Administrative Procedure

AP-320 — Information Access Control

Section Three: General School Administration

Effective Date: May 26, 2026 Last Reviewed: May 26, 2026

Background

This Administrative Procedure establishes the access control framework for Grasslands Public Schools information systems. It defines the principles, requirements, and responsibilities for granting, managing, reviewing, and revoking access to Division information and systems.

This procedure aligns with the NIST Cybersecurity Framework 2.0 Protect function (PR.AA – Identity Management, Authentication, and Access Control) and supports the Division's compliance with the PASI Usage Agreement and the PASI Security Controls required by Alberta Education for access to PowerSchool, PASIprep, and other provincial student information systems.

Scope

This procedure applies to all Division information systems, including administrative systems, instructional applications, cloud services, network infrastructure, and any system that stores, processes, or transmits Division data.

Systems connected to provincial repositories, including PowerSchool and PASIprep, are subject to additional requirements under the PASI Usage Agreement. These requirements are documented in SI-001 – PASI Security Controls Compliance.

This procedure applies to all individuals who access Division information systems, including employees, contractors, students, and third parties.

Definitions

Terms not defined in this procedure have the meanings assigned in Policy 310 – Information Security Charter and Policy 311 – Privacy and Access to Information.

Authentication: The process of verifying the identity of a user, device, or system before granting access. Authentication typically involves one or more factors: something you know (password), something you have (token or device), or something you are (biometric).

Authorization: The process of determining what actions an authenticated user is permitted to perform and what resources they may access.

Elevated Access: Access rights that exceed standard user permissions, including administrative privileges, access to sensitive data, or the ability to modify system configurations. Also referred to as privileged access.

Information Controller: The individual accountable for monitoring security compliance and reporting security incidents for a specific system or group of systems. For PASI-connected systems, this role is assigned to the SIS Coordinator.

Least Privilege: The principle that users should be granted only the minimum access rights necessary to perform their job functions.

Multi-Factor Authentication (MFA): An authentication method that requires two or more independent verification factors before granting access.

Need-to-Know: The principle that access to information should be limited to individuals who require that information to perform their assigned duties.

Provisioning: The process of creating user accounts and granting access rights to information systems.

User Lifecycle: The stages of a user's relationship with Division systems, from initial account creation (provisioning) through role changes to account termination (deprovisioning).

Procedures

1. Access control principles

a. Need-to-Know and Least Privilege

1. Access to information and systems shall be granted based on legitimate business or educational need.
2. Users shall be granted only the minimum access rights necessary to perform their assigned duties.
3. Access rights shall not be granted based solely on organizational position or seniority.

b. Default Deny

4. Access to information and systems is forbidden unless expressly permitted.
5. Access control configurations shall deny access by default and permit only explicitly authorized access.

c. Segregation of Duties

6. Where operationally feasible, critical functions shall be divided among different individuals to reduce the risk of error or fraud.
7. No single individual should have complete control over a critical process from initiation to completion.

d. Individual Accountability

8. All users shall be issued a unique identifier for their exclusive use.
9. Users are responsible for all actions performed under their credentials.
10. Shared or group accounts are prohibited except where explicitly approved by the Director of Technology for specific operational requirements, documented, and subject to compensating controls.

2. Authentication requirements

a. User Identification

11. All users shall be issued a unique identifier (username) that is not easily associated with their identity by unauthorized parties.
12. User identifiers shall not be reused. When a user account is terminated, the identifier shall be retired.
13. The format and issuance of user identifiers is defined in IM-005 – User Account Administration.

b. Password Requirements

14. Access to Division information systems shall require authentication using a secure logon process.
15. Users shall protect authentication credentials from unauthorized use and shall not share credentials with any other person.
16. Password complexity, length, expiration, and history requirements are defined in IM-005 – User Account Administration.

c. Multi-Factor Authentication

17. Multi-factor authentication is required for:
    1. Remote access to internal Division systems (VPN, remote desktop).
    2. Access to systems containing Restricted or Confidential information as classified under A.P. 313 – Data Classification.
    3. Privileged or administrative access to any system.
    4. Access to cloud services that store Division data.
18. MFA requirements may be satisfied through Division-managed solutions including Microsoft Authenticator, hardware tokens, or other methods approved by the Director of Technology.

