian region, flows (i.e. automated workflows) that are created in that environment are routed to all datacenters in Canada. More information: https://docs.microsoft.com/en-us/flow/environments-overview-admin

Minecraft Education Edition is a sandbox video game that allows players to build with a variety of different cubes in a 3D procedurally generated world. Other activities in the game include exploration, resource gathering, crafting, and combat. Minecraft Education Edition has no cloud components and is a game that runs on school district servers and network; play takes place PC-to-PC within the school district.

Office 365 Cloud App Security is a tool used to provide users with insight into suspicious activity in Office 365 so that situations can be investigated and, if needed, action taken to address security issues. It includes the provision of a set of security reports and alerts that act upon the Office 365 Audit log data, which resides within the customer’s tenant in Canada.

OneDrive is a file hosting, synchronization and sharing service. Documents created with Office 365 applications can be directly uploaded to OneDrive.

School Data Sync can be used to manage classes and can be set up to pull information from a school’s Student Information System (SIS) to create groups and classes within Microsoft Teams, Intune for Education, and other applications.

SharePoint is a web-based collaborative platform that can be used to create sites for storing and sharing documents and information.


Skype for Business is a communication tool that can be used for web conferencing, online meetings, instant messaging, screen sharing and collaboration. Skype Meeting Broadcast is a feature of Skype for Business Online and Office 365 that enables users to schedule, produce and broadcast meetings for events to online audiences outside of the school district (e.g. French symposium between classes across Canada; Virtual field trips with museums, Vancouver Art Gallery, Aquarium, Science World, etc.). <Districts need to confirm and complete details of how schools or school districts will use Skype for Meeting Broadcast then update the wording accordingly.>

Stream is an enterprise video service that allows users to upload, view, organize and share videos securely.

Sway is used to create interactive presentations and reports that can be quickly shared with anyone online. Images, videos and text are combined to create visual presentations that are optimized for touch screen and mobile displays.

Teams is a collaboration tool that provides a shared workspace where users can chat, meet, share files and work together.

Yammer is a private and secure enterprise social network that allows users to connect with other users (including outside organizations) to share information, collaborate and make group decisions and discussion. Private messages can also be sent to one or many other Yammer users that are not shared publicly or posted to a Yammer group. All users with Office 365 accounts will have access to Yammer. Users have an option to modify their profile details which include a photo, their expertise, interest and work contact information as well as work and education history.

Microsoft Intune (formerly known as Windows Intune) is a cloud-based desktop and mobile device management tool that helps organizations provide their users with access to corporate applications, data, and resources from the device of their choice. This application utilizes access controls from Azure Active Directory and helps to secure school district data.

If using Intune, our School District will ensure no personally identifiable data is contained in the device registration nor for activities that may be performed on that device. <District to confirm this procedure will be followed, and revise the text as necessary>

Microsoft indicates that Intune collects data to provide and troubleshoot the service. This data includes device names, Intune administrator contact data, hardware information (device name, manufacturer, OS, serial number, etc.), and application inventory (app name, version, install location, etc.). Intune does not collect information specific to user activities such as phone logs, contacts, email, calendar information, documents, text, SMS messages, video/photos, GPS information, or web browsing history.

<Add any additional applications that your district will deploy>


Specific MS365 A3 applications and services will be deployed as cloud versions for users in our School District, with the following exceptions, which will be deployed on premise:

List applications that will be deployed on premises

Based on this PIA, a checklist has been created that will serve as a means for our School District to ensure that our use of the MS365 A3 meets the requirements set out in the FIPPA. Where our School District meets all the criteria set out in the checklist, this PIA and the accompanying checklist, as provided in Appendix D, will serve as the School District’s PIA as required under s.69 (5.3) of the FIPPA.

2. Scope of this PIA

This privacy impact assessment (PIA) covers the provision of Microsoft 365 A3 cloud-based services for educators, staff and students across the School District as detailed below. Our School District is completing this PIA to ensure that use of MS365 A3 in our district is compliant with the Freedom of Information and Protection of Privacy Act (FIPPA).

Note: The Microsoft Home Use Program (HUP) for personal use, is out of the scope of this PIA.

School District Accepted Use of MS365 A3

<Text below is based on districts having a specific use policy for Microsoft 365 A3. If your use of MS365 A3 is covered by a different policy in your district (e.g. general Technology Use Policy), customize text accordingly.>

Our School District has created and implemented a Policy on the use of MS365 A3, the Microsoft Use Policy, which sets out the School District’s expectation of how the MS365 A3 account will be used. The Use Policy addresses awareness of the potential impacts of sharing digital information online and the importance of protecting personal information.

<Districts are to add any information below about how users are familiarized with district policy in terms of using MS365 A3. E.g. Users are required to read notes given to them during onboarding; annual refreshers and reminders to users need to be reviewed and signed.>

<customize the text below to best reflect the circumstances in your district>

The Use Policy sets out the specific educational and school-related uses for which the user accounts are expected to be used, along with the rules as to what will constitute “appropriate use” of these accounts. The Use Policy also sets out, in very clear terms, to what degree and in what circumstances, their MS365 A3 account information will be monitored and/or viewed by administrators (e.g. only in resolving technical issues, or when inappropriate use is suspected, etc.). The Use Policy states that the expected use of the user accounts will be for school-based activities (i.e. emailing only other students, school teachers, or school administrators, and all other emailing activities that fall within the scope of the ‘appropriate use’ section of the Use Policy). The School District will mitigate any privacy issues by limiting the personal information exchanged using School District email accounts within the MS365 A3 applications. Additionally, only those individuals who have signed a consent will be issued a School District user account for MS365 A3.

The Use Policy also directs educators and administration as to what constitutes appropriate use of email accounts. For example, students, educators and staff are to use email addresses only for educational or school-related purposes. Students, educators and staff are made aware that any information that they send to student email addresses will be stored as indicated in the table in section 5 of this PIA, and that data stored at rest in Canada may transit outside of Canada to arrive at the Canadian endpoint and may be processed by in-application functionality (such as spell-checkers) running on servers outside of Canada.

The Use Policy developed by the School District sets out the intended use of MS365 A3 for Education and the risk of inappropriate or unintended use. Where applications are used inappropriately, the School District is considered to have care of the records and will for the purposes of FIPPA have custody and control of personal information exchanged.

Note: Training on the Use Policy will be provided to students, educators and administrators so that appropriate use is understood by all users of MS365 A3.

