Grasslands Public Schools Policy Handbook
Administrative Procedure

AP-323 — Privacy Management

Section Three: General School Administration
Effective Date: May 26, 2026
Last Reviewed: May 26, 2026

Background

Grasslands Public Schools collects and manages significant volumes of personal information that must be protected.

This Administrative Procedure establishes the operational privacy procedures required under the Division's Privacy Management Program. It addresses privacy and security training, privacy complaint handling, correction of personal information, personal information collection and notification, consent standards, data matching and derived data, Personal Information Banks, Privacy Impact Assessments, and access to information request procedures.

Scope

This procedure applies to all employees, contractors, volunteers, and students of Grasslands Public Schools who handle or have access to personal information. It also applies to any individual who submits a privacy complaint, requests correction of personal information, or submits an access to information request to the Division.

Definitions

Terms not defined in this procedure have the meanings assigned in Policy 310 – Information Security Charter and Policy 311 – Privacy and Access to Information.

Access to Information (ATI) Request: A formal request under the Access to Information Act (ATIA) for access to records in the custody or control of the Division, used when information cannot be obtained through routine channels.

Annotation: A note attached to or associated with a record of personal information indicating that the individual has requested a correction and describing the requested change, applied when the Division determines that a correction will not be made.

Complainant: An individual who submits a privacy complaint to the Division.

Data Derived from Personal Information: Data created by data matching that identifies any individual whose personal information was used in the data matching.

Data Matching: Linking personal information between two or more databases or other electronic sources of information.

Linkage: A connection made between a record of personal information and the individual's requested correction, ensuring that both the original information and the requested correction are accessible together.

Non-Personal Data: Data, including data derived from personal information, that has been generated, modified, or anonymized so that it does not identify any individual, and includes synthetic data.

POPA PIA Template: The Privacy Impact Assessment template published by the Office of the Information and Privacy Commissioner of Alberta under POPA. Public bodies submitting PIAs to the Commissioner are required to use this template.

Privacy Complaint: A formal expression of dissatisfaction regarding the Division's handling of personal information, including the collection, use, disclosure, retention, or protection of personal information. A privacy complaint is distinct from a privacy breach report under A.P. 321.

Responsibilities

Access and Privacy Coordinator (Associate Superintendent Business Services)

The Superintendent delegates POPA powers and duties to the Access and Privacy Coordinator under section 55 of POPA. The formal delegation instrument, including the specific powers delegated, conditions, and restrictions, is recorded in CG-003 – Delegation of Authority Under POPA. Section 55(1) of POPA prohibits the delegate from further delegating any power or duty received under this delegation.

Director of Technology

Privacy Management Program

Site Coordinators (School Principals)

System Owners (as defined in A.P. 312)

All Staff

Procedures

1. Privacy and security training

Privacy training is a mandatory component of the Division's Privacy Management Program under M-Reg 143/2025 s.6(1)(d). This section establishes the Division's privacy-specific training requirements, which are distinct from the security awareness training referenced in Policy 310 and the CIRT training in A.P. 321.

a. General privacy training

  1. All Division employees, contractors, volunteers, and students who handle personal information shall complete privacy training within 30 days of commencing their role and annually thereafter.
  2. General privacy training shall cover:
    1. Overview of POPA obligations relevant to the Division.
    2. What constitutes personal information and why it must be protected.
    3. The Division's privacy governance framework (Policy 311, A.P. 312, A.P. 320, A.P. 321, A.P. 322, A.P. 323).
    4. How to recognize and report a potential privacy breach.
    5. Privacy complaint process and individual rights.
    6. Data classification basics under A.P. 313.
    7. Consent requirements and notification obligations.
    8. Individual rights including access and correction.

b. Training expiry and renewal

  1. Privacy training has a 12-month expiry period. Staff who do not complete renewal training within 12 months of their last completion are considered non-compliant.
  2. The Director of Technology shall maintain a training tracking system that records completion dates and generates renewal notifications at least 30 days before expiry.

