Privacy Impact Assessment for BC Public Schools
[CBC: Curio.ca]
PIA# [assigned by your privacy office(r)]
Enquiry BC – Privacy and Access Helpline. Victoria: 250-356-1851 Vancouver: 604-660-2421 and elsewhere in BC, toll-free: 800-663-7867

Part 1 - General

Name of District: / <Name> Board of Education – SD <##>
PIA Drafter: / <Name, Title of School District Contact>
Email: / <Email of School District Contact> / Phone: / <Number of SD Contact>
Program Manager: / <Name, Title of initiative contact, if different from PIA Drafter>
Email: / <Alternate to the above> / Phone: / <Alternate to the above>

<Note to Districts>

<The RED text in this document should be removed from the final version of your District’s PIA.

We understand your District has chosen to make use of the BC Digital Classroom’s à la carte product by subscribing to CBC/Radio-Canada (CBC) Curio.ca. Completing this Privacy Impact Assessment will help ensure that your District is in compliance with the Freedom of Information and Protection of Privacy Act (FIPPA) when introducing a new program or initiative that involves the collection, use and disclosure of personal information.

In an attempt to assist you in the deployment of this service, this generic Privacy Impact Assessment (PIA) template is provided for you to personalize. Please review and edit your document carefully to ensure it accurately reflects the intent and scope of your initiative. It is your responsibility to ensure that the information in this PIA is accurate and complete.>

Please do not remove any parts of the PIA. Where a section does not apply, enter “Not Applicable.”

1. Description of the Initiative

Educational Resource Acquisition Consortium (ERAC) is a cooperative, member-based organization. Our School District has an active membership with ERAC, which provides a range of services to its members, including evaluating, licensing and acquiring print, software, and digital learning resources. The organization works in partnership with its members, BC public school districts as well as independent schools. Its goal is to support quality education for public and independent K-12 students.

This Privacy Impact Assessment (PIA) supports our BC School District, which has a subscription to the BC Digital Classroom Core Collection and, in addition, wishes to subscribe to Curio.ca, the online media streaming platform of CBC/Radio-Canada (CBC) designed for educators and students. In preparation for the use of the website, it is essential to ensure that these services are offered in a way that is compliant with the Freedom of Information and Protection of Privacy Act (FIPPA).

Curio.ca is for the Canadian educational community and provides educators and students with access to high-quality Canadian digital learning resources in French and English. It is aligned with the BC curricula to meet classroom needs and support learning (e.g. news reports, documentaries, dramas, children’s programming, archival material and teacher resource guides). Educators and students can organize content based on their specific needs, share content with other users, and use the full range of features available on Curio.ca.

Curio.ca and its content may only be used for educational and student research purposes and not for any commercial or profit-making purposes.

2. Scope of this PIA

As part of ERAC’s due diligence, ERAC has established a rigorous, criteria-based evaluation process for evaluating classroom products that have come to its attention via membership recommendations. Using ERAC-trained BC classroom teachers as evaluators, products are placed into an online collection. Once they have met the provincial standards and are appropriate for use in BC classrooms, an approval is granted and an ERAC agreement is made with the vendor.

Curio.ca is an additional option in ERAC’s online collection of learning resources. It has been granted approval, and an agreement has been made with the vendor, CBC/Radio-Canada, for the ERAC membership. The ERAC agreement expires on June 30, 2018.

The intended users are: K – 12 students, classroom subject teachers, non-enrolling specialist teachers, students for non-instructional purposes, authorized Student Teachers on practicum, and Educational Assistants.

<DISTRICT NOTE: Please see sample consent form to be tailored to your District’s needs. For further help with collection notices please see Tip Sheet for Consent Disclosure located on the ERAC website.>

3. Related Privacy Impact Assessments

It is our understanding that no current CBC Curio.ca PIA has been submitted to the Office of the Information & Privacy Commissioner of British Columbia (OIPC) or the BC Ministry of Education.

Should students or parents create a private account and privately use this product at home, the District has no way to monitor them or to protect their private information once they have created a personal account with the vendor. The user’s contract will be between the user and the vendor and subject to the Terms and Conditions set out by the vendor, which include Curio.ca’s terms of use ( and the general terms of use for CBC websites (

This PIA excludes any personal privacy or security risks for students and parents using the product independent of their school’s classroom.

Security and Use of Passwords

For viewing Curio.ca outside of the school site, users can create an account with their own personal username and password. Users can create a personalized profile and have the ability to select preferences, organize content based on their specific needs, share content with other users, and use the full range of features available on Curio.ca. The use of Curio.ca outside of the school site is not covered under the scope of this PIA.

