
Upload: lenhu

Post on 22-Nov-2018


Privacy Impact Assessment for [Microsoft 365 Education A3]

PIA# <assigned by your privacy office(r)>

Enquiry BC – Privacy and Access Helpline. Victoria: 250-356-1851 Vancouver: 604-660-2421 and elsewhere in BC, toll-free: 800-663-7867

Please note: Nothing in this document constitutes legal advice to any person. The comments and opinions expressed in this document are to help illustrate the content needed to complete a School/District PIA. This information does not constitute ERAC or OIPC approval of the initiative being consulted on or fetter the Commissioner’s discretion should the initiative later be the subject of a complaint or investigation. It remains the responsibility of the school districts to ensure that they comply with their duties and obligations under applicable laws and are compliant with the Freedom and Protection of Privacy Act.


Why should I complete a PIA?

A PIA is a tool to help Schools/Districts ensure compliance with applicable privacy legislation. This document helps mitigate and evaluate many of the unintended risks and consequences that can develop because of not anticipating multiple perspectives and circumstances with a new system or project. As part of the process, schools/districts are taking the appropriate steps to ensure that parents, students and educators understand what measures are taken with regards to the safety and security of personal information and the importance of informed consent.

School/District staff need to contact the privacy office(r) or PIA Drafter, at their School/District, to determine internal policies for review and signing-off of a Privacy Impact Assessment. Staff may submit PIAs to their Superintendent of Schools for consideration. If you have any questions about this PIA template or FIPPA in general, you may contact the designated PIA Drafter as noted in this document or call the provincial Privacy and Access Helpline at Enquiry BC as noted below. Completed PIAs must be retained in a secure location at the School/District for the purposes of a Privacy Commissioner’s Audit.

Note: This process can help identify and reduce many of the unintended risks and consequences that may potentially jeopardize student and educator privacy and security.

What if my initiative does not include personal information?

Best practices indicate that Schools/Districts should still complete Part 1 of the PIA and submit it along with the signature pages to their privacy office(r) even if it is thought that no personal information is involved. This process ensures that the initiative has been accurately assessed to meet the requirements of FIPPA.

Note: The definition of personal information is: Recorded information about an identifiable individual other than contact information.

The following examples are a non-exhaustive list of personal information:

- Name, address, email address or telephone number;
- Age, sex, religious beliefs, sexual orientation, marital or family status, blood type;
- Information about an individual’s health care history, including a physical or mental disability;
- Information about an individual’s education, financial, criminal or employment history;
- Social Insurance Number (SIN) and Personal Education Number (PEN); and
- Personal views, opinions, religious or political beliefs or associations.

This template PIA is the property of ERAC and asserts copyright over its contents. ERAC provides authorization to its members in good standing to use and modify this document, but non-members must first obtain the written consent of ERAC for any use or modifications of this document.


NOTE TO DISTRICTS:

Instructions in RED text in this document should be removed from the final version of your District’s PIA. Also, remove the blue textbox above once you have completed this PIA. This personalized PIA becomes your district’s property and is managed under your authority, not ERAC.

The PIA district drafter completing this document needs to replace the GREEN text throughout the document with specific information attributed to their district.

We understand your District has chosen to make use of Microsoft 365 Education A3. Conducting this Privacy Impact Assessment will help your District ensure compliance with the Freedom of Information and Protection of Privacy Act (FIPPA) and your School District’s Use Policy, and will provide documentation on your organization’s transparency processes when introducing new programs or services that may involve the collection, use and disclosure of personal information.

The purpose of a PIA is to ensure that the District complies with its obligations under FIPPA, and to ensure that, with heightened sensitivity about the use of personal information and privacy data, it demonstrates to all stakeholders the due diligence that is applied to new services and initiatives within the school district.

To help with your implementation we have included Appendix D, “Checklist and Confirmation List for Implementing Microsoft 365 Education A3”. In addition, to address any public concerns regarding users’ privacy, we make reference to “Accountable Privacy Management in BC’s Public Sector”, a guidance document issued by the Office of the Information and Privacy Commissioner of British Columbia in relation to public body compliance with privacy laws.

To assist you in the deployment of these services, this Privacy Impact Assessment (PIA) has been partially completed for you. Please review and edit this document carefully to ensure it accurately reflects the intent and scope of your initiative. We have done our best to indicate where information from your district is required. It is your responsibility to ensure that the information in this PIA is accurate and completed. However, under FIPPA responsibility for ensuring the PIA is complete and correct lies with each individual School District.

This privacy impact assessment (PIA) covers the provision of Microsoft 365 Education A3 cloud-based services for students and staff across BC.

Please note: This PIA is prepared for Districts intending to store student/staff emails and data on Microsoft servers located in Canada and the USA (as indicated in the table in section 5).

Please do not remove any parts of the PIA. Where a section does not apply, enter “Not Applicable.”


Name of District: <Name> Board of Education – SD <##>
PIA Drafter: <Name, Title of School District Contact>
Email: <Email of School District Contact> Phone: <Number of SD Contact>
Program Manager: <Name, Title of initiative contact, if different from PIA Drafter>
Email: <Alternate to the above> Phone: <Alternate to the above>

Part 1 – General

1. Description of the Initiative

The School District has selected Microsoft 365 Education A3 (MS365 A3) as the e-communications service for its students and staff. MS365 A3 provides users with not only email services, but additional tools providing opportunities for the School District to modernize, increase agility and provide robust information security and privacy practices.

Currently, all email and related services offered by the School District are available through an “on premises” solution that is maintained by the School District. While the migration to MS365 A3 provides the School District with certain benefits, the School District recognizes that the use of a cloud-based or new on-premises solution gives rise to potential privacy issues. The School District is conducting this Privacy Impact Assessment (“PIA”) to ensure these services are offered in a way that is compliant with the Freedom of Information and Protection of Privacy Act (FIPPA).

MS365 A3 is available to the School District through a group purchasing program offered by the Educational Resource Acquisition Consortium (ERAC). ERAC is a member-based organization that provides services to the K-12 education sector in BC and the Yukon. On behalf of its membership, ERAC has entered into a Provincial Microsoft Licensing (PML) Agreement with Microsoft to deliver to their members MS365 A3 which will give all participants access to a full suite of Microsoft online hosted, web-based software solutions and/or the option to use components for use on-premises where applicable.1

Microsoft is offering school districts an option to use one of two versions of Office 365 Education. The first version is a web-based version which includes cloud-based services. The second is an on-premise version which is installed on devices locally and backed up on school district servers. The School District has the option to use on-premise versions of products, where available under the PML. Specifically:

1. Users can use the Office 365 apps (Word, Excel etc.) in the cloud – or still install and use the Office 2016 Pro clients (Word, Excel, etc.) locally on all District computers or do a combination of both.

