Ontario and Alberta Information and Privacy Commissioners have released the findings of their investigations into a massive privacy breach involving PowerSchool education technology (edtech) used by schools in their respective provinces.
The incident, which affected millions of Canadians across the country, highlights the importance of educational bodies, including school boards, maintaining high standards for protecting sensitive personal information of their students and educators, including when using service providers.
Although they issued separate investigation reports, the Ontario and Alberta commissioners coordinated their investigations under a memorandum of understanding to enhance collaboration and information-sharing in the handling of cross-jurisdictional investigations. Both reports have key findings in common, including that some or all of the educational bodies:
- failed to include certain privacy and security-related provisions in their contractual agreements with PowerSchool to ensure that the educational bodies meet the requirements of applicable provincial public sector privacy law;
- lacked policies and procedures to effectively monitor and oversee PowerSchool's technical and security safeguards to ensure the company complied with its contractual terms and conditions, including in respect of user access privileges for remote support personnel and the use of multi-factor authentication;
- failed to limit remote access to their student information systems by PowerSchool support personnel for only as long as necessary to address specific technical issues; and,
- lacked adequate breach response plans or protocols.
The Ontario and Alberta commissioners made recommendations to address the findings in their respective reports, including that the educational bodies:
- review and, as needed, renegotiate agreements with PowerSchool to include the recommended privacy and security-related provisions to ensure that the educational bodies meet the requirements of applicable provincial public sector privacy law;
- implement effective monitoring and oversight over PowerSchool's technical and security safeguards to ensure they are compliant with applicable provincial public sector privacy law and leading industry standards, including by conducting a privacy impact assessment of their student information system;
- limit remote access to their student information systems on an as-needed basis only; and
- ensure they have adequate policies and procedures to respond to breaches in the future.
Both Ontario and Alberta commissioners call on their respective governments to support the education sector by using their procurement lever to strengthen the bargaining power of educational bodies when negotiating agreements with edtech service providers and that will enable educational bodies to meet their privacy law requirements. The commissioners also call on their respective governments to provide educational bodies with the technical guidance or assistance needed to assess the privacy and cybersecurity posture of edtech vendors. This would assist educational bodies in carrying out their monitoring and oversight responsibilities.
"One of my office's highest priorities is to identify, facilitate and support opportunities to enhance access and privacy education and protections for children and youth," said Diane McLeod, Information and Privacy Commissioner of Alberta. "The investigation reports from my office and the office of my counterpart in Ontario establish beyond a doubt that the risks to privacy caused by the PowerSchool breach were significant, for both the students as well as the adults affected. It is essential to remember that privacy does not happen on its own. It requires a concerted effort by public bodies to create and implement policies and procedures that ensure privacy is protected. There is no way around this. It simply must be done. I believe the recommendations in our reports, including those to government, set out a path that, if followed, will ensure that appropriate actions are taken."
"This type of sector-wide coordination and cooperation among school boards, strongly supported by our respective governments, would strengthen contract negotiations with edtech service providers, as well as the oversight and monitoring measures necessary to ensure compliance with their obligations under the Acts," said Patricia Kosseim, Information and Privacy Commissioner of Ontario. "Most importantly, such efforts would provide students, their parents and guardians, and educators with the personal information protection they deserve and an education system they can trust."
Through the OIPC, the Information and Privacy Commissioner of Alberta performs the responsibilities set out in Alberta's access to information and privacy laws, the Access to Information Act, the Protection of Privacy Act, the Freedom of Information and Protection of Privacy Act during the transition period, the Health Information Act, and the Personal Information Protection Act. The Commissioner operates independently of government.
Learn more:
