100 - General Administration
200 - Instructional Programs & Materials
300 - Students
400 - Personnel and Employee Relations
500 - Business Administration

Administrative Procedure 180

Access To Information And Protection of Privacy

Background

The Access to Information Act (ATIA) and the Protection of Privacy Act (POPA) along with corresponding Regulations came into effect on June 11, 2025, replacing the former Freedom of Information and Protection of Privacy Act (FOIP). The legislation aims to strike a balance between the public’s right of access to records and the individual’s right to privacy, as those rights relate to information held by public bodies in Alberta. The ATIA and POPA apply to the operations of the Division and to the records and data under the custody and control of Valhalla Community School. The school authority will manage information in a manner that supports a commitment to providing the public with access, which is subject to specific limitations under the ATIA, while fulfilling its obligations to safeguard the confidentiality of personal information in its records and to protect personal information from unauthorized access, collection, use, disclosure, and destruction.

Definitions

Access: A person’s right to view or copy records [ATIA s. 6].

Electronic record: A record that exists at the time a request for access is made or is routinely generated by a public body, which can be any combination of texts, graphics, data, audio, pictorial, or other information in a digital form that is created, maintained, archived, retrieved or distributed by a computer system.

Employee: includes a person who performs a service for the public body as an appointee, volunteer or student or under contract or agency relationship with the public body. [POPA s. 1]

Formal Access Request: An official request made for information which is not available by other means, under the ATIA and accompanied by the initial fee if required [ATIA s. 7(2)].

Personal information: Recorded information about an identifiable individual, including various contact details, identifying numbers, physical or mental health information, gender identity, sexual orientation, and other characteristics [POPA s. 1(q)].

Privacy breach: loss of, unauthorized access to or unauthorized disclosure of personal information in the custody or under control of the public body where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss, unauthorized access or unauthorized disclosure. [POPA s. 10(2)]

Privacy Impact Assessment (PIA): A process of analysis that helps to identify and address potential privacy risks that may occur in the operation of a new or redesigned project, and helps eliminate or reduce those risks to an acceptable level [POPA s. 26].

Record: Information in any form, including notes, images, audiovisual recordings, emails, text messages, drawings, photographs, and any other information that is written, photographed, recorded, or stored in any manner, and includes electronic records [ATIA s. 1(f), 1(u)].

Transitory Records: Information of temporary usefulness that is needed only for a limited period of time in order to complete a routine action or prepare a final record. These may be copies of records that are retained as information or convenience by individuals who are not primarily responsible for them.

Procedures

1.The Superintendent has been designated by the school authority as the Access and Privacy Head of the School Authority, responsible for decisions under ATIA and POPA.
2. The Superintendent must direct how the school authority will:
2.1 Protect personal information under POPA Section 10(1) by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, and destruction.
2.2 Comply with an order of the Information and Privacy Commissioner under ATIA Section 66(1) or POPA Section 44(1).
2.3 Establish and implement a Privacy Management Program (PMP) in accordance with POPA s.25. This program must be proportional to the volume and sensitivity of the personal information the Division manages.
3. The Secretary-Treasurer has been designated as the Access & Privacy Coordinator in accordance with the provisions of ATIA and POPA and is responsible for the overall management of the Acts within the Division.
3.1 The Access & Privacy Coordinator must educate Division employees about how to collect, use, and disclose personal information in accordance with POPA.
3.2 The Access & Privacy Coordinator must respond to each formal request to obtain access to a school authority record under ATIA.
3.3 The Access & Privacy Coordinator must require each applicant to pay the school authority fees for services as provided for in the regulations under the ATIA unless the applicant is excused from paying all or part of a fee for services under ATIA Section 96.
4. Overseeing the development, implementation and maintenance of the division’s Privacy Management Program (PMP), ensuring all required components are in place within one year after POPA came into force. The PMP will be available to the public upon request.
5. After receiving a report about an actual or suspected privacy breach under POPA Section 10(2) by the school authority or a school authority employee, the Access & Privacy Coordinator must:
5.1 Report the incident to the Superintendent.
5.2 Report the incident to any person(s) whose personal information was affected, if there is a real risk of significant harm [POPA s. 10(2)(a)].
5.3 Report the incident to the Commissioner if applicable [POPA s. 10(2)(b)].
5.4 Report the incident to the Minister.
6. The Division employee who is authorized to collect, use, and disclose personal information must ensure to do so in accordance with the POPA.
6.1 No Division employee other than the Access & Privacy Coordinator may respond to a formal request to obtain access to a Division record under ATIA.
6.2 If a Division employee other than the Access & Privacy Coordinator receives a formal request to obtain access to a Division record under ATIA, then the Division employee must forward the request to the Access & Privacy Coordinator immediately.
6.3 Each Division employee must report any actual or suspected privacy breach or contravention of POPA by a Division employee, whether intentional or not, to the Access & Privacy Coordinator immediately.
6.3.1 The Division employee will not take any adverse employment action against a Division employee who, acting in good faith, reported an actual or suspected privacy incident or contravention of POPA by another Division employee to the Access & Privacy Coordinator [POPA s. 59(1)].