c. Enhanced training for designated roles

  1. The following roles shall complete enhanced privacy training annually, in addition to general privacy training:
    1. System Owners: Training on privacy obligations specific to system ownership, vendor monitoring, Privacy Impact Assessment participation, and breach recognition for their systems.
    2. Site Coordinators (School Principals): Training on site-level privacy obligations, handling privacy inquiries from parents, consent and notification processes, and privacy complaint intake.
  2. Enhanced training content shall be developed and reviewed by the Access and Privacy Coordinator in coordination with the Director of Technology.

d. Training curriculum

  1. The following training topics shall be included in privacy training, organized by audience. The Access and Privacy Coordinator shall ensure training materials address each topic at the appropriate depth for the audience.
  2. All staff (general privacy training):
    1. Privacy principles under POPA (collection limitation, purpose specification, consent, use and disclosure limitation, accuracy, safeguards, transparency, individual access, accountability).
    2. What constitutes personal information; examples relevant to the school division context (student records, parent contact information, staff personnel files).
    3. Lawful collection, use, and disclosure of personal information; when consent is required and when statutory authority permits collection without consent.
    4. Student data handling: obligations when working with student cumulative files, IPPs, behavioural records, and photographs.
    5. Recognizing and reporting a potential privacy breach; what to report, when, and to whom (per A.P. 321).
    6. The privacy complaint process and individual rights (access, correction) under A.P. 323.
    7. Data classification basics; understanding classification levels and handling requirements under A.P. 313.
    8. Clear desk, clear screen, and secure printing practices.
    9. Consent and notification requirements for school activities (photographs, technology use, field trips).
    10. Retention obligations; not destroying records prematurely and not retaining personal information beyond the authorized period (per IM-009).
  3. Enhanced training (System Owners, Site Coordinators, administrative staff):
    1. Privacy Impact Assessments: purpose, when required, System Owner responsibilities, and the PIA process under IM-008.
    2. Vendor privacy obligations: understanding vendor risk tiers, data processing agreements, and monitoring requirements under A.P. 322 and IM-007.
    3. Incident response: roles in the privacy breach response process, RROSH assessment, and notification obligations under A.P. 321.
    4. Data classification application: classifying information in practice, applying sensitivity labels, handling mixed-classification records under A.P. 313.
    5. Access control principles: least privilege, role-based access, and access review participation under A.P. 320 and IM-006.
    6. Site Coordinator responsibilities: handling privacy inquiries from parents, consent and notification processes, coordinating records searches for ATI requests under A.P. 324.

e. Delivery methods

  1. Privacy training shall be delivered through the following methods:
    1. Onboarding training: General privacy training shall be completed within 30 days of commencing a role, as part of new employee, contractor, or volunteer orientation. Training may be delivered online or in person.
    2. Annual refresher: All staff shall complete annual refresher training. Refresher training may be delivered online and shall be tracked by the Director of Technology.
    3. Role-specific modules: Enhanced and specialized training shall be delivered through dedicated sessions (in person or virtual) tailored to the audience. Role-specific modules shall be offered at least annually.
    4. Just-in-time training: Brief targeted training may be provided in response to specific events (for example, a privacy incident, a new system rollout, or a legislative change) and does not replace annual requirements.

f. Tracking and compliance monitoring

  1. The Director of Technology shall maintain a training tracking system that records, for each individual: training modules completed, completion dates, expiry dates, and compliance status. The tracking system shall support automated renewal notifications.
  2. The Director of Technology shall generate compliance reports periodically and provide them to the Access and Privacy Coordinator. Reports shall identify individuals who are non-compliant or approaching expiry.
  3. Compliance rates shall be reported to Senior Administration as required.

g. Annual review of training content

  1. The Access and Privacy Coordinator shall review all training content annually, in coordination with the Director of Technology, to ensure materials reflect current legislative requirements, Division policies and procedures, OIPC guidance, and lessons learned from privacy complaints and incidents.

h. Integration with security awareness training

  1. Privacy training may be delivered alongside the Division's security awareness training program but shall be tracked separately to ensure that privacy-specific content is completed.
  2. Security awareness training (covering phishing recognition, password security, device security, and incident reporting) is governed by A.P. 327 – Security Awareness and Training. Joint delivery coordination and separate tracking requirements are defined in this section and in A.P. 327.

i. Records and compliance

  1. Training completion records shall be maintained for a minimum of three years.
  2. The Director of Technology shall report training compliance rates to Senior Administration as required.
  3. Staff who fail to complete required training within the prescribed timelines may have their access to systems containing personal information restricted until training is completed, in accordance with A.P. 320.

