Regina Leader-Post

School division updates policies, training after privacy breach

- ASHLEY MARTIN amartin@postmedia.com

The Regina Public School Division is addressing policy gaps after a teacher uploaded more than 2,000 documents, many containing students’ information, to a public website.

Some of the information was online for 15 months before the privacy breach was reported to the Office of the Saskatchewan Information and Privacy Commissioner on Sept. 1. The documents have since been removed.

“We take it very, very seriously and we take families’ privacy very, very seriously,” said Darren Boldt, a deputy director of the school division.

“We worked really hard, had our IT personnel involved in every step to make sure that we didn’t miss anything. There was a lot of hours put into this …”

The teacher at W.F. Ready School posted student assignments, letters to parents, photos, birthdates, grades and passwords to his church website beginning in May 2016.

“He had uploaded the documents to a subdirectory of the church’s website, mistakenly believing he would be the only person, as the website administrator, to be able to access the documents,” wrote privacy commissioner Ronald Kruzeniski in his report dated Dec. 19.

“This was so that he could access the documents from anywhere he had internet access, so he could do his work as a teacher more efficiently.”

Boldt couldn’t speak to whether the teacher was disciplined. “This was not done in malice in any way, it was an innocent mistake, however a mistake that did cause the privacy breach to happen,” said Boldt.

The division is working to apply the privacy commissioner’s six recommendations after the incident, which Boldt believes is the first such privacy breach for a school division in the province. They include updating policies, creating guidelines, and training staff in privacy law.

On Sept. 5, the privacy commissioner’s office began its investigation. It notified the school division, which took immediate action.

The division downloaded the documents from the church website to determine what information was shared.

On Sept. 6, the teacher deleted the documents from his hard drive, a flash drive and from the website.

The documents, however, remained in a Google cache — a backup version stored in the search engine. Resolving that issue with Google’s assistance was only completed on Oct. 14.

Looking at the server logs and IP addresses, the school division found that 77 students’ information had potentially been accessed.

“There were a few people who were concerned, as people have the right to be concerned because it is their private information,” said Boldt, who was able to contact 74 of those students’ families.

“I think it really helped when we could describe the exact document and even show them. … Some of the things that one might worry about, in terms of identity theft and maybe credit worries, are kind of alleviated when you’re talking about 12-year-olds.”

One of the documents accessed in the breach was a digital phone book listing all families in the school. The division mailed letters to all families listed to alert them on Monday, at the privacy commissioner’s recommendation.

The commissioner stated that the school division should prohibit storing student information on teachers’ personal computers.

“I think it would be atypical for someone to save that kind of information at home” on a personal device, said Boldt.

All teachers are provided with password-protected laptops. The school division has servers for data storage for all staff.

But, “If it happened once, we need to inform our staff that it isn’t appropriate to do that,” he added.

The commissioner found that six different administrative policies “do not provide explicit and practical guidance to teachers as to how to maintain records.”

All employees should have and sign a copy of the administrative procedure on confidentiality, he added.

The commissioner recommended the division create guidelines about which records teachers should be keeping, for how long, and how those records should be stored. Certain records, like final marks and exams, have to be kept until a student is 25. But the commissioner argued that other documents, like classroom seating charts, should be disposed of at the end of the school year.

Boldt said the procedures are being updated to be more specific.

The commissioner further recommended that the school division provide Local Authority Freedom of Information and Protection of Privacy (LA FOIP) training to all employees.

Boldt said he started that process even prior to this investigation, meeting with principals and staff prior to September. That work is continuing.