2. The School District can give some staff email accounts in the cloud (O365/Outlook app) or keep all Outlook email accounts local. And again, users can do a combination of both. E.g., give students and some staff access to O365 A1 (which also includes a basic email account) and, for staff who handle sensitive information, keep their email running on their own email servers.

1 On-premises software is installed and runs on computers on the premises of the person or organization using the software rather than at a remote facility or in the cloud.

3. The School District can run Windows 10 on-premises or they can move their entire operations to Azure or another cloud service or both. <Districts to confirm and complete details of how schools or Districts are intending to implement the services and update statement accordingly.>

While this PIA addresses both on-premise and cloud versions, at this time, the School District has elected to use <specify>. <A description of the product offering is set out below.>

The PML provides for a 3-year Commitment to Participate for a term commencing April 1, 2018 and ending March 31, 2021. ERAC arranges volume licensing with Microsoft through a vendor, Softchoice, a Vancouver based company. Softchoice does not have access to any data or personal information created or stored through Microsoft products and its participation is not the subject of further comment in this PIA.

<Note to Districts: Districts can choose to use cloud versions or, if you choose, an “on-premise” version, i.e. you can choose to use the Office 2016 client or O365. Not all solutions have a premium version, but these can also be installed locally. Where solutions were developed as cloud solutions, you can use it in the cloud or not at all. This needs to be specified above. School districts electing the “on-premise” version will need to modify content below addressing the implications of use of the cloud-based system.>

Data Storage and Access

Microsoft has ensured that the Office 365 Education Software that the School District is proposing to implement will store personal information as indicated in the table in Section 5 of this PIA.

Personal information may be accessed from outside of Canada in the following circumstances: <Note: Edit the following text according to usage in your district.>

(1) where a staff member temporarily accesses Office 365 while working remotely, or

(2) during interactions with Microsoft help desk or support personnel who do not reside in Canada.

(3) during classroom activities that involve “pen-pal” initiatives with overseas schools which would involve the disclosure of a student’s name, email address and content outside of Canada.

These instances are authorized under FIPPA section 33.1.

Microsoft does not maintain standing access to customer data. Access is only granted to Microsoft staff through an audited process and only to perform maintenance and/or support activities. <This could differ depending on the District’s implementation and in-classroom usage; other opportunities might also exist.> <Districts to confirm and update statement accordingly.>

Overview of Services


Microsoft 365 Education replaces: E Desktop suite and, as discussed in more detail below, includes AADP* (Azure Active Directory Premium), Intune**, Minecraft*** and some server Licenses. The services and licenses included in the Agreement offering are shown in the attached component chart which also lists productivity servers SharePoint and Skype found under the heading Management and Security. To see the full list of components, see https://www.bcerac.ca/agreements/docs/Discover-Microsoft-365-Education.pdf

Office 365 A3 provides:

- 100GB mailboxes and unlimited archive mailboxes, if configured;
- 1 terabyte (TB), which is 1,024 gigabytes (GB), of OneDrive file storage per user;
- SharePoint Online shared storage of 1TB, plus 10GB per user license within the tenant;
- Office Pro Plus client license in one Stock Keeping Unit (SKU) or product number identifier.

As discussed above, Office 365 A3 services are based in Canada.

Microsoft indicates that it offers “in-Geo data” residency which means that School District data is stored in at least two geographically distributed data centers located in Canada. For more details go to https://products.office.com/en-us/where-is-your-data-located?geo=Canada#Canada.

MS365 A3 also includes:

Office 365 Cloud App Security, a tool used to provide users with insight into suspicious activity in Office 365 so that situations can be investigated, and action taken, if needed, to address security issues. It includes the provision of a set of security reports and alerts that act upon Office 365 Audit log data, which resides within the customer’s tenant in Canada.

Skype Meeting Broadcast is a feature of Skype for Business Online and Office 365 that enables users to schedule, produce and broadcast meetings for events to online audiences outside of the school district (e.g. French symposium between classes across Canada; Virtual field trips with museums, Vancouver Art Gallery, Aquarium, Science World, etc.). By its nature, it’s not built for private data, nor would it be used for content containing personally identifiable information. <Districts to confirm and complete details of how schools or Districts use Skype for Meeting Broadcast and update wording accordingly. Note that phone numbers or profile photos if attached to student accounts would be considered personal information.>

Azure Active Directory Premium* (AADP) is a secure cloud identity platform that authenticates users through a single sign-on system. This facilitates easy access for users and management, and gives our staff and students safe online access to the cloud. AADP supports Office 365 by providing an identity and access management service. AADP adds reporting and access functionality to Azure AD Basic. The School District will ensure that personally identifiable information (such as phone number or thumbnail photos) is not synced to AADP.

Azure Information Protection is an encryption service for documents and e-mail within SharePoint/OneDrive and Exchange Online. The data resides in those services.


Microsoft Intune** (formerly known as Windows Intune) is a cloud-based desktop and mobile device management tool that helps organizations provide their employees with access to corporate applications, data, and resources from the device of their choice. Intune is delivered out of Microsoft’s US data centers. This application utilizes access controls from Azure Active Directory and helps to secure school district data. The School District will ensure use of this service is compliant by ensuring that no personally identifiable data is contained in the device registration nor for activities that may be performed on that device. Microsoft Intune is therefore believed to be compliant.

Minecraft Education Edition*** is a sandbox video game that allows players to build with a variety of different cubes in a 3D procedurally generated world. Other activities in the game include exploration, resource gathering, crafting, and combat. Minecraft Education Edition has no cloud components – it’s a locally installed game and network play is PC to PC within the school district.

Based on this PIA, a checklist has been created that will serve as a means for our School District to ensure that our use of the MS365 A3 solution meets the requirements set out in the FIPPA. Where our School District meets all the criteria set out in the checklist, this PIA and the accompanying checklist, as provided in Appendix D, will serve as the School District’s PIA as required under s.69(5.3) of the FIPPA.

