Electronic Record Systems

Electronic storage of student or employee data is acceptable. The same rules apply to electronic information as if the information were recorded on paper.

Because of the nature of electronic storage, the data may be stored offsite or outside of Saskatchewan. Service providers must be required to have the protections necessary to meet the requirements of LAFOIP. This requirement should be included in the contract with the service provider.

Access to electronic databases is becoming a concern and focus for privacy commissioners (highlighted by some recent issues with health databases). The close scrutiny and high standards imposed on the health system are very likely to be imposed on the education system as well. Boards of education store equally sensitive information, including health data of students, and will be legally liable for any misuse of the system.

Security of the system can be considered from two different perspectives:

  1. External:
    • Appropriate firewalls, encryption, access codes, password protocols, etc. must be incorporated into the system.
    • The system must be monitored for external threats and action must be taken when threats are detected.
    • Periodic reviews of technical requirements and contractual provisions with providers should be made to ensure protections are as up-to-date as possible.
  2. Internal:
    • Employee negligence or employee misconduct can be more of a threat than external hackers.
    • Strategies such as the following can be used to reduce the chance of breaches:
      • establish appropriate-use policies;
      • educate employees on appropriate use and the consequences of non-compliance;
      • monitor the system for breaches, including regular audits and spot-checks; and
      • enforce consequences of breaches.