A recent report by the Saskatchewan information and privacy commissioner's office revealed that private information of 2,841 students was accidentally made public last year.
The records in question included students' names, identification numbers, phone numbers, grades and parent email addresses.
The school division, which is in southwest Saskatchewan and has more than 6,000 students in total, said the privacy breach occurred Jan. 28, 2020, and was due to "human error."
An IT worker with the school division inadvertently transferred some computer code containing the student files from a private account to a public account.
Search bot discovers files
According to commissioner Ron Kruzeniski's report, none of the files were downloaded and the school division confirmed the data was accessed by only three visitors.
The breach was discovered by a search "bot" that was crawling the internet. Soon, the IT department at the school division was alerted.
That's when IT staff changed the privacy settings and contained the breach.
Students, parents should have been notified: Kruzeniski
The school division notified two parents whose email addresses the bot found, but no other parents or students.
When asked why not, it argued a mass notification wasn't necessary because only one outside organization accessed the information.
"The school division did not provide appropriate notification of this breach," he said.
Kruzeniski suggested the division could put a notice onits website, post notices in public offices, put out media advisories or buy advertisements.
Preventing future breaches
The report said the school division plans to buy some upgraded software to make its system more secure.
It also reviewed privacy policies and procedures with its IT department.
Kruzeniski noted these are good first steps, but also said the school division should take a deeper look at the cloud software it's using.
CBC requested an interview with school division officials. They declined to comment.