The province’s Privacy Commissioner is launching an investigation into a recent privacy breach involving the PowerSchool app.
A 19-year-old American college student recently pleaded guilty to hacking into the PowerSchool system and stealing the data of millions of students and teachers in a ransomware attack.
While both the hacker and the PowerSchool system are based in the U.S., the fact that the provincial school system uses the app makes it responsible for how information on students and staff is collected, stored and used.
Provincial privacy commissioner Kerry Hatfield will focus her investigation on the Department of Education’s use of PowerSchool, including the department’s decisions and practices surrounding what information it collects and how long the data collected on students and teachers is retained in PowerSchool.
Hatfield’s investigation will include other matters relevant to the department’s use of PowerSchool which may have either mitigated or exacerbated the impact of the breach.
According to the Privacy Commissioner:
“This breach involved MCP numbers, social insurance numbers, health details, and other sensitive information about current and former students and teachers in this Province going back a number of years. Before launching this investigation I felt it was appropriate to give the Department sufficient time to assess the impact of the breach, notify those who were impacted, and take steps to adjust its policies and practices. It has now had ample opportunity to do so.”
“We have been in communication with the Department since receiving notification of the breach and we understand that the Department has already taken a number of positive steps. The purpose of my investigation is not only to assess whether the Department has responded adequately to the breach, but also to ensure that measures taken by the Department to prevent future occurrences of this nature are sufficient. People have a right to expect that when a public body collects their sensitive personal information that it will do so in accordance with the law. That means that a public body shouldn’t collect more personal information than necessary, that it will take reasonable steps to protect the information it holds, and that it will retain that information for only as long as needed and then securely destroy it.”
Federal privacy commissioner Philippe Dufresne launched an investigation under the Personal Information Protection and Electronic Documents Act back in February.