(from Information and Privacy Commissioner of Ontario) Educational technologies provided by third party vendors are a major entry point for cyberattacks that can put the personal information of students, teachers and parents in harm’s way. An investigation into the PowerSchool hack found that many schools:
- were missing key privacy and security related provisions in their agreements with PowerSchool, and that contracts were inconsistent from school to school.
- lacked the mechanisms necessary to oversee PowerSchool’s privacy and security-related policies and practices and to monitor and enforce the company’s compliance with the terms of their agreements.
- kept their student information systems always open through the customer service portal instead of limiting access to PowerSchool’s technical support workers on an as-needed basis only.
- collected highly sensitive personal information they did not need for educational purposes and kept personal data longer than necessary.
More from Information and Privacy Commissioner of Ontario
