Last fall, when the COVID-19 pandemic steered students away from schools and into their homes, school boards and schools needed to pivot on a dime and be certain that the online tools and data management systems they adopted kept students’ personal information safe and secure. Following a long shutdown, public schools across the province have welcomed students back into the classroom, but many of the online educational tools are here to stay.
Ontario’s municipal privacy law, MFIPPA, requires that public school boards and schools ensure that online tools and data management systems properly protect students’ personal information. Despite this, it is not unusual for my office to hear from concerned parents and guardians about the adequacy of the privacy and security measures used by their kids’ schools.
To help schools navigate this tricky terrain and support compliance, my office has posted a new webinar for teachers and school administrators on their access and privacy obligations under MFIPPA. It offers a refresher on MFIPPA requirements and includes details about recent investigations by my office related to the use of cloud-based data management systems by two of the largest public school boards in the province.
Both these investigation reports bring to light the responsibility of institutions to maintain strong oversight over their service providers and to ensure the personal information they transfer to their service provider for processing is managed in accordance with Ontario’s privacy laws.
The York District School Board (YDSB) investigation involves the use of Edsby, a cloud-based data management service that stores and processes student attendance information. Our investigation found that while the YDSB had included appropriate provisions in its contract with CoreFour Inc. (Edsby’s parent company), it did not have reasonable oversight measures in place to ensure fulfillment of the contract and prevent security vulnerabilities. To address this, our report recommends the school board strengthen and document the steps they have taken to ensure CoreFour has fulfilled the mandatory security requirements of their agreement. This includes, among other measures, confirming the company has implemented the recommendations made in an independent security assessment and having information security policies and controls that align with recognized standards.
The second investigation was the result of a privacy complaint from the parent of a Toronto District School Board student who alleged that the board’s use of G Suite for Education did not comply with MFIPPA. G Suite for Education (now called Google Workspace for Education) is a set of Google services and tools tailored for schools to help them collaborate and streamline online learning and instruction. Our report recommends the board make changes to how it provides notices of collection to parents and students to improve transparency. It also recommends the board improve its oversight of Google’s security practices by requesting regular security briefings and evidence of compliance with contractual commitments from Google. The board should also review any significant developments in the scope of Google’s services and features to determine whether it needs to update its privacy and security assessments.
These investigations and our recommendations align with our strategic priority Children and Youth in a Digital World. Our goal in this priority area is to champion the access and privacy rights of Ontario’s children and youth by promoting their digital literacy and the expansion of their digital rights while holding institutions accountable for protecting the children and youth they serve.
To this end, our Guide to Privacy and Access in Ontario Schools outlines the obligations school boards, teachers, and administrators have under MFIPPA. We also have several fact sheets for teachers, administrators, and parents on selecting and safely using online learning platforms.
If you enjoy podcasts, a recent episode of the IPC’s Info Matters podcast explores the importance of teaching kids about privacy.
And stay tuned, there’s more… in the coming weeks, we’ll also be introducing a new and exciting privacy resource just for kids. Even though privacy is a serious matter, learning about privacy can still be fun!
For all of the two million public school students in Ontario, parents, teachers, school administrators, and staff, I wish you a safe and successful school year.
This post is also available in: French