3. Authorization requirements

a. Formal Provisioning

19. User accounts shall be created only upon formal authorization through the processes defined in IM-005 – User Account Administration.
20. Authorization for staff accounts requires confirmation of employment status from Human Resources or Payroll.
21. Authorization for student accounts requires enrollment in the Student Information System and a signed Student Technology User Agreement (FORM-IM-002).
22. Access rights shall be granted based on the user's role and business or educational need, as defined in system-specific access rights documentation.

b. Role-Based Access

23. Access rights shall be assigned based on defined roles rather than individual requests where possible.
24. Standard access rights for each role are documented in system-specific operational documents, including SI-002 – System Access Rights: Student Information Systems for PASI-connected systems.
25. Requests for access beyond standard role-based rights require documented justification and approval from the System Owner (as defined in A.P. 312 – Technology Acquisition and Use) and the Director of Technology.

c. Elevated Access

26. Elevated or privileged access shall be restricted to individuals with a documented need and appropriate technical competence.
27. Requests for elevated access require approval from the Director of Technology and shall be documented in the Privileged Access Rights Record.
28. Elevated access shall be granted for specific systems and purposes, not as blanket administrative rights.
29. Users with elevated access shall use standard user accounts for routine activities and elevated credentials only when required for administrative tasks.

4. User lifecycle management

a. Provisioning

30. Accounts shall be created following the procedures in IM-005 – User Account Administration.
31. New users shall complete the applicable Technology User Agreement (FORM-IM-001 for staff, FORM-IM-002 for students) prior to access being granted.
32. Access rights shall be assigned based on the user's role at the time of provisioning.

b. Changes

33. When a user's role or responsibilities change, their access rights shall be reviewed and adjusted within five business days of notification.
34. Role changes shall be processed per IM-005 – User Account Administration.
35. Users transferring between schools or departments shall have access rights adjusted to reflect their new role; access to previous role systems shall be removed unless continued access is justified and documented.

c. Termination

36. Access to all Division systems shall be disabled immediately upon notification of employment termination, contract end, or student withdrawal.
37. Upon staff termination, the supervisor shall be notified of procedures for accessing work files per IM-005.
38. Terminated accounts shall not be deleted for a minimum of 30 days to allow for data retention review and potential audit needs.
39. The termination process is defined in IM-005 – User Account Administration.

5. Access reviews

a. Scheduled Reviews

40. Access rights for all users shall be reviewed at least annually to ensure that unauthorized privileges have not been obtained and that access remains appropriate for current roles.
41. Elevated and privileged access rights shall be reviewed annually with enhanced scrutiny.
42. Reviews shall be documented using the procedures in IM-006 – Access Review Procedures.

b. Triggered Reviews

43. Access reviews shall also be conducted following:
    1. Significant security incidents affecting access controls.
    2. Organizational restructuring affecting roles and responsibilities.
    3. System reclassification under A.P. 312.
    4. Direction from Senior Administration or audit findings.

c. Review Responsibilities

44. System Owners (as defined in A.P. 312) are responsible for reviewing access to systems under their ownership.
45. The Director of Technology is responsible for coordinating the annual review process and maintaining review records.
46. The Information Controller for PASI-connected systems (SIS Coordinator) is responsible for ensuring PASI-specific review requirements are met per SI-001.

6. Logging and monitoring

a. Logging Requirements

47. Access to systems containing personal information shall be logged.
48. Logs shall capture, at minimum:
    1. Authentication events (successful and failed login attempts).
    2. Access to records containing personal information.
    3. Administrative actions (account creation, modification, deletion).
    4. Changes to access control configurations.
49. Activities of operators and administrators shall be logged, protected, and subject to regular review.

b. Log Protection

50. Audit logs shall be protected from unauthorized access, modification, and deletion.
51. Logs shall be retained in accordance with Division records retention requirements and for a minimum period sufficient to support incident investigation.

