Administrative Procedure 140: Technology - Responsible Use and Security

Legal References

Education Act: Section 265 Duties of Principal; Education Act: Part XIII Behaviour, Discipline and Safety; R.R.O. Reg. 298: Section 20 Duties of Teachers; R.R.O. Reg. 298: Section 23 Requirements for Pupils; Guideline - Ontario Schools Code of Conduct; Criminal Code of Canada; Canadian Charter of Rights and Freedoms; Ontario Human Rights Code; Municipal Freedom of information and Protection of Privacy Act (MFIPPA); Personal Information Protection and Electronic Documents Act (PIPEDA), Policy/Program Memorandum 128 The Provincial Code of Conduct and School Board Codes of Conduct

Related References


1.0 Expectations for Technology Use
1.1 The Director of Education has established expectations with respect to technology and information resources, security procedures, and the roles and responsibilities of each individual in maintaining a secure computing environment.
1.2 Since students and staff members have access to digital tools and Internet resources as part of their teaching/learning/work experience, they each have a role in maintaining a secure computing environment. Also, trustees, School Council representatives, and partners and/or volunteers with approved access to technology at the school have the same responsibility for acceptable use and security in the computing environment.
1.3 Principals and supervisors are responsible for communicating expectations and ensuring compliance with the safe computing practices outlined in this Administrative Procedure.

2.0 Principles of the Use of Digital Resources
2.1 Information technology equipment and data owned by the board are to be used solely to further the board's objectives and to be consistent with the law, the Canadian Charter of Rights and Freedoms and the Ontario Human Rights Code. Employees should not use board-owned equipment for the creation or storage of personal information that they expect to remain private and confidential.
2.2 The Director recognizes and respects all disclosure and privacy protection obligations as required by the Municipal Freedom of information and Protection of Privacy Act.
2.3 Avon Maitland District School Board (AMDSB) information is a corporate resource with substantial value that must be protected from unauthorized modification, destruction or disclosure, whether intentional or inadvertent.

3.0 Secure and Protected Computing Resources
3.1 It is important for all users of AMDSB-owned equipment to practice responsible and ethical behavior in their computing activities. Many staff members have access to private and sensitive information that could injure other persons and/or diminish the reputation of AMDSB if lost or disclosed inadvertently.
3.2 With increasing dependence on electronic information systems for all aspects of day-to-day operations, it is essential that computing resources and information are secure and protected from disruption.
3.3 To protect the integrity of information stored on computers in schools and administration facilities, it is essential that responsible security practices are followed.
3.4 Individuals and the corporation may be held liable if software is not licensed or properly authorized or if information is not properly and securely stored.

4.0 Implementation Procedures
4.1 Everyone has a part in maintaining a secure computing environment and must adhere to the procedures outlined in this document.
4.2 All technology users approved by the Director or designate(s) are asked to read this document carefully.
4.3 Anyone with questions regarding this procedure should submit a TOPdesk ticket for follow-up by the Executive Officer of Information Technology.

5.0 Directions for Access and Use
5.1 Access to confidential information is restricted to those with a demonstrated "need to know" to the extent required to perform job functions.
5.2 Access to confidential electronic information will be granted only to appropriate individuals and work groups, as described below in Section 7.
5.3 Critical data are securely managed throughout the life cycle and backed up on a regularly scheduled cycle per the AMDSB Disaster Recovery Plan.
5.4 Information retention and equipment disposal practices ensure the continued protection of personal and corporate privacy.
5.5 All digital technology and software purchased by AMDSB belongs to the board and the board reserves the right to access, monitor and review all use, including email and Internet use, and file contents at any time.
5.6 The board reserves the right to review, access, monitor, delete or otherwise deal with any material stored on the AMDSB system.
5.7 Software and related intellectual property developed by staff members in the performance of their duties are the property of the district and may not be distributed or shared unless authorized in writing by the Director of Education or designate (refer to Administrative Procedure 440 Employee Conflicts of Interest).
5.8 All software residing on AMDSB technology must be installed in compliance with licensing requirements of the software's owners. Use of "pirated" software or software secured through unauthorized reproduction is strictly prohibited.
5.9 Passwords and related security codes must be always kept secure and disclosed only as provided for by the disclosure policies and practices of its owners.