<It is recommended to further develop and complete the table below to identify accepted use of MS365 A3 components in your district.>

Below are the services offered by Microsoft 365 A3 and the accepted uses that fall within the scope of this PIA:

Service Accepted Use


EmailCloud-based Microsoft Exchange staff, educator and student email accounts and calendars, on School District specific domains, with <XX GB> of storage per user.

<School Districts to edit this text and specify the amount of storage space they are prepared to provide their staff and students.>

<In order to mitigate risks of inappropriate storage of personal data on district servers, it is recommended that administrators give users the least amount of storage space needed, then grant more as users need it.>

User mailboxes and calendar content will reside onMicrosoft-owned servers in Canada.

Consent for storage of email in the cloud will be obtained via a hard copy form signed by students, staff and educators or (where necessary) parents and returned to the school. The signed form will be scanned and saved on local file storage areas prior to a student’s account being activated. See Appendix C for a sample consent form.

Students will adhere to the terms of the Use Policy implemented by the School District, which defines:- appropriate use of the email accounts by students- appropriate use of email addresses by educatorsand administration- specific purposes for which administrative access to the accounts will be used

Office Web ApplicationsCreate and edit Word, Excel, PowerPoint andOneNote documents using a web browser

<Districts to identify accepted use of applications>

SharePoint Team sitesShare files and documents with classmates. Create team, study group or club sites. Up to 300 sub sites.

Use of SharePoint for collaboration with classmates on school-related topics, including setting up team sites. Files are stored on <Districts to specify fi le storage location>.

Skype for Business Instant Messaging, Peer-to-peer VoIP and video, Desktop sharing, a u d i o - video conferencing.

Instant Messaging (IM) only.<Districts to specify data storage locations>

Minecraft EducationThe Education Edition with a code builder.

Minecraft Education is an open-world game that promotes creativity, collaboration, and problem-solving in an immersive environment. This version adds features and controls for classrooms, specialty blocks and communication tools, and a tutorial for first-time educator use. <Districts to specify data storage>

<Add any additional applications district intends to deploy>

<Add accepted use description(s) for additional applications>

3. Related Privacy Impact Assessments

<If your district has already conducted a PIA for MS, use this text:> This Microsoft 365 A3 PIA replaces the previous Office 365 PIA (developed in year).

<If this is the first and only PIA on MS365 A3, remove text above and use this text:> There isn’t any PIA related to Microsoft.

4. Elements of Information or Data

This initiative involves the collection by the School District of <identify personal information that is used to provision user accounts> for the purposes of setting up the Microsoft 365 A3 accounts. Our school district will be collecting user emails (relating to educational, school-related purposes – i.e. only those addressed to educators and staff, and those to other students for school and not personal purposes), and any records or documents created in the collaborative application suite that are created for educational or other school-related purposes.

Information generated by using MS365 A3 may also include: <attendance records, grades, email content, assignments, participation in school programs and activities, schedules etc.> <modify this list based on the district’s usage>

Data in MS365 A3 is distinguished into the three categories below:

- Address book data collected when a user account is created
- User data includes Exchange e-mail body and attachment data
- Usage data

Address book data collected when a user account is created

This data is used to authenticate each authorized user in the MS365 A3 system and allow them to log in to applications.

When creating user accounts for students, staff and educators within our school district, the principle of data minimization will be applied, meaning that only the minimum data necessary to create and authenticate user accounts will be collected for this purpose. To provision accounts, address book data disclosed to Microsoft will be: <District to customize this paragraph to accurately reflect data that will be disclosed to Microsoft and describe process for provisioning accounts for district users.>

User Generated Data

User generated data includes information within users’ email, documents, calendar entries, site content and any other information these users create or place within MS365 A3 applications and services. This information is created by the users within our district in the course of their appropriate daily use.

<School Districts to add any information below about guidance and/or training provided to any MS365 A3 account users regarding appropriate usage and managing of personal information.>

There are situations where user-generated data within the MS365 A3 applications could contain personal information. Examples of personal information that could potentially be generated by users include: calendar appointments, emails containing personal opinions, and presentations with images or video.

Although many of the cloud applications our school district intends to use are hosted within Canada (at Toronto and Quebec City data centres), there are some applications that host data in the United States.

Additionally, some functionality which is built into MS365 A3 software (both Canada-hosted and US-hosted applications) may process data on servers outside of Canada. Examples include spell checker and tools which suggest colour themes for documents and presentations. This could also include future functionality that is added to the software in subsequent updates.

Our School District will make users aware of the potential impacts of creating and sharing records within MS365 A3 documents that contain personal information of themselves or others who engage with our district. If users of the MS365 A3 applications are to store and manage personal information of others, the privacy impacts need to be considered, with additional training and guidance.

Users control their own user-generated content and the content which they receive from others, including the deletion of this user-generated content.

System Usage Data

System usage data collected by Microsoft through students’, staff and educators’ use of MS365 A3, which includes cookies, error reports or analytics data, is used to improve the solution and to store a user’s preferences and settings.

All our school district data in MS365 A3 is owned and controlled by our school district, as stated in Microsoft’s online Terms of Service.

Administrative access to the files and accounts owned by School District users will only be used for:

- Technical maintenance
- In order to meet legal requirements to produce records
- In order to prevent misconduct/ensure compliance with the law

Use of or access to student data by Microsoft support resources is tightly controlled, based upon the data type and specific support situations. Such access is temporary and authorized under section 33.1(1)(p) of FIPPA.

Microsoft states that no one at Microsoft has standing access to user data. Each data centre, regardless of the location, maintains industry standard certifications for security and privacy compliance, like ISO27001, ISO27018, SOC II, etc. The results of these audits are available to each customer within their Office 365 tenant through a tool called the Security and Compliance Centre. For an overview of how Microsoft manages customer data, visit: https://www.microsoft.com/en-us/trustcenter/privacy/who-can-access-your-data-and-on-what-terms .

In situations where it is determined that the MS365 A3 applications have been used inappropriately, School District ## is considered to have care of the records and will for the purposes of FIPPA have control of personal information that was exchanged.

If personal information is involved in your initiative, please continue to the next page to complete your PIA.

If no personal information is involved, please submit Parts 1, 6, and 7 to your privacy office(r). They will guide you through the completion of your PIA.

Part 2 – Protection of Personal Information

According to section 30 of FIPPA, “a public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.”