Once users complete the online registration form, they will receive instructions by email on how to activate their personal Curio.ca account and how to set up their personal profile and preferences.

Users are responsible for keeping their username and password confidential, and must not share this information or allow it to be used by third parties. Users are responsible for preventing unauthorized people from accessing Curio.ca and its content with a user’s username and password. Users must notify CBC immediately if their login information is compromised or if there is any actual or potential security breach.

<Please confirm within your district whether any other PIAs for related projects should be listed here, and remember to include them if this PIA is to be updated in the future. If the district does not want the students to create individual accounts then this must be communicated to the educators.>

4. Elements of Information or Data

Curio.ca offers a subscription license to access its online media streaming platform of educational content.

As a subscriber to Curio.ca, IP authentication allows educators and students in our District’s schools to access content from any location within the school (or any computer on the school network) without having to create an account. To create playlists or use other personalized features, users will need to create a personal account.

Content can be embedded or linked within a school’s password-protected intranet, school portal or courseware.

Content can be shared on publicly accessible websites, but only through the use of hyperlinks, unless special permission has been granted by CBC to embed or post their content.

Usage Data

The two kinds of information that CBC can obtain about users are: aggregate information and personal information.

Personal Information

The term personal information is defined as information about an identifiable individual that is recorded in any form, with some specific exceptions for the purposes of the Access to Information Act.

This could be, but is not limited to, a user’s first and last name, e-mail address, home address, telephone number, fax number, credit card number, information contained in a résumé, or personal views and opinions.

All student access to Curio.ca within schools is anonymous. Curio.ca retains no personal data on students.

Educators who use Curio.ca’s playlist and annotation features must create an account. Any personal information educators provide to CBC/Radio-Canada to create their account is protected by the Federal Privacy Act and CBC/Radio-Canada’s privacy policy and governed by CBC/Radio-Canada’s Submission Guidelines as well as applicable laws.

Aggregate Information

Aggregate information is anonymous data, such as IP addresses, browser type and domain name, that websites use to help improve the quality of their web pages and to administer the Site.

CBC uses tools including web analytics software, data management platforms, customer relationship management and advertising targeting technology. Most data collected by these tools is aggregated and used for statistical analysis purposes. CBC collects information using digital markers and analyzes data to evaluate the performance of its digital platforms (including Curio.ca) and to optimize the online experience. This aggregated data is used for research, planning and reporting purposes. It is also used to provide an enhanced experience and allow CBC to make better recommendations, serve more relevant advertisements, and make more content that is relevant for users.

CBC may perform statistical analyses of user behaviour and characteristics, to improve design and navigation and gather marketing information. Only aggregate data from these analyses, not personal data, is used for this purpose.

Web Browser Cookies

Our District’s users should be aware that certain non-personal information and data may be automatically collected by the CBC through the use of “cookies” as outlined under Privacy on the Internet. Through cookies, a web site can recognize repeat users, facilitate the user’s access to and use of the site, and track usage behaviour to improve content. CBC uses cookies only for the above-mentioned purposes and will not use them to identify users or to track non-CBC usage.

In the course of serving advertisements to CBC websites, third-party advertisers may place or recognize a unique cookie on a user’s browser. Users who do not want cookies placed on their computers by the CBC can disable cookies by adjusting the relevant preferences in their web browser; however, this may impact some functions of CBC websites.

If users have no problem accepting cookies, but wish to be informed of their appearance, they may turn on a warning prompt by adjusting the relevant setting in their web browser.

IP Authentication

CBC Curio.ca uses an IP authentication service to enable institutional users (such as school districts) to display CBC content within our school network range without creating an account. However, if users would like to create playlists and use other personalized features of Curio.ca, the users will need to create an account.

To enable IP authentication for a CBC Curio.ca licence, our district will provide the CBC with the public IP addresses of the computers that users and students are using to access content.

CBC does not share IP information with any third parties or use it for purposes other than statistical analysis and enabling online features for IP authenticated computers.

By signing up to a CBC platform, a user agrees that CBC may use the GPS location reported by the user’s device. CBC uses the user’s location data to send the user relevant alerts and to localize content. Location data may also be used to target advertising and for reporting and statistical purposes.



Part 2 – Protection of Personal Information

In the following questions, delete the descriptive text and replace it with your own.

5. Storage or Access outside Canada

Curio.ca does not retain personal data on students and all student access is anonymous. Any data collected is stored within Canada (in Montreal, Quebec).

All personal information collected is governed by the federal Privacy Act and by CBC/Radio-Canada’s Personal Information Policy and Privacy Protection.

