The Informatica blog - Authored by Claudiu Popa

Privacy breach at local school was preventable, may re-occur: Expert

Attention Community Events and Business Editors:

Privacy Breach at York Region School Was Entirely Preventable, May Re-occur: Expert

The recent breach of student information at a local high school showed improper response and failure to follow basic guidelines, but represents an opportunity for schools across the region to improve student protection and demonstrate due care.

February 8, 2013 /PR/ Last week’s breach of privacy impacted approximately a thousand students and their families, with personal information including phone numbers, personal emails and sensitive Ontario education numbers sent in an attachment to newsletter recipients. This brought about the very real risk of identity theft and more breaches of privacy for students and their families.

According to the Education Act, this information is an integral part of the Ontario Student Record (OSR), a confidential file that represents the student’s educational progress through the school system in the province. According to the Information and Privacy Commissioner of Ontario (IPC), boards of education are required by law to preserve the confidentiality of this sensitive information. The IPC’s “Guide to Ontario Legislation Covering the Release of Students’ Personal Information”, authored by Commissioner Ann Cavoukian, indicates that parents or students 18 or over can request that personal records be removed or destroyed from the OSR under certain conditions.

Concerned and angry parents have taken steps to contact the Board of Education and local media to express their disappointment. “Parents have a right to be angry. The School Board has publicly disseminated enough personal information for anyone to impersonate their child, and potentially gain access to their entire Ontario Student Record” said Claudiu Popa, a security expert recognized by the Office of the Privacy Commissioner as a Privacy by Design Ambassador.

Although the school’s response has been that they are taking the matter “very, very seriously”, the board’s reaction has been disappointing, with the assistant manager of public affairs, Christina Choo-Hum, simply stating that breaches do happen in every organization.

Claudiu Popa, who offers privacy education for teachers, parents and students at no charge as part of a community initiative called KnowledgeFlow, said: “The legislative landscape may appear complex, with the Board having to comply with MFIPPA, the Education Act and even PHIPA laws, but one fact is absolutely crystal clear. The personal information of students is the single most valuable and sensitive data in their custody. The Board doesn’t own this information, but they are required to protect it at all costs. Unfortunately the response from the York Region District School Board has shown a lack of understanding and accountability, which indicates not only that this has happened before but that it may very well happen again.”   

Popa, a certified privacy professional and author of multiple books on information protection, says that 3 simple steps would have prevented the breach. Schools that have not yet identified such lapses in compliance and protection have a real opportunity to show leadership and due care with the following best practices:

- assign a privacy officer in each school and invest in their professional training
- ensure that OSR data is properly classified, clearly identified and tracked
- use encryption to ensure that confidentiality is preserved

“Any one of these best practices would have prevented this breach and it is clearly unacceptable to still hear about serious incidents like this at a time where the public is so sensitized to abuse of child information, cyberbullying, online fraud and other types of crime. I don’t mean to plug our free training, but this is basic stuff that I even teach kids who come to my community seminars”.

“Not being able to trust a car rental firm or a social media company with our children’s information is one thing, but for the Board of Education to compromise its good name and reputation by simply downplaying a serious breach does come with a certain degree of arrogance.” Popa added that enforced policies and employee training should be mandatory and frequent to ensure that incident reporting, breach notification and data classification are consistently respected by all employees and contractors of every school and every board of education across Ontario.

For additional comment, contact Claudiu Popa, president, Informatica Corporation at (416) 431-9012 or email SoundBites@SecurityandPrivacy.ca.

To register students, parents or teachers for KnowledgeFlow Cybersafety Education programs (at no charge) contact Catherine Sword at the Whitchurch-Stouffville Public Library at 905-642-READ or email Register@KnowledgeFlow.ca.

CO:  KnowledgeFlow CyberSafety Education
IN:  York Region + Durham Region
Michael Loeters | 02/11/2013 08:36:58
An excellent perspective on the privacy risk in the educational sector. The fact that this is information about children makes it all the more sensitive. The public can be forgiving with respect to the fact that these incidents do happen, but they are not forgiving with how an organization handles it. Downplaying the significance of this was the worst thing they could have done. They should have said it was serious and presented a clear plan as to how they were going to deal with it, and prevent it from happening again. That is what people want to know and allow them to be more forgiving.