Note: Contractual Protections

Given the service provider relationship between Microsoft and our school district, the school district will be using its contract with Microsoft as one means through which the appropriate level of protection can be ensured for personal information. The Contract will reinforce Microsoft’s commitment by securing a promise from Microsoft to provide for the technological and security safeguards of personal information, including at a minimum those set out in Microsoft policies and terms of use.

The implications of these contractual provisions will be:

o Confirmation that our School District owns all content;
o Confirmation that personal information will be stored, accessed or processed outside of Canada only as noted in the circumstances described under Question 5 of this PIA;
o School District content will be encrypted by Microsoft at rest and in transit;
o That our School District will, to the extent possible, be informed of any request for disclosure;
o That a designated contact will be informed in a timely manner of any actual or suspected data breaches that occur involving our school district data;
o That security tools including access control policies and audit capability are in place.

Informed Consent

The Microsoft Agreement offers the above services to all BC school districts who have signed a Commitment to Participate form for the 3-year term <districts to attach copy of signed agreement to PIA if desired>.

Our school district will arrange to collect signed consent forms acknowledging that district users understand and accept the district’s use policy that applies to MS365 A3, and agree that personal information will be stored and accessed in the cloud from Canadian servers located in Ontario and Quebec, and servers within the United States. The consent form will identify that data which is stored in Canada may transit, and be processed, outside of Canada.

<Districts to customize general text below to describe their specific provisioning process. Below description includes creation of email accounts and user names.>

Microsoft states that they do not have access to school district usernames, nor do they need access to this information. Our district IT administrators are responsible for our own Office 365 tenant, including user account provisioning and deprovisioning. The consent forms are collected at the district / school level and the district IT staff adds those staff, educators and students with signed consent forms. Once our district office receives confirmation that an individual has provided consent, they will activate an email address and user account for that individual. FIPPA regulations respecting consent are included in Appendix A.

<It is the responsibility of each School District to ensure that their consent forms meet the criteria set out in the Freedom of Information and Protection of Privacy Act Regulations section 11 (Appendix A).>

For student users, each school that is participating in the use of the product(s) will facilitate the consent-gathering by sending home with every student a letter of intent (Appendix B) along with a consent form (Appendix C).

5. Storage or Access outside Canada

Microsoft indicates that they offer “in-Geo data residency” which means that, for Canadian-hosted applications, school district data is stored in two geographically distributed data centres located in Canada. As the district’s MS365 A3 tenant is provisioned in Canada, data for core Office 365 applications as well as other services is stored within the Canadian “Geo” within two distributed data centres in Toronto and Quebec City. Some services store customer data outside of Canada, in the United States. (Details are provided in the table on the next page, and further data residency information is available at: https://products.office.com/en-us/where-is-your-data-located?geo=Canada#Canada )

Users’ data will be stored by Microsoft on servers in Toronto and Quebec, Canada and in the USA, as indicated in the table on the next page. However, Microsoft indicates that data may transit outside of Canada to arrive at the Canadian data centre endpoint from the Canadian starting point, even if it is stored at rest in Canada. Additionally, some functionality which is built into MS365 A3 (both Canada- and US-hosted applications) may process data on servers outside of Canada. Examples include: spell checker and tools which suggest colour themes for documents and presentations. This could also include future functionality that is added to the software in subsequent updates. Microsoft advises this data processing will take place in jurisdictions where data centres are available with the necessary capacity.

Users should ensure that files or documents, including emails, created within MS365 applications do not contain personal information (pertaining to themselves, students or parents within the district) unless they have been authorized by the district to use these applications for such purpose, and the necessary consent has been obtained. For applications and services with US data residency, access outside of Canada and personal information must not be saved or stored within these unless an informed consent process is in place within the district, and the relevant student and parent have provided consent that is stored on file.

Users will also be made aware of the fact that those using (and consenting to the use of) Microsoft 365 A3 services and agreeing to applicable district policies may have their personal information disclosed to both authorized district and Microsoft staff for the purposes of correction, deletion or as required by law.

Information in the table below is current as of May 2019, based on the Microsoft website and their support pages.

Component name | What it does | Where your data is located
Azure Active Directory | Authorization / Authentication | USA
Bookings* | Calendar, appointment booking | Canada*
Delve | Analytics | Accesses data residing in other applications
Exchange Online | Email | Canada
Flow | Collaboration | Canada
Forms | Survey creator | USA
Intune | Device and OS management | USA
OneDrive | File storage | Canada
OneNote | Collaboration | Canada
Project Online | Project management | Canada
School Data Sync | School information system synchronization | USA
SharePoint Online | Collaboration | Canada
Skype for Business | Voice, video & Meetings | Canada
Stream | Video service | Canada
Sway | Presentations & Reports | USA
Teams** | Collaboration | Canada**
Yammer | Collaboration | USA

*Bookings - All content created in Bookings is stored within the school district’s Exchange Online mailbox.

**As of August 10, 2018 Microsoft Teams provides data residency in Canada. All new Microsoft Teams users (those who were provisioned or who started using Teams after this date) in Canada will have data for conversations and chat stored at rest in Canada. Users who were already using Teams prior to August 10, 2018 continue to have data residency for their content stored at rest in the AMER geo (Americas – North and South with datacenters in Bay, California and Boydton, Virginia). Microsoft states that they will provide a migration feature to enable data migration for these existing Teams customers. Location of Teams data can be verified within the Office 365 Admin Portal.

Note: The Office 365 data maps page applies to new customers or tenants. The data of current customers may be in a Geo or datacenter location other than what is documented on the page.

The location of data within the district’s current tenant can be verified in the Data Location card on the Organization Profile page in the Office 365 Admin Centre.

Microsoft does not maintain standing access to customer data. Access is only granted to Microsoft staff through an audited process and only to perform maintenance and/or support activities.

<Note: If School Districts seek to restrict administrative access to their district staff only when they are located in Canada, this should be defined within the relevant School District policy.>

6. Data-linking Initiative - Not applicable for the use of MS365 A3 in this PIA.

In FIPPA, "data linking" and “data-linking initiative” are strictly defined. Answer the following questions to determine whether your initiative qualifies as a “data-linking initiative” under the Act. If you answer “yes” to all 3 questions, your initiative may be a data linking initiative and you must comply with specific requirements under the Act related to data-linking initiatives.

1. Personal information from one database is linked or combined with personal information from another database;

No

2. The purpose for the linkage is different from those for which the personal information in each database was originally obtained or compiled;

No

3. The data linking is occurring between either (1) two or more public bodies or (2) one or more public bodies and one or more agencies.

