Privacy Reports

 

 

 

 

 

          PRIVACY COMPLAINT REPORT

 

           PRIVACY COMPLAINT NO. MI10-5

 

            Ottawa-Carleton District School Board

 

               March 3, 2011

 

 

 

 

 

 

 

 

PRIVACY COMPLAINT REPORT

 

 

 

PRIVACY COMPLAINT NO.                   MI10-5

 

 

 

INVESTIGATOR:                                       Mark Ratner

 

 

 

INSTITUTION:                                            Ottawa-Carleton District School Board

 

 

 

SUMMARY OF COMMISSIONER INITIATED COMPLAINT:

 

In October of 2010, the Information and Privacy Commissioner/Ontario (IPC) was contacted by the Ottawa-Carleton District School Board (the Board) to advise that it will be conducting a survey (the survey) of Board students. The Board explained that the survey was voluntary, and would consist of questionnaires provided to Board students that would be completed by either the students themselves (for students in grades 7-12) or by students’ parents (for students in Junior Kindergarten (JK) to grade 6). At that time, the Board requested that the IPC review, and provide comments on, the planned survey.

 

The Board’s plans with respect to the survey were later reported in the media. After that time, the IPC was contacted by some parents who had children enrolled in schools in the Board, and who had expressed concerns about the survey. The concerns expressed by these parents included:

 

•         concerns regarding the potential uses of the information collected through the survey;

•         concerns regarding potential errors or inaccuracies in survey data;

•         concerns regarding certain questions on the survey questionnaire, particularly the question related to sexual orientation (which only appears on the survey for students in grades 7-12);

•         concerns relating to the lack of anonymity of the survey; and

•         concerns relating to the process of withholding consent to a child’s participation in the survey, and how such consent is enforced.

 

The IPC decided to open a Commissioner-initiated privacy investigation in order to assess whether the Board’s implementation of the survey was in accordance with the provisions of the Municipal Freedom of Information and Protection of Privacy Act (the Act).

In response to the IPC’s request, the Board agreed to postpone the implementation of the survey until after the IPC’s investigation had been completed.

 

Background

 

The following background information concerning the survey was provided by the Board.

 

As noted above, the survey consists of two separate questionnaires. The questionnaire regarding students in JK to grade 6 is addressed to parents or guardians and is intended to be completed by parents or guardians at home on their child’s behalf. This questionnaire would be sent home with students, and parents or guardians would have the option of completing the survey online, or on paper questionnaires sent home.

 

The questionnaire directed at students in grades 7-12 is intended to be completed independently by students in school in computer labs, or in paper format. The Board has also stated that students in grades 7-12 will also have the option of completing the survey at home.

 

As noted, the Board has also stated that the survey is intended to be voluntary, and students, parents, and guardians have the option of not participating in the survey. The Board has indicated that prior to the survey taking place, a letter addressed to parents and guardians will be sent home, which elaborates on the manner in which parents, guardians, and students may choose to withhold their consent and not participate in the survey.

 

The letter explains that the survey is voluntary. Parents, guardians, and students may choose not to complete the survey or skip certain questions. Enclosed with the letter is a form that may be used by parents or guardians of students in grades 7-12 to opt-out of their child’s participation in the survey.

 

The two survey questionnaires are similar in nature as both contain questions relating to the following:

 

•         the child’s country of birth and ethnicity, including whether the child has Aboriginal origins;

•         any disabilities the child may have;

•         languages spoken;

•         parents’ education level and employment status;

•         religious affiliation; and

•         the child’s perception of his or her school experience.

 

The survey that is administered to students in grades 7-12 includes additional questions that are not included on the JK-6 questionnaire. Among these additional questions are questions related to the student’s sexual orientation and questions relating to the student’s plans after high school.

 

 

 

The Board has addressed the rationale underlying its decision to undertake the survey. In this respect, the Board has explained that the implementation of the survey represents a movement towards a “student-centred pedagogy,” representing a teaching style that incorporates different student learning styles as well as different instructional needs.

 

The Board has stated that the data that will be collected as a result of the survey’s implementation will be used to:

 

•         understand the unique and diverse composition of the student population;

•         identify student populations that may require extra help;

•         identify the need for new or enhanced programs to help student success; and

•         promote positive school climate initiatives.

 

The Board has explained that the data obtained from the survey will be used to create aggregate reports, including:

 

•         Board-wide report of the student population based on demographic information;

•         Reports on the student population on a per school basis; and

•         Reports that may link survey data with other achievement data that is currently in the custody of the Board.

 

In addition, the Board has also explained that the information obtained from the survey will be used to satisfy Ministry of Education (Ministry) requirements respecting Aboriginal self-identification.

 

The Board has stated that each survey questionnaire contains a unique survey number, and does not contain any additional information that can be used to identify a student. The presence of unique survey numbers on questionnaires allows the Board to link survey responses with existing achievement data that is currently maintained by the Board in a database. A detailed description of the way in which the linking of data takes place appears below.

