EDMONTON — Privacy commissioners in Ontario and Alberta say investigations into a major PowerSchool data breach show school boards and other educational bodies failed to meet key privacy and security obligations when using the widely adopted education technology platform.
The breach affected millions of Canadians and exposed weaknesses in how student information systems are managed across the country. The two commissioners conducted their investigations separately but coordinated their work through an information-sharing agreement because the incident spanned multiple jurisdictions.
Both reports reached similar conclusions. Investigators found that many school boards did not include required privacy and security provisions in their contracts with PowerSchool, lacked policies to monitor the company’s safeguards, did not limit remote access by PowerSchool staff to what was strictly necessary, and had inadequate breach-response plans.
The commissioners recommended that educational bodies review and renegotiate contracts with PowerSchool to meet provincial privacy law, implement stronger oversight of technical and security controls, restrict remote access to student records on an as-needed basis only, and develop proper protocols to respond to future breaches.
They also urged the Ontario and Alberta governments to use their procurement powers to strengthen the bargaining position of school boards when dealing with edtech providers. Both commissioners called for governments to supply technical guidance to help educational bodies evaluate privacy and cybersecurity risks.
Alberta commissioner Diane McLeod said the scale of the breach demonstrated serious vulnerabilities. “The risks to privacy caused by the PowerSchool breach were significant, for both the students as well as the adults affected,” she said. “Privacy does not happen on its own. It requires a concerted effort by public bodies to create and implement policies and procedures that ensure privacy is protected.”
Ontario commissioner Patricia Kosseim said better coordination would lead to better protection. “Such efforts would provide students, their parents and guardians, and educators with the personal information protection they deserve and an education system they can trust,” she said.
The Alberta commissioner operates independently and oversees compliance with the province’s access and privacy laws, including the Freedom of Information and Protection of Privacy Act and the Health Information Act.