No

If you have answered “yes” to all three questions, please contact your privacy office(r) to discuss the requirements of a data-linking initiative.

7. Common or Integrated Program or Activity - Not applicable for the use of MS365 A3 in this PIA.

In FIPPA, “common or integrated program or activity” is strictly defined. Answer the following questions to determine whether your initiative qualifies as “a common or integrated program or activity” under the Act. If you answer “yes” to all 3 of these questions, you must comply with requirements under the Act for common or integrated programs and activities.

1. This initiative involves a program or activity that provides a service (or services);

Yes

2. Those services are provided through: (a) a public body and at least one other public body or agency working collaboratively to provide that service; or (b) one public body working on behalf of one or more other public bodies or agencies;

No

3. The common or integrated program/activity is confirmed by written documentation that meets the requirements set out in the FIPPA regulation.

No

Please check this box if this program involves a common or integrated program or activity based on your answers to the three questions above.

8. Personal Information Flow Diagram and/or Personal Information Flow Table

The diagram below illustrates the flow of information between the School District and Microsoft’s MS365 A3 services:

The District completes a PIA pertaining to the use of the MS365 A3 service for student, educator and staff use to go forward with this initiative, provided that the implementation follows the attached provisions in the Appendix D checklist.

Before user accounts are activated, users (where applicable) provide to the School District their signed informed consent agreeing that personal information will be stored and accessed in the cloud on Canadian servers located in Ontario and Quebec, and servers within the United States. Consent forms will also identify that data which is stored in Canada may be in transit, and processed from outside of Canada.

Example:

Note: Examples can be removed, and additional lines can be added as needed.

Personal Information Flow Table

Description/Purpose | Type | FIPPA Authority
1. School District enters into agreement with Microsoft. | No PI Collection | N/A 26(c)
2. School District creates students, staff and educators’ accounts. | Collection & Use | 26(c) and 32(a)
3. Users create messages and other works and store emails and files on Microsoft servers in connection with educational, administrative or operational activities. | Use | 32(a)
4. School District collects signed consent from users acknowledging that some applications store data outside of Canada, and that data may also transit, and be processed outside of Canada. | Storage & Access | 30.1(a)
5. Information is used by educators, counsellors, administrative staff, and other professionals in the school system for the purposes for which the information was collected, or for a purpose that is consistent with the original purpose. | Use | 32(a)
6. Information may be disclosed if the head of the public body determines that compelling circumstances exist that would affect anyone’s health or safety. | Disclosure | 33.1(1)(m)
7. Personal Information in the Microsoft 365 A3 system can be disclosed to Microsoft in order to install, implement, maintain, repair, troubleshoot or upgrade the system. | Disclosure | 33.1(1)(p)
8. Information in the Microsoft 365 A3 may be accessed and viewed by School District when travelling temporarily outside of Canada. | Storage & Access | 33.1(1)(e)

9. Risk Mitigation

As personal, private information could be transmitted within communications or hosted within documents, MS365 A3 users should be aware of this risk.

Users should be familiar with the potential impacts of sharing digital information online and the importance of protecting personal information, as these are key components of digital literacy. They should be familiar with appropriate use of the MS365 A3 applications. Personal information transmitted by email should be limited to mitigate privacy issues. When using these services for personal data, it is recommended that the district assess the need and appropriateness for the transfer and storage of such data using these services and delete data that is no longer needed. Our school district will identify types of sensitive data commonly in its custody and control and determine whether the services should be used in relation to that data.

Data will be stored on servers as indicated in the table in question 5 of this PIA. This use and storage as well as the storage of such information in the cloud will be managed through locally created consent forms for staff and educators.

There is a risk that users will use their school email addresses for non-work or non-school-related reasons. This may lead to personal information being voluntarily transmitted outside of Canada. Users will be instructed to follow the appropriate use policy and not to use their email account for these purposes. This is an inherent risk of the non-work or non-school-related use of school district resources, but this risk will be managed by notification, supervision and consent forms.

Our District retains user email content and files for <XX> years. <School district to identify retention schedule>

Risk Mitigation Table

1. Risk: Unauthorized access to users’ emails stored in Microsoft’s Canadian data centres.
Mitigation Strategy: Contractual requirements with Microsoft to secure the information and to report to the district any actual or suspected cases of unauthorized access.
Likelihood: Low
Impact: High

2. Risk: Users use email address for non-work or non-school-related reasons, potentially exposing 3rd party information.
Mitigation Strategy: District Use Policy contains instructions to users on appropriate content when using this method of communication; training is provided for users.
Likelihood: Medium
Impact: High

3. Risk: Inappropriate exposure of personal information could result in a breach.
Mitigation Strategy: District Use Policy; training; incident management process.
Likelihood: Low
Impact: High


4. Risk: Personal information may transit outside of Canada en route to Canadian data centres.
Mitigation Strategy: Potential data path outside Canada is included in the information and consent letter signed by staff and educators. Districts communicate with their internet service provider (ISP) to understand what peering arrangements and internet exchange points they use. Ensuring personal information is encrypted, so that if it is accessed in transit it is of little value.
Likelihood: High
Impact: Low

5. Risk: Personal data within applications is processed by embedded functionality within the applications (such as spelling/grammar checker) that is running on servers outside of Canada.
Mitigation Strategy: Information about data processing is included in the information and consent letter signed by users. Limiting use of applications to store and/or handle personal information. Appropriate encryption and security measures of data storage and processing facilities are ensured via contract and terms of service.
Likelihood: High
Impact: Low

6. Risk: Unauthorized individuals (including students) gain access to the system.
Mitigation Strategy: All authorized users are issued individual accounts by the District and receive training and guidance regarding appropriate use. Passwords must have a degree of complexity that is compliant with provincial requirements. Sessions terminate automatically after <xx> minutes of inactivity.
Likelihood: Medium
Impact: High

7. Risk: Vendor could change terms of use of the service.
Mitigation Strategy: School District terms of use are set for 3 years. Mandatory disclosure by the vendor in advance about any changes to terms to give school districts an opportunity to mitigate any FIPPA compliance issues.
Likelihood: Low
Impact: Low

8. Risk: Inadvertent storage of data / information outside of Canada (e.g. Yammer).
Mitigation Strategy: Users within the school district are advised on the appropriate use of software, and applications with US data residency are identified as inappropriate for storing this data.
Likelihood: Low
Impact: Low

10. Collection Notice

Any personal information collected by the School District in connection with Microsoft programs will be collected by the School District for the above noted purposes under the authority of s.26(c) of the Freedom of Information and Protection of Privacy Act (FIPPA). Personal information may also be accessed, exchanged or collected to facilitate interactions between users (such as videos containing images of other users) for the purposes of collaboration on an educational project under the authority of the School Act and s.27 of FIPPA. If you have any questions about this collection, please contact <List the title, business address, business phone number and email of person who can address questions about collection as described in this PIA>.