 

As noted above, the Board has agreed to delay the implementation of the survey until after this investigation has been completed. I would like to acknowledge and thank the Board for its cooperation in this regard.

 

DISCUSSION:

 

The following issues were identified as arising from the investigation:

 

Is the information “personal information” as defined in section 2(1) of the Act?

 

At issue in this investigation is the information that will be obtained by the Board through the survey. The survey questionnaire requests the provision of information related to the following: students’ country of birth; languages spoken; ethnicity; parents’ education and employment status. In the case of the surveys administered to students in grades 7-12, the questionnaire also requests information concerning students’ sexual orientation and plans after leaving high school.

The survey questionnaires do not request information such as student names, addresses, or students’ Ontario Education Number (OEN). However, each survey contains a survey number that is unique for every Board student. The survey numbers can be linked to identifiable information contained in a database that is maintained by the Board.

 

Section 2(1) of the Act states, in part:

 

“personal information” means recorded information about an identifiable individual, including,

 

(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

 

(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

 

(c) any identifying number, symbol or other particular assigned to the individual,

 

(d) the address, telephone number, fingerprints or blood type of the individual,

 

(e) the personal opinions or views of the individual except if they relate to another individual,

 

[emphasis added]

….

 

In order for information to qualify as personal information, there has to be a reasonable expectation that an individual can be identified if that information is disclosed [see Order PO-1880, upheld on judicial review in Ontario (Attorney General) v. Pascoe, [2002] O.J. No. 4300 (C.A.)].

 

With respect to the question of whether the data obtained through the survey can be used to identify an individual, the Board has stated:

 

Although the survey does not include a student name or student number and therefore the completed survey itself would not “identify” a student’s personal information, the survey does include a survey number which is separately secured, but can be linked to the student number.

 

The Board has acknowledged that each survey contains a unique survey number that may be linked to identifiable student information that is maintained by the Board. Because the survey data may be linked to identifiable information, I am satisfied that there is a reasonable expectation that an individual could be identified from the survey data.

 

I further note that the type of information collected through the survey (e.g., information about a student’s ethnic origin, religion, and education) is the sort of information that qualifies as “personal information” under section 2(1) of the Act.

 

Based on the above, I am satisfied that the information collected through the survey qualifies as personal information under section 2(1) of the Act. The Board concurs with this conclusion.

 

Would the collection of the “personal information” be in accordance with section 28(2) of the Act?

 

In this instance, the personal information collected is the information contained on the survey questionnaires that will be distributed to Board students and parents.

 

Section 28(2) of the Act states:

 

No person shall collect personal information on behalf of an institution unless the collection is expressly authorized by statute, used for the purposes of law enforcement or necessary to the proper administration of a lawfully authorized activity.

 

Section 28(2) of the Act establishes a basic prohibition on the collection of personal information that is subject to three exceptions. In order for a given collection of personal information to be permissible, the institution in question must demonstrate that the collection in question is either (1) expressly authorized by statute, (2) used for the purposes of law enforcement, or (3) necessary to the proper administration of a lawfully authorized activity.

 

In this case, the Board has taken the position that the collection of personal information at issue is permitted under the third branch of section 28(2); namely, that it is necessary to the proper administration of a lawfully authorized activity.

 

In order to demonstrate that a given collection of personal information is necessary to the proper administration of a lawfully authorized activity, the institution in question must first show that the activity in question is lawfully authorized, and second, the institution must demonstrate that the collection of the personal information is necessary to the proper administration of that lawfully authorized activity.

 

With respect to the question of whether the activity in question (i.e., the implementation of the survey) is lawfully authorized, the Board has made reference to a number of statutory provisions contained in Ontario’s  Education Act , including section 169.1(1)  of the Education Act , which states:

 

 

 

(1)  Every board shall,

 

(a) promote student achievement and well-being;

 

(b)  ensure effective stewardship of the board’s resources;

 

(c) deliver effective and appropriate education programs to its pupils;

 

(d) develop and maintain policies and organizational structures that,

 

(i) promote the goals referred to in clauses (a) to (c), and

 

(ii) encourage pupils to pursue their educational goals;

 

….

 

The Board has also made reference to the provisions of the Education Act  that set out the duties and powers of school boards. With respect to the duties of boards, section 170(1)  of the Education Act  states, in part:

 

Every board shall,

            …

6. provide instruction and adequate accommodation during each school year for the pupils who have a right to attend a school under the jurisdiction of the board;

 

Section 171(1)  of the Education Act  sets out the powers of school boards and states, in part:

 

A board may,

            …

8. provide instruction in courses of study that are prescribed or approved by the Minister, developed from curriculum guidelines issued by the Minister or approved by the board where the Minister permits the board to approve courses of study;

 

The Board has explained the way in which the survey will assist it in meeting its obligations under the Education Act  and has stated:

 

The student survey will provide the [Board] with information on student demographics (e.g., racial, ethnic, and family background, gender, age, language, country of origin and sexual orientation) as well as student well-being (student experience in school, quality of education, sense of belonging to school environment, etc.). This information will provide the [Board] with a better understanding of our student population and their experience at school, which is essential to our responsibility for promoting student well-being. 

