Background
This Administrative Procedure establishes a standardized process for acquiring and using technology within Grasslands Public Schools. It ensures alignment with organizational standards, cost-effectiveness, secure implementation, and compliance with privacy legislation.
Technology systems range from enterprise-wide platforms essential to Division operations to individual classroom applications piloted by teachers. This procedure applies a classification-based approach (Core, Common, and Innovative) to ensure that governance requirements are proportionate to the scope and risk of each system.
Scope
This procedure applies to all information technology systems and resources used within Grasslands Public Schools, including hardware, installed software, cloud-based services, artificial intelligence tools (including generative AI and adaptive learning systems), and online classroom applications used for data processing, communication, instructional delivery, or system management.
This procedure does not apply to general-purpose electrical or mechanical equipment without computing functionality or network connectivity.
Definitions
Terms not defined in this procedure have the meanings assigned in Policy 310 – Information Security Charter and Policy 311 – Privacy and Access to Information.
Adaptive Learning System: An educational technology that assesses student performance and automatically adjusts instructional content, difficulty, pacing, or learning pathways. These systems create learner profiles and make automated decisions about the student's educational experience. Examples: IXL, DreamBox, Khan Academy, ALEKS, Lexia.
AI Inference: A conclusion, prediction, or classification generated by an artificial intelligence system based on patterns in data. When an AI inference relates to an identifiable individual (such as a predicted learning outcome, a behavioural risk score, or a proficiency estimate), it constitutes data derived from personal information under A.P. 323 – Privacy Management Section 6.
Approved Software List: The Division's published list of applications reviewed and approved for use. Staff must register their use of applications on this list annually.
Common System: Widely used but not critical to core operations. These systems serve specific groups, have a moderate scope, may integrate with one or two systems, and generally have a lifespan of 1–5 years. Examples: Department scheduling tools, specialized instructional software used across multiple schools, adaptive learning systems.
Core System: Essential to the operation of the organization, used by large numbers of people, broad in scope, integrates with many systems, and usually has a lifespan of 5–12 years. Examples: Student Information System, email, financial systems.
Generative AI: Artificial intelligence systems capable of generating new content based on user prompts, including text, images, audio, video, or code. Examples: ChatGPT, Microsoft Copilot, Claude, Google Gemini, DALL-E.
Innovative System: Emerging or pilot technologies not yet in widespread use. These systems are used by a small number of individuals, typically for a single task, have limited or no integration, and are expected to have a short lifespan (less than 1 year). Examples: A teacher piloting a new classroom app, testing a new tool before broader adoption.
Large Language Model (LLM): A type of generative AI system trained on large volumes of text data that generates human-like text in response to prompts. LLMs underpin many generative AI tools used for drafting, summarizing, coding, and conversational interfaces. Examples: the models powering ChatGPT, Claude, and Google Gemini.
Mature Minor: A student under the age of 18 who has been determined to have sufficient understanding and maturity to exercise their own privacy rights (including providing or withdrawing consent for the collection, use, or disclosure of their personal information) without requiring parental or guardian involvement. A mature minor determination considers the student's age, maturity, and the nature of the personal information involved, in accordance with A.P. 323 – Privacy Management Section 5(c).
Neglected System: A system, software, or infrastructure no longer supported by its developer or vendor. These present increased security risks, and breaches involving neglected systems may not be covered under cyber liability insurance.
Personal Information (PI): Information about an identifiable individual as defined under Alberta privacy legislation. This is a broad definition that includes names, addresses, birthdates, student or employee ID numbers, and any identifier that can be tied back to an individual, including IP addresses and obfuscated usernames.
Privacy Impact Assessment (PIA): A process to evaluate the potential privacy effects of a project, system, or initiative and identify mitigation strategies. The PIA program (including statutory triggers, OIPC submission criteria, mandatory template use, and sign-off authority) is established in A.P. 323 – Privacy Management Section 9. From an acquisition perspective, a PIA is required for Core Systems and may be required for Common Systems at the Director of Technology's discretion.
