
This generic Privacy Impact Assessment (PIA) template and its contents are intended to be used and modified by authorized members. Non-members should obtain written consent for any use or modifications of this document. Also, remove this page from the final, completed version of your PIA.

Privacy Impact Assessment for [Microsoft 365 Education A3]

PIA# [assigned by your privacy office(r)]

Note to Districts:

Instructions within RED text in this document should be removed from the final version of your District’s PIA and the GREEN text throughout the document should be replaced with information specific to your district.

Your school district has chosen to implement Microsoft 365 Education A3. Completing this Privacy Impact Assessment will help your district ensure compliance with the Freedom of Information and Protection of Privacy Act (FIPPA) and your school district’s relevant Use Policy. It will also provide documentation on your school district’s transparency processes when introducing new programs or services that may involve the collection, use and disclosure of personal information. With heightened sensitivity about personal information, this PIA demonstrates to all stakeholders the due diligence that is applied to new services and initiatives within the school district.

To assist with the deployment of these services, this PIA has been partially completed. Review and edit this document carefully to ensure it accurately reflects the intent and scope of your initiative. Areas where information from your district is required are indicated in the template. It is your district’s responsibility to ensure that all information in this PIA is accurate and complete.

Please note: This document does not constitute legal advice to any person. The comments and opinions expressed in this document are to help illustrate the content needed to complete a School/District PIA. This information does not constitute Focused Education or OIPC approval of the initiative being consulted on or fetter the Commissioner’s discretion should the initiative later be the subject of a complaint or investigation. It remains the responsibility of the school districts to ensure that they comply with their duties and obligations under applicable laws and are compliant with the Freedom of Information and Protection of Privacy Act.


Enquiry BC: Privacy and Access Helpline. Victoria: 250-356-1851; Vancouver: 604-660-2421; elsewhere in BC, toll-free: 1 800-663-7867.


Why complete a PIA?

A PIA is a tool to help Schools/Districts ensure compliance with applicable privacy legislation. This document helps mitigate and evaluate many of the unintended risks and consequences that can develop as a result of not anticipating multiple perspectives and circumstances with a new system or project. As part of the process, schools/districts are taking the appropriate steps to ensure that parents, students and educators understand what measures are taken with regards to the safety and security of personal information and the importance of informed consent.

Section 69 (5.3) of the Freedom of Information and Protection of Privacy Act (FIPPA) requires the head of a public body to conduct a privacy impact assessment (PIA) in accordance with the directions of the minister responsible for FIPPA.

School/District staff need to contact the privacy office(r) or PIA Drafter at their School/District to determine internal policies for review and sign-off of a Privacy Impact Assessment. Staff may submit PIAs to their Superintendent of Schools for consideration. If you have any questions about this PIA template or FIPPA in general, you may contact the designated PIA Drafter as noted in this document or call the provincial Privacy and Access Helpline at Enquiry BC as noted below. Completed PIAs must be retained in a secure location at the School/District for the purposes of a Privacy Commissioner’s Audit.

Note: This process can help identify and reduce many of the unintended risks and consequences that may potentially jeopardize student and educator privacy and security.

What if the initiative does not include personal information?

Best practices indicate that Schools/Districts may want to complete Part 1 of the PIA (Questions 1-4) and submit it along with the signature pages to their privacy office(r) for safekeeping even if it is thought that no personal information is involved. This process ensures that the initiative has been accurately assessed to meet the requirements of FIPPA while helping districts communicate, monitor, and educate staff about new initiatives.

Note: The definition of personal information is: Recorded information about an identifiable individual other than contact information.

The following examples are a non-exhaustive list of personal information:

Name, address, email address or telephone number;

Age, sex, religious beliefs, sexual orientation, marital or family status, blood type;

Information about an individual’s health care history, including a physical or mental disability;

Information about an individual’s education, financial, criminal or employment history;

Social Insurance Number (SIN) and Personal Education Number (PEN); and

Personal views, opinions, religious or political beliefs or associations.


Part 1 – General

Name of District: <Name> Board of Education – SD <##>
PIA Drafter: <Name, Title of School District Contact>
Email: <Email of School District Contact> Phone: <Number of SD Contact>
Program Manager: <Name, Title of initiative contact, if different from PIA Drafter>
Email: <Alternate to the above> Phone: <Alternate to the above>

<As this is a generic PIA template, each school district should review and customize the contents to accurately describe the configuration and use of Microsoft 365 Education A3 within your district.>

<Please do not remove any parts of the PIA. Where a section does not apply, enter “Not Applicable.”>

1. Description of the Initiative

School District ## and name has selected Microsoft 365 Education A3 (MS365 A3) for use in our district. The Microsoft 365 A3 suite is a super-set of Office 365 A3 which includes additional applications and services that support collaboration, communication, productivity, file storage and other tasks within the education realm.

The School District is conducting this Privacy Impact Assessment (PIA) to ensure these services are used in a way that is compliant with the Freedom of Information and Protection of Privacy Act (FIPPA).

MS365 A3 is available to the School District through a group purchasing program offered by Educational Resource Acquisition Consortium or ERAC (now Focused Education Resources Society). The organization has entered into a Provincial Microsoft Licensing (PML) Agreement with Microsoft to deliver to their members MS365 A3 which will give all participants access to a full suite of Microsoft online hosted, web-based software solutions and/or the option to use components on-premises where applicable.

Microsoft is offering school districts an option to use MS365 A3 in three different ways:

As a web-based version which includes cloud-based services.

As an on-premise version which is installed on devices locally and backed up on secure school district servers.

As a hybrid configuration using both cloud-based and on-premise versions of applications.

The PML provides for a 3-year Commitment to Participate for a term commencing April 1, 2018 and ending March 31, 2021. Volume licensing with Microsoft will be arranged through a channel partner, Softchoice, a Vancouver-based company. Softchoice does not have access to any data or personal information created or stored through Microsoft products and its participation is not the subject of further comment in this PIA.

Overview of Services

<It is the district’s responsibility to assess all components it intends to deploy and customize this template to reflect its specific circumstances and configuration.>

In addition to MS Exchange email accounts and Office applications (Outlook, Word, Excel, PowerPoint, OneNote, Publisher and Access), our district will use the MS365 A3 components listed below. A full list of components included in Microsoft 365 A3 can be found here: https://bcerac.ca/wp-content/uploads/2018/10/Discover-Microsoft-365-Education.pdf

Azure Active Directory Premium 1 (AADP) is a cloud-based identity platform that authenticates users through a single sign-on system. AADP supports MS365 A3 by providing an identity and access management service. AADP adds reporting and access functionality to Azure AD Basic. Our School District will ensure that personally identifiable information (such as thumbnail photos or phone numbers) is not synced to AADP. Further details and instructions on managing personal data within Azure Active Directory Premium are included in Appendix C.

Azure Information Protection is an encryption service for documents and e-mail within SharePoint/OneDrive and Exchange Online. The data resides within the country where those respective services store data at rest.

Bookings is a scheduling application that can be used to create appointments, send reminders, update or cancel appointments and book events. Data created within Bookings may include: names, phone numbers, email addresses, addresses and notes related to specific appointments. All content created in Bookings is stored within the school district’s Exchange Online mailbox.

Delve is a search and analytics function that allows users to find information available through their Office 365 applications, for example, shared documents within Word or Excel. Delve also provides individual analytics for users that could include time spent using email during a specific week, or the number of documents opened.

Forms is an online tool that can be used to create digital surveys, polls, forms and quizzes.

Flow is a cloud-based software that allows users to create and automate workflows and tasks across multiple applications and services. For example, Flow could be used to automatically save any Outlook email attachments to a user’s OneDrive. Administrators can use Microsoft’s data loss prevention functionality to control which services can share data within their Microsoft Flow deployment. This can prevent internal applications like SharePoint or OneDrive from interacting with external services like social media sites.

Microsoft indicates that Flow environments can be created in different regions and are bound to that geographic location. If an environment is created within the Canadian region, flows (i.e. automated workflows) that are created in that environment are routed to all datacenters in Canada. More information: https://docs.microsoft.com/en-ca/flow/environments-overview-admin

Minecraft Education Edition is a sandbox video game that allows players to build with a variety of different cubes in a 3D procedurally generated world. Other activities in the game include exploration, resource gathering, crafting, and combat. Minecraft Education Edition has no cloud components and is a game that runs on school district servers and network; play takes place PC-to-PC within the school district.

Office 365 Cloud App Security is a tool that gives users insight into suspicious activity in Office 365 so that situations can be investigated and, if needed, action taken to address security issues. It provides a set of security reports and alerts that act upon the Office 365 Audit log data, which resides within the customer’s tenant in Canada.

OneDrive is a file hosting, synchronization and sharing service. Documents created with Office 365 applications can be directly uploaded to OneDrive.

School Data Sync can be used to manage classes and can be set up to pull information from a school’s Student Information System (SIS) to create groups and classes within Microsoft Teams, Intune for Education, and other applications.

SharePoint is a web-based collaborative platform that can be used to create sites for storing and sharing documents and information.

Skype for Business is a communication tool that can be used for web conferencing, online meetings, instant messaging, screen sharing and collaboration. Skype Meeting Broadcast is a feature of Skype for Business Online and Office 365 that enables users to schedule, produce and broadcast meetings for events to online audiences outside of the school district (e.g. French symposium between classes across Canada; virtual field trips with museums, Vancouver Art Gallery, Aquarium, Science World, etc.).

Stream is an enterprise video service that allows users to upload, view, organize and share videos securely.

Sway is used to create interactive presentations and reports that can be quickly shared with anyone online. Images, videos and text are combined to create visual presentations that are optimized for touch screen and mobile displays.

Teams is a collaboration tool that provides a shared workspace where users can chat, meet, share files and work together.

Yammer is a private and secure enterprise social network that allows users to connect with other users (including outside organizations) to share information, collaborate, make group decisions and have discussions. Private messages, which are not shared publicly or posted to a Yammer group, can also be sent to one or many other Yammer users. All users with Office 365 accounts will have access to Yammer.

Microsoft Intune (formerly known as Windows Intune) is a cloud-based desktop and mobile device management tool that helps organizations provide their users with access to corporate applications, data, and resources from the device of their choice. This application utilizes access controls from Azure Active Directory and helps to secure school district data.


If using Intune, our School District will ensure no personally identifiable data is contained in the device registration or for activities that may be performed on that device.

Microsoft indicates that Intune collects data to provide and troubleshoot the service. This data includes device names, Intune administrator contact data, hardware information (device name, manufacturer, OS, serial number, etc.), and application inventory (app name, version, install location, etc.). Intune does not collect information specific to user activities such as phone logs, contacts, email, calendar information, documents, text, SMS messages, video/photos, GPS information, or web browsing history.

MS365 A3 also provides productivity server licenses and client access licenses for Exchange, SharePoint, Skype for Business, etc.

Cloud versions of MS365 A3 applications and services will be used in our School District with the following exceptions, which will be deployed on premises:

List applications that will be deployed on premises

Microsoft 365 A3 will provide: <Districts to ensure the following configuration description is accurate and customize as needed>

100GB mailboxes and unlimited archive mailboxes, if configured;

1 terabyte (TB), which is 1,024 gigabytes (GB), of OneDrive file storage per user;

SharePoint Online shared storage of 1TB; plus, 10GB per user license within the tenant.

Based on this PIA, a checklist is included in Appendix B that will serve as a means for our School District to ensure that our use of MS365 A3 meets the requirements set out in FIPPA.

2. Scope of this PIA

This privacy impact assessment (PIA) addresses the provision of Microsoft 365 A3 to users across the School District as detailed below, and our school district’s responsibilities for the use of the MS365 A3 applications, including its responsibilities for ensuring data security, authorized access and data residency controls, and how they are established and managed.

Other applications offered by Microsoft may be added in the future; however, these do not fall within the scope of this PIA at the time of writing (January 2020). A separate or updated PIA would be completed by the School District before any changes or enhancements to the current Microsoft use would be considered for implementation.

Note: The Microsoft Home Use Program (HUP) for personal use is out of the scope of this PIA.

This initiative involves the collection by the School District of <identify personal information that is used to provision user accounts> for the purposes of setting up the Microsoft 365 A3 accounts for users in our district. Our school district will be collecting user emails (relating to educational, school-related purposes – i.e. only those addressed to educators and staff, and those to other students for school and not personal purposes), and any records or documents created in the collaborative application suite that are created for educational or other school-related purposes.

Information generated by using MS365 A3 may also include: <attendance records, grades, email content, assignments, participation in school programs and activities, schedules etc.>

Acceptable Use of MS365 A3 services

<Districts to customize the example text below to identify how acceptable use of MS 365A3 products is defined in the district, and how users are instructed on acceptable use of these programs.>

Use of MS365 A3 applications in our district is guided by the Acceptable Use of Technology Policy.

This policy:

sets out the specific educational and school-related uses for which the user accounts and services are expected to be used, along with the rules that constitute “appropriate use” of these accounts, and the risk of inappropriate or unintended use.

increases awareness of the potential impacts of sharing digital information online and the importance of protecting personal information.

clearly identifies in what circumstances users’ MS365 A3 account information will be monitored and/or viewed by administrators (e.g. only in resolving technical issues, or when inappropriate use is suspected, etc.).

Where applications are used inappropriately, the School District is considered to have care of the records and will for the purposes of FIPPA have custody and control of personal information exchanged.

3. Related Privacy Impact Assessments

<Note: This PIA template has been revised based on amendments to section 33.1(1)(p), (p.1) and (p.2) FIPPA which came into effect in Fall 2019.>

<Identify any PIAs that were previously completed for this initiative, or for related services.>


4. Elements of Information or Data

Data in MS365 A3 is divided into the three categories below:

Address book data collected when a user account is created

User data, which includes Exchange e-mail body and attachment data

Usage data

Address book data collected when a user account is created

This data is used to authenticate each authorized user in the MS365 A3 system and allow them to log in to applications. When creating accounts for users in our school district, the principle of data minimization will be applied, meaning that only the minimum data necessary to create and authenticate user accounts will be collected for this purpose. To provision accounts, address book data disclosed to Microsoft will be: <District to customize this paragraph to accurately reflect data that will be disclosed to Microsoft and describe process for provisioning accounts for district users.>

User Generated Data

User generated data includes information within users’ email, documents, calendar entries, site content and any other information these users create or place within MS365 A3 applications and services. This information is created by the users within our district in the course of their appropriate daily use.

There are situations where user-generated data within the MS365 A3 applications could contain personal information. Examples of personal information that could potentially be generated by users include: calendar appointments, emails containing personal opinions or personal details of others, and presentations with images or video.

Our School District will make users aware of the potential impacts of creating and sharing records within MS365 A3 documents that contain personal information of themselves or others who engage with our district. If users of the MS365 A3 applications are to store and manage personal information of others, the privacy impacts need to be considered, with additional training and guidance provided.

Users control their own user-generated content and the content which they receive from others, including the deletion of this user generated content.

System Usage Data

System usage data collected by Microsoft when users access and use MS365 A3 services, including cookies, error reports or analytics data, is used to improve the solution and to store a user’s preferences and settings.


All our school district data in MS365 A3 is owned and controlled by our school district, as stated in Microsoft’s online Service Agreement.

Administrative Access

Administrative access to the files and accounts owned by School District users will only be used for:

Technical maintenance

In order to meet legal requirements to produce records

In order to prevent misconduct/ensure compliance with the law

Use of or access to student data by Microsoft support resources is tightly controlled, based upon the data type and specific support situations. Such access is temporary and authorized under section 33.1(1)(p) of FIPPA.

Microsoft states that no one at Microsoft has standing access to user data. Each data centre, regardless of the location, maintains industry standard certifications for security and privacy compliance, like ISO27001, ISO27018, SOC II, etc. The results of these audits are available to each customer within their Office 365 tenant through a tool called the Security and Compliance Centre. For an overview of how Microsoft manages customer data, visit: https://www.microsoft.com/en-us/trustcenter/privacy/who-can-access-your-data-and-on-what-terms

In situations where it is determined that the MS365 A3 applications have been used inappropriately, our school district is considered to have care of the records and will for the purposes of FIPPA have control of personal information that was exchanged.


If personal information is involved in your initiative, please continue to the next page to complete your PIA.

If no personal information is involved, please submit Parts 1, 6, and 7 to your privacy office(r). They will guide you through the completion of your PIA.

Part 2 – Protection of Personal Information

According to section 30 of FIPPA, “a public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.”

Note: Contractual Protections

Given the service provider relationship between Microsoft and our school district, the school district will be using its contract with Microsoft as one means through which the appropriate level of protection can be ensured for personal information. The Contract will reinforce Microsoft’s commitment by securing a promise from Microsoft to provide for the technological and security safeguards of personal information, including at a minimum those set out in Microsoft policies and terms of use.

The implications of these contractual provisions will be:

o Confirmation that our School District owns all content;
o Confirmation that personal information will be stored, accessed or processed outside of Canada only as noted in the circumstances described under Question 5 of this PIA;
o School District content will be encrypted by Microsoft at rest and in transit;
o That our School District will, to the extent possible, be informed of any request for disclosure;
o That security tools including access control policies and audit capability are in place;
o That any actual or suspected privacy breaches of personal information are reported to the district.

Informed Consent

If applications that store personal information outside Canada will be used, our school district will arrange to collect signed consent forms acknowledging this disclosure and storage of information outside of Canada.

<Districts to customize general text below to describe their specific provisioning process. Below description includes creation of email accounts and usernames.>

When required, consent forms are collected at the district or school level and the district IT staff adds users with signed consent forms. Once our district office receives confirmation that an individual has provided consent, they will activate an email address and user account for that individual. FIPPA regulations respecting consent can be found here: Freedom of Information and Protection of Privacy Act Regulations, section 11.

Microsoft states that they do not have access to school district usernames, nor do they need access to this information. Our district IT administrators are responsible for our own Office 365 tenant, including user account provisioning and deprovisioning.

Users should ensure that files or documents, including emails, created within MS365 applications do not contain personal information (pertaining to themselves, students or parents within the district) unless they have been authorized by the district to use these applications for such purpose and the necessary consent has been obtained. For applications and services with US data residency or access outside of Canada, personal information must not be saved or stored within them unless an informed consent process is in place within the district, and the relevant student and parent have provided consent that is stored on file.

Users will also be made aware of the fact that those using (and consenting to the use of) Microsoft 365 A3 services and agreeing to applicable district policies may have their personal information disclosed to both authorized district and Microsoft staff for the purposes of correction, deletion or as required by law.

5. Storage or Access outside Canada

Microsoft indicates that they offer “in-Geo data residency” which means that, for Canadian-hosted applications, school district data is stored in two geographically distributed data centres located in Canada. As the district’s MS365 A3 tenant is provisioned in Canada, data for core Office 365 applications as well as other services is stored within the Canadian “Geo” within two distributed data centres in Toronto and Quebec City. Some services store customer data outside of Canada, in the United States. (Details are provided in the table below, and further data residency information is available at: https://products.office.com/en-us/where-is-your-data-located?geo=Canada#Canada ).

Users’ data will be stored by Microsoft on servers in Toronto and Quebec, Canada and in the USA, as indicated in the table below. Microsoft indicates that data may transit outside of Canada to arrive at the Canadian data centre endpoint from the Canadian starting point, even if it is stored at rest in Canada. Additionally, some functionality which is built into MS365 A3 (both Canada- and US-hosted applications) may process data on servers outside of Canada. Examples include: spell checker and tools which suggest colour themes for documents and presentations. Microsoft advises this data processing will take place in jurisdictions where data centres are available with the necessary capacity.

Information in the table below is based on the Microsoft website and their support pages and is current as of January 2020.

Component name | Where data is stored
Azure Active Directory | USA
Bookings* | Canada*
Delve | Accesses data residing in other applications
Exchange Online | Canada
Flow | Canada
Forms | USA
Intune | USA
OneDrive | Canada
OneNote | Canada
School Data Sync | USA
SharePoint Online | Canada
Skype for Business | Canada
Stream | Canada
Sway | USA
Teams** | Canada**
Yammer | USA

*Bookings - All content created in Bookings is stored within the school district’s Exchange Online mailbox.

**As of August 10, 2018, Teams provides data residency in Canada. All new Microsoft Teams users (those who were provisioned or who started using Teams after this date) in Canada will have data for conversations and chat stored at rest in Canada. Users who were already using Teams prior to August 10, 2018 continue to have data residency for their content stored at rest in the AMER geo (Americas – North and South with datacenters in Bay, California and Boydton, Virginia). Microsoft states that they will provide a migration feature to enable data migration for these existing Teams customers. Location of Teams data can be verified within the Office 365 Admin Portal.

The location of data within the district’s current tenant can be verified in the Data Location card on the Organization Profile page in the Office 365 Admin Centre.

6. Data-linking Initiative - Not applicable for the use of MS365 A3 in this PIA.

In FIPPA, "data linking" and “data-linking initiative” are strictly defined. Answer the following questions to determine whether your initiative qualifies as a “data-linking initiative” under the Act. If you answer “yes” to all 3 questions, your initiative may be a data linking initiative and you must comply with specific requirements under the Act related to data-linking initiatives.

1. Personal information from one database is linked or combined with personal information from another database;

No

2. The purpose for the linkage is different from those for which the personal information in each database was originally obtained or compiled;

No

3. The data linking is occurring between either (1) two or more public bodies or (2) one or more public bodies and one or more agencies.

No

If you have answered “yes” to all three questions, please contact your privacy office(r) to discuss the requirements of a data-linking initiative.

7. Common or Integrated Program or Activity - Not applicable for the use of MS365 A3 in this PIA.

In FIPPA, “common or integrated program or activity” is strictly defined. Answer the following questions to determine whether your initiative qualifies as “a common or integrated program or activity” under the Act. If you answer “yes” to all 3 of these questions, you must comply with requirements under the Act for common or integrated programs and activities.

1. This initiative involves a program or activity that provides a service (or services);

Yes

2. Those services are provided through: (a) a public body and at least one other public body or agency working collaboratively to provide that service; or (b) one public body working on behalf of one or more other public bodies or agencies;

No

3. The common or integrated program/activity is confirmed by written documentation that meets the requirements set out in the FIPPA regulation.

No

Please check this box if this program involves a common or integrated program or activity based on your answers to the three questions above.

8. Personal Information Flow Diagram and/or Personal Information Flow Table

The diagram below illustrates the flow of information between the School District and Microsoft’s MS365 A3 services:

The District completes a PIA pertaining to the use of the MS365 A3 service by its district users in order to go forward with this initiative, provided that the implementation follows the attached provisions in the Appendix B checklist.

Before user accounts are activated, if services will store personal information outside Canada, users provide to the School District their signed, informed consent agreeing that personal information will be stored and accessed outside Canada.

Example:

Note: Examples can be removed, and additional lines can be added as needed.

Personal Information Flow Table

Description/Purpose | Type | FIPPA Authority
1. School District enters into agreement with Microsoft. | No PI Collection | N/A & 26(c)
2. School District creates user accounts to provide access to Microsoft services. | Collection & Use | 26(c) & 32(a)
3. Users create messages and other works and store emails and files on Microsoft servers in connection with educational, administrative or operational activities. | Use | 32(a)
4. For the use of applications that store data outside Canada, the School District collects signed consent from users acknowledging that specified applications store personal data outside of Canada. | Storage & Access | 30.1(a)
5. Information is used by educators, staff, and other professionals in the school system for the purposes for which the information was collected, or for a purpose that is consistent with the original purpose. | Use | 32(a)
6. Information may be disclosed if the head of the public body determines that compelling circumstances exist that would affect anyone’s health or safety. | Disclosure | 33.1(1)(m)
7. Personal Information in the Microsoft 365 A3 system can be disclosed to Microsoft in order to install, implement, maintain, repair, troubleshoot or upgrade the system. | Disclosure | 33.1(1)(p)
8. Information in the Microsoft 365 A3 may be accessed and viewed by School District staff when travelling temporarily outside of Canada. | Disclosure | 33.1(1)(e)
9. Personal information may transit outside of Canada en route to a Canadian data centre endpoint. | Disclosure | 33.1(1)(p)
10. Personal information within applications is processed temporarily outside of Canada. | Disclosure | 33.1(1)(p.1)
11. Applications, such as Azure Active Directory, store user metadata outside of Canada. | Storage | 33.1(1)(p.2)

9. Risk Mitigation

Users should be instructed on the potential impacts of sharing digital information online, the importance of protecting personal information and the appropriate use of the MS365 A3 applications. Personal information transmitted by email should be limited to mitigate privacy issues. There is a risk that users will use their school email addresses for non-work or non-school-related reasons, which may result in the unauthorized disclosure of personal information.

Risk Mitigation Table

Risk | Mitigation Strategy | Likelihood | Impact
1. Unauthorized access to user emails stored in Microsoft’s Canadian data centres. | Contractual requirements with Microsoft to secure the information and to report to the district any actual or suspected cases of unauthorized access. | Low | High
2. Users use email address for non-work or non-school-related reasons, potentially exposing 3rd party information. | District Use Policy contains instructions to users on appropriate content when using this method of communication; training is provided for users. | Medium | High
3. Inappropriate exposure of personal information could result in a breach. | District Use policy; training; incident management process. | Low | High
4. Unauthorized individuals (including students) gain access to the system. | All authorized users are issued individual accounts by the District and receive training and guidance regarding appropriate use. Passwords must have a degree of complexity that is compliant with provincial requirements. Sessions terminate automatically after <xx> minutes of inactivity. | Medium | High
5. Vendor could change terms of use of the service. | School District terms of use are set for 3 years. Mandatory disclosure by the vendor in advance about any changes to terms to give school districts an opportunity to mitigate any FIPPA compliance issues. | Low | Low
6. Inadvertent storage of data / information outside of Canada (e.g. Yammer) | Users within the school district are advised on the appropriate use of software, and applications for which data resides outside of Canada are identified as inappropriate for storing this data. | Low | Low

10. Collection Notice

Personal information collected by the School District in connection with Microsoft programs will be collected by the School District for the above noted purposes under the authority of s.26(c) of the Freedom of Information and Protection of Privacy Act (FIPPA). Personal information may also be accessed, disclosed or collected to facilitate interactions between users for the purposes of collaboration on an educational project under the authority of the School Act and s.27 of FIPPA. If you have any questions about this collection, please contact <List the title, business address, business phone number and email of person who can address questions about collection as described in this PIA>.

Read the relevant FIPPA sections at the following links: s. 26(c) and s. 27(2).

Part 3 – Security of Personal Information

11. Description of the physical security measures related to the initiative.

Microsoft

Microsoft indicates that physical access to the MS365 A3 and Microsoft Dynamics CRM Online data centers is controlled by a two-tier authentication, including proxy card access readers (card access badge required) and hand geometry biometric readers.

On a quarterly basis, the Microsoft Security Officer sends reports to the authorized Microsoft personnel with authority to approve data center access. The reports contain the list of persons who currently have access to the data centers. The authorized personnel audit the list to ensure all persons still require access and have the least privileged access level necessary to perform their job function.

School District

<Describe the additional physical security measures used in the School District to protect the computers and network.>

12. Description of the technical security measures related to the initiative.

Microsoft

All Microsoft 365 A3 and Microsoft Dynamics CRM Online personnel are accountable for their handling of user data. All access to MS365 A3 and Microsoft Dynamics CRM Online data by Microsoft personnel can be tracked and traced to the specific user.

Accountability is enforced by Microsoft through a set of system controls, including the use of unique usernames, data access controls, and auditing. Unlike generic usernames such as "Guest" or "Administrator," unique usernames are used to enforce accountability by linking user actions to a specific person (referred to as "binding"). Two-factor authentication, such as smart card logins using digital certificates or RSA tokens, is also used to further strengthen this binding.

Microsoft enforces role-based access and applies strict controls over which personnel roles and personnel will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via Role-Based Access Control (RBAC). This is an approach to restricting system access to authorized users. Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training, and access approvals. In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems. User access to data is also limited by user role. For example, system administrators are not provided with database administrative access.

As of January 2020, Microsoft has announced that Azure has achieved certification as a data processor for the new international standard ISO/IEC 27701 Privacy Information Management System (PIMS) for providing a comprehensive set of management and operational controls to help organizations demonstrate compliance with privacy laws and regulations.

School District

The School District will ensure that personally identifiable information (e.g. phone number or thumbnail photos) is not synced to AADP unless appropriate consent has been received.

When receiving technical support from Microsoft, our school district can request confirmation of how soon Microsoft staff will lose their temporary access to personal information within the system (to ensure that the duration of temporary access does not greatly exceed the time necessary to resolve a technical issue).

<Describe any additional technical security measures used in the School District to protect the computers and network i.e. encryption, passwords etc.>

13. Describe District Security Policies and provide contact details for someone who could answer further questions regarding these policies and procedures.

<Please note Microsoft’s Online Services Information Security Policy is available by contacting Microsoft’s Chief Information Security Officer>

Microsoft

The following links provide information about Microsoft’s privacy policies and procedures.

Microsoft Privacy Statement – https://privacy.microsoft.com/en-ca/privacystatement (updated as of January 2020).

Microsoft Online Service Terms – https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?mode=1

Microsoft’s Canadian Head Office is located at:
1950 Meadowvale Blvd
Mississauga, Ontario
L5N 8L9

Canadian Head Office: (905) 568-0434
Customer Inquiries: (877) 568-2495

Any privacy concerns, complaints or questions can be directed through Microsoft’s online form here: https://privacy.microsoft.com/en-ca/privacy-questions

School District

<Identify district security policies and procedures documents.>

Contact

Name:
Title:
Email:
Phone:

14. Access controls and/or ways in which you will limit or restrict unauthorized changes (such as additions or deletions) to personal information.

Administrators in our school district have full control over the data in MS365 A3. This is for the purposes of account setup and deletion. Access to, or search of, the account content (users’ emails and data) by School District Administrators and Microsoft would only occur for the following purposes:

• For technical maintenance. Such access by Microsoft is authorized under section 33.1(1)(p) of FIPPA.
• In order to meet legal requirements to produce records under Canadian law. Such access and disclosure are authorized under section 33.1(1)(t) of FIPPA.
• To prevent misconduct/ensure compliance with the law (e.g. the School Act) at the request of the school district in accordance with section 33.2(a) of FIPPA.

If law enforcement contacts Microsoft with a demand for school district data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from the school district. If compelled to disclose school district data to law enforcement, Microsoft will promptly notify the school district and provide a copy of the demand unless legally prohibited from doing so.

No changes to personal information contained in the emails or data will occur except by the users themselves within their own accounts, or unless they are informed.

Where the application is used inappropriately, our school district is considered to have care of the records and will for the purposes of FIPPA have custody and control of personal information exchanged.

15. Description on how you track and who has access to the personal information.

Statements issued by Microsoft indicate that its information security procedures around audits and controls are based upon the ISO 27001 standards and are documented in the Standard Response Document at http://www.microsoft.com/en-ca/download/details.aspx?id=26647 (click “Download” button, then select the document named “StandardResponsetoRequestforInformationWindowsAzureSecurityPrivacy.docx”).

All Microsoft employees and contractor staff represent that they have reviewed, and agree to adhere to, all policies within the Information Security Policy documents.

Microsoft has implemented and will maintain reasonable and appropriate technical and organizational measures, internal controls, and information security routines intended to help protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. Each year, Microsoft undergoes third-party audits to validate that they have independent attestation of compliance with their policies and procedures for security, privacy, continuity and compliance.

Microsoft states that all Microsoft employees and subcontractors with access to customer data are subject to the same access controls and security checks. This includes background checks, lockbox usage, and user roles and IDs. All employees and subcontractors are required to follow applicable intellectual property laws. Subcontractors who must have access to customer content are required to join the Microsoft Vendor Privacy Assurance Program and to meet Microsoft's privacy requirements by contract.

Access to all Microsoft buildings is controlled, and access is restricted to those with card reader (swiping the card reader with an authorized ID badge) or biometrics for entry into datacenters.

Microsoft does not have standing access to their users’ names. Each district IT administrator is responsible for their own Office 365 tenant, including user account provisioning and deprovisioning, which is completed through the User Management Administrator Role.

School District

Administrator access will be limited to specific selected staff and tightly controlled through an approval process. Access to the data will be tracked, and activity will be monitored by review of log files. Access to individual mailboxes by non-owners of the mailboxes will be logged.

The rights and responsibilities of the school district system administrator, outlined in our district’s <name specific use policy>, are as follows:

Identify and list district’s specific policy and / or regulation that apply

Part 4 – Accuracy/Correction/Retention of Personal Information

<As this is a template, districts to confirm the below suggested text is correct, and customize to answer this according to your district practices>

16. How is an individual’s information updated or corrected? If information is not updated or corrected (for physical, procedural or other reasons) please explain how it will be annotated? If personal information will be disclosed to others, how will the public body notify them of the update, correction or annotation?

Users may have access to their own personal information to correct it or update it themselves. Where this is not possible, they will be directed to system administrators who can update their information upon request.

OR

To modify their personal profile information stored with MS365 A3, users will have to contact the User Management Administrator(s) with their role / title to request changes to their profiles.

17. Does this initiative use personal information to make decisions that directly affect an individual(s)?

Yes. Assignments and other student work created within MS365 A3 applications are evaluated by educators to assess student progress and assign grades within classes.

OR

No.

18. If you answered “yes” to question 17, please explain the efforts that will be made to ensure that the personal information is accurate and complete.

<if the answer to Question 17 is “Yes”, customize the text below as needed>

The designated contact person below is responsible for providing access to, ensuring accuracy and completeness of, and making requested corrections to personal information held within the MS365 A3 program. Where corrections cannot or will not be made, this contact will annotate the records containing the information.

Name of designated contact person:

Email / Phone number:

19. If you answered “yes” to question 17, do you have a records retention and/or disposition schedule that will ensure that personal information is kept for at least one year after it is used in making a decision directly affecting an individual?

<If you do not yet have a schedule, please document how these records will be kept until the schedule is in place. Please describe retention schedules that apply where retention exceeds the one-year requirement of FIPPA. Please contact your privacy office(r) and/or records office(r) if you require assistance.>

Part 5 – Further Information

20. Does the initiative involve systematic disclosures of personal information? If yes, please explain.

<For example: not applicable if your department does not have a regular exchange of personal information (both collection and disclosure) with the federal government to provide services to your staff and students.>

Please check this box if the related Information Sharing Agreement (ISA) is attached. If you require assistance completing an ISA, please contact your privacy office(r).

21. Does the program involve access to personally identifiable information for research or statistical purposes? If yes, please explain.

<For example: your district will disclose information to PhD students so that they can conduct research.>

Please check this box if the related Research Agreement (RA) is attached. If you require assistance completing an RA please contact your privacy office(r).

22. Will a personal information bank (PIB) result from this initiative? If yes, please list the legislatively required descriptors listed in section 69 (6) of FIPPA. Under this same section, this information is required to be published in a public directory.

The creation of individualized student, educator and staff user accounts may constitute a personal information bank within the meaning of section 69 of the Act, and reference to it will be included in the School District Personal Information Directory.

Title: Student, educator and staff user accounts

Description: Education and schoolwork related and necessary communications

Location: Local School District servers and Microsoft servers in Ontario and Quebec and outside of Canada

Authority: Section 26(a)

Purposes: Educational, student assessment, operational, administrative usage

Authorized Users: Educators, school administrators, School District technical staff, students and other district-approved users

Please ensure Parts 6 and 7 are attached to your submitted PIA.

Part 6 – Privacy Office(r) Comments

This PIA is based on a review of the material provided to the Privacy Office(r) as of the date below. The PIA is a “living document” that needs to be periodically reviewed. Should there be substantial changes that may affect the privacy of our users, an update will be initiated. As part of our business practices, this PIA will be reviewed annually. If, in the future, any substantive changes are made to the scope of this PIA, the school district will complete a PIA Update and submit it to this Privacy Office(r).

Privacy Officer/Privacy Office Representative

Signature Date

Part 7 – Program Area Signatures

Program/Department Manager Signature Date

Contact Responsible for Systems Maintenance and/or Security (Signature not required unless they have been involved in this PIA.)

Signature Date

Head of School District, or designate Signature Date

If you have any questions, please contact your school district’s privacy office(s) or call the OCIO’s Privacy and Access Helpline at 250 356 1851 and email [email protected].

A final copy of this PIA (with all signatures) must be kept on record.

APPENDIX A: Sample Consent Form

<Customize this form to reflect your district’s use as needed.>

Our School District provides user accounts for Microsoft 365 A3 (MS365 A3) to <identify users in school district> for educational, communication and collaboration purposes. Each user will have their own secure login and password to access their email and files within MS365 A3, as well as OneDrive storage space.

While the majority of services that are a part of MS365 A3 store user data exclusively in Canada, the following services that will be used in our district store user data outside of Canada:

List MS services with data residency outside of Canada

The types of information stored in these services are:

List types of data stored in MS services (for example: name, email address, student work, discussion content etc.).

To comply with the BC Freedom of Information and Protection of Privacy Act (FIPPA), consent is required prior to storing personal information in these services.

The School District also makes efforts to instruct users of MS365 A3 about limiting the amount of personal information that they store and share using these services.

Consent: I understand that my information (if student is signing) / my child’s information (if parent is signing) in Microsoft 365 A3 may be stored outside Canada as outlined above.

This consent will be considered valid from the date at which it is signed until one year after the point at which the user named below is no longer with the School District.

Name of user or, if applicable, parent or guardian: _____________________________________

Signature of user or, if applicable, parent or guardian: ___________________________________

Date Signed (YYYY/MM/DD): __________________________________

User Details:

First Name: __________________________ Last Name:___________________________

Grade (if applicable): __________________ School: _______________________________

For questions, please contact: provide name and contact information of designated district privacy staff.

APPENDIX B

Confirmation and Checklist for Implementing Microsoft 365 Education A3 (MS365 A3)

School District: ____________________________________________________________________________

School District’s Microsoft 365 A3 Administrator: _________________________________________________

Email: _____________________________________________ Go-Live Date: _________________________

This checklist is completed to determine if our School District meets the criteria set out in this PIA. If our School District implementation does not meet the criteria of this checklist you will have to complete a PIA, in accordance with section 69(5.3) of the Freedom of Information and Protection of Privacy Act.

For the purposes of this Appendix, “Use Policy” has the same meaning as that established in the PIA – the School District’s Use Policy on the Use of Microsoft 365 A3.

Please enter an “X” under the appropriate answer to the following questions:

Yes No

Notification and Consent

A “Collection Notice”, meeting the requirements of section 27(2) of the Freedom of Information and Protection of Privacy Act has been provided to students/parents, either via the consent form or a letter of intent.

Where applications disclose and / or store information outside Canada, a signed consent form has been secured from all parents/students/users, and the consent form meets the requirements of section 11 of the Freedom of Information and Protection of Privacy Regulation.

When consent is required, it will be secured from students (where they can exercise this right), and guardians (i.e. parents) will consent for students when they are incapable of exercising this right, pursuant to section 3 of the Freedom of Information and Protection of Privacy Regulation.

Students are not obligated to take part in the MS365 A3 program, and our district seeks to accommodate students when consent is not obtained.

Use

The School District has created a new, or implemented an existing Use Policy for students, which dictates what constitutes (or contradicts) “appropriate use” of the application. The Use Policy also very clearly outlines any monitoring that may take place, or any instances in which a Microsoft 365 A3 account would be suspended or revoked.

The School District will ensure that the Use Policy is widely distributed, and that parents, students, educators and administration are educated about the contents of the Use Policy.

Disclosure

Where applications disclose and / or store information outside Canada, only the information of those who have signed consent forms (or, where applicable, a parent has signed a consent form) will be disclosed to Microsoft for the purposes of the Microsoft 365 A3 Program.

Access, Accuracy, Correction and Annotation (see section VI of this PIA)

The School District has identified a contact person within the School District who is responsible for providing access to, ensuring accuracy and completeness of, and making requested corrections to personal information held within the Microsoft 365 A3 program. Where corrections cannot or will not be made, this contact will annotate the records containing the information.

School District Contact: _________________________________

Please note: Nothing in this document constitutes legal advice to any person. The comments and opinions expressed in this document are to help illustrate the content needed to complete a School/District PIA. This information does not constitute ERAC or OIPC approval of the initiative being consulted on or fetter the Commissioner’s discretion should the initiative later be the subject of a complaint or investigation. It remains the responsibility of the school districts to ensure that they comply with their duties and obligations under applicable laws and are compliant with the Freedom and Protection of Privacy Act.

Security (see section VII of this PIA)

The School District has identified a contact person within the School District who is responsible for maintaining the security of the personal information held in the Microsoft 365 A3 system.

School District contact: __________________________________

Audit Logging (New Recommendation)

Audit logging of non-owner access to accounts is enabled.

Monitoring

Email accounts will only be searched, seized, monitored, suspended, or revoked in accordance with the Use Policy established by the School District.

Content of student account will only be searched for one of the following reasons:

technical maintenance

in order to meet legal requirements to produce

prevent misconduct/ensure compliance with the law (e.g. the School Act)

Records Management

A records retention and disposition schedule has been created by the District. All records used to make a decision about an individual must be kept for at least one year as noted in Section 31 of FIPPA. The records disposition schedule, although not a PIA requirement, falls under the responsibility of the Chief Records Officer, BC Government, who is required to follow the new legislation for Records Management as of May 10, 2016.

Privacy Management Program (New Recommendation)

I acknowledge the Ministry of Education’s recommendation that a privacy management program be implemented within my school district, and further acknowledge that I am aware of the resources that are available to me to support this recommendation, namely the OIPC’s Accountable Privacy Management in BC’s Public Sector and the BC Government’s Privacy Management and Accountability Policy.

Scope

I understand the information and analysis in this PIA is limited to the interaction between MS 365 A3 and the requirements set out in the FIPPA. It is the responsibility of our School District to review Microsoft’s Terms of Use / General Services Agreement. We have reviewed and complied with all obligations created by other legislation and policy, including but not limited to legal review of, and approvals for indemnities created by, Microsoft’s Terms of Use/General Services Agreement.

I understand that, as the School District’s service provider, Microsoft and its subcontractors are considered public body employees under the Freedom of Information and Protection of Privacy Act and, strictly within the scope of offering this service to the School District, are thus bound by the same restrictions and requirements.

If you have answered ‘No’ to any of the above questions, a separate PIA will need to be completed before your Microsoft 365 A3 Program can be launched.

Checklist Completed By: ________________________________________ (Please Print) Signature: _______________________

Name of School District’s PIA Signatory: ____________________________________________________ (Please Print)

Signature: _____________________________________________ Date: __________________________ (YYYY-MM-DD)

APPENDIX C

Managing data within Azure Active Directory (based on direction provided by Microsoft):

Objects in Azure Active Directory are synchronized from on-premises Windows Server Active Directory using the Azure AD Connect tool. The default approach is to keep the default attributes so that a full Global Address List (GAL) can be constructed in the cloud. However, there are some attributes that school districts should not synchronize to the cloud, since these attributes contain sensitive data or personally identifiable information (PII).

Below is an example:

Personal information of students cannot be disclosed outside of Canada unless there is an appropriate legal authority in place, such as consent.

School districts should review the list of attributes in Active Directory and identify those attributes that would contain sensitive or PII data and should not be synchronized. Then deselect those attributes during the installation and configuration of the Azure AD Connect tool.
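One way to support the attribute review described above, as an added example that is not part of this template or of Microsoft's direction: it reads an LDIF export of user objects (for example one produced with ldifde) and reports which attributes on a district-defined review list are actually populated, broken down by OU, so they can be deselected in Azure AD Connect. The review list, the sample export and every name in it are constructed assumptions.

```python
import base64
from collections import Counter

# Assumption: the district's own list of attributes it treats as sensitive.
# These are standard AD attribute names; which of them hold PII in a given
# directory is a local decision that the template does not specify.
REVIEW_LIST = {"homePhone", "mobile", "streetAddress", "employeeID",
               "extensionAttribute1"}

# Constructed sample export. Contains a base64 value ("::") and a folded line.
SAMPLE_LDIF = """\
dn: CN=Student One,OU=Students,DC=district,DC=example
sAMAccountName: sone
mail: sone@district.example
homePhone: 555-0100
streetAddress:: MTIzIEV4YW1wbGUgU3Q=
extensionAttribute1: ID-000
 0001

dn: CN=Teacher Two,OU=Staff,DC=district,DC=example
sAMAccountName: ttwo
mobile: 555-0101
employeeID: E-2002

dn: CN=Student Three,OU=Students,DC=district,DC=example
sAMAccountName: sthree
homePhone: 555-0102
"""

def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries

def top_ou(dn):
    """First OU component of a DN (simplified: ignores escaped commas)."""
    for part in dn.split(","):
        if part.strip().upper().startswith("OU="):
            return part.strip()[3:]
    return "(none)"

def review(entries, review_list=REVIEW_LIST):
    """Map each populated reviewed attribute to a per-OU count of entries."""
    lookup = {a.lower(): a for a in review_list}   # LDAP names are case-insensitive
    result = {}
    for entry in entries:
        ou = top_ou(entry.get("dn", [""])[0])
        for name, values in entry.items():
            attr = lookup.get(name.lower())
            if attr and any(values):
                result.setdefault(attr, Counter())[ou] += 1
    return result

def attributes_to_deselect(result):
    """Populated reviewed attributes, most widely populated first."""
    return sorted(result, key=lambda a: (-sum(result[a].values()), a))

if __name__ == "__main__":
    found = review(parse_ldif(SAMPLE_LDIF))
    for attr in attributes_to_deselect(found):
        print(f"{attr}: {dict(found[attr])}")
```

An attribute on the review list that is empty today does not appear in the report, so the district's own list remains the authority on what to deselect.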

Additional information:

Azure AD Connect Sync: Attributes Synchronized to Azure Active Directory
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized

How Microsoft Secures Data in Azure AD
https://www.microsoft.com/en-us/microsoft-365/blog/2017/09/05/how-we-secure-your-data-in-azure-ad/