 

In sum, it is the position of the Board that the survey will provide it with useful demographic information, as well as information regarding the perceptions of students, parents, and guardians on students’ educational experience at school. Based on the provisions of the Education Act  cited above, I am satisfied that the implementation of this survey will further the Board’s pursuit of its statutory responsibilities and therefore constitutes a “lawfully authorized activity” under section 28(2) of the Act.

 

Having determined that the survey constitutes a lawfully authorized activity, it is now necessary to determine whether the collection of personal information is necessary to the achievement of this lawfully authorized activity.

 

In this respect, the Board has stated:

 

It is important to recognize that the [Board’s] responsibility for student well-being is not independent of our responsibility for student achievement. The Education Act  requires the [Board] to “promote student achievement and student well-being”. The [Board] maintains that to do this, it is necessary to connect the data collected from the survey with student achievement data. In so doing, the [Board] will have aggregate information from which it can make informed decisions regarding the priorities established in our Board Improvement Plan, our school improvement plans, and future program reviews, research opportunities and partnerships. More specifically, this will allow the [Board] to better understand and differentiate student needs which will build capacity for developing or enhancing programs and interventions to help our most vulnerable students; identifying and eliminating systemic barriers to student achievement; allocating resources to where they are most needed; and advocating for resources and funding from external partners to support student learning.

 

In sum, the Board has taken the position that the collection of identifiable information through the survey will allow it to link that information with student achievement data, which will, in turn, allow it to better understand and differentiate student needs, and lead to better educational outcomes.

 

The Board has also specifically addressed the portions of the questionnaire that query whether the child has Aboriginal origins. In this respect, the Board has made reference to a Ministry[1] directive that mandates that school boards should strive to:

 

consult on, develop, and implement strategies for voluntary, confidential Aboriginal student self-identification, in partnership with local First Nation, Métis, and Inuit parents and communities.

The Board has stated that it has been working in partnership with local First Nation, Métis and Inuit parents in the development of the survey.

 

In assessing whether the collection of personal information in this instance is necessary to the proper administration of a lawfully authorized activity, I have considered MC06-63, which involved the Toronto District School Board (TDSB). The recommendations and findings in MC06-63 are relevant here because it concerned a student survey that collected data that was similar to the survey and data collected by the Board in this circumstance.  In MC06-63, the IPC concluded that the collection of student data that was identifiable through a questionnaire constituted a permissible collection of personal information under the Act.

 

In this case, I am also satisfied that the collection of the personal information through the survey is necessary to the proper administration of a lawfully authorized activity. I am in agreement with the Board that through the collection of the information in question, the Board will be able to link the responses of individual students with existing achievement data. By making such linkages, the Board will endeavour to identify sources for differences in achievement among students, and will be able to further its goal to promote “student achievement and well-being” as required under section 169.1  of the Education Act . I further note that the collection of information relating to Aboriginal self-identification will also serve to further the Board’s mandate under the Education Act .

 

Based on all of the above, I am therefore satisfied that the collection of the personal information through the survey is permissible under section 28(2) of the Act.

 

Will the Board provide students and parents with Notice of Collection in accordance with section 29(2) of the Act?

 

The requirement to provide Notice of Collection in connection with a given collection of personal information is set out in section 29(2) of the Act, which states:

 

If personal information is collected on behalf of an institution, the head shall inform the individual to whom the information relates of,

 

(a) the legal authority for the collection;

 

(b) the principal purpose or purposes for which the personal information is intended to be used; and

 

(c) the title, business address and business telephone number of an officer or employee of the institution who can answer the individual’s questions about the collection. 

 

In sum, an institution engaged in the collection of personal information is required to provide the individuals that are the subject of the collection with information pertaining to: the legal authority for the collection, the principal purpose or purposes for which the information is going to be used, and contact information for an individual who can answer questions about the collection.

 

The Board has stated that the following Notice will appear on every survey questionnaire:

 

Notice of Collection

 

Personal information on this form is collected under the authority of the Education Act, RSO 1990, Ch. E.2  as amended, sections 169.1, 170(1), and 171(1). The information collected will be used for three primary purposes:

•         to develop a demographic profile of our student population by district and by school;

•         to allow for the  self-identification of aboriginal students; and

•         to better understand the learning needs of particular sub-groups of students.

The data will be used to better support student achievement and well-being and will inform our District and school improvement planning process. It will also inform future decisions about programs, research and partnership opportunities. The analysis of the survey information will focus on aggregates by District and schools, not individual students. The information collected on this form is confidential and will be protected. Questions regarding this collection may be directed to [contact information].

 

As this Notice is on the survey questionnaire, it can be read by the parents of students in grades JK-6 who fill out the survey on their child’s behalf, and by the students in grades 7-12 who complete the questionnaire on their own behalf.

 

I note that the Notice makes reference to the legal authority for the collection of the information, the primary purposes of the collection, and provides the contact information of an individual who may answer questions about the collection. In this respect, I am satisfied that the Notice meets the statutory requirements contained in section 29(2) of the Act.

