Government Report Blasts Canadian Schools' Failures in PowerSchool Breach
Canadian government privacy and information commissioners said schools and educational bodies there lacked proper contractor oversight and safeguards, exacerbating the harms for more than 5 million students and educators from the PowerSchool data breach late last year (see 2501220057). The Ontario and Alberta information and privacy commissioners Tuesday released the findings of their investigations into the late-December breach of the California-based edtech provider (see 2502110031).
Based on their findings, the commissioners recommended that schools review and renegotiate agreements with PowerSchool “to include the recommended privacy and security related provisions” that “meet the requirements of applicable provincial public sector privacy law.” In addition, they should limit remote access to information systems to an “as-needed basis” and ensure there are adequate breach policies and procedures.
Schools should also “implement effective monitoring and oversight over PowerSchool’s technical and security safeguards” to make sure they comply “with applicable provincial public sector privacy law and leading industry standards,” such as conducting privacy impact assessments.
Though the reports were separate, the investigations were coordinated. Some common findings were that many schools “failed to include certain privacy and security-related provisions in their contractual agreements with PowerSchool to ensure” privacy law requirements were met, and they “lacked adequate breach response plans or protocols.”
Additionally, the educational bodies “failed to limit remote access to their student information systems by PowerSchool support personnel” to only what was necessary and “lacked policies and procedures to effectively monitor and oversee PowerSchool’s technical and security safeguards to ensure the company complied with its contractual terms and conditions.”
“It is essential to remember that privacy does not happen on its own,” Alberta Information and Privacy Commissioner Diane McLeod said. “It requires a concerted effort by public bodies to create and implement policies and procedures that ensure privacy is protected.”
“There is no way around this,” she added. “It simply must be done.”
PowerSchool's breach also potentially exposed the data of millions of students and educators in the U.S., resulting in state lawsuits and an arrest (see 2509030059).