[Matific]
PIA# [assigned by your privacy office(r)]
Enquiry BC – Privacy and Access Helpline. Victoria: 250-356-1851 Vancouver: 604-660-2421 and elsewhere in BC, toll-free: 800-663-7867
Part 1 – General
Name of District: / <Name> Board of Education – SD <##>PIA Drafter: / <Name, Title of School District Contact>
Email: / <Email of School District Contact> / Phone: / <Number of SD Contact>
Program Manager: / <Name, Title of initiative contact, if different from PIA Drafter>
Email: / < Alternate to the above / Phone: / <Alternate to the above>
<Note to Districts>
REMOVE THERED TEXT IN THIS DOCUMENT WHEN YOU PUBLISH YOUR DISTRICT’S FINAL PIA VERSION.
<We understand your District has chosen to make use of the online program Matific. By conducting a Privacy Impact Assessment, it will help your District identify your privacy risks and ensure compliance with the Freedom of Information and Protection of Privacy Act (FIPPA). When introducing any new program or initiative that involves the collection, the use and disclosure of personal informationin a PIA needs to be completed.>
<To assist you in the deployment of this program, this Privacy Impact Assessment (PIA) has beenpartially completed for you. Please review and edit this document carefully to ensure it accurately reflects the intent and scope of your initiative. It is your responsibility to ensure that the information in this PIA is accurate and complete.
Please do not remove any parts of this PIA. Where a section does not apply, enter “Not Applicable.”
1.Description of the Initiative
This Privacy Impact Assessment (PIA) is to facilitate our School District in the provision of a web-based software program called Matific.The programprovides activities and lessons that focus on mathematical concepts for Kindergarten through Grade 6. It aligns with the new BC curriculum and provides the opportunity to create lessons based on specific learning outcomes.The product is designed to provide a variety of learning and teaching options in a number of ways including lessons to introduce concepts, playlists for students to practice mathematics and provide user support with worksheets and games. Teachers can use these resources for whole class learning, small group support, or individual review and enrichment at home or school.
Vendor:Slate Science Inc. is the parent company and has Matific corporate offices in New York, United States, Sydney,Australia and Tel Aviv, Israel. Matificis currently available in 26 different languages and aligned to local mathematics curricula in 46 countries.They copyrighted their product in 2013. The North American business address is: 37 E 28th Street Suite 600 New York, NY 10016 USA.
2.Scope of this PIA
Our District has entered into alicensed subscription agreement withMatific.Attached please find a signed copy of this agreement. The initial offering of this product isbased upon an evaluated and approved assessment for BC schools and was conducted by our Educational Resources Acquisition Consortium (ERAC).
ERAC is a cooperative member based organization. The organization works in partnership with their members which includes the BC public school districts as well as many independent schools throughout the province. Their goal is to support quality education for public and independent K-12 students. A range of services are available to its members including evaluating,licensing,acquiringprint, software, and digital learning resources.
As part of ERAC’s due diligence, ERAC has an established rigorous, criteria-based evaluation process for evaluating products that are recommended by their membership. ERAC evaluators are trained BC classroom teachers. Once an educational product has met the provincial standards and are deemed appropriate for use in BC classrooms, an approval is granted, and an agreement is made with the vendor.
Upon completion of this Privacy Impact Assessment, theMatific mathematics programis ready for deployment toteacher’s and their K – 6 students at each of the following elementary schools in our District.A consent form will be sent by our teaching staff from each of the schools and collected from each parent and/or guardian to ensure that they are aware that their child has been given permission to use this product. Your child’s privacy will be protected by our assigning an anonymous user name for the purposes of logging into the program and tracking their personal progress.See Appendix A-Bfor consent forms.
The intended users for this program are: K – 6 students, classroom subject teachers, non-enrolling specialist teachers, authorized Student Teachers on practicum and Educational Assistants. Only authorized educators will manage and reset their own and students’passwords.
The <name>District will organize teachers so that they can create multiple classes under their teacher account by assigning a unique email address. Teachers will either enter individual student aliases or upload an Excel file with their class list. Teachers can edit their own account and their students by going to a profile page unique to their account. All user data is stored on Matific servers located in Quebec, Canada as of December 31, 2017.
Under the direction of our district, the Matific technical support staff can access our district’s data for purposes such as corrections and deletions of our accounts. All accounts will be active for one year only unless advised otherwise stipulated in a consent notice to the parent/guardian.
Students are not to create their own accounts or able to create their own games.As mentioned earlier, teachers will create class accounts and assign an alias name to each student intheir classes. To ensure personal information is not used for an account holder, the teacher has the ability to remove personalized accounts and reassign an alias name in its place. Enrolling teachers have will a secure and confidential paper reference key to associate the assigned alias to their student names and, may use the results to report on the student’s progress.