 

In addition to the statutory requirements, I am of the view that it is crucial that the Board communicate clear information to parents, guardians and students regarding the nature and purpose of the survey. The need for clear information is also important because the Board has stated that the survey is voluntary. In order for parents, guardians and students to make an informed choice as to whether or not to participate in the survey, it is necessary that they be provided with detailed and accurate information regarding the Board’s planned uses of the survey data, particularly with respect to data that may be linked with identifiable data.

 

In this respect, the Board has explained that in the fall of 2010, it provided additional information regarding the survey to parents and students in a variety of ways, including: a postcard campaign, letter from the Director of the Board, communication from school principals, and information on the Board’s website.

 

In addition, the Board has stated that, prior to implementing the survey, it intends to send home a letter addressed to parents or guardians with every student. The letter would also be posted on the Board’s website, and released to the media. The letter would also be announced in a telephone voicemail to the parents and guardians of all Board students.

 

A draft of that letter has been provided to the IPC for review. I note that the letter includes the following:

 

•         An explanation of the reasons why the Board has decided to undertake the survey;

•         An explanation as to the voluntary nature of the survey;

•         An explanation as to the various options as to how parents and students may complete the survey, including instructions on how to opt-out of completion;

•         A summary of the planned phases of the analysis of survey data, which describe the planned uses of the data, including the voluntary self-identification of students who are Aboriginal, and the fact that information pertaining to Aboriginal identification will be included on student profiles and reported to the Ministry;

•         A diagram explaining the way in which survey data will be linked with existing student achievement data, as well as the measures in place to protect data during linking; and

•         A form that can be completed by parents or guardians of children in grades 7-12 indicating that they would like to complete the survey at home, or that they do not want their child to complete the survey.

 

I have reviewed the letter in question along with the additional communications materials. I am pleased that the Board intends to provide parents and guardians with detailed information concerning the survey, including the planned uses of survey data.

 

I also note that the communications materials in question make clear that parents, guardians, and students have the option of not participating in the survey, and describe the way in which such consent may be withheld.

 

I also note that the information materials, including the Notice of Collection, make reference to the fact the survey will be used to facilitate the voluntary self-identification of Aboriginal students.

 

I conclude that the Board has satisfied the Notice requirements under section 29(2) of the Act.

 

Are the uses of the personal information in accordance with section 31 of the Act?

 

The Board has identified six “phases” of analysis that will constitute its uses of the data obtained through the survey. These six phases of analysis include:

 

1.      Analysis of the survey results at the Board level. The Report generated to facilitate this analysis will contain a Board wide profile of the student population. The Board notes that any published Report will only contain results where there are sufficient numbers of students to maintain confidentiality.

2.      Responses to surveys will be linked with names for the purpose of identifying Aboriginal students. As noted, such linking will take place in order to comply with a Ministry directive respecting Aboriginal self-identification. Where students elect to complete the survey, and self-identify as Aboriginal, that information will be recorded on their student profile. This information will be used to fulfill reporting requirements to the Ministry, to seek additional resources, and to inform the development of programs and services.

 

3.      Linking of survey data and student achievement data for the purposes of creating Reports that profile the student population on a school-by-school basis. With respect to this phase, results will only be publicly reported where there are sufficient numbers of students to maintain confidentiality.

 

4.      Linking of survey data with student achievement data. Analysis will consider factors identified in the survey at the sub-group level. The linking will take place to identify the extent to which the factors identified may influence student achievement of the sub-group population in order to better understand the learning needs of the sub-group. The Board has currently identified the following sub-groups for further analysis: English Language Learners, Gender, Special Education Students, and Aboriginal Students, and has further stated that it may identify additional sub-groups in the future.

 

5.      Linking of survey data with student data to analyze issues of school climate, and how factors identified through the survey may contribute to school climate issues, and ultimately impact upon student achievement. This phase will require the provision of identifiable student data in order to disaggregate data by school. The Board further notes that this phase may also include an analysis of survey data and student achievement data.

 

6.      This phase involves analysis of additional factors that impact on student achievement including parental engagement. The specific factors to be considered will be identified as a result of information learned from the Board wide profile.

 

In order to consider whether the uses of personal information described above are permitted under the Act, it is necessary to consider the rules respecting the permissible uses of personal information that are set out in section 31 of the Act, which states:

 

An institution shall not use personal information in its custody or under its control except,

 

(a) if the person to whom the information relates has identified that information in particular and consented to its use;

 

(b) for the purpose for which it was obtained or compiled or for a consistent purpose; or

 

(c) for a purpose for which the information may be disclosed to the institution under section 32 or under section 42 of the Freedom of Information and Protection of Privacy Act.

 

Section 31 establishes a basic prohibition on the use of personal information that is subject to a number of exceptions. In order to demonstrate that a given use of personal information is permissible under the Act, the institution in question must demonstrate that the use in question accords with at least one of the section 31 exceptions.