Read the relevant FIPPA sections at the following links: s. 26(c) and s. 27(2).

Part 3 – Security of Personal Information

11. Description of the physical security measures related to the initiative.

Microsoft

Microsoft indicates that physical access to the MS365 A3 and Microsoft Dynamics CRM Online data centers is controlled by a two-tier authentication, including proxy card access readers (card access badge required) and hand geometry biometric readers.

On a quarterly basis, the Microsoft Security Officer sends reports to the authorized Microsoft personnel with authority to approve data center access. The reports contain the list of persons who currently have access to the data centers. The authorized personnel audit the list to ensure all persons still require access and have the least privileged access level necessary to perform their job function.


School District

<Describe the additional physical security measures used in the School District to protect the computers and network.>

12. Description of the technical security measures related to the initiative.

Microsoft

All Microsoft 365 A3 and Microsoft Dynamics CRM Online personnel are accountable for their handling of user data. All access to MS365 A3 and Microsoft Dynamics CRM Online data by Microsoft personnel can be tracked and traced to the specific user.

Accountability is enforced by Microsoft through a set of system controls, including the use of unique usernames, data access controls, and auditing. Unlike generic usernames such as "Guest" or "Administrator," unique usernames are used to enforce accountability by linking user actions to a specific person (referred to as "binding"). Two-factor authentication, such as smart card logins using digital certificates or RSA tokens, is also used to further strengthen this binding.

Microsoft enforces role-based access and applies strict controls over which personnel roles and personnel will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via Role-Based Access Control (RBAC). This is an approach to restricting system access to authorized users. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training, and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access.


School District

The School District will ensure that personally identifiable information (e.g. phone number or thumbnail photos) is not synced to AADP unless appropriate consent has been received.

When receiving technical support from Microsoft, our school district can request confirmation of how soon Microsoft staff will lose their temporary access to personal information within the system (to ensure that the duration of temporary access does not greatly exceed the time necessary to resolve a technical issue.)

<Describe any additional technical security measures used in the School District to protect the computers and network i.e. encryption, passwords etc.>

13. Describe District Security Policies and provide contact details for someone who could answer further questions regarding these policies and procedures.

<Please note Microsoft’s Online Services Information Security Policy is available by contacting Microsoft’s Chief Information Security Officer>

Microsoft

The following links provide information about Microsoft’s privacy policies and procedures.

Microsoft Privacy Statement - https://privacy.microsoft.com/en-US/privacystatement# (updated as of April 2019)

Microsoft Online Service Terms - https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31 (May 2019 Version)

Microsoft’s Canadian Head Office is located at:

1950 Meadowvale Blvd
Mississauga, Ontario
L5N 8L9

Canadian Head Office: (905) 568-0434
Customer Inquiries: (877) 568-2495


School District

<School Districts must identify their policies and contact person’s information (Please also add to the checklist in Appendix D)>

Identify district security policies and procedures documents.

Contact
Name:
Title:
Email:
Phone:

14. Access controls and/or ways in which you will limit or restrict unauthorized changes (such as additions or deletions) to personal information.

<Read carefully and customize to reflect your school district’s circumstances.>

Administrators in our school district have full control over the data in MS365 A3. This is for the purposes of account setup and deletion. Access to, or search of, the account content (users’ emails and data) by School District Administrators and Microsoft would only occur for the following purposes:

• For technical maintenance. Such access by Microsoft is authorized under section 33.1(1)(p) of FIPPA.

• In order to meet legal requirements to produce records under Canadian law. Such access and disclosure are authorized under section 33.1(1)(t) of FIPPA.

• To prevent misconduct/ensure compliance with the law (e.g. the School Act) at the request of the school district in accordance with section 33.2(a) of FIPPA.

If law enforcement contacts Microsoft with a demand for school district data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from the school district. If compelled to disclose school district data to law enforcement, Microsoft will promptly notify the school district and provide a copy of the demand unless legally prohibited from doing so.

No changes to personal information contained in the emails or data will occur except by the users themselves within their own accounts, or unless they are informed.

Where the application is used inappropriately, our school district is considered to have care of the records and will for the purposes of FIPPA have custody and control of personal information exchanged.


Microsoft Privacy Statement (Current as of April 2019 at the writing of this document) <School Districts need to confirm the date as policies are refreshed periodically.>

Available online at: https://privacy.microsoft.com/en-us/privacystatement

The following Microsoft privacy statement explains what personal data Microsoft collects from users, through their interactions with users and through their products, and how they use that data.

o Microsoft collects data to operate effectively and provide users the best experiences with their products. Users provide some of this data directly, such as when they create a Microsoft account or administer their organization’s licensing account.

o Windows is a personalized computing environment that enables users to seamlessly roam and access services, preferences and content across computing devices. Rather than residing as a static software program on your device, key components of Windows are cloud-based, and both cloud and local elements of Windows are updated regularly, providing users with the latest improvements and features.

o Microsoft uses the data they collect to operate their business and provide users the products they offer, which includes using data to improve their products and personalize user experiences. They also may use the data to communicate with users, for example, informing users about their accounts, security updates and product information. Microsoft does not use what users say in email, chat, video calls or voice mail, or documents, photos or other personal files to target ads to users.

o The Microsoft products that are intended for use by the school district and are administered to users by the school district may be subject to the school district's policies, if any. If the school district is administering users’ use of the Microsoft products, please direct privacy inquiries to your administrator.

o The Enterprise and Developer Products enable users to purchase, subscribe to or use other products and online services from Microsoft or third parties with different privacy practices, and those other products and online services will be governed by their respective privacy statements and policies.

Further information can be found in the Microsoft Services Agreement (Effective as of May 2018 at the writing of this document.) https://www.microsoft.com/en-us/servicesagreement/

15. Description on how you track and who has access to the personal information.

Statements issued by Microsoft indicate that its information security procedures around audits and controls are based upon the ISO 27001 standards and are documented in the Standard Response Document at http://www.microsoft.com/en-us/download/details.aspx?id=26647 (click “Download” button, then select the document named “StandardResponsetoRequestforInformationWindowsAzureSecurityPrivacy.docx”).

