EQAO’s Accounts Management Policy

Section 1: B2B—EQAO Reporting

B2B, a type of electronic commerce (e-commerce), is the exchange of products, services or information between businesses. A B2B transaction (data files and reports) is conducted between EQAO and external stakeholders (public schools, school boards and the Ministry of Education).

Appendix 1: B2B—EQAO Reporting—Characteristics and Management

Section 1: B2B—EQAO Reporting

Roles and Responsibilities

  • Access to data and reports is role-based (see Appendix 1 for details on accounts management).
  • Users are to confirm that they are the authorized users when requested to do so by EQAO.
  • The Ontario Public Service (OPS) Information Technology Services (ITS) Division of the Government of Ontario (GO) provides EQAO with a B2B Identity and Access Management (IAM) solution that meets EQAO’s business needs; addresses GO-ITS Standards for Identity, Authentication and Authorization (IAA); and aligns with OPS IAM Strategy.
  • The EQAO B2B production team implements an OPS B2B IAM.
  • The use of personal devices—including (but not limited to) personal computers, cellphones and tablets—is strictly forbidden for accessing EQAO reports and data files. Only the school’s or board’s equipment shall be used for downloading reports and data files.
  • Boards
    • ensure the protection of privacy and security of information (including personal information) that EQAO shares with them, including when the information is shared with schools under their jurisdiction;
    • determine which staff members require access and the skills required according to the access granted;
    • inform EQAO as soon as an employee, who has access to the data or reports, is no longer working for the board; and
    • inform school board users of the EQAO systems at least once a year on the contents of this section (Section 1) of EQAO’s Accounts Management Policy.
  • Boards and Ministry staff ensure that reports and data files shared by EQAO are used only for the purposes for which they have been shared according to the objects of the Education Quality and Accountability Office Act (EQAO Act) and the Education Act as identified in EQAO’s Notice of Collection.
  • It is expected that the data shared with the Ministry should not be used for duplication of tasks already carried out by EQAO.

Privileges—Power BI Reports:

Access to reports will be role-based according to the following rules per report level:

  • Provincial-level reports: All roles have access to suppressed (aggregate data suppressing counts below 10) reports.
  • School-board-level reports: Every school board account has access to unsuppressed (aggregate data including all counts, even below 10) reports for its board and suppressed reports for other boards. Additionally, access to suppressed reports for all boards is also given to the following roles: principal; educator/teacher; IT school contact.
  • School-level reports: Every school account has access to unsuppressed reports for its school and suppressed reports for other schools. Board accounts have access to unsuppressed reports for all the schools in their board and suppressed reports for all the schools in other boards.
  • EQAO’s and the Ministry of Education’s role-authorized staff have access to all reports.

Privileges—Data File Sharing:

Access to files will also be role-based and according to the following rules per type of file level:

  • Provincial-level data: Access to aggregate suppressed and unsuppressed data files is granted to IT board contacts, directors of education, superintendents and the Ministry of Education’s Education Statistics and Analysis Branch (ESAB) role-authorized users.
  • School-board-level data: Access to suppressed and unsuppressed aggregate data of the board and schools is granted for all identified board contacts of the specific board reported.
  • School-level data: Schools’ requests of Individual Student Data (ISD) or Student Questionnaire (SQ) form data files will be directed to their respective board and will be provided on a case-by-case basis. Board roles (IT board contact, director of education and superintendent) will have access to ISD/SQ data for the schools under their jurisdiction. The Ministry of Education’s ESAB users will have access to all schools’ ISD/SQ data.
  • EQAO’s and the Ministry of Education’s ESAB role-authorized staff have access to all data files.

Re-identification:

  • Authorized users who have access to aggregated and depersonalized information shall not attempt to re-identify any individual from the information.

Audits:

  • Audits of all accounts happen automatically every six months.
  • School boards may audit school accounts at least once a year.
  • EQAO may audit school boards’ accounts at least once every year.

Reports Restricted to School Boards:

  • The reports available for boards only are the Indigenous Self-Identification, Detailed Special Education Needs, Detailed Accommodation, and Teacher Questionnaire, Principal Questionnaire (TQPQ) reports.
  • Results by Indigenous self-identification or special-education-needs status will be released securely for use by schools and school boards in their planning activities. These results shall not be released publicly.

Security:

  • PINs or passwords will not be used in place of encryption, as SharePoint Online automatically encrypts files.
  • Given that personal information will be disclosed in the ISD file to boards, the Ministry (and schools if requested) must follow Azure privacy and security practices.

Privacy, Incidents and Breach Management:

A support model developed between EQAO and ITS will encompass the following:

  • Boards ensure the protection of personal information that EQAO shares with them (they may develop policies and procedures to accomplish this).
  • All B2B-related inquiries/incidents will be reported to EQAO’s communications desk.
  • If a potential privacy breach is reported, it will be routed based on the details of the breach.
    • If it is related to an EQAO internal event, EQAO will follow the EQAO internal privacy breach procedure for further investigation.
    • If it is related to the B2B IAM solution, EQAO will report the breach to ITS in the same way as any incident.
  • All breaches will go through the standard incident management process and be routed by the Service Desk (SD) agent accordingly to the proper support group depending on the nature of the breach—through Data Centre Operations (DCO) and Cyber Security Division (CSD).