 

Although six phases of analysis have been referenced by the Board above, I note that only phases 2-6 involve the use of personal information. Phase 1 describes a use of anonymous data that is not linked to identifiable information. Accordingly, it is not necessary to deal with the use of information contemplated under phase 1.

 

With respect to phases 2-6, I will consider whether these uses are permissible under section 31(a) of the Act, which permits the use of personal information in cases where an individual “has identified that information in particular and consented to its use.”

 

I note that the Board has taken the position that participation in the survey is voluntary, and that parents or guardians have the option of withholding consent to their child’s participation in the survey.

 

In this case, the Board has elaborated on the way that it intends to communicate information about the survey, which is described above. In sum, the Board will be using various forms of communication (including the Board’s website, the media and letters to parents and guardians) to disseminate information concerning the various uses of data obtained through the survey.

 

As described above, the letter sent to parents or guardians details all of the various planned uses of survey data, and provides a form for parents or guardians to complete to indicate that they do not want their child to participate in the survey.

 

In my view, the existence of the communications materials, including the letter and accompanying opt-out form entail that parents, guardians, and students who have not decided to opt-out of participating will therefore have “identified that information in particular [i.e., the survey data] and consented to its use” as required under section 31(a) of the Act.

 

Based on the above, I am satisfied that the uses of data contemplated by the Board are in accordance with section 31 of the Act.

 

I now turn to address section 31(b) of the Act, which permits the use of personal information “for the purpose for which it was obtained or compiled or for a consistent purpose.” I will consider the application of this section of the Act for the 5 phases of data analysis described above that involve the use of personal information (phases 2-6).

 

As noted, phase 2 of the Board’s research involves the linking of survey responses and student data for the purpose of the voluntary identification of Aboriginal students. The Board has elaborated on this particular use of data and has stated:

 

For those students who choose to complete the survey and who choose to self-identify as Aboriginal, that information will be recorded in their individual student information profile. Identifiable information relating to Aboriginal self-identification will not be reported publicly. The information will be used to fulfill reporting requirements to the Ministry of Education, to seek additional resource supports for Aboriginal students through grant funding and/or partnership opportunities and to inform the development of programs and services to meet the learning needs of this particular student population.

 

In sum, the Board has stated that the information pertaining to Aboriginal self identification will be used by the Board for, among other things, fulfilling reporting requirements established by the Ministry respecting confidential Aboriginal self-identification.

 

In order to determine whether section 31(b) applies to make this use permissible, it is first necessary to determine the original purpose of the collection. Second, it is necessary to assess whether the information in question is used for the same purpose or a purpose that is consistent with the original purpose of the collection.

 

As noted above, I have already concluded that the information in question is collected for the purpose of furthering the Board’s statutory duties. I will now turn to the second part of the section 31(b) analysis.

 

In this case, I am satisfied that the use of the personal information also takes place for the purpose of furthering the Board’s pursuit of its statutory obligations. As noted, section 169.1  of the Education Act  requires, among other things, that school boards promote student achievement and well-being; that boards ensure effective stewardship of their resources; and that boards deliver effective and appropriate education to pupils. All of these objectives may be furthered through the use of information about students who voluntarily identify themselves as Aboriginal. As the Board has explained, its use of the information obtained from the questions on the survey will allow it to seek resource supports for Aboriginal students, and will also inform program development.

 

Accordingly, in this respect, I am satisfied that the Board’s purpose of using the information pertaining to Aboriginal self-identification is the same as the purpose for which the information is collected; namely the pursuit of its statutory rights and obligations under the Education Act . I therefore conclude that the use of personal information contemplated under phase 2 accords with section 31(b) of the Act.

 

I will now address the uses of personal information contemplated in phases 3-6 of the Board’s research together, as these phases all involve analysis using identifiable information to fulfill various goals as follows: profile of student population on a school-by-school basis (phase 3); analysis of student needs and achievement on a student sub-group basis (phase 4); analysis of data pertaining to the atmosphere and climate of specific schools (phase 5); and the analysis of how specific factors may impact upon student achievement (phase 6).

 

While the uses of personal information described above are disparate, I am satisfied that they all serve to further the Board’s pursuit of its statutory obligations under the Education Act . By engaging in the analysis described above, the Board will be able to gain insight into how various factors influence student experiences and learning. The product of this analysis will inform policy and program development, thereby promoting student achievement and well-being, which is a clear statutory obligation of the Board.

 

I am therefore satisfied that the uses of personal information described in phases 3-6 are for the same purpose as the original purpose of the collection; namely, satisfying the Board’s statutory obligations under the Education Act . I am therefore satisfied that these uses are in accordance with section 31(b) of the Act.

 

Based on all of the above, I am satisfied that the uses of data contemplated by the Board are in accordance with section 31 of the Act.

 

Are the disclosures of the personal information in accordance with section 32 of the Act?

 

The provision of information to the Ministry of Education in order to facilitate the voluntary self-identification of Aboriginal students constitutes a disclosure of personal information under the Act. The Board has confirmed that it will be providing the Ministry with the OENs of students who self-identify as Aboriginal.

