Administrative Procedure 140: Technology - Responsible Use and Security

Legal References

Education Act: Section 265 Duties of Principal; Education Act: Part XIII Behaviour, Discipline and Safety; R.R.O. Reg. 298: Section 20 Duties of Teachers; R.R.O. Reg. 298: Section 23 Requirements for Pupils; Guideline - Ontario Schools Code of Conduct; Criminal Code of Canada; Canadian Charter of Rights and Freedoms; Ontario Human Rights Code; Municipal Freedom of information and Protection of Privacy Act (MFIPPA)

Related References

1.0 Expectations for Technology Use
1.1 The Director of Education has established expectations with respect to technology and information resources, security procedures, and the roles and responsibilities of each individual in maintaining a secure computing environment.
1.2 Since students and staff members have access to digital tools and Internet resources as part of their teaching/learning/work experience, they each have a role in maintaining a secure computing environment. As well, trustees, school council representatives, and partners and/or volunteers with approved access to technology at the school have the same responsibility for acceptable use and security in the computing environment.
1.3 Principals and management personnel are responsible for communicating expectations and ensuring compliance with the safe computing practices outlined in this Administrative Procedure.

2.0 Principles of the Use of Digital Resources
2.1 Information technology equipment and data owned by the board are to be used solely to further the board's objectives and to be consistent with the law, the Canadian Charter of Rights and Freedoms and the Ontario Human Rights Code. Employees should not use board-owned equipment for the creation or storage of personal information that they expect to remain private and confidential.
2.2 The Director recognizes and respects all disclosure and privacy protection obligations as required by the Municipal Freedom of information and Protection of Privacy Act.
2.3 Avon Maitland District School Board (AMDSB) information is a corporate resource with substantial value that must be protected from unauthorized modification, destruction or disclosure, whether intentional or inadvertent.

3.0 Secure and Protected Computing Resources

3.1 It is important for all users of AMDSB-owned equipment to practice responsible and ethical behavior in their computing activities. Many staff members have access to private and sensitive information that could injure other persons and/or diminish the reputation of AMDSB if lost or disclosed inadvertently.
3.2 With increasing dependence on electronic information systems for all aspects of day-to-day operations, it is essential that computing resources and information are secure and protected from disruption.
3.3 In order to protect the integrity of information stored on computers in schools and administration facilities, it is essential that responsible security practices are followed.
3.4 Individuals and the corporation may be held liable in the event that software is not licensed or properly authorized or if information is not properly and securely stored.

4.0 Implementation Procedures

4.1 Everyone has a part in maintaining a secure computing environment and must adhere to the procedures outlined in this document.
4.2 All technology users approved by the Director or designate(s) are asked to read this document carefully.
4.3 Anyone with questions regarding this procedure should submit a TOPDesk ticket for follow-up by the Administrator of Information Technology.

5.0 Directions for Access and Use

5.1 Access to confidential information is restricted to those with a demonstrated "need to know" to the extent required to perform job functions.
5.2 Access to confidential electronic information will be granted only to appropriate individuals and work groups, as described below in Section 7.
5.3 Critical data are securely managed throughout the life cycle and backed up on a regularly scheduled cycle per the AMDSB Disaster Recovery Plan.
5.4 Information retention and equipment disposal practices ensure the continued protection of personal and corporate privacy.
5.5 All digital technology and software purchased by AMDSB, belongs to the board and the board reserves the right to access, monitor and review all use, including email and Internet use, and file contents at any time.
5.6 The board reserves the right to review, access, monitor, delete or otherwise deal with any material stored on the AMDSB system.
5.7 Software and related intellectual property developed by staff members in the performance of their duties are the property of the district, and may not be distributed or shared unless authorized in writing by the Director of Education or designate (see Administrative Procedure 440 Employee Conflicts of Interest).
5.8 All software residing on AMDSB technology must be installed in compliance with licensing requirements of the software's owners. Use of "pirated" software or software secured through unauthorized reproduction is strictly prohibited.
5.9 Passwords and related security codes must be kept secure at all times and disclosed only as provided for by the disclosure policies and practices of its owners.

6.0 Responsibilities of Staff Members

6.1 Primary responsibility for security of information is vested with the supervisory officer designated by the Director to be responsible for the creation or assembly of the information (e.g., security of human resources records is vested with the Superintendent of Education (Human Resources)). A supervisory officer may delegate this responsibility to a principal or other manager.

6.2 All staff members are informed of this procedure through the annual Safe Schools/Vector mandatory training program. Secondary responsibility for the security of information is vested with the Information Technology department staff who manage information processing, transmission, and storage in compliance with the district's Records and Information Management Program and in consultation with the Enrolment and Information Manager.

6.3 Users of information are responsible for using it for the purposes intended and complying with control, access and disclosure procedures.

