[Learning A-Z:Writing Solution]
PIA#[assigned by your privacy office(r)]
Enquiry BC – Privacy and Access Helpline. Victoria: 250-356-1851 Vancouver: 604-660-2421 and elsewhere in BC, toll-free: 800-663-7867
Part 1 – General
Name of District: / <Name> Board of Education – SD <##>PIA Drafter: / <Name, Title of School District Contact>
Email: / <Email of School District Contact> / Phone: / <Number of SD Contact>
Program Manager: / <Name, Title of initiative contact, if different from PIA Drafter>
Email: / < Alternate to the above / Phone: / <Alternate to the above>
This template PIA is the property of ERAC and asserts copyright over its contents. ERAC provides authorization to its members in good standing to use and modify this document, but non-members must first obtain the written consent of ERAC for any use or modifications of this document.
Please do not remove any parts of the PIA. Where a section does not apply, enter “Not Applicable.”
<The RED text in this document should be removed from the final version of your District’s PIA.
<We understand your District has chosen to make use of the online Learning A-Z: Writing. By conducting this Privacy Impact Assessment it will help your District ensure compliance with the Freedom of Information and Protection of Privacy Act (FIPPA) when introducing new programs or iniativies that involve the collection, use and disclosure of personal information.>
<In an attempt to assist you in the deployment of this program, this Privacy Impact Assessment (PIA) has beenpartially completed for you. Please review and edit this document carefully to ensure it accurately reflects the intent and scope of your initiative. It is your responsibility to ensure that the information in this PIA is accurate and complete.>
1.Description of the Initiative
Our School District has an active membership with ERAC who provides a range of services available to its members including evaluating,licensingandacquiringprint, software, and digital learning resources. ERAC is a cooperative member based organization. The organization works in partnership with their members, BC public school districts as well as independent schools. Their goal is to support quality education for public and independent K-12 students.
As part of ERAC’s due diligence, ERAC has an established rigorous, criteria-based evaluation process for evaluating products that have come to their attention via membership recommendations. Using ERAC trained BC classroom teachers as evaluators, products are placed into an online collection. Once they have met the provincial standards and are appropriate for use in BC classrooms an approval is granted and an agreement is made with the vendor.
This Privacy Impact Assessment (PIA) is to facilitate School District Name> in the provision of implementing Learning A-Z: Writingservicesforstudents and teachers in our districtand toensurethattheseservicesareofferedinwaythatiscompliantwith theFreedomofInformation andProtection ofPrivacyActs.69(5.3)(“FIPP Act”) as of <September 01, 2016>.
Writing A-Z provides the differentiated materials and instruction tools K-6 educators can use to teach writing in the classroom. With an extensive collection of resources differentiated at 5 developmental levels, teachers can easily provide the lessons and activities their students need to improve their writing skills. The product also delivers a set of eLearning tools students can use to practice their creative and process writing skills and submit assignments to their teacher online.
Vendor: LZEL Inc. 2016 offers educational services online and develops software and hardware product that serve students. The company was incorporated in 2009 and is based in Dallas, Texas as a subsidiary of Cambium Learning Group Inc. 17855 North Dallas Parkway, Suite 400 Dallas, TX 75287 US Tel: 214-932-9500
2.Scope of this PIA
Our District has entered into a licensed subscription agreement with Learning A-Z. The agreement with the vendor commences onSeptember 01, 2017 and expires on August 31, 2018>.
Note:Home users that create personal students and parents accounts are out of the scope of this PIA.
Upon completion of this Privacy Impact Assessment, the program is ready for deployment to teacher’s and their K – 7 students at each of the following elementary schools in our District.> A consent form will be sent by the teaching staff from each of the schools and collected from each parent and/or guardian to ensure that they are aware that their child has been given permission to use this product and that the child’s privacy will be protected by assigning anonymous user names for the purposes of logging into the program and tracking personal progress. See Appendix A and B for parent consent and teacher agreement.
The intended users are: K – 6 students, classroom subject teachers, non-enrolling specialist teachers, students for non-instructional purposes, authorized Student Teachers on practicum, and Educational Assistants. Supervising teachers manage their users and reset the passwords. Students are not able to create their own games or accounts at school. The product runs on all versions of Mac and Windows operating systems. Tablets may download the program and run offline. Learning A-Z stores user anonymous data in the United States of America.
3.Related Privacy Impact Assessments
It is our understanding that this new project has no current PIAs with OIPC or BC Ministry of Education.
Should students or parents create a private account and privately use this product at home, the District will have a way of monitoring or supervising the user in protecting their private information once creating a personal account with the vendor. The user’s contract will be between the user and the vendor and subject to the Terms and Conditions set out by the vendor. This PIA does not cover any personal privacy or security risks for students and parents using the product independent of their school’s classroom.
