The province’s privacy commissioner says the onus is on government to ensure that companies they deal with live up to their contractual obligations in privacy protection.

Kerry Hatfield yesterday released her report on the cyber attack involving PowerSchool, and the actions of the public bodies responsible for safeguarding personal information.

The PowerSchool cyber attack, which involved jurisdictions across North America, was the province’s second largest privacy breach, affecting some 285,000 Newfoundlanders and Labradorians.

Hatfield says it’s not enough to leave it to the company to ensure that the appropriate privacy procedures are in place and that personal information is protected, it’s up to the public bodies involved to ensure that a company is living up to its obligations.

“I have kids in school myself, and we’re reliant on the department to ensure these security measures are in place. But I think one of the key findings I want people to be aware of is that it’s not just what’s in the contract, is that the follow-up has to happen. There has to be really strict, systematic monitoring to verify that these big tech companies are actually not just saying they’re going to do something in a contract, but they’re actually doing it.”

The provincial government meanwhile says it is taking “proactive steps” to safeguard against future privacy breaches and “ensure stronger cyber protection” for users of PowerSchool.

They include enhancing cybersecurity training for all departmental staff, reviewing all data held within PowerSchool, updating a retention and deletion schedule for personal information store in PowerSchool and reviewing and implementing additional security controls.