Privacy Portal: The Division's online system for submitting application approval requests and the resulting approved-applications registry, accessible at https://privacy.grasslands.ab.ca.
System: A combination of hardware, software, services, or platforms that work together to fulfill a technological function. A system may include individual components (servers, applications, databases) and may support instructional, administrative, or operational needs.
System Owner: The individual responsible for overall oversight, management, and use of a specific technology system. Typically the person who initiates the request or purchases the system. For classroom tools, this is usually the teacher. For school-wide or department-wide systems, this may be the principal or department head.
Third-Party Vendor: Any external organization that provides products or services involving access to Division data or systems. Vendor relationships are governed by A.P. 322 – Third-Party and Vendor Risk Management.
Responsibilities
All Staff (Including Teachers)
- Use only approved applications for activities involving student or staff personal information.
- Submit requests for new applications by following the appropriate path for the system's classification: Innovative System requests through the Privacy Portal at https://privacy.grasslands.ab.ca; Common and Core System requests through the Director of Technology.
- Use standardized parent notification templates when required.
- Do not enter personal information into generative AI tools unless the tool has been specifically approved for that data type.
System Owners
- Initiate the system review process and participate in privacy and security assessments.
- Monitor the system for changes such as privacy policy updates, version upgrades, or new features, and report significant changes to the Technology Department.
- Collaborate with the Technology Department to maintain security.
- Support compliance efforts and assist with incident response activities if a breach occurs.
- Understand vendor obligations under A.P. 322 – Third-Party and Vendor Risk Management for systems under their ownership.
- Confirm with the Technology Department how the system is backed up: Division-managed, vendor-managed, or requiring configuration per IM-004 – Backup and Recovery Procedures.
School Administration and Department Leads
- Ensure staff understand and follow this procedure.
- Ensure System Owners for school-level or department-level systems fulfill their responsibilities.
- Escalate approval or risk concerns to the Technology Department as needed.
- Process parent opt-out requests for adaptive learning systems in accordance with Policy 311.
Technology Department
- Evaluate overall system risks and conduct security assessments.
- Maintain the Approved Software List.
- Process requests submitted through the Privacy Portal.
- Support compliance processes and ensure proper procurement.
- Manage decommissioning of neglected systems.
- Coordinate vendor assessments per A.P. 322 – Third-Party and Vendor Risk Management.
- Maintain documentation of opt-out capabilities for adaptive learning systems.
- Determine backup requirements for new systems during acquisition and ensure backup is configured or vendor coverage is confirmed per IM-004 – Backup and Recovery Procedures.
- Ensure relevant training is identified for users of newly approved systems per A.P. 327 – Security Awareness and Training.
Privacy Management Program
- Provide guidance and templates for privacy assessments, consent, and notification.
- Review Privacy Impact Assessments.
- Maintain documentation and records of approved systems.
- Support consistent interpretation of privacy legislation across departments.
- Maintain the Privacy Portal and Privacy Notification System.
Board of Education
- Review and approve risk assessments and mitigation strategies for Core Systems.
- Ensure the Division's risk posture aligns with strategic goals and compliance obligations.
Procedures
1. Classification
The Technology Department classifies systems to determine the appropriate approval process. Classification is based on scope, integration, and organizational impact.
| Classification | Scope | Integration | Lifespan | Approval Authority |
|---|---|---|---|---|
| Core | Division-wide, essential operations | Many systems | 5–12 years | Board of Education, Senior Administration |
| Common | Department or multi-school | 1–2 systems | 1–5 years | Senior Administration, Technology, Privacy Program |
| Innovative | Individual or small group, pilot | None or minimal | Less than 1 year | Technology, Privacy Program, School Administration |
2. Using pre-approved applications
Applications on the Approved Software List have already been reviewed for privacy and security compliance.
- Staff intending to use an application on the Approved Software List must register their use annually by selecting the "Using" button. This registration facilitates incident response and legal compliance.
