5.4.1 SECURITY OF INFORMATION

All Edmonton Police Commissioners and staff are responsible for the security and protection of Edmonton Police Commission (Commission) information against unauthorized access and use.

The safeguarding of information is paramount as required by the Protection of Privacy Act (POPA). All Commission members and staff will strictly adhere to the guidelines and procedures outlined as they relate to the security of sensitive and other information.

Definitions:

Disclosure – Disclosure means to release, transmit, reveal, expose, show, provide copies of, tell the contents of, or give personal information by any means to someone. It includes oral transmission of information by telephone, or in person; provision of personal information on paper, by facsimile or mail; and electronic transmission through electronic mail, data transfer or the internet.

Information – Information may mean, but is not limited to, operational or administrative records, knowledge or data, regardless of how it is stored or kept. It can include electronic data, written or printed information, and verbal conversation.

Information Technology Resources (IT Resources) – IT resources refer to all hardware, software, and supporting infrastructure owned by, or under the custodianship of the Commission or the Edmonton Police Service (Service) that is used to create, retrieve, manipulate, transfer, and store electronic information. This includes ,but is not limited to, computers, file systems attached to these computers, operating systems running on these computers, software packages supported by these operating systems, wired and wireless networks, telecommunication and mobile devices, , data stored on or in transit on the above, as well as electronic identities used to identify and authenticate the users of the aforementioned resources.

Personal Information – Is defined in s.1(q) of POPA and is recorded information about an identifiable individual, including the following:

i. An individual’s name, home or business address, home or business telephone number, home or business email address, or other contact information, except where the individual has provided the information on behalf of the individual’s employer or principal in the individual’s capacity as an employee or agent,

ii. An individual’s race, national or ethnic origin, colour or religious or political beliefs or associations,

iii. An individual’s age, gender identity, sex, sexual orientation, marital status or family status,

iv. an identifying number, symbol or other particular assigned to the individual,

v. An individual’s fingerprints, other biometric information, blood type, genetic information or inheritable characteristics,

vi. information about an individual’s health and health care history, including information about an individual’s physical or mental health,

vii. information about an individual’s educational, financial, employment or criminal history, including criminal records where a pardon has been given,

viii. anyone else’s opinions about an individual, and

ix. an individual’s personal views or opinions, except if they are about someone else.

Privacy Breach – is the loss, unauthorized assess, or unauthorized disclosure of protected information, including personal information or individually identifying information. A breach may be the result of inadvertent errors or deliberate actions by commissioners, staff, agents, contractors, third parties, or intruders. Breaches also encompass the improper disposal of any printed or digital documents related to the protected information listed above.

Record – means a record as defined in s. 1(u) in the Access to Information Act (ATIA) and means any electronic record or other record in any form in which information is contained or stored, including information in any written, graphic, electronic, digital, photographic, audio or other medium, but does not include any software or other mechanism used to store or produce the record.

Procedures:

  1. The Commission’s Executive Director will ensure that all Commissioners and staff receive appropriate privacy training with respect to their responsibilities under this policy.
  2. Commission members and staff will immediately report any breaches of privacy to the Executive Director.

Guidelines:

  1. All Commission members and staff will comply with all privacy legislation and Commission, City of Edmonton (City) and Edmonton Police Service (Service) Information Technology (IT) policies, procedures, protocols and directives when using or accessing City, Service, and Commission information, systems, and resources.
  2. All Commission members and staff are required to sign a confidentiality agreement binding them to their responsibility to protect the privacy and confidentiality they hold during their term in office or employment with the Commission.
  3. All Commission members and staff will be issued a secure email address, and all Commission business and communications shall be conducted through this issued email only.
  4. The Commission Chair and Vice Chair may be issued a cell phone at the beginning of their term if required.
  5. IT resources are made available to Commission members and staff who are then responsible for using those resources in an effective and efficient manner.
  6. Commission members and staff will not provide access to Commission, City, or Service information to any non-Commission members or staff.
  7. Any sensitive or non-public information sharing or disclosure that is required beyond the Commission, City, or Service for business purposes must be security cleared by the Commission’s Executive Director (ED).
  8. All personal information of both Commissioners and staff will be protected in accordance with POPA and will not be distributed unless lawfully permitted.
  9. Commission members and staff will not allow unauthorized access to a Commission computer, iPad, laptop, phone or any of their accounts nor share any of their passwords. This includes restricted access to any video and audio surveillance owned and operated by the Commission for security purposes. NOTE: If a commissioner or staff member is using a personal device for Commission business, this same guideline applies.
  10. All Commission computers and other devices must be logged off when not in use.
  11. All information storage media and hard copy documents, including but not limited to, computer hard drives, laptops, smartphones, USB sticks, paper files and reports containing non-public information must be physically secured when not in use.
  12. When using portable storage devices, the information it contains should be encrypted and the device must be secured in a manner to prevent loss or theft.
  13. Only the approved electronic meeting management platform and software will be used for Commission meeting materials and will not be forwarded or copied to other devices including personal devices.
  14. Commission members and staff should not access or send non-public information on an insecure wireless network.
  15. The use of printed materials is to be avoided as much as possible outside of the Commission office and Commission information should not be photocopied or faxed using equipment outside of the Commission office.
  16. In the event of a lost or stolen Commission issued device, Commission members and staff must immediately notify the Service’s IT Help Desk and report this loss to the ED.
  17. In the event of a commissioner or staff member suspects a privacy breach, actual or potential, and regardless of whether the matter seems minor, it must be reported to the Commission’s ED as soon as possible.
  18. All Commission, City, and Service information records (electronic and hardcopy), materials and equipment must be returned to the Commission office upon expiry of a Commissioner’s term or staff employment with the Commission.

Procedures:

  1. The Commission’s Executive Director will ensure that all Commissioners and staff receive appropriate privacy training with respect to their responsibilities under this policy.
  2. Commission members and staff will immediately report any breaches of privacy to the ED who will follow the procedures outlined in Appendix G – Commission’s Privacy Management Program and Procedures.

References:

  1. Access to Information Act, RSA 2024
  2. Protection of Privacy Act, RSA 2024
  3. Appendix G – EPC Privacy Management Program and Procedures

Revised September 18, 2025