6.4 Individual users are responsible for the information which is in their possession (downloaded onto their computer and/or portable data storage device).

6.5 Those responsible for its use and physical security must protect data, digital technology and software at all times from physical damage, theft or unauthorized modification.

6.6 Any digital tool must not be left unattended when the power is on and confidential or critical information is being accessed. Users must log-off or lock their devices when left unattended for a prolonged period of time. Users must log-off or lock their devices at the end of each workday.

6.7 Where confidential or sensitive information is stored on a computer's hard drive, every effort must be taken to ensure that the computer is physically secure, information is backed up, and sensitive materials are protected by logical access controls such as passwords.

6.8 Staff must follow the procedures outlined in Administrative Procedure 103 Management of Personal Information – Student.
Specifically, staff must ensure that:
6.8.1 Laptops, iPads, cell phones and electronic storage media are password protected to prevent unauthorized access;
6.8.2 Devices containing confidential information are kept under direct supervision of the staff member or stored in a secure, locked location when outside of the worksite;
6.8.3 Devices containing confidential information are not shared with individuals who do not have the rights or responsibilities to view the information contained on such devices (for example, family or friends); and
6.8.4 When using wireless devices confidential information is not transmitted over unsecured networks.

7.0 Cyber Security Practices

7.1 Cyber Security Incidents
7.1.1 All AMDSB employees are responsible for identifying and reporting possible cyber security events. There are many types of security incidents and some require assistance from the Information Technology Services department to review and determine the nature and scope of the problem. Examples of cyber security events which should be reported are: User passwords shared with staff or students Internet browser (Google Chrome, Firefox, Microsoft Edge, or Safari) popups that will not shutdown Computers that have been infected with a virus, spyware or adware Unintentional sharing to data folders or files through Google, OneDrive, or AMDSB file servers Lost or theft of any AMDSB digital tools Phishing attempts through Google email.

7.1.2 Staff members are asked to submit a TOPDesk ticket in the case of a suspected cyber security event.

7.2 Software and Licenses
7.2.1 Individuals and the district may be held liable if software is not licensed or properly authorized or if information is not properly and securely stored.
7.2.2 Software License agreements must be honoured even if the software is not copy-right protected. All software used for district operations must be installed in accordance with licensing agreements.
7.2.3 Original license agreements purchased either by Procurement or the Information Technology departments must be filed centrally.
7.2.4 Software purchased for home use is not licensed for use on board-owned equipment and therefore may not be installed on board computers.
7.2.5 It is against the law to copy commercial software that has not been placed in the public domain or distributed as "freeware." Software "piracy" (copying a commercial software product purchased by a party other than the user) injures everyone. It reduces the incentives for the software industry to invest in new projects, reduces the willingness of vendors to support board computing through discount programs, and makes violators vulnerable to criminal prosecution. Users are not permitted to remove software from the board system for use on other systems as this may amount to copyright infringement and expose both the individual and the board to liability.

7.3 Digital Technology Hardware
7.3.1 Computer equipment (including monitors, system units, printers, keyboards, external disk drives, scanners, keypads, cables, etc.) must be located where they will be secure and as free as reasonably possible from damage by water, fire, or other disasters.
7.3.2 Laptop computers, iPads and other related mobile equipment must be handled securely, as the high value and portability of these devices makes them desirable theft items.
7.3.3 Personal computer equipment (laptops, personal data devices, etc.) may not be directly connected (hard-wired) to the board's LAN or WAN for security reasons. However, personal computer equipment may be connected to the board's wireless network Staff and students must ensure that their computer/device meets the following conditions: the device must have an up-to-date antivirus program running; operating system security patches must be up to date; p2p programs (such as Frostwire) must not be running; and there must be no viruses, worms, malware, etc. on the device.

7.3.4 If any of these conditions are not met, the Network Authentication Control will deny access to the wireless network.

7.4 Digital Technology Purchases
7.4.1 Any technology purchases must follow the procedures outlined in AP 516: Procurement (Purchasing) and IT purchasing guidelines.

7.5 Removable Media
7.5.1 Data may be stored on removable media with encryption software such as external hard drives.
7.5.2 Important data must be appropriately backed up.
7.5.3 When not in use, removable media must be placed in locked storage if the data contained are critical or confidential. Loss of data can occur if removable disks are stored near magnetic fields (telephones or monitors).
7.5.4 Instructions for safe and proper use provided with removable media must be followed. As with other computer equipment, foreign objects such as food, liquids and dust can cause damage to removable media. Excessive heat and direct sunlight may also cause damage to such media. Valuable data can be lost if media are not handled safely.
7.5.5 Students and staff may use Portable Storage Devices for the storage and transfer of documents between school and home, however the use of Google Drive for this purpose is recommended. The protocol for use of such devices by students is outlined in Appendix B: Technology Responsible Use and Security - code of conduct for Students.