6.0 Responsibilities of Staff Members
6.1 Primary responsibility for security of information is vested with the supervisory officer designated by the Director to be responsible for the creation or assembly of the information (e.g., security of human resources records is vested with the Superintendent of Education (Human Resources)). A supervisory officer may delegate this responsibility to a principal or other manager.
6.2 All staff members are informed of this procedure through the annual Safe Schools/Vector mandatory training program. Secondary responsibility for the security of information is vested with the Information Technology department staff who manage information processing, transmission, and storage in compliance with the district's Records and Information Management Program and in consultation with the Enrolment and Information Manager.
6.3 Users of information are responsible for using it for the purposes intended and complying with control, access, and disclosure procedures.
6.4 Individual users are responsible for the information which is in their possession (downloaded onto their computer and/or portable data storage device).
6.5 Those responsible for its use and physical security must protect data, digital technology, and software at all times from physical damage, theft or unauthorized modification.
6.6 Any digital tool must not be left unattended when the power is on and confidential or critical information is being accessed. Users must log off or lock their devices when left unattended for a prolonged period of time. Users must log-off or lock their devices at the end of each workday.
6.7 Where confidential or sensitive information is stored on a computer's hard drive, every effort must be taken to ensure that the computer is physically secure, information is backed up, and sensitive materials are protected by logical access controls such as passwords.
6.8 Staff must follow the procedures outlined in Administrative Procedure 103 Management of Personal Information – Student.
Specifically, staff must ensure that:
6.8.1 Laptops, iPads, cell phones and electronic storage media are password protected to prevent unauthorized access;
6.8.2 Devices containing confidential information are kept under direct supervision of the staff member or stored in a secure, locked location when outside of the worksite;
6.8.3 Devices containing confidential information are not shared with individuals who do not have the rights or responsibilities to view the information contained on such devices (for example, family or friends); and
6.8.4 When using wireless devices confidential information is not transmitted over unsecured networks.

7.0 Cyber Security Practices
7.1 Cyber Security Incidents
7.1.1 All AMDSB employees are responsible for identifying and reporting possible cyber security events. There are many types of security incidents, and some require assistance from the Information Technology Services department to review and determine the nature and scope of the problem.
Examples of cyber security events which should be reported are:
7.1.1.1 User passwords shared with staff or students.
7.1.1.2 Internet browser (Google Chrome, Firefox, Microsoft Edge, or Safari) popups that will not shutdown.
7.1.1.3 Computers that have been infected with a virus, spyware or adware.
7.1.1.4 Unintentional sharing to data folders or files through Google, OneDrive, or AMDSB file servers.
7.1.1.5 Lost or theft of any AMDSB digital tools.
7.1.1.6 Phishing attempts through Google email.

7.1.2 Staff members are asked to submit a TOPdesk ticket in the case of a suspected cyber security event.

7.2 Software and Licenses
7.2.1 Individuals and the district may be held liable if software is not licensed or properly authorized or if information is not properly and securely stored.
7.2.2 Software License agreements must be honoured even if the software is not copyright protected. All software used for district operations must be installed in accordance with licensing agreements.
7.2.3 Original license agreements purchased either by Procurement or the Information Technology departments must be filed centrally.
7.2.4 Software purchased for home use is not licensed for use on board-owned equipment and therefore may not be installed on board computers.
7.2.5 It is against the law to copy commercial software that has not been placed in the public domain or distributed as "freeware." Software "piracy" (copying a commercial software product purchased by a party other than the user) injures everyone. It reduces the incentives for the software industry to invest in new projects, reduces the willingness of vendors to support board computing through discount programs, and makes violators vulnerable to criminal prosecution. Users are not permitted to remove software from the board system for use on other systems as this may amount to copyright infringement and expose both the individual and the board to liability.

7.3 Digital Technology Hardware
7.3.1 Computer equipment should be located securely to prevent damage by water, fire, or other disasters.
7.3.2 Laptop computers, iPads, and other mobile devices should be handled securely due to their high value and portability.
7.3.3 Staff and students must ensure their devices meet security conditions (antivirus, patches, no malware) to access the wireless network.
7.3.4 If any of these conditions are not met, the Network Authentication Control will deny access to the wireless network.
7.3.5 The use of Global Positioning System (GPS) tracker devices shall be permitted for geolocation tracking only. The recording of video or audio through such devices is not permitted. Parents shall notify the school Principal of any use of such devices.