Informed Consent

The Microsoft Agreement offers the above services to all BC school districts who have signed a Commitment to Participate form for the 3-year term (copy attached).

Participating staff and students will be approached to sign informed consent forms acknowledging that they understand and accept the District’s Use Policy (Use Policy) for MS365 A3 and agree that personal information will be stored and accessed in the cloud from Canadian servers located in Ontario and Quebec.

Each School that is participating in the use of the product will facilitate the consent-gathering by sending home with every student a letter of intent <where districts have not informed parents> (Appendix A) along with a consent form (Appendix B). Where a student (or, as applicable, their guardian) declines to provide the consent the School District will identify an alternative program for the student.

<It is the responsibility of each School District to ensure that their consent forms meet the criteria set out in the Freedom of Information and Protection of Privacy Act Regulations section 11 (Appendix C). To ensure the consent is truly voluntary, school districts need to have an alternative for students who decline to provide consent>

Microsoft doesn’t have access to student and staff names, nor do they need access to this information. Each of our district IT administrators is responsible for our own Office 365 tenant, including user account provisioning and deprovisioning. The consent forms are collected at the district level and the district IT staff add those students with signed consent forms.


A sample consent form is attached to this PIA as Appendix B. Once our district office receives confirmation that an individual is a registered student and has provided consent, they will activate an email address for that student, which will also provide student access to the other Office 365 services listed in Section II, Part 2.

The use of the MS365 A3 service is not an educational requirement for students. Students will not be obliged to use the email, and all school activities that rely on the use of student email must allow for and accept alternate email addresses or an equivalent means of student participation. At no time will a student be denied participation in a school-sponsored event or activity because they have not registered for or consented to using an MS365 A3 email address.

School District Policy on Use of Technology (Use Policy)

Staff and students’ MS365 A3 email addresses are intended to aid in the educational process and facilitate the instruction of digital and online-based skills to better equip them for the working world. The School District has created and implemented a Policy on the Use of MS365 A3 (Use Policy) to set out the School District’s expectation of how the MS365 A3 account will be used. The Use Policy addresses awareness of the potential impacts of sharing digital information online and the importance of protecting personal information, as these are key components of digital literacy. <NB: School Districts should ensure that they develop such a policy in conjunction with this PIA>

Our Use Policy sets out the specific educational uses for which the email accounts are expected to be used, along with the rules as to what will constitute “appropriate use” of these accounts. The Use Policy also sets out, in very clear terms, to what degree and in what circumstances their MS365 A3 account information will be monitored and/or viewed by administrators (e.g. only in resolving technical issues, or when inappropriate use is suspected, etc.).

The Use Policy states that the expected use of the email addresses will be for school-based activities (i.e. emailing only other students, school faculty, or school administrators, and all other emailing activities fall within the scope of the ‘appropriate use’ section of the Use Policy). The School District will mitigate any privacy issues by limiting the personal information exchanged using School District email accounts. Additionally, only those individuals who have signed a consent will be issued a School District email account.

The Use Policy also directs faculty and administration as to what constitutes appropriate use of a student’s email address. For example, faculty and administration will be directed to only use the email address for educational or school-related purposes. Faculty and administration are made aware that any information that they send to student email addresses will be stored as indicated in the table in section 5 of this PIA.

Note: Training on the Use Policy will be provided to students, faculty and administrators in order that appropriate use is understood by all users of the MS365 A3 solution.

The Use Policy developed by the School District sets out the intended use of MS365 A3 for Education and the risk of inappropriate or unintended use. Where email is used inappropriately, the School District is considered to have care of the records and may for the purposes of FIPPA have custody and control of personal information exchanged.


The risks and their mitigating strategies are identified in Part 2, #9.


2. Scope of this PIA

This privacy impact assessment (PIA) covers the provision of Microsoft 365 A3 cloud-based services for staff and students across the School District as detailed below.

Note: The Microsoft Home Use Program (HUP) for School and District faculty’s personal use, is out of the scope of this PIA.

Below are the services offered by Microsoft 365 A3 and the accepted uses that fall within the scope of this PIA:

Service: Email. Cloud-based Microsoft Exchange staff and student email accounts and calendars, on School District specific domains, with <## GB> of storage per user. <School Districts need to edit this text and specify the amount of storage space they are prepared to provide their staff and students.>

Accepted Use: Staff and Student mailboxes and calendar content will reside on Microsoft-owned servers in Canada.

Student, or where necessary parental, consent for storage of student email in the cloud will be obtained via a hard copy form signed by students, or (where necessary) parents and returned to the school. The signed form will be scanned and saved on local file storage areas prior to a student’s account being activated. See Appendix B for a sample consent form.

Students will adhere to the terms of the Use Policy implemented by the School District, which defines:
- appropriate use of the email accounts by students
- appropriate use of the students’ email addresses by faculty and administration
- specific purposes for which administrative access to the accounts will be used

Service: Office Web Apps. Create and edit Word, Excel, PowerPoint and OneNote documents using a web browser.

Accepted Use: <Districts need to identify accepted use of product>

Service: SharePoint Team sites. Share files and documents with classmates. Create team, study group or club sites. Up to 300 sub sites.

Accepted Use: SharePoint sites: Use of SharePoint for collaboration with classmates on school-related topics, including setting up team sites. Files are stored on <Districts need to specify file storage location>.

Service: Skype for Business. Instant Messaging, Peer-to-peer VoIP and video, Desktop sharing, audio-video conferencing.

Accepted Use: Instant Messaging (IM) only. <Districts need to specify data storage locations>

Service: Minecraft Education. The Education Edition with a code builder.

Accepted Use: Minecraft Education is an open-world game that promotes creativity, collaboration, and problem-solving in an immersive environment. This version adds features and controls for classrooms, specialty blocks and communication tools, and a tutorial for first-time educator use. <Districts need to specify data storage>


Microsoft 365 A3 Educational Components Summary

1. Collaboration & Learning
   a. Office Online: web-based document editing
   b. Office client applications: Word, Excel, PowerPoint, Outlook
   c. Email and calendar, Instant Messenger (IM), Persistent Chat, Yammer
   d. File and content management: file storage, sharing, information discovery, Groups, Planner
   e. Minecraft: Education Edition with Code Builder

2. Classroom Tools
   a. Microsoft Teams with classroom experiences, professional learning communities (PLC), and staff teams

3. OneNote Class Notebook, Sway

4. Inclusive classrooms
   a. Learning Tools, Accessibility Checker, Office Lens

5. Voice and Video
   a. Skype for Business

6. Compliance
   a. Legal Hold, eDiscovery search and export

7. Analytics
   a. Delve

8. Management & Security
   a. Intune for Education
   b. School Data Sync, Data Loss Prevention, Office 365 Rights Management
   c. Office 365 A3: Cloud App Security for Office 365, Skype Meeting Broadcast
   d. Enterprise Mobility Suite (EMS) A3: Intune for Education, Azure Active Directory P1, Azure Information Protection P1, Advanced Threat Analytics

3. Related Privacy Impact Assessments

This Microsoft 365 A3 PIA replaces the Office 365 PIA provided by the BC Government where some of the data was stored in the US Cloud.