- Applications requiring parental consent or notification must use the standardized templates provided on the Approved Software List.
- All approved applications remain subject to the responsibilities and terms outlined on the Approved Software List.
3. Requesting approval for new systems
Systems not on the Approved Software List require approval before use if they store or process personal information, connect to Division networks (excluding guest Wi-Fi), or will be used broadly (Common or Core classification).
- Do not use a system with student or staff personal information until approval is confirmed.
a. Innovative Systems
- Innovative Systems are emerging or pilot technologies with limited scope and short expected lifespan.
- Staff must submit a request through the Privacy Portal and communicate with the Director of Technology regarding the proposed use.
- The Technology Department and the Privacy Management Program evaluate the request in consultation with the requesting teacher and school administration.
- Approval decisions follow this matrix:
| Input and Feedback | Decision Maker | |
|---|---|---|
| Trustees | | |
| Senior Administration | | |
| Technology Department | ✓ | |
| Department Leaders | | |
| School Administration | ✓ | |
| Teachers | ✓ | |
| Privacy Management Program | ✓ | |
Decision matrix – Innovative Systems
b. Common Systems
- Common Systems are used across departments or multiple schools but are not critical to core operations.
- Staff must submit a request to the Director of Technology.
- The Director of Technology may require a risk assessment and/or Privacy Impact Assessment prior to approval, depending on anticipated risk.
- Vendor assessment requirements under A.P. 322 apply to Common Systems.
- Approval decisions follow this matrix:
| Input and Feedback | Decision Maker | |
|---|---|---|
| Trustees | | |
| Senior Administration | ✓ | |
| Technology Department | ✓ | ✓ |
| Department Leaders | ✓ | ✓ |
| School Administration | ✓ | ✓ |
| Teachers | ✓ | |
| Privacy Management Program | ✓ | |
Decision matrix – Common Systems
c. Core Systems
- Core Systems are essential to Division operations with broad scope and long lifespan.
- Core Systems require a formal project management plan established by the Technology Department.
- A Privacy Impact Assessment is required for all Core Systems that process or store personal information. PIA program rules (including statutory triggers, OIPC submission criteria, mandatory template use, and sign-off authority) are established in A.P. 323 – Privacy Management Section 9.
- A comprehensive risk assessment must be completed. Identified risks and mitigation strategies must be reviewed and approved by the Board of Education prior to purchase or implementation.
- Full vendor assessment under A.P. 322 is required, including independent audit evidence.
- Backup and recovery requirements shall be determined during the acquisition process. The Director of Technology shall confirm how the system will be backed up, who is responsible, and whether RPO/RTO requirements can be met before final approval.
- Approval decisions follow this matrix:
| Input and Feedback | Decision Maker | |
|---|---|---|
| Trustees | ✓ | |
| Senior Administration | ✓ | |
| Technology Department | ✓ | |
| Department Leaders | ✓ | |
| School Administration | ✓ | |
| Teachers | ✓ | |
| Privacy Management Program | ✓ | |
Decision matrix – Core Systems
4. Artificial intelligence systems
This section applies to all AI tools, including generative AI and adaptive learning systems.
a. Data protection requirements
- The following information must never be entered into generative AI tools unless the tool has been specifically approved for that data type with appropriate data processing agreements in place:
  - Student names or other direct identifiers.
  - Student academic records, grades, or assessment results.
  - Individual Education Plans (IEPs) or learning support documentation.
  - Student medical, behavioral, or discipline information.
  - Staff personnel information.
  - Any information classified as Restricted or Confidential under A.P. 313.
- Staff may use approved generative AI tools with de-identified information, publicly available information, or their own work product (e.g., draft documents, lesson plans without student information).
