Why FIPPA compliance in Canadian schools matters. A lot.

canada flag button on a mac computer

FIPPA—the Freedom of Information Protection and Privacy Act—means that student and staff information must be stored and accessed only in Canada at all times, whether in print or on servers, whether we’re talking names or photos separate or together. Pretty straightforward.

What’s the implication for the high school yearbook companies? If a company has any student’s info in Google, Dropbox, email programs hosted outside of Canada, file sharing programs hosted outside of Canada, or if pages are being printed or assembled outside of Canada, everyone is at risk. What kind of risk?

Section 74.1 of the act states:

“(4) If a corporation commits an offence under this section, an officer, director or agent of the corporation who authorizes, permits or acquiesces in the commission of the offence also commits an offence, whether or not the corporation is prosecuted for the offence.

(5) A person who commits an offence under this section is liable

(a) in the case of an individual, other than an individual who is a service provider, to a fine of up to $2 000,

(b) in the case of a partnership that is or individual who is a service provider, to a fine of up to $25 000, and

(c) in the case of a corporation, to a fine of up to $500 000.”

So, teachers, yearbook representatives, yearbook companies, school boards—can be fined individually.

Some are under the impression that the consent forms going home are covering yearbook requirements, but we’ve yet to see or hear of one. Here is the list of requirements a consent form needs to have.

(To confirm any information, please contact the Office of the Information and Privacy Commissioner directly at 1-800-663-7867. Let them know what we’ve said in this blog post specifically, and ask for confirmation.)

What do we know about major yearbook companies operating in Canada? All but one print in the US or China. That one company that does not print outside of Canada may or may not be entirely FIPPA compliant.

In order to be FIPPA compliant, a company needs:

  • to print in Canada and have yearbook content in Canada at all times, even through the binding process
  • company email programs hosted on a server physically located in Canada
  • file uploads, sharing and management hosted on a server physically located in Canada
  • any photos or info on social media sites about teachers and students—names or photos—needs express consent on paper by the students and the staff.

Even a single photo mismanaged violates FIPPA. Students sending photo files through their own personal Gmail or Hotmail addresses to a company violates FIPPA.

Why would anyone be worried about this?  you might wonder. Why would parents really care?

Our half-serious answer to that is: Have you never seen Sleeping with the Enemy?! Some people are living under new identities with their children to escape domestic abusers (we’ve known such people); there are parents working for Canadian intelligence, military or law enforcement whose lives and children’s lives have been threatened (we know such people), and then there are stories like last year’s hacking by China into Canadian education government. Or the more recent hack of America that was said to be, “Security-wise, [possibly] the worst breach of personally identifying information ever.” And facial recognition software that currently exists can now link people in photographs to their Facebook profiles in seconds. It’s advances like this that cause Mark Wuergler, a senior cybersecurity researcher at Immunity Inc., to say,

“Personal information is just as valuable as passwords today,”

For whatever reason, China is “building a massive database of Americans’ personal information.” (We have more to say about problems with printing in China.)

The argument has been made that businesses are only bound by PIPA, not FIPPA. This is untrue for yearbook companies. The minute a company is contracted with a public body, which all public schools are, they are no longer bound merely by PIPA, they are bound by FIPPA.

Teachers are rightfully quite nervous about it all. “Danielle” at SD62 said, “We must become informed, and it is our duty as teachers to know how Privacy Laws have changed recently AND how they effect us and our teaching. Whew… Now, where to find the time? My answer: make time. This matters.”

Julia Hengstler, a faculty of Ed professor writing about FIPPA with regards to social media and cloud computing compares school board transitions toward FIPPA compliance to being like “seismic upgrading.”

Fortunately, clumsy stages toward FIPPA compliance and fears over compliance are unnecessary. Summit Yearbooks has taken the time to ensure that we are 100% compliant (even though it means we cannot use Google Apps for Business, sadly).

  • Our website and email are hosted on servers located in Canada.
  • Your school’s yearbook CampSite—where file management happens, where design resources are accessed, where your school community blog is located, where your Learning Management System is located with tutorials and quizzes, where your school surveys are located—ALL created and hosted in Canada.
  • Our application that allows any student to upload photos to your school CampSite to be used in the yearbook is entirely made and hosted in Canada.

In addition, we are:

  • local and grassroots in every way
  • design and writing professionals
  • creative wunderkinds
  • offering the fastest turnaround in the industry
  • environmentally conscientious, consulting with Victoria-based zero waste professionals
  • equal opportunity employers, politically progressive and 100% supportive of teachers
  • transparent, with an accessible digital foot print—not a faceless, profit-driven multi-million dollar corporation.

We are looking forward to meeting with you, creating design literate, entrepreneurial future working Canadians. We welcome your ideas!

Please contact us with questions and concerns.

Leave a Reply