Matific can be run on all versions of Mac and Windows operating systems. Tablets may download the program and run offline. Please note that Matificwill store the user alias account data in Canada.
According to Matific’s Privacy Policy, the data stored in Matificservers, as of December 31st, 2017, all student data will be hosted on Canadian servers and is compliant with the hosting requirements of Canadian Privacy Laws and that data hosted in Canada does not require individual parental consent.
is not shared with any third parties for those limited purposes provided that you have given permission. Questions regarding their Privacy Policy and practices can contact: or .
<District Staff Note: To accommodate several Matific classes, a teacher may need additional institutional email accounts to accommodate several classes. The vendor can give you details on what they can provide.Teachers using alias for their students may be keeping a paper reference copy of the student’s name and grades locked in a secure drawer to protect their identities and privacy. See: Help Center – Teachers.
TheMatific Premium version is not within the scope of this PIA where students have 24/7 access and episodes are assigned for homework. If at a later date, schools that choose to use this advance product, will need to amendment this PIA and complete the appropriate consent requirements.
3.Related Privacy Impact Assessments
It is our understanding that at this time, that there are no current PIAs submitted to the Office of the Information & Privacy Commission for British Columbia or BC Ministry of Education.
<Please confirm within your district whether any other PIAs or related projects should be listed here.Remember to amend this PIA when any changes have been made with respect to the use, storage or inclusion of any personal information.>
4.Elements of Information or Data
Matific offers a subscription license to access their web-based product. Teachers will record the students’ user names; results; along with the following data fields for the purposes of grading and accessing the product. First Name (Student); Last Name (Student); Grade (Student); First Name (Teacher); and, Last Name (Teacher).Although first and last names are required they will not be the actual names of the teachers or students.As mentioned earlier, alias will be used and encouraged. For example, a teacher named John Smith could use" Teacher" as his first name and "One" as his second name.All users will be encouraged to use an alias for the purposes of protection of the individual’s privacy.
Allanonymous user datais being stored on a server within Canada in the province of Quebec. If you have any questions regarding this product, please email them at .
Web browser cookies
Matific may use "cookies" to enhance User experience. The User's web browser places cookies on their hard drive for record-keeping purposes and sometimes track information about them. Users may choose to set their web browser to refuse cookies, or to alert you when cookies are being sent. If they do so, note that some parts of the Site may not function properly.
Part 2 – Protection of Personal Information
5.Storage or Access outside Canada
No– Fictitious student and teacher accounts will be stored and accessing servers in Quebec, Canada. View the details of theTerms of Matific-.Matific uses the stored student and teacher data to improve Matificcustomer service. The student’s teacher will access the stored data for the purposes of helping students learn and assessing their progress. The vendor will access this data for teacher initiated support callsrelating to how teachers and students use the services and resources; and to provide web site enhanced customer experience and productimprovements.
6.Data-linking Initiative*
Not applicable.
In FIPPA, "data linking" and “data-linking initiative” are strictly defined. Answer the following questions to determine whether your initiative qualifies as a“data-linking initiative” under the Act. If you answer “yes” to all 3 questions, your initiative may be a data linking initiative and you must comply with specific requirements under the Act related to data-linking initiatives.- Personal information from one database is linked or combined with personal information from another database;
- The purpose for the linkage is different from those for which the personal information in each database was originally obtained or compiled;
- The datalinking is occurring between either (1) two or more public bodies or (2) one or more public bodies and one or more agencies.
If you have answered “yes” to all three questions, please contact your privacy office(r) to discuss the requirements of a data-linking initiative.
7.Common or Integrated Program or Activity*
Not applicable.
In FIPPA, “common or integrated program or activity” is strictly defined. Answer the following questions to determine whether your initiative qualifies as “acommon or integrated program or activity” under the Act. If you answer “yes” to all 3 of these questions, you must comply with requirements under the Act for common or integrated programs and activities.- This initiative involves a program or activity that provides a service (or services);
- Those services are provided through:
(b) one public body working on behalf of one or more other public bodies or agencies; / no
- The common or integrated program/activity is confirmed by written documentation that meets the requirements set out in the FOIPP regulation.
Please check this box if this program involves acommon or integrated program or activity based on your answers to the three questions above.
* Please note: If your initiative involves a “data-linking initiative” or a “common or integrated program or activity”, advanced notification and consultation on this PIA must take place with the Office of the Information and Privacy Commissioner (OIPC). Contact your public body’s privacy office(r) to determine how to proceed with this notification and consultation.