- AI-generated inferences about identifiable individuals (such as predicted learning outcomes, behavioural risk scores, proficiency estimates, or engagement classifications) constitute data derived from personal information under A.P. 323 – Privacy Management Section 6. The data matching, derived data, and non-personal data requirements in A.P. 323 Section 6 apply to AI inference outputs, including authorized purpose restrictions, human oversight obligations, and destruction requirements.
b. Approval requirements
- Generative AI tools must be approved before use with students or for processing Division data, following the approval path appropriate to the system's classification (Section 3). Only tools on the Approved Software List may be used for Division purposes.
- Adaptive learning systems are classified as Common Systems or Core Systems and require approval through the applicable decision matrix. A Privacy Impact Assessment is required for all adaptive learning systems prior to deployment due to collection of student performance data and automated decision-making, in accordance with A.P. 323 – Privacy Management Section 9.
- AI-assisted features within applications already on the Approved Software List (such as grammar suggestions, smart compose, or search suggestions) do not require separate approval, provided they do not collect additional personal information or make decisions about individuals.
c. Adaptive learning system requirements
- Adaptive learning systems that profile student performance and automatically adjust content must include documentation of opt-out procedures before deployment. Schools must be prepared to offer reasonable alternatives that achieve equivalent learning outcomes, in accordance with Policy 311.
- Teachers remain responsible for instructional decisions and student assessment. Adaptive learning systems provide supplementary data but do not replace teacher professional judgment. Student performance data from adaptive learning systems may inform but shall not solely determine course placements, special education assessments, or report card grades.
- Parents shall be notified when adaptive learning systems are used with their children, using templates published in the Privacy Notification System. Notification shall include the name and purpose of the system, types of data collected, how the system adapts content, and how to request an opt-out.
d. Student use
- Student use of generative AI tools is permitted only with explicit teacher authorization and guidance. Teachers have discretion to permit, restrict, or prohibit generative AI use for specific assignments based on educational objectives.
- Unauthorized use of generative AI to complete assignments constitutes academic dishonesty when the assignment is intended to assess the student's own knowledge, skills, or understanding.
5. Enhanced review categories
Certain technology categories require enhanced review regardless of their Core, Common, or Innovative classification due to heightened privacy or ethical considerations.
a. Biometric and Emotional AI Systems
- The following technology categories require a Privacy Impact Assessment in accordance with A.P. 323 – Privacy Management Section 9, and Senior Administration approval, regardless of system classification:
  - Systems that collect or analyze biometric data (facial recognition, eye tracking, voice patterns, physiological indicators).
  - Systems that attempt to infer emotional, psychological, or cognitive states.
  - Systems that make automated recommendations about student placement, intervention, or identification.
- Senior Administration approval shall be informed by the completed PIA and any required vendor assessment under A.P. 322. Where a system involves novel technology, sensitive data categories, or significant ethical considerations, Senior Administration may refer the approval decision to the Board of Education before deployment.
- Enhanced review does not prohibit such systems but ensures appropriate oversight. Legitimate educational uses, such as eye-tracking for developmental screening or speech analysis for reading assessment, may be approved through this process with explicit informed parental consent.
- Covert use of biometric or emotional analysis, without the knowledge and consent of the individual and their parent, is prohibited.
b. Automated Notification Requirements
- Systems that process personal information using automated means to generate content or to make decisions, recommendations, or predictions require notification to affected individuals at the time of collection, in accordance with POPA Section 5(2)(d) and Policy 311.
- As part of the approval workflow, the Technology Department shall determine whether a system triggers automated notification requirements and ensure appropriate notification mechanisms are documented in the Privacy Notification System before deployment.
6. Third-party vendors
- When a Common or Core System involves a third-party vendor storing, processing, or accessing Division data, the vendor assessment requirements of A.P. 322 – Third-Party and Vendor Risk Management apply.
- A.P. 322 specifies contract requirements, security assessments, and ongoing monitoring obligations based on the system's classification.
- Vendor assessment is not currently required for Innovative Systems, recognizing the pilot nature and limited scope of these systems. This may evolve as Innovative System usage expands.