6.4 Division employees must protect all information while in their custody and control, ensuring the risk of unauthorized disclosure of personal or other confidential information is minimized [POPA s. 10(1)].
6.5 If a Division employee needs to collect personal information, they must make sure they have the authority to collect the personal information requested under POPA Section 4.
6.5.1 Ensure the personal information they collect is used in a way that is
consistent with the original purpose of collection under POPA Sections
12(1)(a) and 14.
1.6 Division employees can share personal information only with individuals or organizations that have the right of access under ATIA Section 6 or the consent of the individual about whom the information applies under POPA Section 13(1)(c).
6.6.1. If a Division employee is unsure whether or not they can share
information, they must consult with the Division Access & Privacy Coordinator.
1.7 Each Division employee who contravenes the ATIA or POPA or this
Administrative Procedure may be subject to disciplinary action up to and including termination of employment with the Division [ATIA s. 95, POPA s. 60].
2. The Division shall prepare and make available to the public an information directory. The Division must also publish a directory of its personal information banks [POPA s. 57].
3. No personal information may be collected by or on behalf of the Division unless the collection of that information is expressly authorized by an enactment of Alberta or Canada, is collected for the purposes of law enforcement, or relates directly to and is necessary for
an operating program or activity of the public body [POPA s. 4].
4. The Division may use or disclose personal information only for the purpose for which it was collected or compiled, or for a use consistent with that purpose, or if the individual the information is about has identified the information and consented to its use or disclosure in
the prescribed manner [POPA s. 12(1), 13(1), 14].
5. The Division has a duty to maintain accurate and complete personal information when that information is used to make decisions about the individual. POPA Section 7 permits an individual to request correction of an error or omission that has been made on their personal information [POPA s. 6, 7].
6. All publications, following their release, will be made available in the Division office for review by members of the public, or through free initial distribution, or on the Division’s home page on the Internet [ATIA s. 90, 9].
7. How to Process a Request for Access to Information:
7.1 To submit a formal ATIA request, contact the Division’s Access & Privacy Coordinator [ATIA s. 7(1), Access to Information Regulation (ATIR) s. 3(1)].
7.2 An initial application fee (indicated on the form) is required for all general information requests. At the discretion of the Division, additional fees may be levied in accordance with ATIA Section 96 and ATIR Schedule 1.
7.3 The Access & Privacy Coordinator shall determine whether or not the information is to be released under the terms of the ATIA, applying the specified exceptions to disclosure [ATIA Part 1 Division 2].
7.3.1 If the information is withheld in whole or in part, the requestor will be advised of their right to ask for a review of that decision by the
Commissioner under ATIA Section 14(1)(c)(iii).
7.4 Request for Information forms are available from all schools, the Division office and on the Division website. Collecting, Using, Retaining and Disclosing Personal information:
8. In accordance with POPA, the Division is authorized to collect, use, and disclose personal information when that information relates directly to and is necessary for an operating program or activity of the Division [POPA s. 4(c), 12, 13].
8.1 For the purposes of delivering educational programming and ensuring a safe and secure school environment, the Division is required under the provisions of the Education Act and its regulations to collect, use, and disclose personal information [POPA s. 4].
8.1.1 In such instances, employees of the Division may, without consent,
collect, use, and disclose personal information that is necessary for
performing a statutory duty of the Division or for operating a legally
authorized program of the Division. When collecting, using, or
disclosing information in this manner, the Division shall notify affected
parties of the purpose of collection, the specific legal authority, and
contact information for questions, and any intention to use the
information in an automated system [POPA s. 4, 5(2), 12, 13].
8.1.2 Some examples in which consent need not be obtained include:
13.1.2.1 Use of students’ names on lists such as honour rolls, scholarships, or other awards within the Division;
13.1.2.2. Providing Alberta Education with student information to meet
reporting requirements;
13.1.2.3. Annual Registration Form;
13.1.2.4. Producing and transferring student records;
13.1.2.5. Use of student’s names and pictures for yearbooks and student