7.4 Digital Technology Purchases
7.4.1 Any technology purchase must follow the procedures outlined in AP 516 Procurement (Purchasing) and IT purchasing guidelines.

7.5 Removable Media
7.5.1 Data may be stored on removable media with encryption software such as external hard drives.
7.5.2 Important data must be appropriately backed up.
7.5.3 When not in use, removable media must be placed in locked storage if the data contained are critical or confidential. Loss of data can occur if removable disks are stored near magnetic fields (telephones or monitors).
7.5.4 Instructions for safe and proper use provided with removable media must be followed. As with other computer equipment, foreign objects such as food, liquids and dust can cause damage to removable media. Excessive heat and direct sunlight may also cause damage to such media. Valuable data can be lost if media are not handled safely.
7.5.5 Students and staff may use Portable Storage Devices for the storage and transfer of documents between school and home, however the use of Google Drive for this purpose is recommended. The protocol for use of such devices by students is outlined in Appendix A.
7.5.6 Technology Responsible Use and Security - Code of Conduct for Students.

7.6 Contingency Plans/Backup
7.6.1 In cases of emergency, a TOPdesk ticket should be submitted, and the Executive Officer of Information Technology and/or Superintendent shall be notified immediately.
7.6.2 To protect critical information from loss in the event of theft or fire, all systems are backed up on a regular basis per the AMDSB Disaster Recovery Plan.

7.7 Password/User Authorization
7.7.1 Students and board employees will be provided with a unique login and password for accessing board technology and services.
7.7.2 Passwords are not to be posted in public access areas or near the computer itself. Individual user passwords must remain secure and must not be shared with anyone else.
7.7.3 Password reset processes are provided in The Core.

7.8 Electronic Mail, Conferencing & other On-line Communications
7.8.1 Board administrative staff will determine Internet programs, users, and protocols for standardization within Avon Maitland District School Board.
7.8.2 Following the process documented in Administrative Procedure 322 Electronic Monitoring, the Director of Education may designate ITS staff to monitor or check from time to time the contents of electronic messages carried on district computer networks. All communications, including those marked as private/confidential by the sender, may be monitored. Electronic mail originating from the district, like traditional mail, is to be used only to further the district's objectives and is the property of Avon Maitland District School Board. All communications are to use appropriate and respectful language while adhering to the law, the Canadian Charter of Rights and Freedoms and the Ontario Human Rights Code.
7.8.3 All Board email communication will be retained according to the data retention schedule. (refer to Administrative Procedure 196 Records Management).
7.8.4 See additional information in Appendix C, Google Workspace for Education, Terms and Conditions.

7.9 Online Publishing
7.9.1 All web pages hosted on the board's corporate site or provided by the board are considered the property of the Avon Maitland District School Board and must comply with the principles and standards set out in this procedure. These online publications must be developed in conjunction with the Communications and ITS departments. Online publishing must respect the administrative procedures and be consistent with copyright and other laws, the Charter of Rights and Freedoms and the Ontario Human Rights Code and the Municipal Freedom of Information and Protection of Privacy Act.

7.10 Public Cloud Computing
7.10.1 There are cloud-based services that provide an opportunity for communication and collaboration between teachers and parents. Many staff may wish to use these tools to increase parent engagement. Any system recommended by the Board will have security and privacy agreements in place. It is the responsibility of the staff member to review the safety parameters of the online tool, and these parameters are provided in The Core.
7.10.2 The board’s privacy and security requirements must be met before staff use collaboration services to communicate with parents. Therefore, staff must follow the process outlined below before any invitation is sent to parents to participate in communication/collaboration services.
7.10.2.1 Determine which parent/guardian/caregiver email will be used within the collaboration tool. This review may include custody and/or contact parameters outlined within custodial agreements. Please note: the approved parent/guardian/caregiver email address(es) are visible within Aspen.
7.10.2.2 Students 18 years of age or older must provide written consent at the school level before parental access is granted.