ERAC has submitted a draft of this PIA to the Office of the Information & Privacy Commissioner for British Columbia (OIPC) and BC Ministry of Education.


4. Elements of Information or Data

This initiative involves the collection by the School District of: student name, (parent name where applicable) and School District for the purposes of setting up the Microsoft 365 A3 accounts. The School District will be collecting student emails (relating to educational purposes – i.e. only those addressed to faculty and staff, and those to other students for school and not personal purposes), and any records created in the collaborative application suite that are created for educational purposes.

MS365 A3 distinguishes between three types of data in the service:

• User data includes Exchange e-mail body and attachment data
• Address book data collected when a user account is created
• Usage data

All this data is owned directly by the School District, whose administrative resources have full control over the data in MS365 A3. Administrative access to the student mailbox content by School District staff and/or teachers will only be used for the purposes set out in the Use Policy, and will not fall outside of the following reasons for search:

• Technical maintenance
• In order to meet legal requirements to produce records
• Prevent misconduct/ensure compliance with the law (e.g. the School Act)

Use of or access to student data by Microsoft support resources is tightly controlled, based upon the data type and specific support situations. Such access is temporary and authorized under section 33.1(1)(p) of FIPPA.

No one at Microsoft has standing access to customer data. Each data center, regardless of the location, maintains industry standard certifications for security and privacy compliance, like ISO27001, ISO27018, SOC II, etc. The results of these audits are available to each customer within their Office 365 tenant through a tool called the Security and Compliance Center. For an overview of how Microsoft manages customer data see: https://www.microsoft.com/en-us/trustcenter/privacy/who-can-access-your-data-and-on-what-terms .


If personal information is involved in your initiative, please continue to the next page to complete your PIA.

If no personal information is involved, please submit Parts 1, 6, and 7 to your privacy office(r). They will guide you through the completion of your PIA.


Part 2 – Protection of Personal Information

Contractual Protections

Given the service provider relationship between Microsoft and the School District, the School District will be using its contract with Microsoft as one means through which the appropriate level of protection can be ensured for personal information. The Contract will reinforce Microsoft’s commitment by securing a promise from Microsoft to provide the technological and security safeguards for personal information, including at a minimum those set out in Microsoft policies and terms of use.

The implications of these contractual provisions will be:

o Confirmation that the School District owns all content;
o Confirmation that no personal information will be stored or accessed outside of Canada (unless otherwise noted in Section 1 and in the table in Section 5 of this PIA);
o School District content will be encrypted;
o The contract is governed by the laws of British Columbia and Canada;
o That the School District will, to the extent possible, be informed of any request for disclosure.

5. Storage or Access outside Canada

Student/Staff emails and/or files will be stored by Microsoft on servers in Toronto, Ontario and Quebec City, Quebec, Canada and in the USA, as indicated in the table below. The data will be managed through information and consent forms. Students and their parents will be made aware of the fact that those using (and consenting to the use of) Microsoft 365 A3 Educational services and agreeing to our District’s Use Policy may have their personal information disclosed to both authorized district and Microsoft staff for the purposes of correction, deletion or as required by law (i.e. court order).

| Component name | What it does | Where it stores data |
| --- | --- | --- |
| Azure Active Directory | Authorization / Authentication | USA |
| Exchange Online | Email | Canada |
| OneDrive | File storage | Canada |
| OneNote | Collaboration | Canada |
| Project Online | Project management | Canada |
| School Data Sync | School information system synchronization | USA |
| SharePoint | Collaboration | Canada |
| Skype for Business | Voice, video & Meetings | Canada |
| Yammer | Collaboration | USA |


6. Data-linking Initiative* - Not applicable for the use of MS365 A3 in this PIA.

In FIPPA, "data linking" and “data-linking initiative” are strictly defined. Answer the following questions to determine whether your initiative qualifies as a “data-linking initiative” under the Act. If you answer “yes” to all 3 questions, your initiative may be a data linking initiative and you must comply with specific requirements under the Act related to data-linking initiatives.

1. Personal information from one database is linked or combined with personal information from another database;

no

2. The purpose for the linkage is different from those for which the personal information in each database was originally obtained or compiled;

no

3. The data linking is occurring between either (1) two or more public bodies or (2) one or more public bodies and one or more agencies.

no

If you have answered “yes” to all three questions, please contact your privacy office(r) to discuss the requirements of a data-linking initiative.

7. Common or Integrated Program or Activity* - Not applicable for the Office 365 in this PIA.

In FIPPA, “common or integrated program or activity” is strictly defined. Answer the following questions to determine whether your initiative qualifies as “a common or integrated program or activity” under the Act. If you answer “yes” to all 3 of these questions, you must comply with requirements under the Act for common or integrated programs and activities.

1. This initiative involves a program or activity that provides a service (or services);

no

2. Those services are provided through: (a) a public body and at least one other public body or agency working collaboratively to provide that service; or (b) one public body working on behalf of one or more other public bodies or agencies;

no

3. The common or integrated program/activity is confirmed by written documentation that meets the requirements set out in the FIPPA regulation.

no

Please check this box if this program involves a common or integrated program or activity based on your answers to the three questions above.

8. Personal Information Flow Diagram and/or Personal Information Flow Table


The diagram below illustrates the flow of information between the School District and Microsoft’s MS365 A3 services:

• School District enters into the 3-year Provincial Microsoft Licensing Agreement, running April 1, 2018 – March 31, 2021, for the provision of MS365 A3 for student and staff onsite use.

• The District then completes a PIA pertaining to the use of the MS365 A3 service for student and staff use, to go forward with this initiative provided that the implementation follows all of the attached provisions in the Appendix D checklist (Confirmation List for Microsoft 365 A3).

