Student privacy breached with website upload, says Sask. privacy commissioner

Students' personal information and privacy was breached by a teacher's actionsbut Regina Public Schools has made "reasonable efforts" to contain the breach, according to Saskatchewan's Information and Privacy Commissioner.

Ronald Kruzeniskiwrote that aconcerned individual had flagged his office last fall, with the person sayinghehad been using a Google search to look up informationwhen he came across student information uploaded to a church website.

"My office accessed the website and noted there were over 2,000 documents that had been uploaded to the subdirectory," he wrote in aDec. 19 investigation report, noting items such as students' photos, grades and birth dates were uploaded. In total, 77 students may have had their information accessed by an unknown person or people.

A teacher at Regina's W.F. Ready School uploaded the information to the church website, mistakenly believing he was the only one, as the website administrator, with access to the documents for work purposes.

The division did not have the authority to disclose personal information to the public without individuals' consent, saidKruzeniski. He detailed five steps to deal with the privacy breach, including containing the breach and talking to the people affected.

Containing breach, informing families

The teacher deleted the files from his personal computer and the website, while Regina Public Schools used Google Webmaster tools to re-crawl the church's website. The division confirmed that all the files containing students'informationwereremoved from Google's cache completely by Oct. 14, 2017, according toKruzeniski's report.

DarrenBoldt, a deputy director with Regina Public Schools, said that the division also contacted the families of the 77 students whose information was uploaded without their knowledge, and explained what had occurred. Most were grateful for the division's efforts, said Boldt.

"There was very little concern after they found out the kind of information that was available," he said.

Privacy is something we take seriously, and we expect our staff as well to follow our procedures and take that privacy seriously as well.- Darren Boldt, Regina Public Schools

He noted that the division does give each teacher a password-protected laptop and that teachers have access to the division's internal storage in which to save files.

"Privacy is something we take seriously, and we expect our staff as well to follow our procedures and take that privacy seriously as well."

Recommendations for future

In his report, Kruzeniskiwrotehe applauded the division's approach to notifying all those affected and answering any questions with phone calls.

Kruzeniskimade further recommendations for the division, including creating explicit guidelines around record-keeping and only storing records on Regina Public Schools' computer network. Other students whose information may have been available online should also be contacted and informed of the breach, he wrote.

He recommended that employees should sign annually that they have read and understood guidelines onconfidentiality. He further suggested allemployees should receive Local Authority Freedom of Information and Protection of Privacy (LAFOIP) training, whichBoldtsaid was already taking place.

The division would be working to strengthen privacy measures, said Boldt. "We will be enacting all of those recommendations in one way, shape or form," he said.