All Microsoft employees and contractor staff represent that they have reviewed, and agree to adhere to, all policies within the Information Security Policy documents.


Microsoft has implemented and will maintain reasonable and appropriate technical and organizational measures, internal controls, and information security routines intended to help protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. Each year, Microsoft undergoes third-party audits to validate that they have independent attestation of compliance with their policies and procedures for security, privacy, continuity and compliance.

Microsoft states that all Microsoft employees and subcontractors with access to customer data are subject to the same access controls and security checks. This includes background checks, lockbox usage, and user roles and IDs. All employees and subcontractors are required to follow applicable intellectual property laws. Subcontractors who must have access to customer content are required to join the Microsoft Vendor Privacy Assurance Program and to meet Microsoft's privacy requirements by contract.

Access to all Microsoft buildings is controlled, and access is restricted to those with card reader (swiping the card reader with an authorized ID badge) or biometrics for entry into datacenters.

Microsoft does not have standing access to their users’ names. Each district IT administrator is responsible for their own Office 365 tenant, including user account provisioning and deprovisioning, which is completed through the User Management Administrator Role.

School District

Administrator access will be limited to specific selected staff and tightly controlled through an approval process. Access to the data will be tracked, and activity will be monitored by review of log files. Access to individual mailboxes by non-owners of the mailboxes will be logged. <customize and expand this sample text as needed>

The rights and responsibilities of the school district system administrator, outlined in our district’s <name specific use policy>, are as follows:

<Identify and list your district’s specific policy and regulation that apply>

Part 4 – Accuracy/Correction/Retention of Personal Information

16. How is an individual’s information updated or corrected? If information is not updated or corrected (for physical, procedural or other reasons) please explain how it will be annotated? If personal information will be disclosed to others, how will the public body notify them of the update, correction or annotation?

<Districts to confirm the below suggested text is correct, and customize to answer this according to your district practices>


Users may have access to their own personal information to correct it or update it themselves. Where this is not possible, they will be directed to system administrators who can update their information upon request.

OR

To modify their personal profile information stored with MS365 A3, users will have to contact the User Management Administrator(s) with their role / title to request changes to their profiles.

17. Does this initiative use personal information to make decisions that directly affect an individual(s)?

<Districts to confirm and customize this answer according to their practices. Example text provided below.>

Yes. Assignments and other student work created within MS365 A3 applications are evaluated by educators to assess student progress and assign grades within classes. <This answer is provided as an example only. Districts to expand or customize as needed.>

OR

No.

18. If you answered “yes” to question 17, please explain the efforts that will be made to ensure that the personal information is accurate and complete.

<if the answer to Question 17 is “No”> N/A.

<if the answer to Question 17 is “Yes”, customize the text below as needed>

The designated contact person below is responsible for providing access to, ensuring accuracy and completeness of, and making requested corrections to personal information held within the MS365 A3 program. Where corrections cannot or will not be made, this contact will annotate the records containing the information.

Name of designated contact person:
Email / Phone number:

19. If you answered “yes” to question 17, do you have a records retention and/or disposition schedule that will ensure that personal information is kept for at least one year after it is used in making a decision directly affecting an individual?

The School District will retain all information used to make decisions about students for a minimum of 1 year. The School District will agree and sign-off on this term to make use of this PIA.


Part 5 – Further Information

20. Does the initiative involve systematic disclosures of personal information? If yes, please explain.

Not applicable if used in the context of this PIA.

<For example: not applicable if your department does not have a regular exchange of personal information (both collection and disclosure) with the federal government to provide services to your staff and students.>

Please check this box if the related Information Sharing Agreement (ISA) is attached. If you require assistance completing an ISA, please contact your privacy office(r).

21. Does the program involve access to personally identifiable information for research or statistical purposes? If yes, please explain. <For example: your public body will disclose information to PhD students so that they can conduct research.>

No. <If there are future plans for personal information to be used for research or statistical purposes, such as by the school district or Ministry, this would need to be examined at that time through a new PIA and would need to be noted here.>

Please check this box if the related Research Agreement (RA) is attached. If you require assistance completing an RA please contact your privacy office(r).

22. Will a personal information bank (PIB) result from this initiative? If yes, please list the legislatively required descriptors listed in section 69 (6) of FIPPA. Under this same section, this information is required to be published in a public directory.

The creation of individualized student, educator and staff user accounts may constitute a personal information bank within the meaning of section 69 of the Act, and reference to it will be included in the School District Personal Information Directory.

Title: Student, educator and staff user accounts

Description: Education and school work related and necessary communications

Location: Local School District servers and Microsoft servers in Ontario and Quebec

Authority: Section 26(a) and the School Act

Purposes: Educational, student assessment, operational, administrative usage

Authorized Users: Educators, school administrators, School District technical staff and students


Please ensure Parts 6 and 7 are attached to your submitted PIA.


Part 6 – Privacy Office(r) Comments

This PIA is based on a review of the material provided to the Privacy Office(r) as of the date below. The PIA is a “living document” that needs to be periodically reviewed. Should there be substantial changes that may affect the privacy of our users, an update will be initiated. As part of our business practices, this PIA will be reviewed annually. If, in the future, any substantive changes are made to the scope of this PIA, the school district will complete a PIA Update and submit it to this Privacy Office(r).

NOTE: We cannot say with any degree of certainty what unintended consequences could potentially arise out of Microsoft’s Services which they provide and maintain. Various customer value added services such as on-line templates, spell check, grammar check, international language availability and supported languages of Office 365 are not determined by our Geo and data center locations. Users will not know for certain whether their data is being ‘touched’ by the MS organization, nor will they necessarily be notified except when MS expands an existing multi-country Geo to include a new country. In other words, we do not know with a high degree of certainty if the data is being collected and potentially used, and for what purposes, other than what has been described as Microsoft’s Services.

<Please add any additional relevant information that you deem important to the completion of this PIA>

Privacy Officer/Privacy Office Representative

Signature Date


Part 7 – Program Area Signatures

Program/Department Manager Signature Date

Contact Responsible for Systems Maintenance and/or Security (Signature not required unless they have been involved in this PIA.)

Signature Date

Head of School District, or designate Signature Date

If you have any questions, please contact your school district’s privacy office(s) or call the OCIO’s Privacy and Access Helpline at 250 356 1851 and email [email protected].

A final copy of this PIA (with all signatures) must be kept on record.