2. Privacy complaints

The Division shall maintain a process for receiving and responding to privacy complaints as required under M-Reg 143/2025 s.6(1)(b)(i)(C). A privacy complaint is distinct from a privacy breach report; breach reports are handled under A.P. 321.

a. What constitutes a privacy complaint

  1. A privacy complaint is a formal expression of dissatisfaction regarding the Division's collection, use, disclosure, retention, protection, or accuracy of personal information. Examples include:
    1. An individual believes their personal information was collected without proper authority.
    2. An individual believes their personal information was disclosed without authorization.
    3. An individual believes the Division has not adequately protected their personal information.
    4. An individual believes the Division has not responded appropriately to a correction or access request.
  2. If a complaint describes circumstances that may constitute a privacy breach (unauthorized access, disclosure, or loss of personal information), the Access and Privacy Coordinator shall also initiate the incident response process under A.P. 321.

b. Who may complain

  1. Any individual whose personal information is in the custody or control of the Division may submit a privacy complaint. For students under the age of 18, a parent or guardian may submit a complaint on the student's behalf.

c. Submission method

  1. Privacy complaints shall be submitted in writing to the Access and Privacy Coordinator. Written complaints may be submitted by letter, email, or through the Privacy Portal. Individuals may use the Privacy Complaint Submission Form in IM-023 – Privacy Complaint Handling to structure their complaint.
  2. Oral complaints shall be accepted and documented by the receiving staff member. The staff member shall record the date, the complainant's name and contact information, and the substance of the complaint, and shall forward the documented complaint to the Access and Privacy Coordinator within one business day.

d. Acknowledgement

  1. The Access and Privacy Coordinator shall acknowledge receipt of a privacy complaint within five business days. The acknowledgement shall assign a unique complaint file number, confirm the complaint has been received, and provide an estimated timeline for response.

e. Investigation

  1. The Access and Privacy Coordinator shall investigate the complaint, which may include:
    1. Reviewing relevant records and system logs.
    2. Interviewing staff involved in the matter.
    3. Consulting with the Director of Technology on technical matters.
    4. Reviewing applicable policies and legislative requirements.
  2. The investigation shall be completed and a response provided within 30 business days of receipt of the complaint. If additional time is required, the complainant shall be notified of the delay and the reason.

f. Outcomes

  1. Upon completing the investigation, the Access and Privacy Coordinator shall determine one of the following outcomes:
    1. Substantiated: The complaint is supported by the evidence, and corrective action is required.
    2. Not substantiated: The complaint is not supported by the evidence.
    3. Partially substantiated: Some aspects of the complaint are supported, and partial corrective action is required.

g. Written notification

  1. The complainant shall be notified in writing of the outcome of the investigation, including:
    1. A summary of the findings.
    2. Any corrective action taken or planned.
    3. The complainant's right to request a review by the Office of the Information and Privacy Commissioner (OIPC) if dissatisfied with the outcome.
  2. The written response shall follow the Complaint Response Letter Template in IM-023 – Privacy Complaint Handling.

h. Right to escalate to the OIPC

  1. Under POPA, an individual must first make a complaint to the Division before requesting a review by the OIPC. The Division's complaint response shall inform the complainant of this right.

i. Documentation and retention

  1. The Access and Privacy Coordinator shall maintain records of all privacy complaints, including the complaint, investigation notes, outcome, and any corrective action. Complaint records shall be retained for a minimum of three years.

j. Periodic reporting

  1. The Access and Privacy Coordinator shall include a summary of privacy complaints in the periodic privacy report to Senior Administration, including the number of complaints received, outcomes, and any systemic issues identified.