identification cards;
13.1.2.6. Use of students’ names and related contact information for
absenteeism verification.
13.2 Consent shall be sought when personal information is used and/or disclosed for purposes which are not necessary for performing a statutory duty of the Division or for
operating a legally authorized program of the Division, in accordance with POPA Section 12(1)(b) or 13(1)(c).
13.2.1. Consent may be sought as the need arises or multiple consents may be sought during the school opening procedure.
13.2.2. With the exception of the provisions established in this Administrative Procedure, consent must be obtained in writing [Protection of Privacy Regulation (POPR) s. 2(3)].
13.2.3. The instrument for collecting the requested consent must:
13.2.3.1. Specify the personal information to which the consent relates.
13.2.3.2. Specify to whom the personal information may be disclosed and how the personal information may be used.
13.2.3.3. Specify the date on which the consent is effective and, if applicable, the date on which the consent expires.
13.2.3.4. Indicate that consent is voluntary. Indicate that consent may be
revoked at any time and indicate the person to contact.
13.2.3.5. Be retained by the school or originating department for a period of no less than one year past the expiry date of the consent.
13.2.4. When consent has been requested but has been denied, or no answer has been received, the Division cannot use or disclose the information in question.
13.3. Rules surrounding the use of electronic consent:
13.3.1. The Division may collect consent in electronic form in addition to normal practices of collecting consent in writing, in accordance with POPR Section 2(4).
13.3.2. Except where prohibited by law or this Procedure, the Division may collect consent in electronic form for all uses and disclosures where consent is obtained under POPA Section 12(1)(b) and 13(1)(c).
13.3.3. Electronic consent must:
13.3.3.1. Be provided in a manner consistent with the electronic signature requirements in ATIR Section 7(2)(a) and POPR. 2(4)(a) and be clearly associated with the electronic consent.
13.3.3.2. Be producible or reproducible at any time.
13.3.4. Prior to implementing electronic consent, departments should consult with the Access & Privacy Coordinator.
13.4 Records containing personal information must be stored and disposed of in a manner that maintains the confidentiality of the information, through reasonable security arrangements
[POPA s. 10(1)].
13.5 Records containing personal information must be accessed only by authorized persons and must be used in a manner that maintains the confidentiality of the information [POPA s. 10(1)].
13.6. Transitory records must be destroyed when they are no longer required. The handling of all
other records should adhere to Division retention and destruction schedule.
13.7. Unless otherwise permitted by POPA, personal information must be disclosed for the
purpose for which it was collected or for a use consistent with that purpose [POPA s. 13(1)(b),
14].
13.8. Each time personal information is collected directly from individuals, affected individuals are to be notified of the purposes for the collection, the specific legal authority for collecting the
information, and who to contact if they have any questions [POPA s. 5(2)].
13.9. Students and members of the public can take photos or videos of students at school activities that are open to the general public. These activities include, but are not limited to, sporting events, graduation ceremonies, field trips, concerts, and cultural programs. It is beyond
the Division’s ability to control the use, or further distribution, of personal information acquired in these instances, although the disclosure of personal information at public events may be
considered an unreasonable invasion of privacy if the individual objects.

 Privacy Impact Assessment (PIA):

14 When required by POPA Section 26(1) and POPR Section 7, the Division must prepare a PIA.
This is required for new, or substantial changes to existing, administrative practices, programs, projects or services, especially those involving high sensitivity information, data matching, common/integrated programs, or innovative technology.
14.1 Departments must inform the Access & Privacy Coordinator of any assessments prior to undertaking any such formal privacy review. The Access & Privacy Coordinator will provide templates and instructions on how to complete privacy assessments, and shall provide feedback to the relevant department(s) throughout the process.
14.2 Completed privacy impact assessments are to be signed by relevant department heads and the Access & Privacy Coordinator.

 

References: Education Act
Access to Information Act
Access to Information Regulation
Protection of Privacy Act
Protection of Privacy Regulation
Personal Information Protection and Electronic Documents Act
Electronic Transactions Act
Administrative Procedure
180 Records Management
320 Student Records
402 Personnel Records