APPENDIX A – Consent Respecting Personal Information

<To be valid, consent forms must meet the requirements of the following sections of the FIPPA Regulation.>

11. (1) For the purposes of section 26 (d), 30.1 (a), 32 (b) and 33.1 (1) (b) of the Act, consent must

(a) be in writing, and

(b) be done in a manner that specifies

(i) the personal information for which the individual is providing consent, and

(ii) the date on which the consent is effective and, if applicable, the date on which the consent expires.

(2) In addition to the requirements of subsection (1) of this section, for the purposes of

(a) section 26 (d) of the Act, consent must be done in a manner that specifies

(i) who may collect the personal information, and

(ii) the purpose of the collection of the personal information,

(b) section 30.1 (a) of the Act, consent must be done in a manner that specifies

(i) who may store or access the personal information, as applicable,

(ii) if practicable, the jurisdiction in which the personal information may be stored or from which the personal information may be accessed, as applicable, and

(iii) the purpose of the storage of or access to the personal information,

(c) section 32 (b) of the Act, consent must be done in a manner that specifies the use of the personal information, and

(d) section 33.1 (1) (b) of the Act, consent must be done in a manner that specifies

(i) to whom the personal information may be disclosed,

(ii) if practicable, the jurisdiction to which the personal information may be disclosed, and

(iii) the purpose of the disclosure of the personal information.

(3) Subject to subsection (4), a consent under section 33.1 (1) (b) of the Act that was given before the date this regulation comes into force and is still effective on the date this regulation comes into force, continues to be effective in accordance with its terms.

(4) Unless a consent described in subsection (3) complies with the requirements set out in subsections (1) and (2) (d) within one year after the date this regulation comes into force, the consent ceases to be effective on the date that is one year after the date this regulation comes into force.


APPENDIX B – Letter of Intent

Date: [Homeroom Teacher Name]

Re: Student Access to Microsoft Services

To: Parents/Guardians [Student First Name] [Student Last Name]

It is an exciting time for teaching and learning in our School District as we pursue our goal of helping all students to develop the skills to become learners, thinkers, innovators, collaborators and contributors. These are the attributes of our School District learner that we have determined as being necessary for success in the 21st century.

As we pursue our educational goals, we recognize the importance of creating 21st century learning competencies in an environment that provides tools for students that are relevant to their daily lives. To that end, we are entering into a Provincial Microsoft Licensing Agreement to deliver to our students and staff the Microsoft 365 Education A3 solution which will give all users access to a full suite of online hosted, web-based software.

As a result, the School District’s Learning Technology Department has been working to create a digital collaboration system that will connect students, parents and teachers. This system will provide access to educational programming and learning resources anytime, anywhere in a safe and secure web-based environment.

While recognizing the benefits of supporting digital literacy in learning environments, we must also be aware of the potential impacts of sharing digital information online and the necessity to protect our students’ personal information regardless of where it is stored or accessed. On the reverse of this letter you will find a consent form that will allow your student to gain access to this system which includes student e-mail. While this is not an educational requirement for your student, we hope that you will see the value in providing these tools for your son/daughter. If you choose to grant permission, please sign the consent form and return it to the school. Your student’s classroom teacher will then provide further instructions on how to access the new collaboration system. If you have further questions, please do not hesitate to contact me using the information listed below.

Sincerely,

Name:

Title: Director of Instruction K – 12

Email Address:

Phone Number:

APPENDIX C – Sample Consent Form

<Please put on your District’s letterhead and customize to reflect your district’s use as needed.>

<In addition to students, anyone who has personal information being stored/managed within the school district’s MS365 A3 application (such as staff, parent volunteers, guest speakers etc.) should complete a consent form as data in applications may transit and be processed outside of Canada.>

School District <##> provides <students in Grades < X – Y> / educators / staff> with <Microsoft 365 A3 (MS365 A3) user accounts, including a district email account as well as <##> gigabytes of online file storage space> for educational, communication and class assignment storage purposes. Each user will have their own secure login and password to access their email and files within MS365 A3. The School District will ensure that personally identifiable information is not synced to the Azure Active Directory Premium data storage in the USA. <adjust or remove this sentence based on provisioning process in your district>

The creation and use of user email accounts involves a collection and use of personal information authorized by the School Act and section 26 of the Freedom of Information and Protection of Privacy Act. These tools may be used by educators to facilitate classroom instruction and student evaluation, and they may also be used by students to complete and collaborate on school work (such as videos containing images of other students). Information stored in MS365 A3 will be held in users’ private accounts; however, it may be shared with other users for the purposes of collaboration.

There are circumstances where user-generated data within these applications could contain the personal information of users, in the following categories:

Evaluation (e.g. opinions about student work and assignments)

Discussion or conversations data (e.g. in email or online chat or meeting tools)

Images (including videos and photographs)

Calendar appointments

Content within presentations or other assignments

Email addresses

Medical absences

<School districts to add or remove categories as needed, as this list should be as exhaustive as possible.>

Microsoft stores data at rest for the MS365 A3 services for School District users on servers in Canada and in the United States. Users’ account data (such as name, email address, grade level, and school name) and usage data (such as emails and documents, calendar information, and any records created in the collaborative application suite) stored at rest on Canadian servers may be in transit outside of Canada on its path to the Canadian data centres (in Ontario and Quebec).

Additionally, data stored at rest in Canada may also be processed by functions within the MS 365 A3 applications that are running on servers outside of Canada. These functions include various customer value-added services such as on-line templates, spell check, grammar check, international language availability and supported languages of Office 365 for applications with Canada or US data residency. Microsoft advises this data processing will take place in jurisdictions where data centres are available with the necessary capacity. All Microsoft data centres provide strict security measures to protect data.

In accordance with the BC Freedom of Information and Protection of Privacy Act (FIPPA), the disclosure of personal information outside of Canada, as described above, requires consent.

The School District is also making efforts to instruct users of MS365 A3 about limiting the amount of personal information that they use and exchange using these services. While stored inside the country, information in each user’s Microsoft 365 A3 account is subject to Canadian personal information protection laws. The School District is providing users with instruction on the appropriate use of technology as per our Appropriate Use Policy.

If you have any questions about the collection or use of student information using these tools, please contact <title, business address, business phone number>.

This form must be signed, dated and returned, before a District Microsoft 365 Education A3 account can be activated for the user named below.