7.6 Contingency Plans/Backup
7.6.1 In cases of emergency, a TOPDesk ticket should be submitted and the Administrator of Information Technology and/or Superintendent will be notified immediately.
7.6.2 To protect critical information from loss in the event of theft or fire, all systems are backed up on a regular basis per the AMDSB Disaster Recovery Plan.

7.7 Password/User Authorization
7.7.1 Board employees will be provided with a unique login and password for accessing board technology and services.
7.7.2 Passwords are not to be posted in public access areas or near the computer itself. Individual user passwords must remain secure and must not be shared with anyone else.

7.8 Electronic Mail, Conferencing & other On-line Communications
7.8.1 Board administrative staff will determine Internet programs, users, and protocols for standardization within Avon Maitland District School Board.
7.8.2 Following the process documented in Administrative Procedure 322: Electronic Monitoring, the Director of Education may designate ITS staff to monitor or check from time to time the contents of electronic messages carried on district computer networks. All communications, including those marked as private/confidential by the sender, may be monitored. Electronic mail originating from the district, like traditional mail, is to be used only to further the district's objectives and is the property of Avon Maitland District School Board. All communications are to use appropriate and respectful language while adhering to the law, the Canadian Charter of Rights and Freedoms and the Ontario Human Rights Code.
7.8.3 Email communication for Board personnel will be archived for up to two years from the date of the original communication.
7.8.4 For further clarification, review the Email Protocols document, attached Appendix C. The provisions outlined in AP 140 Technology: Responsible Use and Security apply when using board email both during and outside regular working hours.

7.9 Online Publishing
7.9.1 All web pages hosted on the board's corporate site or provided for by the board are considered the property of the Avon Maitland District School Board and must comply with the principles and standards set out in this procedure.
These online publications must be developed in conjunction with the Communications and ITS departments. Online publishing must respect the administrative procedures and be consistent with copyright and other laws, the Charter of Rights and Freedoms and the Ontario Human Rights Code and the Municipal Freedom of Information and Protection of Privacy Act.

7.10 Public Cloud Computing
7.10.1 There are cloud based services that provide an opportunity for communication and collaboration between teachers and parents. Many staff may wish to use these tools to increase parent engagement. Any system recommended by the Board will have security and privacy agreements in place.
7.10.2 The board’s Privacy and Security requirements must be met before staff use collaboration services to communicate with parents. Therefore, staff must follow the process outlined below before any invitation is sent to parents to participate in communication/collaboration services.
7.10.3 Determine which parent/guardian email will be used within the collaboration tool. This review may include custody and/or contact parameters outlined within custodial agreements. Please note: the approved parent/guardian email address(s) are visible within Aspen.
7.10.4 Students 18 years of age or older must provide written consent at the school level before parental access is granted.
Teachers are reminded that public cloud tools should not be used for posting student marks or schoolwork.

7.11 Technology Responsible Use Practices for All Approved Users
7.11.1 Digital technology users approved by the Director or designate(s) with access to computers at the schools and administrative offices include students, employees, trustees, school council representatives, and partners/volunteers with approved access.
7.11.2 All approved digital technology users are required to use technology and the district's information resources in accordance with this administrative procedure.
7.11.3 Unacceptable or inappropriate use includes, but is not limited to: Activities which may damage equipment; Downloading, copying, viewing or transmitting any material which is in violation of any federal or provincial statute or regulation such as copyrighted material; threatening or obscene material; hateful, racist or discriminatory material; Any breach of security on local and remote sites including use or attempted use of another user's account; unlawful entry or attempted entry into any network system; any attempt to gain unauthorized access to view, alter, copy, share or destroy data and the creation and/or willful transmission of computer viruses or virus hoaxes; and Activities supporting private business or commercial ventures except in the appropriate conference designated by the Information Technology Department. Creation or using a VPN (Virtual Private Network) or Proxy Server other than the board’s authorized VPN system. Any breach in privacy occurring on any technology within the Avon Maitland District School Board must follow our procedure outlined within AP 194 Privacy and Breach Protocol.

8.0 Reserved Right to Limit Use
8.1 The board, in its sole discretion, has the right to limit individual or organizational use at any time without notice.
8.2 Network etiquette must be followed, including using appropriate and respectful language, the avoidance of the distribution of nuisance or junk mail and the efficient use of on-line time.
8.3 Users must follow personal safety measures including, but not limited to, the following:
8.3.1 Report to school staff any unusual or suspicious communication with others;
8.3.2 Do not divulge any personally identifying information over the Internet; and
8.3.3 Never agree to meet with strangers with whom they have communicated on the Internet.