3. Correction of personal information

  1. An individual whose personal information is in the custody or control of the Division may request correction of that information.

a. Submission method

  1. Correction requests shall be submitted in writing to the Access and Privacy Coordinator, identifying the personal information believed to be incorrect and the correction requested.

b. Supporting evidence

  1. The individual shall provide supporting evidence for the requested correction. The evidence must be of the same nature and at least the same quality as the information required when the original collection took place. For example, a request to correct a date of birth should be supported by an official document such as a birth certificate.

c. Opinions and professional judgment

  1. The Division must not correct an opinion, including a professional or expert opinion, regardless of the individual's request. Opinions reflect the view of the author at the time they were recorded.
  2. If no correction is made because the information is an opinion or because the supporting evidence is insufficient, the Access and Privacy Coordinator shall annotate or link the personal information with the relevant and material portion of the requested correction.

d. Timeline

  1. The Access and Privacy Coordinator shall give written notice to the individual within 30 business days after the correction request is received, or any longer period allowed by the Information and Privacy Commissioner. The notice shall inform the individual whether the correction has been made or whether an annotation or linkage has been made.

e. Transfer to another public body

  1. If the personal information was collected by another public body or if another public body created the record containing the personal information, the Access and Privacy Coordinator may transfer the correction request to that body within 15 business days of receipt. The individual shall be notified of the transfer as soon as possible.

f. Duty to notify third parties

  1. Upon correcting, annotating, or linking personal information, the Access and Privacy Coordinator shall notify any other public body or third party to whom the information was disclosed during the one year before the correction was requested.
  2. The Access and Privacy Coordinator may dispense with third-party notification if the correction, annotation, or linkage is not material and the individual agrees in writing that notification is not necessary.

g. Retention

  1. Personal information used to make a decision about an individual shall be retained for a minimum of one year from the date of the decision, ensuring the individual has a reasonable opportunity to obtain access to the information and request correction.

4. Personal information collection and notification

  1. When collecting personal information directly from an individual, the Division shall inform the individual of the purpose of the collection, the legal authority for the collection, and the contact information of an official who can answer questions about the collection.
  2. Where personal information will be used in an automated system, notice shall be provided at the time of collection in accordance with POPA s.5(2)(d).
  3. Forms used to collect personal information must be limited to information needed for the specific purpose and must include the required notification statements. The Privacy Management Program shall provide templates and guidance. For photograph and media consent specifically, see IM-029 – Photograph and Media Consent Procedures.
  4. The use of cookies, analytics, and other tracking technologies on Division websites shall be disclosed to visitors. Where personal information is stored or processed outside Alberta, individuals shall be notified of the jurisdictions involved.

Consent is one basis for the collection, use, or disclosure of personal information. However, the Division's authority to collect, use, and disclose personal information most often derives from the Education Act or from POPA itself. Consent is required only where collection, use, or disclosure is not otherwise authorized by law. Where consent is required, the form requirements (oral, electronic, or written) are governed by the Protection of Privacy Regulation, Alta Reg 132/2025 ("Reg 132/2025"), section 2.