 

Section 32 of the Act states in part:

 

An institution shall not disclose personal information in its custody or under its control except,

 

(a) in accordance with Part I;

 

(b) if the person to whom the information relates has identified that information in particular and consented to its disclosure;

 

(c) for the purpose for which it was obtained or compiled or for a consistent purpose;

 

(d) if the disclosure is made to an officer, employee, consultant or agent of the institution who needs the record in the performance of their duties and if the disclosure is necessary and proper in the discharge of the institution’s functions;

 

….

 

Section 32 contains a prohibition on the disclosure of personal information that is subject to a number of exceptions. In order to demonstrate that a given disclosure of personal information is permissible, the institution in question must demonstrate that the disclosure accords with at least one of the section 32 exceptions.

 

I will first consider whether the disclosure is permissible under section 31(b).

 

In this case, the Notice of Collection, which is reproduced above, states that one of the purposes of the survey is to allow for the self identification of Aboriginal students.

 

In addition, the letter that is sent to parents notes that one of the uses of the survey data will be to facilitate the voluntary self identification of Aboriginal students, and that data concerning such identifications will be disclosed to the Ministry. As noted above, the letter states that completion of the survey is voluntary for parents, guardians, and students, and an opt-out form is included with the letter.

 

Because of these communications materials, as well as the opportunity to opt-out of participation, I am satisfied that someone who has made a choice to identify themselves or their child as Aboriginal through the survey “has identified that information in particular and consented to its disclosure” as required under section 32(b) of the Act.

 

I will now turn to consider the application of section 31(c) of the Act, which permits the disclosure of personal information “for the purpose for which it was obtained or compiled or for a consistent purpose”.

 

As noted above, the Ministry requires information pertaining to Aboriginal self-identification as part of its First Nation, Métis, and Inuit Education Policy Framework.

 

With respect to the purpose of the collection, I concluded above that the Board collects the information pertaining to Aboriginal self-identification to further the pursuit of its statutory duties under the Education Act , including the promotion of student achievement and well-being. In this regard, the Board has stated that the information collected:

 

[w]ill be used to fulfill reporting requirements to the Ministry of Education, to seek additional resource supports through grant funding and/or partnership opportunities and to inform the development of programs and services to meet the learning needs of this … student population.

 

I am satisfied that the information in question is disclosed for the same purpose as the purpose for which it was originally collected. By providing this information to the Ministry, the Board is satisfying a policy directive of the Ministry, which is among the reasons why the information was originally collected. The provision of this information to the Ministry will also promote student achievement and well-being, which is also a purpose underlying the original collection.

 

I am therefore satisfied that the disclosure of information pertaining to Aboriginal self-identification to the Ministry is also permissible under section 32(c) of the Act.

Based on all of the above, I am satisfied that the disclosure of OENs of students who self-identify as Aboriginal to the Ministry is a permitted disclosure under section 32 of the Act.

 

Does the Board have in place reasonable measures to prevent unauthorized access to the records created through the survey as required under section 3 of Regulation 823, made pursuant to the Act?

 

Section 3 of Regulation 823, made pursuant to the Act states, in part:

 

(1)  Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.

 

(2)  Every head shall ensure that only those individuals who need a record for the performance of their duties shall have access to it.

 

….

 

This provision requires that institutions implement measures that are reasonable to prevent unauthorized access to records in its custody or control, and mandates that such measures should take into account the nature of the records in question. The provision further limits the individuals within the institution who may have access to a record to those who need such access in the performance of their duties.

 

The requirement to prevent unauthorized access to records applies throughout the life-cycle of a given record, from the point at which it is collected or otherwise obtained, through all of its uses, and up to and including its eventual disposal.

 

In this case, the Board has set out the measures it has implemented to prevent unauthorized access to the personal information contained in the survey, and I will address each component below.

 

Security during the administration of the survey

 

In terms of the security measures in place at the time the survey data is obtained from students, the Board has explained that the administration of the survey for students in grades JK-6 is different from the administration of the survey for students in grades 7-12.

 

With respect to the survey that is administered to students in grades JK-6, the Board has explained that surveys will be sent home to the parents or guardians in a sealed envelope which will be addressed to the child’s parent or guardian. Parents have the option of completing either the paper copy of the survey provided, or completing the survey online.

 

For surveys that are completed on paper, each survey contains a cover page, which includes the student’s name. Parents are instructed to remove the cover page, complete the survey, and place the survey into a pre-addressed envelope, which is then returned by the student to the school. The Board notes that teachers and administrative staff are not permitted to open the sealed surveys. The returned surveys will be collected and securely stored on-site until they are transferred to the third party service provider for compilation.

 

With respect to the survey administered to students in grades 7-12, the Board has explained that most surveys will be completed by students online in school computer labs. However, the Board has also stated that it will provide students in grades 7-12 with the option of completing the surveys on-line at home, or in paper format at school or at home. In this regard, the Board has stated that “[t]he school will work with the student to ensure that students who want to complete the survey do so in the format in which he or she is most comfortable.”

