| Policy Code | 311 |
|---|---|
| Adoption Date | May 26, 2026 |
| Amendment Date | — |
| Cross Reference | Policy 101, Policy 102, Policy 310, AP-312, AP-313, AP-320, AP-321, AP-322, AP-323, AP-324, AP-325, AP-328, AP-505, CG-002 |
| Legal Reference | Education Act, SA 2012, c E-0.3; Protection of Privacy Act, SA 2024, c P-28.5; Access to Information Act, SA 2024, c A-1.4 |

Grasslands Public Schools shall protect the privacy of personal information in its custody or control, shall provide individuals and the public with access to information in accordance with applicable legislation, and shall maintain a privacy governance framework that meets the requirements of the Protection of Privacy Act and the Access to Information Act. This policy establishes the principles and framework for privacy protection and access to information across the Division, including the Division's website and online services.
PREAMBLE
Grasslands Public Schools is committed to protecting the privacy of students, staff, parents, and all individuals whose personal information is collected in the course of delivering educational programs and services. The Division also recognizes the public's right to access information held by public bodies, balanced against the need to protect personal privacy and confidential information.
As a public body in Alberta, the Division is subject to the Protection of Privacy Act (POPA) and the Access to Information Act (ATIA). POPA establishes obligations to protect the privacy of personal information held by public bodies, including mandatory privacy management programs, breach notification, and restrictions on collection, use, and disclosure of personal information. ATIA establishes the public's right to access records in the custody or control of public bodies, subject to limited and specific exceptions.
DEFINITIONS
Access to Information Act (ATIA): Alberta legislation that provides the public with a right of access to records held by public bodies, subject to limited exceptions.
Personal Information: Recorded information about an identifiable individual, as defined in the Protection of Privacy Act.
Protection of Privacy Act (POPA): Alberta legislation that establishes obligations for public bodies regarding the protection of personal information, including requirements for privacy management programs, breach notification, and restrictions on collection, use, and disclosure.
Protection of Privacy (Ministerial) Regulation, Alta Reg 143/2025 ("M-Reg 143/2025"): The Alberta regulation that gives effect to POPA, including the components of a Privacy Management Program (s.6), Privacy Impact Assessment requirements (s.7), real risk of significant harm determination (s.4), human oversight of automated systems (s.3(2)), and the definition of high-sensitivity personal information (s.1).
Protection of Privacy Regulation, Alta Reg 132/2025 ("Reg 132/2025"): The Alberta regulation that defines administrative, physical, and technical safeguards (s.1) and establishes the requirements for oral, electronic, and written consent (s.2).
SCOPE
This policy applies to all personal information and records in any format that are in the custody or under the control of Grasslands Public Schools, including information stored electronically on servers, databases, cloud services, computers, and mobile devices; information in paper records, files, and documents; information collected through the Division website and online services; video, audio, and photographic records; and information transmitted electronically by any means.
This policy applies to all individuals who interact with Division information systems or whose personal information is held by the Division, including students and their parents or guardians, all employees, trustees, contractors, consultants, service providers, volunteers, and visitors to Division websites and facilities.
ROLES AND RESPONSIBILITIES
The Board of Education designates the Superintendent as the Head of the Public Body for purposes of POPA and ATIA.
The Associate Superintendent Business Services shall act in the capacity of Access and Privacy Coordinator for the Division, responsible for overseeing compliance with POPA and ATIA, coordinating the Division's Privacy Management Program, and serving as the primary contact for privacy and access to information matters.
The principal shall be the site coordinator for the purposes of the Protection of Privacy Act and the Access to Information Act. Site coordinators are responsible for ensuring the protection of personal information at their sites and for directing inquiries about disclosure of information to the Access and Privacy Coordinator.
Senior Administration is accountable for privacy and access to information compliance within their respective areas of responsibility. All staff are responsible for protecting personal information in their custody and reporting potential privacy breaches immediately.
GUIDELINES
Privacy Management Program
The Division shall establish and maintain a Privacy Management Program as required under POPA.
The Privacy Management Program shall include documented policies, procedures, and practices to ensure compliance with POPA and to govern the collection, use, disclosure, and protection of personal information.
The Privacy Management Program shall be proportionate to the volume and sensitivity of the personal information in the custody and control of the Division.
The Division's Privacy Management Program is documented in CG-002 – Privacy Management Program Overview, which serves as the publicly available summary required under POPA s.25(3).
Privacy principles
Grasslands Public Schools adheres to the following privacy principles in all activities involving personal information:
Collection Limitation: Personal information shall only be collected where authorized by law or where directly related to and necessary for an operating program or activity of the Division.
Purpose Specification: The purpose for collecting personal information shall be identified at or before the time of collection.
Consent: Personal information shall be collected directly from the individual wherever possible, with appropriate notice and, where required, consent.
Use Limitation: Personal information shall only be used for the purpose for which it was collected, or for a use consistent with that purpose, unless consent is obtained or use is authorized by law.
Disclosure Limitation: Personal information shall only be disclosed as authorized under POPA or with the consent of the individual.
No Sale of Personal Information: The Division shall not sell personal information or use it for marketing or advertising purposes.
Accuracy: Personal information shall be as accurate, complete, and current as necessary for the purposes for which it is used.
Safeguards: Personal information shall be protected by reasonable security safeguards appropriate to the sensitivity of the information.
Transparency: The Division shall be open about its policies and practices regarding the management of personal information.
Individual Access: Individuals have the right to access their personal information held by the Division and to request corrections where appropriate.
Accountability: The Division is accountable for personal information in its custody or control.
Collection, use, and disclosure
The Division collects, uses, and discloses personal information only as authorized or required by POPA and the Education Act. Personal information shall be collected directly from the individual wherever possible, used only for the purpose for which it was collected or a consistent purpose, and disclosed only as authorized under POPA or with the individual's consent. The Division shall not sell personal information or use it for marketing or advertising purposes.
Records management
The Division shall maintain a directory of Personal Information Banks as required under POPA and shall retain personal information used to make decisions about individuals for at least one year from the date of the decision. Records shall be retained and disposed of in accordance with the Division's records retention schedules and applicable legal requirements.
Access to information
The public has a right to access records in the custody or control of the Division, subject to the exceptions set out in ATIA. The Division shall make information available through routine channels wherever possible; a formal request under ATIA should be the avenue of last resort. Individuals have the right to access their own personal information and to request corrections where they believe an error or omission exists.
Technology and privacy
Technology systems that collect, use, or process personal information shall be subject to privacy impact assessment and approval requirements proportionate to the sensitivity of the information involved. The Division shall not use automated systems as the sole basis for decisions that significantly affect individuals. Online services shall collect only the personal information necessary for the intended purpose.
Privacy breaches
All suspected or confirmed privacy breaches shall be reported immediately. Where a breach creates a real risk of significant harm, the Division shall notify affected individuals, the Minister, and the Office of the Information and Privacy Commissioner without unreasonable delay, as required under POPA.
COMPLIANCE
The Division recognizes that privacy and access violations have unique circumstances. Violations of this policy will be evaluated based on the nature of the violation, the harm incurred, any previous violations by the individual, and mitigating factors.
Sanctions resulting from violations of this policy may include:
Verbal warning
Written warning
Removal or restriction of access rights
Dismissal
Legal action