  1. Consent is required when the Division collects personal information for a purpose not authorized under section 4 of POPA, when the Division uses personal information for a purpose not consistent with the original purpose of collection and not otherwise authorized under section 14 of POPA, or when the Division discloses personal information in circumstances not authorized under section 13 of POPA.
  2. Consent is not required where the collection, use, or disclosure is authorized or required by the Education Act, POPA, or another enactment of Alberta or Canada.
  1. Consent may be obtained in the following forms (Reg 132/2025 s.2):
    1. Written consent: The individual signs a consent form or provides consent through a signed document. Written consent is required for disclosures of Restricted or Confidential personal information under A.P. 313, disclosures to parties outside Canada, and any disclosure where the individual's clear, documented agreement is necessary.
    2. Electronic consent: The individual provides consent through an authenticated electronic process, such as checking a box in a Division portal or responding to an email from a verified account. Electronic consent is acceptable for routine collection and use activities, including registration for online services and approval for application use.
    3. Oral consent: The individual provides verbal agreement, which is documented by the receiving staff member including the date, time, parties involved, and the specific consent given. Oral consent is acceptable only for time-sensitive situations where written or electronic consent is impracticable, and must be followed up with written or electronic confirmation where possible.
  1. For students under the age of 18, consent shall be obtained from a parent or guardian unless the student is determined to have the capacity to consent independently, considering the student's age, maturity, and the nature of the personal information involved.
  2. For routine educational activities authorized under the Education Act, parental notification, rather than consent, is generally sufficient. Consent templates shall clearly distinguish between notification and consent.
  1. Individuals may withdraw consent at any time by notifying the Division in writing. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.
  2. Upon withdrawal of consent, the Division shall cease the collection, use, or disclosure that relied on that consent, unless another legal authority applies. The Division shall inform the individual of any consequences of withdrawal, including any impact on service delivery.
  1. Implied consent is not sufficient for the collection, use, or disclosure of personal information. Where consent is the legal basis for an activity, consent must be express (written, electronic, or oral as described above) per Reg 132/2025 s.2. This requirement does not apply to activities authorized by another legal authority, such as collection under the Education Act, video surveillance under A.P. 505, or other statutory authorities under POPA s.4. Activities operating under statutory authority require notification rather than consent.

f. Record-keeping

  1. The Division shall maintain records of consent obtained, including the form of consent, the date, the specific purposes consented to, and any withdrawal. Consent records shall be retained for a minimum of one year after the consent is no longer relied upon.
  2. The Privacy Management Program shall provide standardized consent templates for common collection and disclosure scenarios. For photograph and media consent, use the tiered consent model and forms in IM-029 – Photograph and Media Consent Procedures.

6. Data matching, derived data, and non-personal data

The Division may engage in data matching and the creation of derived data and non-personal data to support educational programs, research, and operational planning. These activities are subject to specific requirements under POPA and M-Reg 143/2025.

a. Authorized purposes

  1. The Division may carry out data matching to create data derived from personal information only for one or more of the following purposes:
    1. Research and analysis.
    2. Planning, administering, delivering, managing, monitoring, or evaluating a program or service.
    3. One or more prescribed purposes under POPA.
  2. The Division may create non-personal data only for the same authorized purposes listed above.

b. Derived data restrictions and destruction

  1. Data derived from personal information may only be used for the purpose for which it was originally created.
  2. As soon as reasonably possible after the original purpose is fulfilled, the Division must destroy the data derived from personal information or transform it into non-personal data.
  3. Disclosure of data derived from personal information is prohibited except to the public body that originally provided the personal information for the purpose for which the derived data was created, or to the Office of Statistics and Information for the purposes of the Office of Statistics and Information Act.

c. Human oversight

  1. In accordance with M-Reg 143/2025 s.3(2), the Division must implement human oversight, auditing, and validation measures for systems used for creating data derived from personal information or non-personal data to ensure the accuracy and reliability of the data.
  2. The Director of Technology, in coordination with the Access and Privacy Coordinator, shall establish and maintain appropriate oversight processes for any system used to create derived data or non-personal data.

d. Non-personal data creation requirements and record-keeping

  1. Non-personal data is "created" when the Division transforms personal information, or data derived from personal information, into a form from which individuals cannot be identified or re-identified. Each such transformation, whether through aggregation, suppression, generalization, synthesis, or another method, is a creation event triggering the record-keeping requirements below:
    1. A description of the personal information or data derived from personal information used to create the non-personal data.
    2. The purpose for creating the non-personal data.
    3. The method used for creating the non-personal data.
    4. The assessment performed to ensure that the identity of individuals cannot be identified or re-identified from the data.
  2. The Division must identify potential sources of bias in non-personal data, including bias inherited from the source personal information, bias introduced by the de-identification method, and bias arising from suppression of small populations, and document these in the creation record. Where bias materially affects the reliability of the data for its intended purpose, this shall be disclosed to users of the data.
  3. Records of non-personal data creation shall be retained for a minimum of three years.

e. Approval process

  1. Before conducting data matching or creating derived data, the requesting department shall submit a request to the Access and Privacy Coordinator describing the intended purpose, the data sources involved, and the planned use and retention period.
  2. The Access and Privacy Coordinator shall determine whether the activity meets the authorized purposes under POPA and whether a Privacy Impact Assessment is required.

f. Prohibition on sale

  1. The Division shall not sell personal information, data derived from personal information, or non-personal data in any circumstances or for any purpose.