- System Owners are responsible for monitoring vendor communications and reporting material changes (such as privacy policy updates or ownership changes) to the Technology Department.
7. Ownership
- All technology systems must have a designated System Owner.
- The System Owner is typically the person who initiates the request or purchases the system.
- System Owners collaborate with the Technology Department throughout the system lifecycle on privacy, security, compliance, and operational matters.
8. Purchasing technology
- All technology systems requiring approval under this procedure must be purchased through the Technology Department.
- Centralized purchasing ensures proper asset management, adherence to licensing agreements, consistency in implementation, and accountability.
- Emergency purchases under the authorities defined in A.P. 326 – Technical Security Controls (e.g., emergency security remediation) may bypass the standard approval matrix; such purchases shall be reported to Senior Administration as soon as practicable.
9. Neglected systems
- Systems no longer supported by their developer or vendor are considered neglected systems.
- Neglected systems present increased security risks. Breaches involving neglected systems may not be covered under cyber liability insurance.
- Neglected systems must be decommissioned as soon as practicable, or as determined by the Director of Technology. Decommissioning procedures (including data sanitization, license recovery, and physical disposal) are defined in A.P. 314 – IT Asset Management and IM-016 – Hardware Asset Management and Secure Disposal.
Related procedures
This procedure serves as the primary framework for technology acquisition and use. The following procedures provide additional requirements for specific contexts:
| Procedure | When It Applies |
|---|---|
| A.P. 322 – Third-Party and Vendor Risk Management | When a system involves an external vendor storing, processing, or accessing Division data. Specifies vendor assessments, contract requirements, and ongoing monitoring. |
| A.P. 313 – Data Classification | When determining how to handle and protect information. Specifies classification levels and handling requirements. |
| A.P. 321 – Information Security Incident Response | When a security incident or breach occurs involving a technology system. Specifies reporting and response procedures. |
| A.P. 323 – Privacy Management | When privacy collection, consent, data matching, Personal Information Bank, or Privacy Impact Assessment requirements apply. Specifies privacy operational procedures. |
| A.P. 325 – Chain of Custody | When evidence handling, legal holds, or authorized information requests about staff are required. Specifies chain of custody and evidence procedures. |
| A.P. 326 – Technical Security Controls | When emergency security action is required, including emergency patch deployment and emergency expenditure under Director of Technology authority. |
| A.P. 327 – Security Awareness and Training | When users of newly approved systems require training on safe and appropriate use. |
| SI-001 – PASI Security Controls Compliance | When a system connects to or exchanges data with PASI. Specifies PASI-specific security controls and compliance evidence. |
Review
This procedure shall be reviewed annually or following:
- Significant changes to privacy legislation (POPA, ATIA, M-Reg 143/2025)
- Major security incidents involving technology acquisition or use
- Changes to the Division's technology infrastructure or governance structure
- Direction from Senior Administration or the Board of Education
Cross reference
- Policy 310 – Information Security Charter
- Policy 311 – Privacy and Access to Information
- A.P. 313 – Data Classification
- A.P. 314 – IT Asset Management
- A.P. 321 – Information Security Incident Response
- A.P. 322 – Third-Party and Vendor Risk Management
- A.P. 323 – Privacy Management
- A.P. 325 – Chain of Custody
- A.P. 326 – Technical Security Controls
- A.P. 327 – Security Awareness and Training
- A.P. 328 – Risk Management Framework
- A.P. 505 – Electronic Surveillance
- SI-001 – PASI Security Controls Compliance
- FORM-IM-001 – Staff Technology User Agreement
- IM-004 – Backup and Recovery Procedures
- IM-008 – Privacy Impact Assessment Procedures
- IM-016 – Hardware Asset Management and Secure Disposal
Legal reference
- Protection of Privacy Act, SA 2024, c P-28.5
- Protection of Privacy (Ministerial) Regulation, Alta Reg 143/2025
- Access to Information Act, SA 2024, c A-1.4
- Education Act, SA 2012, c E-0.3