• Students or their parent or guardian, where applicable, provide to the School District their signed informed consent (see Appendix B) for their information to be disclosed and stored in the Microsoft 365 Canadian Cloud. Our School District will create and activate the email accounts for our users.

Note: Examples can be removed, and additional lines can be added as needed.


Personal Information Flow Table

| Description/Purpose | Type | FIPPA Authority |
| --- | --- | --- |
| 1. School District enters into agreement with Microsoft. | No PI Collection | N/A 26(c) |
| 2. School District collects consent from student or parent. | Collection | 26(c) |
| 3. School District creates student accounts. | Collection & Use | 26(c) and 32(a) |
| 4. Students create messages and other works and store emails and files on Microsoft servers in connection with instructional activities. | Use | 32(a) |
| 5. Student emails capture personal information of other students. | Collection | 27(1)(a)(i) |
| 6. Information is collected from students during their years in our schools for the purposes of providing educational services. | Collection | 26(c) |
| 7. Information is used by educators, counsellors, administrative staff, and other professionals in the school system for the purposes for which the information was collected, or for a purpose that is consistent with the original purpose. | Use | 32(a) |
| 8. Information may be disclosed if the head of the public body determines that compelling circumstances exist that would affect anyone’s health or safety. | Disclosure | 33.1(1)(m) |
| 9. Information in the Microsoft 365 A3 system can be disclosed to Microsoft (Canada) in order to install, implement, maintain, repair, troubleshoot or upgrade the system. | Disclosure | 33.1(1)(p) |
| 10. Information in the Microsoft 365 A3 system may be accessed and viewed by staff when travelling temporarily outside of Canada. | Storage & Access | 33.1(1)(e) |


9. Risk Mitigation

Student emails and/or files will be stored on servers as indicated in the table in section 5 of this PIA. This use and storage, as well as the storage of such information in the cloud, will be managed through locally created information and consent forms. Students and their parents will be made aware of the fact that those using (and consenting to the use of) MS365 A3 will have their personal information stored on servers as indicated in the table in section 5 of this PIA.

There is a risk that students will use their school email addresses for personal reasons. This may lead to personal information being voluntarily transmitted by a student outside of Canada, such as where a student is an international student and is corresponding with family or friends outside of Canada. Students will be instructed in the consent, the Use Policy and by personnel not to use their email account for these purposes. This is an inherent risk to the personal use of public body resources, but this risk will be managed by notification and supervision. This will also be addressed in the terms of the consent.

Our District retains student email content for <XX> years. <Districts to identify and enter their retention schedule, specifying length of time and conditions under which this data is retained.>

To ensure that School District faculty and administration are not exposed to any risk that their personal information will be collected or transmitted through the students’ MS365 A3 email accounts, they will be instructed through the Use Policy to only use student emails for educational or school purposes and not to include any personal information in those emails.

Risk Mitigation Table

| Risk | Mitigation Strategy | Likelihood | Impact |
| --- | --- | --- | --- |
| 1. Student and staff emails and/or files stored on Canadian Cloud. | Letter provided to parents; signed consent forms required local. | High | Low |
| 2. Students use email address for personal reasons, potentially exposing 3rd party information. | District Use Policy covering intended and acceptable use of the services; training for students. Disclosure in consent. | Low | Low |
| 3. SD staff and faculty communicate with students via student email accounts; risk of their personal information contained in student emails. | District Use Policy contains instructions to faculty and staff on appropriate content when using this method of communication with students; training for faculty and staff. | Low | High |
| 4. Inappropriate exposure of personal information could result in a breach. | District Use policy; training; incident management process. | Low | High |
| 5. Exposure to personal information due to ExpressRoute, which sends traffic through the USA in all cases, impacting Exchange, SharePoint, and other O365 and Azure components. | The School District will use a Controlled – Distributed Information, Exchange Online Connectivity Workaround for Canada Go Local to obtain a direct inbound connection to the endpoint location in Ontario without data travelling outside of Canada, instead of following the default path to the closest & most optimal endpoint via normal connection routing behavior. A more direct approach is accomplished with targeted Exchange Online endpoints which exist in the Canadian Data Centers. The implementation is accomplished by specific mappings of our local DNS on our network to those provided by Microsoft. | Low | High |
| 6. Unauthorized individuals (including students) gain access to the system. | All authorized users are issued individual accounts by the District and receive training regarding appropriate use. Passwords must have a degree of complexity that is compliant with provincial requirements. Sessions terminate automatically after <xx> minutes of inactivity. | Medium | High |
| 7. Vendor could change terms of use of the service. | School District terms of use are set for 3 years. | Low | Low |

10. Collection Notice

Collection notice is included on the consent form.

“Any personal information collected by the School District in connection with Microsoft programs will be collected by the School District for the above noted purposes under the authority of s.26(c) of the Freedom of Information and Protection of Privacy Act (FIPPA) and the School Act. Personal information may also be accessed, exchanged or collected to facilitate interactions between students (such as videos containing images of other students) for the purposes of collaboration on an educational project under the authority of the School Act and s.27 of FIPPA. If you have any questions about this collection, please contact <List the title, District’s business address, business phone and person that can speak to this PIA>.”

Please see sample consent form in Appendix B.


Part 3 – Security of Personal Information

11. Description of the physical security measures related to the initiative.

Microsoft

Microsoft indicates that physical access to the MS365 A3 and Microsoft Dynamics CRM Online data centers is controlled by a two-tier authentication, including proxy card access readers (card access badge required) and hand geometry biometric readers.

On a quarterly basis, the Microsoft Security Officer sends reports to the authorized Microsoft personnel with authority to approve data center access. The reports contain the list of persons who currently have access to the data centers. The authorized personnel audit the list to ensure all persons still require access and have the least privileged access level necessary to perform their job function.

School District

<Describe the additional physical security measures used in the School District to protect the computers and network.>

12. Description of the technical security measures related to the initiative.

Microsoft

All Microsoft 365 A3 and Microsoft Dynamics CRM Online personnel are accountable for their handling of user data. All access to MS365 A3 and Microsoft Dynamics CRM Online data by Microsoft personnel can be tracked and traced to the specific user.