7. Personal Information Banks

  1. Under POPA s.58, the Division is required to maintain and publish a directory of its Personal Information Banks. The directory enables the public to know what categories of personal information the Division holds and the purposes for which it is held.
  2. System Owners are responsible for identifying when a system under their ownership constitutes a Personal Information Bank and notifying the Access and Privacy Coordinator.
  3. The PIB directory shall include for each bank:
    1. The title or name.
    2. The location.
    3. The types of personal information contained.
    4. The categories of individuals the information pertains to.
    5. The purpose of collection and how information is used or disclosed.
    6. The legal authority for collection.
  4. The Access and Privacy Coordinator shall maintain the PIB directory and publish it at https://governance.grasslands.ab.ca/pib-directory, in fulfillment of the publication requirement under POPA s.58.

8. Access to information request procedures

The Access to Information Act (ATIA) provides the public with a right of access to records in the custody or control of the Division. This section establishes the procedures for processing formal ATI requests.

a. Routine disclosure

  1. Wherever possible, requests for information should be accommodated through routine disclosure without requiring a formal ATI request. Staff should direct requestors to publicly available information, including the Division website, published policies, and school communications.
  2. When routine disclosure is not possible or the requestor specifically invokes ATIA, a formal ATI request shall be processed under this section.

b. Submission

  1. A formal ATI request must be made in writing and directed to the Access and Privacy Coordinator. The request may be submitted by letter, email, or by completing the Division's Request to Access Information Form available on the Division website.
  2. An applicant may make an oral request if their ability to read or write English is limited, or if they have a physical disability or condition that impairs their ability to make a written request. Oral requests shall be documented by the receiving staff member and forwarded to the Access and Privacy Coordinator.

c. Fees

  1. The Division is authorized to charge fees for services related to ATI requests in accordance with the Access to Information Act Regulation. The Access and Privacy Coordinator shall inform the applicant of any applicable fees before processing the request.

d. Timeline

  1. ATI requests shall be processed within the timelines established under ATIA. The Access and Privacy Coordinator shall provide a response or an extension notice within the time required by the Act.

e. Exceptions

  1. The Access and Privacy Coordinator shall review responsive records and apply any exceptions authorized under ATIA. Where an exception applies to only part of a record, the remainder shall be disclosed.

f. Applicant identity protection

  1. Staff must not reveal the identity of an ATI applicant in any communication, formal or informal, with any other individual unless the other individual requires the identity to search for responsive records.

g. Right of review

  1. If the applicant is dissatisfied with the Division's response, they may request a review by the OIPC. The Division's response shall inform the applicant of this right.

h. Documentation

  1. The Access and Privacy Coordinator shall maintain records of all ATI requests, including the request, responsive records, exceptions applied, and response. Records shall be retained in accordance with Division retention requirements.

9. Privacy Impact Assessments

The Division shall conduct a Privacy Impact Assessment (PIA) when required under POPA s.26 and M-Reg 143/2025 s.7. A PIA identifies and addresses privacy and security risks associated with the collection, use, or disclosure of personal information in new or substantially changed information systems, administrative practices, programs, or services. Operational guidance for completing PIAs (including the joint intake process, evidence assembly, supporting document production, and OIPC submission procedures) is provided in IM-008 – Privacy Impact Assessment Procedures.