Note: to ensure that personal information is not used for account creation, a notice to the parents along with staff training, the teacher is shown how to define and assign the user name and password for each student. The teacher will submit the required information on behalf of their students using an alias.
Please confirm within your district whether any other PIAs for related projects should be listed here, and remember to include that this if this PIA is to be updated update in the future.
.
4.Elements of Information or Data
The Learning A-Z: Writingoffers a subscription license to access their web-based product. Teachers will record the students’ user names; results; along with the following data fields for the purposes of grading and accessing the product. First Name (Student); Last Name (Student); Grade (Student); First Name (Teacher); and, Last Name (Teacher). Although first and last names are required they do not need to be the actual names of the teachers or students as noted in Section 5: Account Activity by Teacher and Parent Users.For example, a teacher named John Smith could use" Teacher" as his first name and "One" as his second name.Theuser datais being stored on a server outside of Canada.
Part 2 – Protection of Personal Information
In the following questions, delete the descriptive text and replace it with your own.
5.Storage or Access outside Canada
Yes – the student and teacher anonymous accounts will be stored and accessing servers outside of Canada to use theLearning A-Z:Writing.The storage of the student and teacher data is viewed by the Learning A-Z staff to improve customer service by having access to relevant data for teacher initiated support calls; the data provides an understanding of the user aggregated group and how they use the services and resources; and to provide web site improvements in customer experience and product improvements.
Account Holder Information
Teachers can create multiple classes under the same teacher account but each account requires a unique email address as shown in the example below.Teachers will be enteringfictitious student identities individually or they can upload an Excel file with their entire class. Teachers can edit their own account and their students by going to their teacher portal that provides access to all of the services we have purchased. User data stored on the servers in the US.
Example:
Email / First Name / Last Name / User Name / RoleIgreensmith1@esri / Student / Two / StudentBC1 / Student
Igreensmith1@esri / Student / Three / StudentBC2 / Student
Igreensmith1@esri / Student / Four / StudentBC3 / Student
School administrators can view and assign students to classes/teachers within their school. The Learning A- Ztechnical support staff can access the district’s data for support purposes and are available by contacting them at 1-866-889-3729 or .
The data stored in the Learning A – Z:Reading Solution is not shared with any third parties except for those limited purposes provided that we have given them permission. Questions regarding their Privacy Policy and practices can contact customer support as noted above or go to
6.Data-linking Initiative*
In FOIPPA, "data linking" and “data-linking initiative” are strictly defined. Answer the following questions to determine whether your initiative qualifies as a“data-linking initiative” under the Act. If you answer “yes” to all 3 questions, your initiative may be a data linking initiative and you must comply with specific requirements under the Act related to data-linking initiatives.- Personal information from one database is linked or combined with personal information from another database;
- The purpose for the linkage is different from those for which the personal information in each database was originally obtained or compiled;
- The datalinking is occurring between either (1) two or more public bodies or (2) one or more public bodies and one or more agencies.
If you have answered “yes” to all three questions, please contact your privacy office(r) to discuss the requirements of a data-linking initiative.
7.Common or Integrated Program or Activity*
In FOIPPA, “common or integrated program or activity” is strictly defined. Answer the following questions to determine whether your initiative qualifies as “acommon or integrated program or activity” under the Act. If you answer “yes” to all 3 of these questions, you must comply with requirements under the Act for common or integrated programs and activities.- This initiative involves a program or activity that provides a service (or services);
- Those services are provided through:
(b) one public body working on behalf of one or more other public bodies or agencies; / No
- The common or integrated program/activity is confirmed by written documentation that meets the requirements set out in the FOIPP regulation.
Please check this box if this program involves acommon or integrated program or activity based on your answers to the three questions above.
* Please note: If your initiative involves a “data-linking initiative” or a “common or integrated program or activity”, advanced notification and consultation on this PIA must take place with the Office of the Information and Privacy Commissioner (OIPC). Contact your public body’s privacy office(r) to determine how to proceed with this notification and consultation.
For future reference, public bodiesare required to notify the OIPC of a” data-linking initiative” or a “common or integrated program or activity” in the early stages of developing the initiative, program or activity. Contact your public body’s privacy office(r) to determine how to proceed with this notification.
8.Personal Information Flow Diagram and/or Personal Information Flow Table
No applicable
For ease of reference, the collection, use, and disclosure authorities in FIPPA can be found in the table below. If you do not know what the relevant authorities are, please contact your privacy office(r).
Both a flow diagram and a table must be included if the PIA is related to a common or integrated program or activity or a data-linking initiative.