 

Where surveys are completed via computers at school, students will be provided with a survey number, which is used to log-on to the survey. Once the student completes the survey, he or she is instructed to hit “submit” and the survey is transmitted to the third party service provider, and can no longer be accessed at the school.

 

Teachers are instructed to advise students of the voluntary nature of the survey, and ask that students respect the confidential nature of the survey. The Board has provided the IPC with instructions provided to teachers, which include the following directions:

           

The survey is confidential – Given the personal nature of some of the questions, please provide a respectful and confidential environment – as best possible in your computer lab.

           

The survey is generally completed in approximately 20 minutes. Students must be seated at a computer. As best possible in your computer lab, please ensure spacing for privacy.

 

Please encourage respectful behaviour regarding student privacy and confidentiality. However, please anticipate different finishing times for your students, and the needs of students not participating.

 

Reminder: Please anticipate that some students may not wish to do the survey or may have been advised by their parent/guardian not to complete the survey. Again, while we are encouraging all students to participate, the survey is voluntary.

 

The Board has also addressed situations where parents or guardians have withdrawn the consent of their child to participate in a survey as follows:

 

Where a parent does not wish his or her child to complete the survey, written notice shall be provided to the school principal. The principal shall maintain a list of students by class who do not have consent to complete the survey and shall provide such list to the classroom teacher. Classroom teachers will be instructed NOT to issue the survey to that student. Without a survey number, a student cannot complete the on-line survey. Classroom teachers will review the instructions for survey completion at the start of the class. As a part of that instructional message, the teacher shall remind the students that where a parent has not provided consent, the student should refrain from completion of the survey. 

 

I have considered the measures that have been put into place by the Board to prevent unauthorized access to records containing personal information during the administration of the survey. In my view, the Board has paid due regard to the protection of privacy during this stage of the process, and I am satisfied that the measures described above constitute reasonable measures to prevent unauthorized access.

 

Security in custody of the third party service provider

 

As noted, once the survey questionnaires have been completed, they are provided to a third party service provider, where they are entered into a database. The third party service provider maintains the data obtained from the survey in a secure location until a report is generated and approved by the Board. The Board has further stated that the service provider will only have access to the survey numbers associated with returned questionnaires, and will not have access to identifiable student data.

 

The Board has also stated that the service provider will be responsible for conducting Phase 1 of the analysis of the survey data, which consists of analysis of non-identifiable data.

 

Although the service provider will not maintain identifiable personal information, I will consider whether the measures in place to protect the non-identifiable information in question obtained from the survey questionnaires are adequate.

 

In 2001, the IPC published Best Practices for Protecting Individual Privacy in Conducting Survey Research[2] (Best Practices). The Best Practices establishes guidelines for institutions to follow in order to collect and maintain survey data in a privacy protective manner.

 

One practice that is applicable in this case is the practice that applies to service providers who assist in the conduct of survey research. In this respect, Best Practice #3 states:

 

Where an external consultant or private company conducts the research, establish a contractual agreement to ensure that personal information is collected, retained, used, disclosed and disposed of, in accordance with the Acts.

 

In this case, the Board has entered into a contractual agreement with the service provider, and the contractual agreement does set out the service provider’s obligations to protect the information in question. A copy of this agreement has been provided to the IPC for review.

 

Having considered the nature of the information provided to the third party service provider (including the fact that the service provider cannot identify an individual from the information in question), as well as the contracted obligations in question, I am satisfied that the Board has implemented reasonable measures to prevent unauthorized access to the records in question as required under section 3 of Regulation 823.

 

Security measures during linking of data

 

Because the Board is engaged in the linking of survey responses with existing achievement data it is crucial that steps be taken to reduce the risk of identification. The Best Practices address this issue and provide guidance on the way in which data obtained from surveys should be linked with other data. Best Practice #7 states:

 

If the survey cannot be carried out anonymously, design it so that all personal information is replaced with a special code that can only be used to link the survey data to personal information when it is necessary to do so (i.e., a coded survey).

 

The Board has provided the IPC with detailed information pertaining to the way in which survey data will be linked with existing information, and the measures in place to prevent access to survey data during this process.

 

The Board has noted that it employs a Manager of Quality Assurance in the Curriculum Services Department, who is responsible for supervising a small team of research staff, including two research officers and two research analysts. The Board has further stated that any linking of data will be conducted by a research officer under the approval and direction of the Manager of Quality Assurance. In addition, the Board has also noted that it employs a Data Administrator who is responsible for managing requests for information.

 

The Board has also elaborated on the circumstances under which survey data will be linked with existing data as follows:

 

The linking can only be undertaken once the survey data has been compiled by the third party service provider and delivered to the [Board]. The linking of survey data will be done by district staff and will only be done once the Quality Assurance Division has detailed the specific parameters of the research reports that will be generated on the population sub-groups. The Manager of Quality Assurance and the Data Administrator will engage in a series of discussions about the available data, the reports to be generated, and the data required to generate those reports, for the purposes of ensuring that the data being requested properly supports the request. A formal request will be made by the Manager of Quality Assurance to the Data Administrator for action.