c. Monitoring and Review

52. Logs shall be reviewed regularly for anomalies and potential security incidents.
53. Anomalies or suspected incidents shall be reported and handled per A.P. 321 – Information Security Incident Response.
54. The frequency and method of log review is defined in IM-006 – Access Review Procedures. Detailed logging standards, event types, retention periods, and review procedures for security events beyond access logging are defined in IM-014 – Logging and Monitoring Standards.

d. Proactive Privacy Monitoring

55. In accordance with M-Reg 143/2025 s.6(2)(a)(iii), the Division shall maintain a proactive monitoring program for information systems that hold personal information, data derived from personal information, or non-personal data.
56. The Director of Technology and the Access and Privacy Coordinator shall jointly conduct an annual privacy risk assessment that includes:
    1. Identification and review of all systems containing personal information.
    2. Assessment of whether security measures for each system remain appropriate to the sensitivity and classification of the data held.
    3. Review of access patterns for anomalies or inappropriate access.
    4. Verification that active logging is in place for systems containing personal information.
    5. Assessment of whether data classification under A.P. 313 remains appropriate for each system.
57. The Director of Technology shall maintain a privacy risk registry documenting identified risks, risk ratings, mitigation actions, and responsible parties. The registry shall be reviewed and updated at least annually. The privacy risk registry is maintained as part of the broader information security risk registry under IM-021 – Information Security Risk Registry.
58. Security assessments shall be conducted on systems containing personal information as determined by the annual privacy risk assessment. The scope and frequency of assessments shall be proportionate to the system's classification under A.P. 312 and the sensitivity of the data held.
59. The results of the annual privacy risk assessment and any significant findings shall be reported to Senior Administration. The privacy monitoring checklist in IM-006 – Access Review Procedures shall be completed as part of the annual review cycle.

7. Secure transmission

a. Protection of Information in Transit

60. Information classified as Restricted or Confidential under A.P. 313 shall be protected when transmitted electronically.
61. Student personal information transmitted via email shall be limited to what is necessary for the purpose and shall use available protective measures.
62. Unencrypted transmission of Restricted or Confidential information (as classified under A.P. 313) to external recipients is prohibited.

b. PASI-Connected Systems

63. Information transmitted to or from PASI-connected systems shall be appropriately protected in accordance with the PASI Security Controls.
64. Staff shall not transmit student records from PASI-connected systems via personal email accounts.

c. Available Protections

65. Staff shall use available email security features, including confidential mode and restricted sharing, when transmitting sensitive information.
66. For highly sensitive transmissions, staff should consult the Technology Department regarding secure file transfer options.
67. The Director of Technology shall maintain guidance on secure transmission methods and make this available to staff.

8. PASI-connected systems

a. Applicability

68. PowerSchool and PASIprep are classified as Core Systems under A.P. 312 and are subject to the PASI Security Controls required by Alberta Education under the PASI Usage Agreement.
69. Compliance requirements and implementation details are documented in SI-001 – PASI Security Controls Compliance.

b. Access Rights

70. Access rights for PASI-connected systems are defined in SI-002 – System Access Rights: Student Information Systems.
71. Changes to standard access rights for PASI-connected systems require approval from the Assistant Superintendent and documentation in the Privileged Access Rights Record.

c. Information Controller

72. The SIS Coordinator serves as the Information Controller for PASI-connected systems and is accountable for:
    1. Monitoring security compliance for PASI-connected systems.
    2. Reporting security incidents to the Director of Technology.
    3. Ensuring access review requirements are met.
    4. Maintaining access rights documentation.
73. The SIS Coordinator shall escalate security incidents to the Director of Technology and, where personal information is involved, to the Access and Privacy Coordinator per A.P. 321.

