Auditing

Audit records are kept within PASI to assist with troubleshooting and privacy breach investigations, and to support business processes triggered by changes to information. Auditing within the PASI Core is performed at two levels:

In addition to the auditing performed by PASI, PASI Clients are also required to perform auditing when information shared with PASI is accessed and/or updated via the PASI Client in order to maintain compliance with the PASI Usage Agreement. From the PASI Usage Agreement:

The School Authority shall ensure that its SIS creates and maintains audit trails and records sufficient to fully support investigations into any privacy or security breach that may occur.

At a minimum, the audit record shall identify all individuals who have accessed a particular student's information, or attempted such access without proper authority, including:

  • unique user IDs for users who accessed or attempted to access the information,
  • the status of each access attempt (successful or unsuccessful),
  • the dates, times, IP addresses, physical locations and workstations at which access was obtained or attempted,
  • whether the student record was changed and, if so, what changes were made,
  • any system errors or messages that were generated as a result of the access or attempted access.

If a breach of privacy were to occur, the PASI Client is expected to have this information available and to be able to provide such audit information to Alberta Education if required.

Audit trail records (log) will be tracked within PASI and each PASI Client can send required audit information to PASI. The PASI Client can:

  • Create an audit trail for each data change within PASI (insert, update, delete) or student inquiry,
  • Send PASI the audit information, such as the user name of the individual who made the request for the student data, the date/time, and a record of the change(s) made (see the list above).

PASI will capture this audit information in a manner that supports monitoring and auditing when a breach has occurred. Note, however, that PASI Client applications may also need to maintain a full audit log within the SIS, especially for transactions such as student inquiries where the PASI Core is not called by the application.
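
One way a PASI Client could shape the audit entry described above, as an added example (not PASI or SIS code): it carries the minimum fields from the Usage Agreement excerpt, records unsuccessful attempts as well as successful ones, and derives what changed from before/after values. The field names, function names and `student_id` key are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Minimum content named in the PASI Usage Agreement excerpt; the key names
# themselves are assumptions made for this example.
REQUIRED = ("user_id", "student_id", "status", "timestamp", "ip_address",
            "location", "workstation", "record_changed", "changes", "system_messages")

def diff_fields(before, after):
    """Return {field: {"old": ..., "new": ...}} for every value that differs."""
    before, after = before or {}, after or {}
    return {
        key: {"old": before.get(key), "new": after.get(key)}
        for key in sorted(set(before) | set(after))
        if before.get(key) != after.get(key)
    }

def build_audit_record(user_id, student_id, action, success, ip_address,
                       location, workstation, before=None, after=None,
                       system_messages=(), now=None):
    """Build one audit entry for an access or attempted access."""
    # A denied or failed attempt changes nothing, but is still recorded.
    changes = diff_fields(before, after) if success else {}
    return {
        "user_id": user_id,
        "student_id": student_id,
        "action": action,  # insert, update, delete or inquiry
        "status": "successful" if success else "unsuccessful",
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "ip_address": ip_address,
        "location": location,
        "workstation": workstation,
        "record_changed": bool(changes),
        "changes": changes,
        "system_messages": list(system_messages),
    }

def missing_fields(record):
    """List required fields that are absent, or empty where a value is mandatory."""
    optional_empty = {"record_changed", "changes", "system_messages"}
    return [f for f in REQUIRED if f not in record
            or (f not in optional_empty and record[f] in (None, ""))]

def to_log_line(record):
    """Serialize as one JSON line; refuse to write an incomplete entry."""
    gaps = missing_fields(record)
    if gaps:
        raise ValueError("incomplete audit record: " + ", ".join(gaps))
    return json.dumps(record, sort_keys=True)
```

The same record can be written to the SIS's own audit log for inquiries that never call the PASI Core, so both trails share one shape.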