7.10.3 Teachers are reminded that public cloud tools should not be used for posting student marks or schoolwork.

7.11 Technology Responsible Use Practices for All Approved Users
7.11.1 Digital technology users approved by the Director or designate(s) with access to computers at the schools and administrative offices include students, employees, trustees, School Council representatives, and partners/volunteers with approved access.
7.11.2 All approved digital technology users are required to use technology and the district's information resources in accordance with this administrative procedure.
7.11.3 Unacceptable or inappropriate use includes, but is not limited to:
7.11.3.1 Activities which may damage equipment;
7.11.3.2 Downloading, copying, viewing or transmitting any material which is in violation of any federal or provincial statute or regulation such as copyrighted material; threatening or obscene material; hateful, racist or discriminatory material;
7.11.3.3 Any breach of security on local and remote sites including use or attempted use of another user's account; unlawful entry or attempted entry into any network system; any attempt to gain unauthorized access to view, alter, copy, share or destroy data and the creation and/or willful transmission of computer viruses or virus hoaxes; and
7.11.3.4 Activities supporting private business or commercial ventures except in the appropriate conference designated by the Information Technology Department.
7.11.3.5 Creation or using a VPN (Virtual Private Network) or Proxy Server other than the board’s authorized VPN system.
7.11.3.6 Any breach in privacy occurring on any technology within the Avon Maitland District School Board must follow our procedure outlined within AP 194 Privacy and Breach Protocol.
 
8.0 Reserved Right to Limit Use
8.1 The board, in its sole discretion, has the right to limit individual or organizational use at any time without notice.
8.2 Network etiquette must be followed, including using appropriate and respectful language, the avoidance of the distribution of nuisance or junk mail and the efficient use of on-line time.
8.3 Users must follow personal safety measures including, but not limited to, the following:
8.3.1 Report to school staff any unusual or suspicious communication with others;
8.3.2 Do not divulge any personally identifying information over the Internet; and
8.3.3 Never agree to meet with strangers with whom they have communicated on the Internet.

8.4 Inappropriate use of the district's digital technology resources will result in consequences. In the event of actions which may violate the law, the police will be informed.

9.0 Canada's Anti-Spam Legislation (CASL)
9.1 Canada's Anti-Spam Legislation (CASL) prohibits the sending of a commercial electronic message (CEM) to an electronic address unless the sender complies with the following three requirements. The sender:
9.1.1 Obtains the consent of the intended recipient;
9.1.2 Provides certain identification information of the sender; and
9.1.3 Provides an unsubscribe mechanism.

9.2 Anyone who is unsure as to whether or not an electronic message being sent to an electronic address is a CEM should consult with the Enrolment and Information Services Manager prior to sending any such message.
9.3 No one is permitted to use their AMDSB issued email address to promote or advertise participation in non-board or personal commercial activities, including fundraising awareness to individual Google mailboxes or an individual's external email address.
9.4 Schools often communicate with parents and students by emailing newsletters or other forms of communication. If these electronic communications include encouraging participation in a commercial activity as described in the definition section above, then written consent of the recipient must be obtained prior to sending such a message. This written consent is captured on the Student Registration Form and tracked within the Aspen student record. Principals are responsible to ensure all electronic mailing lists used by the school office staff or teaching staff contain only the email addresses for which CASL consent has been received.
9.5 A CEM must also include an unsubscribe mechanism through which a recipient of a CEM may indicate that they no longer wish to receive such messages.
9.6 The sender must specify in the CEM that the recipient may unsubscribe to future CEMs by replying to the CEM and indicating "unsubscribe" in the subject line. The following statement must be included within the footer of each CEM:

"This message is being sent on behalf of the Avon Maitland District School Board and/or your child's school in compliance with the Canadian Anti-Spam Legislation. Questions regarding this electronic communication may be referred to the principal of the school or the Enrolment and Information Manager at the Education Centre. You may unsubscribe from receiving these messages by replying to this email with "unsubscribe" in the subject line".

