Private information of 2,841 students accidentally released: Sask. privacy commissioner

·2 min read
The Chinook School Division was the subject of a report by Saskatchewan's information and privacy commissioner after more than 2,800 student files were accidentally made public. (Google Street View - image credit)
The Chinook School Division was the subject of a report by Saskatchewan's information and privacy commissioner after more than 2,800 student files were accidentally made public. (Google Street View - image credit)

A recent report by the Saskatchewan information and privacy commissioner's office revealed that private information of 2,841 students was accidentally made public last year.

The records in question included students' names, identification numbers, phone numbers, grades and parent email addresses.

The school division, which is in southwest Saskatchewan and has more than 6,000 students in total, said the privacy breach occurred Jan. 28, 2020, and was due to "human error."

An IT worker with the school division inadvertently transferred some computer code containing the student files from a private account to a public account.

Search bot discovers files

According to commissioner Ron Kruzeniski's report, none of the files were downloaded and the school division confirmed the data was accessed by only three visitors.

The breach was discovered by a search "bot" that was crawling the internet. Soon, the IT department at the school division was alerted.

That's when IT staff changed the privacy settings and contained the breach.

Matthew Howard/CBC
Matthew Howard/CBC

Students, parents should have been notified: Kruzeniski

The school division notified two parents whose email addresses the bot found, but no other parents or students.

When asked why not, it argued a mass notification wasn't necessary because only one outside organization accessed the information.

Kruzeniski disagreed.

"The school division did not provide appropriate notification of this breach," he said.

Kruzeniski suggested the division could put a notice onits website, post notices in public offices, put out media advisories or buy advertisements.

Preventing future breaches

The report said the school division plans to buy some upgraded software to make its system more secure.

It also reviewed privacy policies and procedures with its IT department.

Kruzeniski noted these are good first steps, but also said the school division should take a deeper look at the cloud software it's using.

CBC requested an interview with school division officials. They declined to comment.

Our goal is to create a safe and engaging place for users to connect over interests and passions. In order to improve our community experience, we are temporarily suspending article commenting