 

The Board has explained that in order to carry out the linking, it will create a third unique identifier that will be used in conjunction with the two existing identifiers (OENs and survey numbers). The Board has further stated that the linking of data will take place through the deployment of three separate databases as follows:

 

•         Database 1, which contains student data, achievement data, and OENs;

•         Database 2, which contains, survey data and survey numbers, but not student achievement data or OENs; and

•         Database 3, which is the database accessed by researchers, and contains the third unique identifier, along with achievement data and survey data, but does not contain student names, OENs, or survey numbers.

 

The Board has also explained that it will utilize two data files that will be used to map the OEN to the survey number, and to map the survey number to the third unique identifier.

 

Under the system described above, the research officers would only have access to Database 3 when conducting analysis that involves linking of data. Database 3 will contain all the data required to conduct the research, but would not contain student identifiers (i.e., names, OENs, or survey numbers). As such, the research can be conducted without connecting survey responses with information that can be used to identify individual students.

 

I note that Best Practice #7, noted above, makes reference to the practice of institutions adopting a “special code” that is used to link data. In this case, the Board’s use of the unique identifier would function as the special code contemplated by Best Practice #7.

 

The Board has also addressed the governance structure that will be in place to oversee potential uses of the survey data including linkages of data. The Board has explained that it has an Equity and Diversity Steering Committee (EDC) that is responsible for overseeing the Board’s equity and diversity framework, including the student survey. In this regard, the Board has stated:

 

As the district moves from the operational elements of the survey to the analytical elements of the survey, the EDC will continue to play a role in terms of ensuring that the survey analysis planned is consistent with the intent of the survey and the stated purposes of collection, and is consistent with our responsibility to balance student achievement and well being. 

 

With respect to any potential decisions on access to survey data, including any potential external or internal research requests, the Board has stated that the responsibility for making these decisions rests with the Board’s Director’s Executive Council. With regard to these decisions, the Director’s Executive Council would consider the advice and recommendations of the EDC and the Manager of Quality Assurance.

 

I have considered the information provided by the Board regarding the steps it intends to take to protect student privacy when linking data. I am pleased with the detailed information provided by the Board, and I am satisfied that the measures described—including measures pertaining to the security of the databases and the governance structure in place—constitute “reasonable measures to prevent unauthorized access to the records” as required in section 3(1) of Regulation 823.

Destruction of Data

 

The Board has explained that it intends on retaining the survey data for the length of the project. Currently, it expects the project to last for 3 to 4 years. After that time, it will be retained for six years in inactive storage, in accordance with the Board’s applicable retention policy.

 

The Board has addressed the manner in which the survey data will be destroyed once it is no longer required. In this regard, the Board has stated:

 

The survey data will be disposed of in accordance with the [Board’s] records destruction practices. … [T]here are established practices in place which support the secure transfer of custody and the safe destruction of records. Electronic records are degaussed, sanitized or mechanically destroyed in a manner to ensure that the records cannot be recreated. Paper records are similarly handled and are shredded. The [Board] normally works with an experienced third party service provider and undertakes appropriate contractual and privacy agreements with the service provider.

 

In this case, I am satisfied that the Board’s plans with respect to the destruction of data are adequate, and constitute reasonable measures to prevent unauthorized access to records.

 

Conclusion on measures to protect against unauthorized access

 

I want to note that the security measures put in place by the Board to prevent unauthorized access to records may appear more stringent than what was recommended in MC06-63, referred to above.  The recommendations made in MC06-63 were based on the TDSB’s position that it had not “formalized” a plan to link the student survey data to student achievement data that was already in its custody.   In fact, the final report recommends that before any actions are taken to engage in such linking, our office should be consulted. 

 

In the circumstances before me, the Board has stated that it intends to link the survey data with student achievement data and that is the context in which I must assess the reasonableness of the measures taken. 

 

Section 3(1) of Regulation 823 states that measures put in place should take “into account the nature of the records to be protected.”   I am very pleased that the Board has done this by electing to implement rigorous measures to protect the personal information that is collected through the survey.

 

Based on all of the above, I am satisfied that the Board has implemented reasonable measures to prevent unauthorized access to records as required under section 3(1) of Regulation 823, made pursuant to the Act.

 

 

 

 

CONCLUSION:

 

I have reached the following conclusions based on the results of my investigation:

 

1.            The information collected through the survey qualifies as “personal information” under section 2(1) of the Act.

 

2.            The collection of the personal information is in accordance with section 28(2) of the Act.

 

3.            The Board’s Notice of Collection satisfies the requirements under section 29(2) of the Act.

 

4.            The Board’s contemplated uses of personal information are in accordance with section 31 of the Act.

 

5.            The Board’s contemplated disclosure of the personal information is in accordance with section 32 of the Act.

 

6.            The Board has implemented reasonable measures to prevent unauthorized access to records as required under section 3 of Regulation 823, made pursuant to the Act.

 

 

 

 

 

Original Signed by:                                                                             March 3, 2011

Mark Ratner Investigator