Accountability is enforced by Microsoft through a set of system controls, including the use of unique user names, data access controls, and auditing. Unlike generic user names such as "Guest" or "Administrator," unique user names are used to enforce accountability by linking user actions to a specific person (referred to as "binding"). Two-factor authentication, such as smart card logins using digital certificates or RSA tokens, is also used to further strengthen this binding.

Microsoft enforces role-based access and applies strict controls over which personnel roles and personnel will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via Role-Based Access Control (RBAC). Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training, and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access.

School District

Under the guidance of Microsoft, our School District will use the Controlled – Distributed Information, Exchange Online Connectivity Workaround for Canada Go Local to obtain a direct inbound connection to the endpoint location in Ontario without data travelling outside of Canada. <Each School District needs to set up their own technical controls and can obtain the appropriate documentation from Microsoft distributed under the Microsoft Non-Disclosure Agreement (NDA).>

<Describe any additional technical security measures used in the School District to protect the computers and network i.e. encryption, passwords etc.>

13. Describe District Security Policies and provide contact details for someone who could answer further questions regarding these policies and procedures.

<School Districts must identify their policies and contact name (Please also add to the checklist in Appendix D). In addition, please note Microsoft’s Online Services Information Security Policy is available by contacting Microsoft’s Chief Information Security Officer.>


14. Access controls and/or ways in which you will limit or restrict unauthorized changes (such as additions or deletions) to personal information.

Administrators in the School Districts have full control over the data in MS365 A3. This is for the purposes of account setup and deletion. Access to or search of the account content (student and staff emails and files) by School District Administrators and Microsoft would only occur for the following purposes:

• For technical maintenance. Such access by Microsoft is authorized under section 33.1(1)(p) of FIPPA.
• In order to meet legal requirements to produce records under Canadian law. Such access and disclosure are authorized under section 33.1(1)(t) of FIPPA.
• Prevent misconduct/ensure compliance with the law (e.g. the School Act) in accordance with section 33.2(a) of FIPPA.

No changes to personal information contained in the emails or files will occur except by the students or staff themselves within their own accounts.

Microsoft Privacy Statement: May 1, 2018 at the writing of this document. <School Districts need to confirm the date as policies are refreshed periodically.>

https://privacy.microsoft.com/en-us/privacystatement

The following Microsoft privacy statement explains what personal data Microsoft collects from users, through their interactions with users and through their products, and how they use that data.

o Microsoft collects data to operate effectively and provide you the best experiences with their products. You provide some of this data directly, such as when you create a Microsoft account or administer your organization’s licensing account.

o Windows is a personalized computing environment that enables you to seamlessly roam and access services, preferences and content across your computing devices. Rather than residing as a static software program on your device, key components of Windows are cloud-based, and both cloud and local elements of Windows are updated regularly, providing you with the latest improvements and features.

o Microsoft uses the data they collect to operate their business and provide you the products they offer, which includes using data to improve their products and personalize your experiences. They also may use the data to communicate with you, for example, informing you about your account, security updates and product information. Microsoft does not use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files to target ads to you.

o Microsoft products that are intended for use by your organization and are administered to you by your organization may be subject to your organization's policies, if any. If your organization is administering your use of the Microsoft products, please direct your privacy inquiries to your administrator.


o The Enterprise and Developer Products enable you to purchase, subscribe to or use other products and online services from Microsoft or third parties with different privacy practices, and those other products and online services will be governed by their respective privacy statements and policies.

Microsoft Services Agreement: https://www.microsoft.com/en-us/servicesagreement/

15. Description on how you track and who has access to the personal information.

Statements issued by Microsoft indicate that its information security procedures around audits and controls are based upon the ISO 27001 standards and are documented in the Standard Response Document at http://www.microsoft.com/en-us/download/details.aspx?id=26647 (click “Download” button, then select document named “StandardResponsetoRequestforInformationWindowsAzureSecurityPrivacy.docx”).

All Microsoft employees and contractor staff represent that they have reviewed, and agree to adhere to, all policies within the Information Security Policy documents.

Microsoft has implemented and will maintain reasonable and appropriate technical and organizational measures, internal controls, and information security routines intended to help protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. Each year, Microsoft undergoes third-party audits to validate that they have independent attestation of compliance with their policies and procedures for security, privacy, continuity and compliance.

All Microsoft employees and subcontractors with access to customer data are subject to the same access controls and security checks. This includes background checks, lockbox usage, and user roles and IDs. All employees and subcontractors are required to follow applicable intellectual property laws. Subcontractors who must have access to customer content are required to join the Microsoft Vendor Privacy Assurance Program and to meet Microsoft's privacy requirements by contract.

Access to all Microsoft buildings is controlled, and access is restricted to those with card reader access (swiping an authorized ID badge at the card reader) or biometrics for entry into datacenters.

In the School Districts, administrator access will be limited to specific selected staff and tightly controlled through an approval process. Access to the data will be tracked, and activity will be monitored by review of log files. Access to individual mailboxes by non-owners of the mailboxes will be logged. With this feature, individuals can run a non-owner mailbox access report. See Appendix D.


Part 4 – Accuracy/Correction/Retention of Personal Information

16. How is an individual’s information updated or corrected? If information is not updated or corrected (for physical, procedural or other reasons) please explain how it will be annotated? If personal information will be disclosed to others, how will the public body notify them of the update, correction or annotation?

Students will have access to their own personal information and may correct it or update it themselves. Where this is not possible, students will be directed to system administrators.

17. Does this initiative use personal information to make decisions that directly affect an individual(s)?

Yes. Student grades are issued based on personal information that is created using MS365 A3.

18. If you answered “yes” to question 17, please explain the efforts that will be made to ensure that the personal information is accurate and complete.

This initiative will not result in the collection of any new personal information, but instead involves the use of a different tool for the collection, creation and sharing of student work. Regular policies and practices in place at the school district concerning the completeness and accuracy of personal information continue to apply.

Further, the School District has identified a contact person within the School District who is responsible for providing access to, ensuring accuracy and completeness of, and making requested corrections to personal information held within the MS365 A3 program. Where corrections cannot or will not be made, this contact will annotate the records containing the information.

19. If you answered “yes” to question 17, do you have a records retention and/or disposition schedule that will ensure that personal information is kept for at least one year after it is used in making a decision directly affecting an individual?

The School District will retain all information used to make decisions about students for at least one year. The School District will agree and sign-off on this term to make use of this PIA.


