This week’s post is written by an Education IT specialist and CEO of The Process Pros, Jim Laplante. 

 

Data privacy and protection are paramount and Canadian schools are on the brink of a significant shift. Bill C-27 is reshaping Canada’s privacy laws with three key components: the Artificial Intelligence and Data Act (AIDA), the Personal Information and Data Protection Tribunal Act (DPTA), and, crucial for schools, the Consumer Privacy and Protection Act (CPPA).

Bill C-27 passed second reading in the House of Commons. The bill is currently being considered by the Standing Committee on the Industry and Technology with some proposed changes including a focus on the rights of minors. 

How Does the Consumer Privacy and Protection Act Protect Minors?

The CPPA in its current form mandates several key adjustments for K-12 schools. Notably, it requires the establishment of comprehensive privacy management programs, ensuring that consent for sharing student data is clear and documented. Sharing of data with third parties will need to be tracked and, when requested, reported. Schools are now required to implement stringent safeguarding measures, including robust data governance structures and periodic reviews of privilege settings. 

The act also advises on the anonymization and de-identification of data sets. It introduces specific security breach notification protocols, delineates retention periods for data outside the scope of provincial education acts, and enhances data portability.  

Interestingly, the tribunal mentioned above will have the authority to fine institutions, including K-12 schools, who are not compliant with these new privacy laws.  Examples of fines for K-12 schools have been seen in the European Union, under GDPR,  where a school  processed data without sufficient legal basis, or failed to implement adequate measures to protect the data in their care. 

Quebec is leading by example

Quebec is showcasing what future privacy laws adaptations may look like for K-12 schools across the country. The province emphasizes the need for a designated privacy officer. It also enforces transparent information protection policies, thorough privacy impact assessments for third-party data transfers, with clear communication regarding data collection and usage. 

Quebec is a leader in individual data rights, aligning with mature privacy frameworks like the GDPR. The province enforces rights to access, rectification, cessation of dissemination, and data portability, alongside regulations on AI and biometric data use.

What This Means for Schools

As seen with other data privacy legislation, there will be some kind of grace period for implementation.  If Canada follows the example of the recent EU AI Act then implementation could be staged. For schools to be compliant, they need to move quicker.   

The expectations in Quebec are that schools must:

• Have a privacy officer (Person in Charge).
• Policies must ensure private info protection – including a data retention and destruction framework, defined roles and responsibilities (data governance), a complaints handling process, and all must be published on their website.
• Conduct a Privacy Impact Assessment (PIA) for all 3rd party apps. Most K-12 schools could have between 120 and 160 apps.
• Post a notice at time of collection of private data – as well as notice of identification, location and profiling.
• Ensure the security of their private data when outsourcing – 3rd parties must implement security measures in line with the sensitivity of the data, ensure personal information is not retained after the completion of the agreement, must  inform the privacy officer of a breach without delay, and keep records of every transfer to a third party.
• Retain a register of confidentiality incidents for 5 years and report if appropriate.
• Be able to report on what private information they have and what they have shared to 3rd parties, if requested (The right to know).
• Change data if it is incorrect (the right to rectification).
• Under certain circumstances, have all an individual’s private data removed from all systems (the right to be forgotten).
• Be able to provide a copy of their private data to individuals upon request (the right to portability.

Final Thoughts

As we navigate these changes, it’s crucial for schools to stay informed and proactive. The protection of our students’ private information is not just a legal obligation but a moral one, underscoring our commitment to their safety and well-being in the digital age. 

 About the Author

Jim LaPlante began his career as a Physics and Calculus teacher, and after 5 years in that role transitioned into IT leadership. As an IT and Innovation Director in Canadian Accredited Independent Schools (CAIS) schools since 2004, he has been active in driving the evolution of technology in education. In his role at Upper Canada College, Jim oversaw a spectrum of responsibilities, from managing the Help Desk and classroom technology integration to leading initiatives in Data and Analytics. His diverse contributions extended beyond UCC, he has been on numerous CAIS accreditation teams and co-hosted national forums on crucial topics such as 21st Century Classroom Design, School Infrastructure, and the Internet of Things, and the Evolution of 1:1 Programs in Independent Schools. Jim’s commitment to education is underscored by his involvement in strategic initiatives like new timetable development, UCC’s Design Thinking and Digital Innovation Program, and the Principal’s Innovation Fund. His extensive experience uniquely positions him to support schools in developing and implementing AI strategies, crafting comprehensive short and long-range plans for IT departments, and conducting thorough privacy and cybersecurity reviews. Jim has a BSc in Biophysics from the University of Western Ontario and a BEd from the University of Toronto. Recently he has completed Osgoode Certificates in Education Law, and Cybersecurity and Privacy Law.

https://www.theprocesspros.ca/