For future reference, public bodies are required to notify the OIPC of a” data-linking initiative” or a “common or integrated program or activity” in the early stages of developing the initiative, program or activity. Contact your public body’s privacy office(r) to determine how to proceed with this notification.
8.Personal Information Flow Diagram and/or Personal Information Flow Table
Not applicable.
Both a flow diagram and a table must be included if the PIA is related to a common or integrated program or activity or a data-linking initiative.
For ease of reference, the collection, use, and disclosure authorities in FIPPA can be found in the appendices. If you do not know what the relevant authorities are, please contactyour privacy office(r).
Depending on the complexity of your initiative, you may choose to provide one general diagram for the initiative, and more specific diagrams for particular components. If multiple organizations will collect, use, or disclose personal information, the diagram should identify how each organization is involved in the initiative.
Example:
Examples can be removed and additional lines added as needed.
Personal Information Flow TableDescription/Purpose / Type / FIPPA Authority
1. / Student Consent and Parental Authorization is sought to start using the program with K – 6 students / Collection / 26(d)
2. / Student uses Program for course work or on own time, and program collects information about student and performance. / Use / 32(a), 32(b)
3. / Teacher access course work for purposes of assessment / Use
disclosure / 32(a), 32(b),
33.1(b),
33.2(a), 33.2(c)
9.Risk Mitigation Table
Please identify any privacy risks associated with the initiative and the mitigationstrategies that will be implemented. Provide details of all such strategies. Also, please identify the likelihood (low, medium, or high) of this risk happening and the degree of impact it would have on individuals if it occurred.
Examples can be removed and additional lines added as needed.
Risk Mitigation TableRisk / Mitigation Strategy / Likelihood / Impact
1. / Employees could access personal information and use or disclose it for personal purposes / Oath of Employment; contractual terms, etc. / Low / Low
2. / Requests may not actually be from client (i.e. their email address may be compromised) / Implementation of identification verification procedures. / Low / Low
3. / Client’s personal information is compromised when transferred to the service provider / Transmission is encrypted and over a secure line / Low / Medium
4. / Inherent risks in sending personal information to a parent/guardian via email. / Policy developed to inform parent/guardian of risks and ask if they would like the information via a different medium, such as through the mail. / Medium / Medium
10.Collection Notice
Where this initiative is collecting anonymous information, and associating it directly with personal information it can directly affect the individuals learning outcomes achieved in the product.We will ensure that all individuals involved are told the following:
- The purpose for which the information is being collected is for educational purposes and may include the grading of the students work and reporting on student progress.
b.The personal information that is being collected is directly related to, and necessary for, operating the student’s program in the classroom.
c.School District #____ business address is______Our business telephone number of a District officer or employee who can answer questions about the collection of personal information as listed under Part 2 – Scope of PIA.
<DISTRICT NOTE:Please see sample consent form in Appendix A to be tailored to your District’s needs. For further help with collection notices please seeTip Sheet for Consent & Disclosure located on the ERAC website.
Part 3 – Security of Personal Information
If this PIA involves an information system, or if it is otherwise deemed necessary to do so, please consult with your public body’s privacy office(r) and/or security personnel when filling out this section. They will also be able to tell you whether you will need to complete a separate security assessment for this initiative.
11.Please describe the physical security measures related to the initiative (if applicable).
According to Matific ( they have adopted appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of our personal information, username, password, transaction information and data stored on their Site. Sensitive and private data exchange between the Site and our Users happens over a SSL secured communication channel and is encrypted and protected with digital signatures.
12.Please describe thetechnical security measures related to the initiative (if applicable).
For example: user access profiles assigned on a need-to-know basis.
13.Does your District/School rely on any security policies?
Please describe any specific policies and procedures and provide contact details for someone who could answer further questions regarding these policies and procedures.
14.Please describe any specific policies and procedures and provide contact details for someone who could answer further questions regarding these policies and procedures.
<For example program/department manager or designated Privacy Office(e) as indicted on Program Area Signatures listed in Part 7 of this document>.
15.Please describe any access controls and/or ways in which you will limit or restrict unauthorized changes (such as additions or deletions) to personal information.
<For example: role-based access.>
16.Please describe how you track who has access to the personal information.
For example: audit trails or physical sign-in and sign-out of files.
Part 4 – Accuracy/Correction/Retention of Personal Information
17.How is an individual’s information updated or corrected?If information is not updated or corrected (for physical, procedural or other reasons) please explain how it will be annotated?If personal information will be disclosed to others, how will the public body notify them of the update, correction or annotation?