Any educator information collected is governed by the CBC/Radio-Canada policy on the collection, use and disclosure of personal information in accordance with all requirements set out in the Privacy Act. This policy can be read in full at:

6. Data-linking Initiative*

In FIPPA, "data linking" and “data-linking initiative” are strictly defined. Answer the following questions to determine whether your initiative qualifies as a “data-linking initiative” under the Act. If you answer “yes” to all 3 questions, your initiative may be a data linking initiative and you must comply with specific requirements under the Act related to data-linking initiatives.
  1. Personal information from one database is linked or combined with personal information from another database; / No
  2. The purpose for the linkage is different from those for which the personal information in each database was originally obtained or compiled; / No
  3. The data linking is occurring between either (1) two or more public bodies or (2) one or more public bodies and one or more agencies. / No
If you have answered “yes” to all three questions, please contact your privacy office(r) to discuss the requirements of a data-linking initiative.

7. Common or Integrated Program or Activity*

In FIPPA, “common or integrated program or activity” is strictly defined. Answer the following questions to determine whether your initiative qualifies as “a common or integrated program or activity” under the Act. If you answer “yes” to all 3 of these questions, you must comply with requirements under the Act for common or integrated programs and activities.
  1. This initiative involves a program or activity that provides a service (or services); / No
  2. Those services are provided through:
(a) a public body and at least one other public body or agency working collaboratively to provide that service; or
(b) one public body working on behalf of one or more other public bodies or agencies; / No
  3. The common or integrated program/activity is confirmed by written documentation that meets the requirements set out in the FIPPA regulation. / No
Please check this box if this program involves a common or integrated program or activity based on your answers to the three questions above.

* Please note: If your initiative involves a “data-linking initiative” or a “common or integrated program or activity”, advanced notification and consultation on this PIA must take place with the Office of the Information and Privacy Commissioner (OIPC). Contact your public body’s privacy office(r) to determine how to proceed with this notification and consultation.

For future reference, public bodies are required to notify the OIPC of a “data-linking initiative” or a “common or integrated program or activity” in the early stages of developing the initiative, program or activity. Contact your public body’s privacy office(r) to determine how to proceed with this notification.

8. Personal Information Flow Diagram and/or Personal Information Flow Table

<Both a flow diagram and a table must be included if the PIA is related to a common or integrated program or activity or a data-linking initiative.>

Not Applicable.

Example:

Note: The examples below can be removed and additional lines added as needed.

Personal Information Flow Table
# / Description/Purpose / Type / FIPPA Authority
1. / Student Consent and Parental Authorization is sought to start using the program and collect personal information. / Collection / 26(d)
2. / Student uses Program for course work or on own time. / Use / 32(a), 32(b)
3. / Service request transferred to service provider contracted by school district / Disclosure & Use / 33.2(c) and 32(a)

9. Risk Mitigation Table

Please identify any privacy risks associated with the initiative and the mitigation strategies that will be implemented. Please provide details of all such strategies. Also, please identify the likelihood (low, medium, or high) of this risk happening and the degree of impact it would have on individuals if it occurred.

Note: The examples below can be removed and additional lines added as needed.

Risk Mitigation Table
# / Risk / Mitigation Strategy / Likelihood / Impact
1. / Employees could access personal information and use or disclose it for personal purposes / Oath of Employment; contractual terms, etc. / Low / Low
2. / Request may not actually be from client (i.e. their email address may be compromised) / Implementation of identification verification procedures / Low / Low
3. / User’s personal information is compromised when transferred to the service provider / Transmission is encrypted and over a secure line / Low / Medium
4. / Vendor could change terms of use of the service / School District reviews terms of use periodically / Low / Medium

10. Collection Notice (of Information)

CBC does not collect information that personally identifies individuals except when users provide such specific information on a voluntary basis. There may be occasions where specific personal information is requested before a user can enter certain sections of a CBC site or use specific features such as Curio.ca’s expanded functions like playlists and sharing.

In all such cases, CBC will collect only information that is voluntarily provided by the user and undertakes that such information will be kept strictly confidential. Personal information provided to the CBC to gain access to any CBC site will not be sold or made available to a third party.

Unless otherwise authorized by the Privacy Act, CBC shall inform any individual from whom it collects personal information of the purpose for which the information is being collected and, wherever possible, collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates, except where the individual authorizes otherwise.

Personal information that has been used by CBC for an administrative purpose shall be retained for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information.

CBC shall take all reasonable steps to ensure that personal information that is used for an administrative purpose is as accurate, up-to-date and complete as possible. All CBC employees who collect, maintain and/or use personal information are responsible for ensuring that the collection, use and disclosure of information is carried out in accordance with CBC’s policy and relevant procedures related to privacy.