9.7 Any requests to unsubscribe must be acted upon no later than 10 business days from receipt of it. The email address must be removed from the mailing list.
9.8 For schools, the Aspen record should be updated and the printed copy of the unsubscribe email should be placed in the documentation folder of the OSR with the original student registration form. For example, if a school sends newsletters electronically to parents and/or students and the newsletter contains from time to time, promotions or advertisements to sell products or services including for fundraising events, and a parent or student has indicated they do not wish to receive CEMs, then the person's electronic address will be removed and the newsletter or other communication will be sent home with the student.
9.9 School Principals should strive to ensure that only one person is responsible for maintaining a list of electronic addresses to which CEMs are sent and that person must be notified of any unsubscribe requests or revocation of consent.
9.10 All departments of the board should follow procedures for maintaining electronic addresses for the purposes of commercial electronic messages and deleting those addresses that request to unsubscribe. Consultation with the Enrolment and Information Manager may be required. An "opt out" option must be included within the email and the following statement must be included in the body of commercial electronic messages.

10.0 Artificial Intelligence (AI)
Artificial Intelligence (AI) represents a significant advancement in educational tools. AI is designed to augment, not replace, the human element in teaching. Appendix D provides guidelines for the use of Artificial Intelligence within the Avon Maitland District School Board.

11.0 Definitions
 
Academic Integrity: A commitment to and demonstration of honest and moral behavior in an academic setting. This principle involves acknowledging others' contributions and avoiding plagiarism, and it extends to maintaining high academic standards in teaching, curriculum, and fostering sound research processes.

AI Literacy: AI literacy refers to the knowledge, skills, and attitudes associated with how artificial intelligence works, including its principles, concepts, and applications, as well as how to use artificial intelligence, such as its limitations, implications, and ethical considerations.

Artificial Intelligence (AI): AI refers to the capability of computers or algorithms to mimic intelligent human behavior, such as reasoning, learning, and problem-solving. It encompasses a broad field within computer science, focused on developing intelligent machines that can perform tasks that typically require human intelligence.

Bring Your Own Device (BYOD): Digital tools that are not the property of the Avon Maitland District School Board.

Canada's Anti-Spam Legislation (CASL): Regulations requiring any individuals or organizations that send commercial electronic messages (CEM) to obtain express consent from all Canadian recipients.

Cyber Security Event: Any incident to gain unauthorized access to or misuse Board digital tools, networks or services.

Deepfake: A specific kind of synthetic media where a person in an image or video is swapped with another person's likeness and can be used to create and/or manipulate text, audio, visuals and other multimedia content.

Digital Literacy: The ability to use digital technology, communication tools, or networks to access, manage, integrate, evaluate, and create information. It involves the skill to use information ethically and effectively.

Digital Tools: Portable or static computing technology which can be used for the purpose of communication, data management, word processing, and accessing a network.

Ethical Use: In the context of technology and GenAI, ethical use refers to using these tools in a morally sound way, respects individual rights, and does not cause harm. This includes considering the impact of technology on privacy, security, and societal norms.

Generative Artificial Intelligence (GenAI): A type of AI that can generate new content or data based on the inputs it receives. GenAI often involves the use of machine learning models to create outputs that are novel and not explicitly programmed.

Generative Pre-Trained Transformer (GPT): A type of artificial intelligence model primarily used for natural language processing tasks. GPT models are widely used in various applications, such as chatbots, content generation, language translation, and more. They are known for their ability to generate text that is often indistinguishable from text written by humans.

Hallucination (in AI context): Refers to instances where AI systems generate false or misleading information. This can occur due to limitations in the AI’s understanding or the data it has been trained on.

Large Language Models (LLMs): These are advanced AI models trained on vast datasets to process and generate human-like outputs. LLMs can understand and respond to queries, create content, and even engage in conversation.

Internet: Global communications network connecting digital devices all over the world through which individuals can interact and share information.

Malware: Malicious software installed on a computer, server, or network device.
 
Misinformation: The spread of false or inaccurate information, often without malicious intent. Misinformation can be due to errors, misunderstandings, or lack of information.

Phishing: Email, telephone or text message sent by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

Ransomware: Type of malware which locks down a data file or folder until an organization pays the hacker a fee.

Triangulation of Data: The use of multiple methods, sources, or data points to assess and evaluate students' conversations, observations, and products. This approach increases the reliability and validity of the results or findings.

Users: Any person (employees, students, trustees, or visitors) who uses Avon Maitland District School Board’s digital tools or networks.

Appendix A - Technology Responsible Use - Code of Conduct for Students (please see pdf)
Appendix B - Internet/Intranet Protocol Acceptable Use (please see pdf)
Appendix C - Google Workspace for Education Terms and Conditions (please see pdf)

Revised September 2024