Consent:

I understand that my (if student is signing) information or my child’s (if parent is signing) information in the Microsoft 365 A3 Account may be used and disclosed as outlined above. I also understand and agree that my (if student is signing) information or my child’s (if parent is signing) information can be collected, used and shared through this application by other users for the purposes of group work, collaboration, and similar activities.

This consent will be considered valid from the date at which it is signed until one year after the point at which the user named below is no longer a student / staff member / educator within the School District. I also hereby acknowledge that I have read and understood the School District’s Policy which covers the appropriate use of Microsoft 365 A3.

Name of user or, if applicable, parent or guardian: _____________________________________

Signature of user or, if applicable, parent or guardian: ___________________________________

Date Signed (YYYY/MM/DD): __________________________________

User Details:

First Name: __________________________ Last Name:___________________________

Grade (if applicable): __________________ School: ______________________________


APPENDIX D

Confirmation and Checklist for Implementing Microsoft 365 Education A3 (MS365 A3)

School District: ____________________________________________________________________________

School District’s Microsoft 365 A3 Administrator: _________________________________________________

Email: _____________________________________________ Go-Live Date: _________________________

This checklist is completed to determine if our School District meets the criteria set out in this PIA. If our School District implementation does not meet the criteria of this checklist you will have to complete a PIA, in accordance with section 69(5.3) of the Freedom of Information and Protection of Privacy Act.

For the purposes of this Appendix, “Use Policy” has the same meaning as that established in the PIA – the School District’s Use Policy on the Use of Microsoft 365 A3.

Please enter an “X” under the appropriate answer to the following questions:

Yes No

Notification and Consent

A “Collection Notice”, meeting the requirements of section 27(2) of the Freedom of Information and Protection of Privacy Act has been provided to students/parents, either via the consent form or the letter of intent.

A signed consent form has been secured from all parents/students/users, and the consent form meets the requirements of section 11 of the Freedom of Information and Protection of Privacy Regulation.

Consent will be secured from students where they can exercise this right, and guardians (i.e. parents) will consent for students when they are incapable of exercising this right, pursuant to section 3 of the Freedom of Information and Protection of Privacy Regulation.

Students are not obligated to take part in the MS365 A3 program, and our district seeks to accommodate students when consent is not obtained.

Use

The School District has created a new, or implemented an existing, Use Policy for students, which dictates what constitutes (or contradicts) “appropriate use” of the application. The Use Policy also very clearly outlines any monitoring that may take place, or any instances in which a Microsoft 365 A3 account would be suspended or revoked.

The School District will ensure that the Use Policy is widely distributed, and that parents, students, educators and administration are educated about, and understand, the contents of the Use Policy. The Use Policy should be provided with consent forms.

Disclosure

Only the names and School Districts of those who have signed consent forms (or, where applicable, a parent has signed a consent form) will be disclosed to Microsoft for the purposes of the Microsoft 365 A3 Program.

Access, Accuracy, Correction and Annotation (see section VI of this PIA)

The School District has identified a contact person within the School District who is responsible for providing access to, ensuring accuracy and completeness of, and making requested corrections to personal information held within the Microsoft 365 A3 program. Where corrections cannot or will not be made, this contact will annotate the records containing the information.

School District Contact: _________________________________


Security (see section VII of this PIA)

The School District has identified a contact person within the School District who is responsible for maintaining the security of the personal information held in the Microsoft 365 A3 system.

School District contact: __________________________________

Audit Logging (New Recommendation)

Audit logging of non-owner access to accounts is enabled.

Monitoring

Email accounts will only be searched, seized, monitored, suspended, or revoked in accordance with the Use Policy established by the School District.

Content of a student account will only be searched for one of the following reasons:

technical maintenance

in order to meet legal requirements to produce

prevent misconduct/ensure compliance with the law (e.g. the School Act)

Records Management

A records retention and disposition schedule has been created by the District. All records used to make a decision about an individual must be kept for at least one year as noted in Section 31 of FIPPA. The records disposition schedule, although not a PIA requirement, falls under the responsibility of the Chief Records Officer, BC Government, who is required to follow the new legislation for Records Management as of May 10, 2016.

Privacy Management Program (New Recommendation)

I acknowledge the Ministry of Education’s recommendation that a privacy management program be implemented within my school district, and further acknowledge that I am aware of the resources that are available to me to support this recommendation. Namely, the OIPC’s Accountable Privacy Management in BC’s Public Sector and the BC Government’s Privacy Management and Accountability Policy.

Scope

I understand the information and analysis in this PIA is limited to the interaction between Office 365 and the requirements set out in the FIPPA. It is the responsibility of our School District to review Microsoft’s Terms of Use/General Services Agreement. We have reviewed and complied with all obligations created by other legislation and policy, including but not limited to legal review of, and approvals for indemnities created by, Microsoft’s Terms of Use/General Services Agreement.

I understand that, as the School District’s service provider, Microsoft and its subcontractors are considered a public body employee under the Freedom of Information and Protection of Privacy Act and, strictly within the scope of offering this service to the School District, are thus bound by the same restrictions and requirements.

If you have answered ‘No’ to any of the above questions, a separate PIA will need to be completed before your Microsoft 365 A3 Program can be launched.

Checklist Completed By (Please Print): ________________________________________ Signature: _______________________

Name of School District’s PIA Signatory (Please Print): ____________________________________________________

Signature: _____________________________________________ Date (YYYY-MM-DD): __________________________

APPENDIX E

Managing data within Azure Active Directory (instruction provided by Microsoft):

Objects in Azure Active Directory are synchronized from on-premises Windows Server Active Directory using the Azure AD Connect tool. The default approach is to keep the default attributes so a full GAL (Global Address List) can be constructed in the cloud. However, there are some attributes that school districts should not synchronize to the cloud since these attributes contain sensitive or PII (personally identifiable information) data.

Below is an example:

School districts should review the list of attributes and identify those attributes that would contain sensitive or PII data and should not be synchronized. Then deselect those attributes during the installation and configuration of the Azure AD Connect tool.

<Note: As an alternative, school districts could get authorization to disclose personal information outside Canada in Azure AD by collecting informed consent from users.>

Additional information:

Azure AD Connect Sync: Attributes Synchronized to Azure Active Directory https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized

How Microsoft Secures Data in Azure AD https://www.microsoft.com/en-us/microsoft-365/blog/2017/09/05/how-we-secure-your-data-in-azure-ad/

BC OIPC Cloud Computing Guidelines for Public Bodies https://www.oipc.bc.ca/guidance-documents/1427