Part 5 – Further Information

20. Does the initiative involve systematic disclosures of personal information? If yes, please explain.

- Not applicable if used in the context of this PIA. Proceed to number 22.

<For example: not applicable if your department does not have a regular exchange of personal information (both collection and disclosure) with the federal government to provide services to your staff and students.>

Please check this box if the related Information Sharing Agreement (ISA) is attached. If you require assistance completing an ISA, please contact your privacy office(r).

21. Does the program involve access to personally identifiable information for research or statistical purposes? If yes, please explain.

- Not applicable if used in the context of this PIA. Proceed to number 22.

<For example: your public body will not disclose information to PhD students so that they can conduct research.>

Please check this box if the related Research Agreement (RA) is attached. If you require assistance completing an RA please contact your privacy office(r).

22. Will a personal information bank (PIB) result from this initiative? If yes, please list the legislatively required descriptors listed in section 69 (6) of FIPPA. Under this same section, this information is required to be published in a public directory.

The creation of individualized student email accounts may constitute a personal information bank within the meaning of section 69 of the Act, and reference to it will be included in the School District Personal Information Directory.

Title: Student Email Account
Description: Student work product and related communications.
Location: Local School District servers and Microsoft servers in Ontario and Quebec
Authority: Section 26(a) and the School Act
Purposes: Educational and student assessment
Authorized Users: Educators, school administrators and School District technical staff


Please ensure Parts 6 and 7 are attached to your submitted PIA.


Part 6 – Privacy Office(r) Comments

This PIA is based on a review of the material provided to the Privacy Office(r) as of the date below. If, in future, any substantive changes are made to the scope of this PIA, the school district will complete a PIA Update and submit it to the Privacy Office(r).

<Please add any additional relevant information that you deem important to the completion of this PIA>

A final copy of this PIA (with all signatures) must be kept on record.


Part 7 – Program Area Signatures

Program/Department Manager Signature Date

Contact Responsible for Systems Maintenance and/or Security (Signature not required unless they have been involved in this PIA.)

Signature Date

Head of School District, or designate Signature Date

Privacy Officer/Privacy Office Representative

Signature Date

If you have any questions, please contact your school district’s privacy office(r) or call the OCIO’s Privacy and Access Helpline at 250 356 1851.


APPENDIX A – Letter of Intent

Date [Homeroom Teacher Name]

Re: Student Access to Microsoft Services

To: Parents/Guardians [Student First Name] [Student Last Name]

It is an exciting time for teaching and learning in our School District as we pursue our goal of helping all students to develop the skills to become learners, thinkers, innovators, collaborators and contributors. These are the attributes of our School District learner that we have determined as being necessary for success in the 21st century.

As we pursue our educational goals, we recognize the importance of creating 21st century learning competencies in an environment that provides tools for students that are relevant to their daily lives. To that end, we are entering into a Provincial Microsoft Licensing Agreement to deliver to our students and staff the Microsoft 365 Education A3 solution which will give all users access to a full suite of online hosted, web-based software.

As a result, the School District’s Learning Technology Department has been working to create a digital collaboration system that will connect students, parents and teachers. This system will provide access to educational programming and learning resources anytime, anywhere in a safe and secure web-based environment.

While recognizing the benefits of supporting digital literacy in learning environments, we must also be aware of the potential impacts of sharing digital information online and the necessity to protect our students’ personal information regardless of where it is stored or accessed. On the reverse of this letter you will find a consent form that will allow your student to gain access to this system which includes student e-mail. While this is not an educational requirement for your student, we hope that you will see the value in providing these tools for your son/daughter. If you choose to grant permission, please sign the consent form and return it to the school. Your student’s classroom teacher will then provide further instructions on how to access the new collaboration system. If you have further questions, please do not hesitate to contact me using the information listed below.

Sincerely,

Name:
Director of Instruction K – 12
Email Address:
Phone Number:


APPENDIX B – Sample Consent Form

<Please put on your District’s letterhead and edit to personalize as needed.>

Page 1

School District <##> provides students in Grades < X – Y> with a district email account as well as <##> gigabytes of online file storage space for educational communication and class assignment storage purposes. Each student will have their own secure login and password to access their email and files. The School District will ensure that personally identifiable information (such as phone number or thumbnail photos) is not synced to the Azure Active Directory Premium data storage in the USA, that permits a single sign-on user experience. The creation and use of student email accounts involves a collection and use of personal information authorized by the School Act and section 26 of the Freedom of Information and Protection of Privacy Act. These tools may be used by educators to facilitate classroom instruction and student evaluation and they may also be used by students to collaborate on school work (such as videos containing images of other students). If you have any questions about the collection or use of student information using these tools, please contact <title, business address, business phone number>.

Microsoft stores data at rest for the MS365 A3 services for School District staff, teachers and students as indicated in the table below. A student’s account data (such as name, email address, grade level, and school name) and a student’s usage data (such as student emails and documents, calendar information, and any records created in the collaborative application suite) will not be accessible outside of Canada, except in very limited circumstances such as to allow Microsoft to troubleshoot technical issues, when staff are temporarily travelling outside of Canada and require access to information or when students voluntarily send email messages to individuals outside of Canada. The School District is also making efforts to instruct students about limiting the amount of personal information that they use and exchange using these services. While stored inside the country, information in your child’s Microsoft 365 A3 account is subject to Canadian personal information protection laws. The School District is providing students with instruction on the appropriate use of technology as per our District’s Use Policy.


Component name | What it does | Where it stores data
Azure Active Directory | Authorization / Authentication | USA
Exchange Online | Email | Canada
OneDrive | File storage | Canada
OneNote | Collaboration | Canada
Project Online | Project management | Canada
School Data Sync | School information system synchronization | USA
SharePoint | Collaboration | Canada
Skype for Business | Voice, video & Meetings | Canada
Yammer | Collaboration | USA

Page 2

Consent:

I understand that my (if student is signing) information or my child’s (if parent is signing) information in the Microsoft 365 A3 Account may be collected, used and disclosed for the purposes outlined above. I also understand and agree that my (if student is signing) information or my child’s (if parent is signing) information can be collected, used and shared through this application by other students for the purposes of group work, collaboration, and similar activities. This consent will be considered valid from the date at which it is signed until one year after the point at which the student named below is no longer a student within the School District. I also hereby acknowledge that I have read and understood the School District’s Policy on the Use of Microsoft 365 A3 (Use Policy).

