Is Your School Board’s IT Asset Disposal Compliant with Ontario Bill 194?

On May 13, 2024, the Ontario Government introduced Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, which includes the proposed Enhancing Digital Security and Trust Act, 2024 (EDSTA). This bill aims to strengthen cybersecurity for public sector organizations, including school boards, children’s aid societies, and other public institutions.

As part of these changes, Bill 194 will amend the Freedom of Information and Protection of Privacy Act (FIPPA), creating new requirements for how public institutions manage their information and technology, particularly regarding asset disposal and data privacy. A Greentec IT Asset Disposal expert can work with your board to become fully compliant with the new legislation. 

Key Changes for School Boards

1. Annual Reporting Requirements: Section 34 mandates that the head of each school board report annually to the Privacy Commissioner on incidents involving the theft, loss, or unauthorized disclosure of personal information. To comply, school boards must track all IT assets that store personal data, including those being disposed of. Missing devices such as laptops or hard drives must be assessed for security risks and reported.
2. Risk Management & Privacy Safeguards: Section 40(5) requires school boards to implement reasonable measures to protect personal information against theft, loss, or unauthorized use. This includes ensuring that records are safeguarded against copying, modification, or disposal without authorization.
3. Privacy Impact Assessments: School boards will need to conduct Privacy Impact Assessments (PIAs), detailing the safeguards in place to protect personal information. If an asset is lost or stolen, the assessment must evaluate the risks to individuals and outline steps to prevent further incidents.
4. Improved Asset Disposal Procedures: Many school buildings were designed before technology was being regularly used in schools, and lack secure storage for retired devices. As a result, IT assets like laptops and hard drives are often stored unsafely in classrooms, hallways, or closets. Bill 194 requires that devices are properly wiped of all data before disposal. Many school boards across Ontario lack the necessary personnel and technology to ensure that asset disposal is managed in full compliance with regulations. School boards will need to either invest in secure asset management systems or outsource this process to IT asset disposal (ITAD) companies. Greentec offers secure, lockable containers for collecting and storing retired devices, along with guaranteed data destruction and chain-of-custody services to ensure that each device is properly tracked from collection to disposal.
5. Breach Notification: Section 40.1 requires the head of an institution to notify both the Commissioner and the affected individuals in cases of theft, loss, or unauthorized use of personal information, if there is a real risk of significant harm. The notification must include information on how individuals can mitigate the risk or file complaints with the Privacy Commissioner.
6. Whistleblower Protections: Section 57.1 protects individuals who report potential violations of the Act. If a staff member, such as a teacher or IT staff, notices that discarded devices are not properly stored, they can report the issue anonymously to the Commissioner without fear of reprisal.

Impact on School Boards

School boards will need to reassess their IT asset management strategies to comply with these new regulations. This will include ensuring that devices are securely stored, tracked, and wiped of all data when no longer in use. Given the complexity and resource-heavy nature of this process, many school boards will need to either invest in better systems or work with ITAD providers to ensure compliance. 

By adopting best practices for asset disposal and data security, school boards can mitigate privacy risks and align with the upcoming regulatory changes under Bill 194. Consult with one of our Greentec IT Asset Disposal experts about Bill 194 and ensure your Board is fully prepared for the upcoming regulations.