9. External party access

a. Third-Party Requirements

74. Third parties requiring access to Division systems are subject to the requirements of A.P. 322 – Third-Party and Vendor Risk Management.
75. Security requirements shall be communicated to external parties prior to granting access.
76. Confidentiality and data protection terms shall be established through contract prior to access.

b. Access Controls

77. External party access shall be limited to the specific systems and data necessary for the contracted purpose.
78. External party accounts shall be clearly identified as such and shall be subject to all authentication requirements in this procedure.
79. External party access shall be removed immediately upon contract termination or when no longer required.

c. Information Exchange

80. Disclosures of personal information to third parties require authorization from the Access and Privacy Coordinator, except where a delay may risk significant harm to health or safety.
81. Information exchange agreements between the Division and external organizations shall be documented.
82. Procedures and controls for protecting exchanged information shall be established and communicated to both parties.

Responsibilities

Director of Technology

• Hold overall accountability for access control implementation.
• Maintain IM-005, IM-006, and general access control procedures.
• Approve elevated access requests.
• Coordinate annual access reviews.
• Maintain guidance on secure transmission methods.
• Approve exceptions to standard access requirements.
• Implement appropriate security awareness and training programs per A.P. 327.

SIS Coordinator (Information Controller for PASI Systems)

• Monitor security compliance for PASI-connected systems.
• Report security incidents to the Director of Technology.
• Maintain SI-001 and SI-002.
• Ensure annual access review completion for PASI-connected systems.
• Document privileged access for PASI-connected systems.

System Owners (as defined in A.P. 312)

• Authorize access to systems under their ownership.
• Participate in access reviews for their systems.
• Report access anomalies or concerns.

Access and Privacy Coordinator (Associate Superintendent Business Services)

• Coordinate the Division's compliance with POPA and ATIA.
• Oversee the Division's Privacy Management Program (per CG-002).
• Respond to Access to Information requests and privacy complaints.
• Provide guidance on privacy and access matters to Division staff.
• Authorize disclosures of personal information to third parties.
• Maintain the Division's directory of Personal Information Banks.
• Ensure Division forms comply with privacy requirements.
• Manage privacy breach response and notification in coordination with A.P. 321.
• Review access controls for privacy compliance.
• Receive escalations involving personal information.
• Advise on access control requirements for systems processing personal information.

School Administration (Site Coordinators)

• Authorize school-level access appropriate to roles.
• Notify the Technology Department of staff departures and role changes.
• Ensure staff complete required user agreements.
• Ensure protection of personal information at their site.
• Review forms used to collect personal information at the school.
• Direct privacy and access inquiries to the Access and Privacy Coordinator.
• Ensure staff are aware of privacy obligations.

All Staff

• Protect credentials from unauthorized use.
• Report suspected unauthorized access immediately.
• Use only authorized systems and access levels.
• Complete required user agreements and training.

Review

This procedure shall be reviewed every three years or following:

• Significant security incidents affecting access controls
• Changes to the PASI Usage Agreement or Security Controls
• Changes to applicable legislation (POPA, ATIA, M-Reg 143/2025)
• Direction from Senior Administration or the Board of Education

Cross reference

• Policy 310 – Information Security Charter
• Policy 311 – Privacy and Access to Information
• A.P. 312 – Technology Acquisition and Use
• A.P. 313 – Data Classification
• A.P. 321 – Information Security Incident Response
• A.P. 322 – Third-Party and Vendor Risk Management
• A.P. 323 – Privacy Management
• A.P. 326 – Technical Security Controls
• A.P. 327 – Security Awareness and Training
• A.P. 328 – Risk Management Framework
• CG-002 – Privacy Management Program Overview
• FORM-IM-001 – Staff Technology User Agreement
• FORM-IM-002 – Student Technology User Agreement
• IM-005 – User Account Administration
• IM-006 – Access Review Procedures
• IM-008 – Privacy Impact Assessment Procedures
• IM-014 – Logging and Monitoring Standards
• IM-021 – Information Security Risk Registry
• SI-001 – PASI Security Controls Compliance
• SI-002 – System Access Rights: Student Information Systems
• SI-003 – External System Data Exchange and Access Control

Legal reference

• Protection of Privacy Act, SA 2024, c P-28.5
• Protection of Privacy (Ministerial) Regulation, Alta Reg 143/2025
• Access to Information Act, SA 2024, c A-1.4
• Education Act, SA 2012, c E-0.3
• PASI Usage Agreement (Alberta Education)