Student privacy breached with website upload, says Sask. privacy commissioner
Regina Public Schools works to contain breach, implement privacy recommendations
Students' personal information and privacy was breached by a teacher's actions but Regina Public Schools has made "reasonable efforts" to contain the breach, according to Saskatchewan's Information and Privacy Commissioner.
Ronald Kruzeniski wrote that a concerned individual had flagged his office last fall, with the person saying he had been using a Google search to look up information when he came across student information uploaded to a church website.
"My office accessed the website and noted there were over 2,000 documents that had been uploaded to the subdirectory," he wrote in a Dec. 19 investigation report, noting items such as students' photos, grades and birth dates were uploaded. In total, 77 students may have had their information accessed by an unknown person or people.
A teacher at Regina's W.F. Ready School uploaded the information to the church website, mistakenly believing he was the only one, as the website administrator, with access to the documents for work purposes.
The division did not have the authority to disclose personal information to the public without individuals' consent, said Kruzeniski. He detailed five steps to deal with the privacy breach, including containing the breach and talking to the people affected.
Containing breach, informing families
The teacher deleted the files from his personal computer and the website, while Regina Public Schools used Google Webmaster tools to re-crawl the church's website. The division confirmed that all the files containing students' information were removed from Google's cache completely by Oct. 14, 2017, according to Kruzeniski's report.
Darren Boldt, a deputy director with Regina Public Schools, said that the division also contacted the families of the 77 students whose information was uploaded without their knowledge, and explained what had occurred. Most were grateful for the division's efforts, said Boldt.
"There was very little concern after they found out the kind of information that was available," he said.
Privacy is something we take seriously, and we expect our staff as well to follow our procedures and take that privacy seriously as well.- Darren Boldt, Regina Public Schools
He noted that the division does give each teacher a password-protected laptop and that teachers have access to the division's internal storage in which to save files.
"Privacy is something we take seriously, and we expect our staff as well to follow our procedures and take that privacy seriously as well."
Recommendations for future
In his report, Kruzeniski wrote he applauded the division's approach to notifying all those affected and answering any questions with phone calls.
Kruzeniski made further recommendations for the division, including creating explicit guidelines around record-keeping and only storing records on Regina Public Schools' computer network. Other students whose information may have been available online should also be contacted and informed of the breach, he wrote.
He recommended that employees should sign annually that they have read and understood guidelines on confidentiality. He further suggested all employees should receive Local Authority Freedom of Information and Protection of Privacy (LA FOIP) training, which Boldt said was already taking place.
The division would be working to strengthen privacy measures, said Boldt. "We will be enacting all of those recommendations in one way, shape or form," he said.