a. When a PIA is required

  1. A PIA is required for a new information system, administrative practice, program, or service, or a substantial change to an existing one, that involves the collection, use, or disclosure of personal information, where one or more of the following factors apply (M-Reg 143/2025 s.7(1)):
    1. The personal information is deemed to be of high sensitivity under M-Reg 143/2025 s.1, including biometric information, financial information, or personal information about a minor, senior, or vulnerable individual.
    2. The activity involves the personal information of a significant percentage of the population the Division serves.
    3. The activity involves data matching between two or more public bodies.
    4. The activity is part of a common or integrated program or service.
    5. The activity involves the development or use of innovative technology.
    6. The loss of, unauthorized access to, or unauthorized disclosure of the personal information could result in significant harm.
  2. Because students are minors, virtually all systems that collect or process student personal information automatically meet the high-sensitivity threshold under M-Reg 143/2025 s.1. System Owners shall treat the high-sensitivity classification as the default for student-facing systems, not the exception.
  3. The Division's acquisition-context PIA triggers under A.P. 312 (including PIA requirements for Core Systems, adaptive learning systems, and biometric or emotional AI systems) operate alongside the statutory triggers in this section. Either a statutory trigger or an acquisition trigger is sufficient to require a PIA.

b. When a PIA must be submitted to the Commissioner

  1. A PIA shall be submitted to the Office of the Information and Privacy Commissioner (OIPC) when one or more of the following factors apply (M-Reg 143/2025 s.7(5)):
    1. The personal information is deemed to be of high sensitivity under M-Reg 143/2025 s.1.
    2. The activity involves the personal information of a significant percentage of the population the Division serves.
    3. The activity involves data matching between two or more public bodies.
    4. The activity is part of a common or integrated program or service.
    5. The activity involves the development or use of innovative technology.
  2. A PIA conducted because of a significant-harm risk only (that is, where no other factor in clause lxxxviii applies) is not required to be submitted to the Commissioner. The Commissioner may nonetheless request a copy of the PIA under POPA s.27(1)(j).
  3. Because most Division PIAs involve high-sensitivity personal information about minors, most Division PIAs require submission to the OIPC. System Owners shall not assume a PIA is internal-only without confirmation from the Access and Privacy Coordinator.

c. Mandatory use of the OIPC POPA PIA Template

  1. The Division shall use the OIPC POPA PIA Template for all PIAs prepared under this procedure, whether or not the PIA is submitted to the Commissioner. The structure and format of the template shall not be modified.
  2. The Access and Privacy Coordinator shall verify that the most current version of the OIPC POPA PIA Template is in use before each PIA is initiated. Operational guidance for version verification is provided in IM-008.

d. Sign-off authority

  1. A PIA submitted to the OIPC shall include a cover letter signed by the head of the public body or by a person to whom signing authority has been delegated under POPA s.55. The Division's standing delegation is recorded in CG-003 – Delegation of Authority Under POPA.
  2. The cover letter shall be on Division letterhead and shall meet the form requirements established by the OIPC.

e. Privacy Management Program reference

  1. The Division's Privacy Management Program, established under POPA s.25, is documented in CG-002 – Privacy Management Program Overview. CG-002 shall be referenced or attached to PIA submissions as required by the OIPC POPA PIA Template.
  2. Once CG-002 has been submitted to the OIPC and assigned a file number, subsequent PIA submissions may reference the CG-002 file number rather than re-attaching the document, provided no material changes have occurred since submission.

f. Recordkeeping and amendment

  1. Each PIA shall be assigned a Division reference number using the relevant Grasslands project number under A.P. 312. Amendments to a previously completed PIA shall use an appended suffix indicating the amendment number (for example, [project number]-A1, [project number]-A2).
  2. PIAs and supporting attachments shall be retained in accordance with the retention requirements established for privacy management records under IM-009 – Records Retention Schedule.
  3. A PIA shall be amended when the underlying information system, administrative practice, program, or service undergoes a substantial change affecting the collection, use, or disclosure of personal information. Amendment workflow is defined in IM-008.

Review

This procedure shall be reviewed every three years by the Access and Privacy Coordinator, or earlier if triggered by:

Cross reference

Legal reference