Training

  • Training will be provided to the EQAO communications desk staff on breaches and incidents management.

Appendix 1: B2B—EQAO Reporting—Characteristics and Management

Principal

Description

  • Has access to EQAO reporting.
  • Has no access to data files; if this is requested, principals will be referred to their respective board. Direct access will be decided on a case-by-case basis.

Personal Information (PI) Contained

  • No, with the exception of an approved direct access to data files.

Authorized Users

  • School boards have a limited set of approvers (5), who approve for school- and board-level access.

Access Request

  • To request access, requesters use the entitlement management portal (Microsoft portal part of B2B) to make the request.
  • The configured approvers receive the outstanding request.
  • They verify the requesters’ validity and either approve or deny access.

Expiration

  • There are two levels of expiration: one requested when the account was set up, and the other is no expiration (unlimited).
  • If the principal has not logged in for six months, the system will automatically block the account.
  • After one year of non-use, the account will be deleted from the OPS tenant.
  • To reopen the account, a new request must be made.

Revocation

  • Any revocation will be done by school boards.
  • EQAO will revoke only if asked by a board, or if EQAO finds that a user was using the information in a manner that is not in accordance with this policy or that violated the Freedom of Information and Protection of Privacy Act (FIPPA) or the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).

Scheduled Audit

  • An automatic audit happens every six months.
  • At minimum, school boards should audit accounts at least once a year because principals may change schools or boards.

Board Staff Contact (Primary/Junior/Grade 9/OSSLT Assessment Board Contact)

Description

  • Has access to EQAO reporting.
  • Has no access to data files; if this is requested, board staff will be referred to their respective IT board contact.

Personal Information (PI) Contained

  • No.

Authorized Users

  • School boards have a limited set of approvers (5), who approve for school- and board-level access.

Access Request

  • To request access, requesters use the entitlement management portal (Microsoft portal part of B2B) to make the request.
  • The configured approvers receive the outstanding request.
  • They verify the requesters’ validity and either approve or deny access.

Expiration

  • There are two levels of expiration: one requested when the account was set up, and the other is no expiration (unlimited).
  • If the assessment board contact has not logged in for six months, the system will automatically block the account.
  • After one year of non-use, the account will be deleted from the OPS tenant.
  • To reopen the account, a new request must be made.

Revocation

  • Any revocation will be done by school boards.
  • EQAO will revoke only if asked by a board, or if EQAO finds that a user was using the information in a manner that is not in accordance with this policy or that violated FIPPA or MFIPPA.

Scheduled Audit

  • An automatic audit happens every six months.
  • At minimum, school boards should audit accounts at least once a year because authorized school board staff may change.

Information Technology (IT) Board Contact

Description

  • Has access to EQAO reporting.
  • Receives the aggregate and elemental data (downloaded files).

Personal Information (PI) Contained

  • Yes (all PI in the data files).

Authorized Users

  • School boards have a limited set of approvers (5), who approve for school- and board-level access.

Access Request

  • To request access, requesters use the entitlement management portal (Microsoft portal part of B2B) to make the request.
  • The configured approvers receive the outstanding request.
  • They verify requesters’ validity and either approve or deny access.
  • Some boards may have an automatic integration for updated users.

Expiration

  • There are two levels of expiration: one requested when the account was set up, and the other is no expiration (unlimited).
  • If the IT board contact has not logged in for six months, the system will automatically block the account.
  • After one year of non-use, the account will be deleted from the OPS tenant.
  • To reopen the account, a new request must be made.

Revocation

  • Any revocation will be done by school boards.
  • EQAO will revoke only if asked by a board, or if EQAO finds that a user was using the information in a manner that is not in accordance with this policy or that violated FIPPA or MFIPPA.

Scheduled Audit

  • An automatic audit happens every six months.
  • At minimum, school boards should audit accounts at least once a year because authorized school board staff may change.

Director of Education/Superintendent

Description

  • Has access to EQAO reporting.
  • Receives the aggregate and elemental data (downloaded files).

Personal Information (PI) Contained

  • Yes (all PI in the data files).

Authorized Users

  • School boards have a limited set of approvers (5), who approve for school- and board-level access.

Access Request

  • To request access, requesters use the entitlement management portal (Microsoft portal part of B2B) to make the request.
  • The configured approvers receive the outstanding request.
  • They verify requesters’ validity and either approve or deny access.
  • Some boards may have an automatic integration for updated users.

Expiration

  • There are two levels of expiration: one requested when the account was set up, and the other is no expiration (unlimited).
  • If the director of education or superintendent has not logged in for six months, the system will automatically block the account.
  • After one year of non-use, the account will be deleted from the OPS tenant.
  • To reopen the account, a new request must be made.