8.4 Use of the Internet is an integral part of the educational experience in many school programs and schools must inform parents that their child will use the Internet. This communication will be shared with parents/guardians each Fall.
8.5 Inappropriate use of the district's digital technology resources will result in consequences. In the event of actions, which may violate the law, the police will be informed.

9.0 Canada's Anti-Spam Legislation (CASL)

9.1 Canada's Anti-Spam Legislation (CASL) prohibits the sending of a commercial electronic message (CEM) to an electronic address unless the sender complies with the following three requirements. The sender:
9.1.1 obtains the consent of the intended recipient;
9.1.2 provides certain identification information of the sender; and
9.1.3 provides an unsubscribe mechanism.

9.2 Anyone who is unsure as to whether or not an electronic message being sent to an electronic address is a CEM should consult with the Administrator of Information Services prior to sending any such message.

9.3 No one is permitted to use their AMDSB issued email address to promote or advertise participation in non-board or personal commercial activities, including fundraising awareness to individual Google mailboxes or an individual's external email address.

9.4 Schools often communicate with parents and students by emailing newsletters or other forms of communication. If these electronic communications include encouraging participation in a commercial activity as described in the definition section above, then written consent of the recipient must be obtained prior to sending such a message. This written consent is captured on the Student Registration Form and tracked within the Aspen student record. Principals are responsible to ensure all electronic mailing lists used by the school office staff or teaching staff contain only the email addresses for which CASL consent has been received.

9.5 A CEM must also include an unsubscribe mechanism through which a recipient of a CEM may indicate that they no longer wish to receive such messages.

9.6 The sender must specify in the CEM that the recipient may unsubscribe to future CEMs by replying to the CEM and indicating "unsubscribe" in the subject line. The following statement must be included within the footer of each CEM.
This message is being sent on behalf of the Avon Maitland District School Board and/or your child's school in compliance with the Canadian Anti-Spam Legislation. Questions regarding this electronic communication may be referred to the principal of the school or the Enrolment and Information Manager at the Education Centre. You may unsubscribe from receiving these messages by replying to this email with "unsubscribe" in the subject line.

9.7 Any requests to unsubscribe must be acted upon no later than 10 business days from receipt of it. The email address must be removed from the mailing list.

9.8 For schools, the Aspen record should be updated and the printed copy of the unsubscribe email should be placed in the documentation folder of the OSR with the original student registration form. For example, if a school sends newsletters electronically to parents and/or students and the newsletter contains from time to time promotions or advertisements to sell products or services including for fundraising events, and a parent or student has indicated they do not wish to receive CEMs, then the person's electronic address will be removed and the newsletter or other communication will be sent home with the student.

9.9 School Principals should strive to ensure that only one person is responsible for maintaining a list of electronic addresses to which CEMs are sent and that person must be notified of any unsubscribe requests or revocation of consent.

9.10 All departments of the board should follow procedures for maintaining electronic addresses for the purposes of commercial electronic messages and deleting those addresses that request to unsubscribe. Consultation with the Enrolment and Information Manager may be required. An "opt out" option must be included within the email and the following statement must be included in the body of commercial electronic messages.

10.0 Digital Citizenship
10.1 Today's world is vastly different than the world was a decade ago, a year ago and even a month ago. The explosion of technology has vastly changed the way students learn as well as our view of community and what it means to be part of and interact within that community. As such, while the base qualities of being a good citizen haven't changed, the notion of citizenship must now encompass the idea of being a good digital citizen. Today's students need to have the skills to actively participate in the complexities of digital spaces in a positive, responsible and safe manner.
11.0 Definitions

Bring Your Own Device (BYOD) - Digital tools that are not the property of the Avon Maitland District School Board

Canada's Anti-Spam Legislation (CASL) - Regulations requiring any individuals or organizations that send commercial electronic messages (CEM) to obtain express consent from all Canadian recipients

Cyber Security Event - Any incident to gain unauthorized access to or misuse Board digital tools, networks or services.

Digital Citizenship - The safe, responsible and ethical use of technology by students and staff following accepted norms and rules to support collaboration and learning and the development of a positive digital footprint.

Digital tools - portable or static computing technology which can be used for the purpose of communication, data management, word processing, and accessing a network.

Internet - Global communications network connecting digital devices all over the world through which individuals can interact and share information.

Phishing - Email, telephone or text message sent by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

Ransomware - Type of malware which locks down a data file or folder until an organization pays the hacker a fee.

Users - Any person (employees, students, trustees, or visitors) who uses Avon Maitland District School Board’s digital tools or networks.

Malware - Malicious software installed on a computer, server, or network device.

Appendix A - Technology Responsible Use - Code of Conduct for Students (please see pdf)
Appendix B - Internet/Intranet Protocol Acceptable Use (please see pdf)
Appendix C - Google Workspace for Education Terms and Conditions (please see pdf)

Revised December 2022