Name of student or, if applicable, parent or guardian: _____________________________________

Signature of student or, if applicable, parent or guardian: ___________________________________

Date Signed (YYYY/MM/DD): __________________________________

This form must be returned, signed and dated, before a District Microsoft 365 Education A3 account can be activated for the student named below.

Note: Parents cannot consent on behalf of any student that is of capable mind and maturity to consent for themselves. In addition, students for whom consent is not provided will have access to an alternative resource.

Student Details: __________________________________

Student First Name: __________________________ Student Last Name:___________________________

Grade: ____________________________ Student School: ______________________________


APPENDIX C – Consent Respecting Personal Information

<For School Districts not using the consent form in Appendix B, their consent form must meet the requirements of the following sections of the FIPPA Regulation.>

11 (1) For the purposes of section 26 (d), 30.1 (a), 32 (b) and 33.1 (1) (b) of the Act, consent must

(a) be in writing, and

(b) be done in a manner that specifies

(i) the personal information for which the individual is providing consent, and

(ii) the date on which the consent is effective and, if applicable, the date on which the consent expires.

(2) In addition to the requirements of subsection (1) of this section, for the purposes of [...]

(d) section 33.1 (1) (b) of the Act, consent must be done in a manner that specifies

(i) to whom the personal information may be disclosed,

(ii) if practicable, the jurisdiction to which the personal information may be disclosed, and

(iii) the purpose of the disclosure of the personal information.

(3) Subject to subsection (4), a consent under section 33.1 (1) (b) of the Act that was given before the date this regulation comes into force and is still effective on the date this regulation comes into force, continues to be effective in accordance with its terms.

(4) Unless a consent described in subsection (3) complies with the requirements set out in subsections (1) and (2) (d) within one year after the date this regulation comes into force, the consent ceases to be effective on the date that is one year after the date this regulation comes into force.


APPENDIX D

Checklist and Confirmation List for Implementing Microsoft 365 Education A3 (MS365 A3)

School District: ____________________________________________________________________________

School District’s Microsoft 365 A3 Administrator: _________________________________________________

Email: _____________________________________________ Go-Live Date: _________________________

This checklist is completed to determine if our School District meets the criteria set out in this PIA. If our School District implementation does not meet the criteria of this checklist you will have to complete a PIA, in accordance with section 69(5.3) of the Freedom of Information and Protection of Privacy Act.

For the purposes of this Appendix, “Use Policy” has the same meaning as that established in the PIA – the School District’s Use Policy on the Use of Microsoft 365 A3.

Please enter an “X” under the appropriate answer to the following questions:

Yes / No

Notification and Consent

A “Collection Notice”, meeting the requirements of section 27(2) of the Freedom of Information and Protection of Privacy Act has been provided to students/parents, either via the consent form or the letter of intent.

A signed consent form has been secured from all parents/students, and the consent form meets the requirements of section 11 of the Freedom of Information and Protection of Privacy Regulation.

Consent will be secured from students where they can exercise this right, and guardians (i.e. parents) will consent for students when they are incapable of exercising this right, pursuant to section 3 of the Freedom of Information and Protection of Privacy Regulation.

Students are not obliged to take part in the M 365 A3 program, and alternative measures are provided in all instances where an M 365 A3 interaction is requested of students.

Use

The School District has created a new, or implemented an existing Use Policy for students, which dictates what constitutes (or contradicts) “appropriate use” of the application. The Use Policy also very clearly outlines any monitoring that may take place, or any instances in which a Microsoft 365 A3 account would be suspended or revoked.

The School District will ensure that the Use Policy is widely distributed, and that parents, students, faculty and administration are educated about, and understand, the contents of the Use Policy. The Use Policy should be provided with consent forms.

Disclosure

Only the names and School Districts of those students who have signed consent forms (or, where applicable, a parent has signed a consent form) will be disclosed to Microsoft for the purposes of the Microsoft 365 A3 Program.

Access, Accuracy, Correction and Annotation (see section VI of this PIA)

The School District has identified a contact person within the School District who is responsible for providing access to, ensuring accuracy and completeness of, and making requested corrections to personal information held within the Microsoft 365 A3 program. Where corrections cannot or will not be made, this contact will annotate the records containing the information.

School District Contact: _________________________________


Security (see section VII of this PIA)

The School District has identified a contact person within the School District who is responsible for maintaining the security of the personal information held in the Microsoft 365 A3 system.

School District contact: __________________________________

Audit Logging (New Recommendation)

Audit logging of non-owner access to accounts is enabled.

Monitoring

Student email accounts will only be searched, seized, monitored, suspended, or revoked in accordance with the Use Policy established by the School District.

Content of student account will only be searched for one of the following reasons:

o technical maintenance
o in order to meet legal requirements to produce
o prevent misconduct/ensure compliance with the law (e.g. the School Act)

Records Management

A records retention and disposition schedule has been created by the District. All records used to make a decision about an individual must be kept for at least one year as noted in Section 31 of FIPPA. The records disposition schedule, although not a PIA requirement, falls under the responsibility of the Chief Records Officer, BC Government, who is required to follow the new legislation for Records Management as of May 10, 2016.

Privacy Management Program (New Recommendation)

I acknowledge the Ministry of Education’s recommendation that a privacy management program be implemented within my school district, and further acknowledge that I am aware of the resources that are available to me to support this recommendation. Namely, the OIPC’s Accountable Privacy Management in BC’s Public Sector and the BC Government’s Privacy Management and Accountability Policy.

Scope

I understand the information and analysis in this PIA is limited to the interaction between Office 365 and the requirements set out in the FIPPA. It is the responsibility of our School District to review Microsoft’s Terms of Use/General Services Agreement. We have reviewed and complied with all obligations created by other legislation and policy, including but not limited to legal review of, and approvals for indemnities created by, Microsoft’s Terms of Use/General Services Agreement.

I understand that as the School District’s service provider, Microsoft is considered a public body employee under the Freedom of Information and Protection of Privacy Act, and strictly within the scope of offering this service to the School District is thus bound by the same restrictions and requirements.

If you have answered ‘No’ to any of the above questions, a separate PIA will need to be completed before your Microsoft 365 A3 Program can be launched.

Checklist Completed By (Please Print): ________________________________________ Signature: _______________________

Name of School District’s PIA Signatory (Please Print): ____________________________________________________

Signature: _____________________________________________ Date (YYYY-MM-DD): __________________________