Revocation

  • Any revocation will be done by school boards.
  • EQAO will revoke only if asked by a board, or if EQAO finds that a user was using the information in a manner that is not in accordance with this policy or that violated FIPPA or MFIPPA.

Scheduled Audit

  • An automatic audit happens every six months.
  • At minimum, school boards should audit accounts at least once a year because authorized school board staff may change.

Educator/Teacher

Description

  • Has access to EQAO reporting.
  • Has no access to data files; if this is requested, the teacher or educator will be referred to the respective IT board contact.

Personal Information (PI) Contained

  • No.

Authorized Users

  • School boards have a limited set of approvers (5), who approve for school- and board-level access.

Access Request

  • To request access, requesters use the entitlement management portal (Microsoft portal part of B2B) to make the request.
  • The configured approvers receive the outstanding request.
  • They verify requesters’ validity and either approve or deny access.
  • Some boards may have an automatic integration for updated users.

Expiration

  • There are two levels of expiration: one requested when the account was set up, and the other is no expiration (unlimited).
  • If the educator or teacher has not logged in for six months, the system will automatically block the account.
  • After one year of non-use, the account will be deleted from the OPS tenant.
  • To reopen the account, a new request must be made.

Revocation

  • Any revocation will be done by school boards.
  • EQAO will revoke only if asked by a board, or if EQAO finds that a user was using the information in a manner that is not in accordance with this policy or that violated FIPPA or MFIPPA.

Scheduled Audit

  • An automatic audit happens every six months.
  • At minimum, school boards should audit accounts at least once a year because authorized school staff may change schools or boards.

IT School Contact

Description

  • Has access to EQAO reporting.
  • Has no access to data files; if this is requested, IT school contacts will be referred to their respective IT board contact.

Personal Information (PI) Contained

  • No.

Authorized Users

  • School boards have a limited set of approvers (5), who approve for school- and board-level access.

Access Request

  • To request access, requesters use the entitlement management portal (Microsoft portal part of B2B) to make the request.
  • The configured approvers receive the outstanding request.
  • They verify requesters’ validity and either approve or deny access.
  • Some boards may have an automatic integration for updated users.

Expiration

  • There are two levels of expiration: one requested when the account was set up, and the other is no expiration (unlimited).
  • If the IT school contact has not logged in for six months, the system will automatically block the account.
  • After one year of non-use, the account will be deleted from the OPS tenant.
  • To reopen the account, a new request must be made.

Revocation

  • Any revocation will be done by school boards.
  • EQAO will revoke only if asked by a board, or if EQAO finds that a user was using the information in a manner that is not in accordance with this policy or that violated FIPPA or MFIPPA.

Scheduled Audit

  • An automatic audit happens every six months.
  • At minimum, school boards should audit accounts at least once a year because authorized school staff may change.

EQAO PI User

Description

  • Has access to EQAO reporting for all schools and school boards.
  • Receives the aggregate and elemental data for all schools and school boards (downloaded files).

Personal Information (PI) Contained

  • Yes (all PI in the data files).

Authorized Users

  • EQAO has a limited set of approvers, who approve EQAO PI users.

Access Request

  • To request access, requesters use the entitlement management portal (Microsoft portal part of B2B) to make the request.
  • The configured approvers receive the outstanding request.
  • They verify requesters’ validity and either approve or deny access.

Expiration

  • There are two levels of expiration: one requested when the account was set up, and the other is no expiration (unlimited).
  • If the EQAO PI user has not logged in for six months, the system will automatically block the account.
  • After one year of non-use, the account will be deleted from the OPS tenant.
  • To reopen the account, a new request must be made.

Revocation

  • Any revocation will be done by EQAO if it finds that a user was using the information in a manner that is not in accordance with this policy or that violated FIPPA or MFIPPA.

Scheduled Audit

  • An automatic audit happens every six months.
  • At minimum, EQAO should audit accounts at least once a year.

Ontario Government PI User

Description

  • Has access to EQAO reporting for all schools and school boards.
  • Receives the aggregate and elemental data for all schools and school boards (downloaded files).

Personal Information (PI) Contained

  • Yes (all PI in the data files).

Authorized Users

  • EQAO has a limited set of approvers, who approve Ministry PI users.

Access Request

  • To request access, requesters use the entitlement management portal (Microsoft portal part of B2B) to make the request.
  • The configured approvers receive the outstanding request.
  • They verify requesters’ validity and either approve or deny access.

Expiration

  • There are two levels of expiration: one requested when the account was set up, and the other is no expiration (unlimited).
  • If an Ontario Government PI user has not logged in for six months, the system will automatically block the account.
  • After one year of non-use, the account will be deleted from the OPS tenant.
  • To reopen the account, a new request must be made.

Revocation

  • Any revocation will be done by EQAO if it finds that a user was using the information in a manner that is not in accordance with this policy or that violated FIPPA or MFIPPA.

Scheduled Audit

  • An automatic audit happens every six months.
  • At minimum, EQAO should audit accounts at least once a year. .
Skip to content