For ease of reference, the collection, use, and disclosure authorities in FOIPPA can be found in the Personal Information Flow Table on the next page. If you do not know what the relevant authorities are, please contactyour privacy office(r).
Example:
Examples can be removed and additional lines added as needed.
Personal Information Flow TableDescription/Purpose / Type / FOIPPA Authority
1. / Student Consent and Parental Authorization is sought to start using the program and collect personal Information / Collection / 26(d)
2. / Student uses Program for course work or on own time. / Use / 32(a), 32(b)
3. / Teacher access course work for purposes of assessment / Use
Disclosure / 32(a), 32(b),
33.1(b),
33.2(a), 33.2(c)
9.Risk Mitigation Table
Please identify any privacy risks associated with the initiative and the mitigationstrategies that will be implemented. Please provide details of all such strategies. Also, please identify the likelihood (low, medium, or high) of this risk happening and the degree of impact it would have on individuals if it occurred i.e. teachers recording student names and assigning user names and passwords and securing in a safe and secure place despite having been trained to do so etc.>
Examples can be removed and additional lines added as needed.
Risk Mitigation TableRisk / Mitigation Strategy / Likelihood / Impact
1. / Employees (teachers) could access personal information and use or disclose it for personal purposes / Oath of Employment; contractual terms, etc. / Low / Low
2. / Requests may not actually be from client (i.e. their email address may be compromised). / Implementation of identification verification procedures. / Low / Low
3. / Client’s personal information is compromised when transferred to the service provider. / Alias user and password name transmission is encrypted and over a secure line. / Low / Medium
4. / Inherent risks in sending personal information to a parent/guardian via email. / Policy developed to inform parent/guardian of risks and ask if they would like the information via a different medium, such as through the mail. / Medium / Medium
10.Collection Notice
Where our initiative is collecting personal information directly from individuals we ensure that all individuals involved are told the following:
The purpose for which the information is being collected is for educational purposes including the grading of the students work.
The personal information that is being collected is directly related to, and necessary for, operating the student’s program in the classroom.
School District # ____ the business address is ______and our business telephone number of a District officer or employee who can answer questions about the collection is listed under Part’s 1 – General
NOTE: Please see sample consent form to be tailored to your District’s needs. For further help with collection notices please see the “Collection Notice Tip Sheet” located on the CIO’s website.
Please include your proposed wording for a collection notice and where it will be located for individuals to read before collection takes place. You can also attach a screen shot or a copy of your form where the collection notice would be located. For further help with collection notices please see the “Collection Notice Tip Sheet” located on theCIO’s website.
Part 3 – Security of Personal Information
If this PIA involves an information system, or if it is otherwise deemed necessary to do so, please consult with your public body’s privacy office(r) and/or security personnel when filling out this section. They will also be able to tell you whether you will need to complete a separate security assessment for this initiative.
11.Please describe the physical security measures related to the initiative (if applicable).
For example: locked teacher cabinets/desks for student’s log-on and passwords kept in securely stored laptops.>
12.Please describe the technical security measures related to the initiative (if applicable).
For example: user access profiles assigned to enrolling teachers on a need-to-know basis.
13.Does your branch/department rely on any security policies?
Refer to your District’s, “Acceptable Technology Use Policy” and any specific policies and procedures that provide contactdetails for someone who could answer further questions regarding these policies and procedures for this product.>
14.Please describe any specific policies and procedures and provide contact details for someone who could answer further questions regarding these policies and procedures.
<For example program/department manager or designated Privacy Office(e) as indicted on Program Area Signatures listed in Part 7 of this document>.
15.Please describe any access controls and/or ways in which you will limit or restrict unauthorized changes (such as additions or deletions) to personal information.
For example: role-based access.
16.Please describe how you track who has access to the personal information.
For example: audit trails or physical sign-in and sign-out of files.
Part 4 – Accuracy/Correction/Retention of Personal Information
17.How is an individual’s information updated or corrected?If information is not updated or corrected (for physical, procedural or other reasons) please explain how it will be annotated?If personal information will be disclosed to others, how will the public body notify them of the update, correction or annotation?
At the discretion of an assigned designated teacher, the student personal data can permanently be deleted from the user’s Learning A-Z reading program.
18.Does your initiative use personal information to make decisions that directly affect an individual(s)? If yes, please explain.
Yes, results can be used for grading. Or – No, results are supplementary and used only as an aid.>
19. If you answered “yes” to question 17, please explain the efforts that will be made to ensure that the personal information is accurate and complete.
<For example: each enrolling teacher will check to see that the information is correctly obtained from the vendor’s web site for each student participating in the program.>