Exposed! Major privacy breach at Stouffville High
February 8, 2013
The irony is poignant.
As local privacy expert Claudiu Popa takes steps to keep Stouffville residents safe online, Stouffville District Secondary School (SDSS) has breached the privacy of 1000 of its students.
According to a story on YorkRegion.com, an Excel spreadsheet containing information on about 80 per cent of the school's 1200-student population was accidentally attached to an email newsletter distributed to almost 1000 local families.
Popa is not impressed, noting that the breach was entirely preventable and may re-occur.
"Unfortunately the response from the York Region District School Board has shown a lack of understanding and accountability, which indicates not only that this has happened before, but that it may very well happen again."
Popa's comment references statements made by Christina Choo-Hum, assistant manager, public affairs and communications services for the York Region District School Board.
In what appears to be an attempt to downplay the privacy breach, Choo-Hum commented to journalist Sandy Bolan that privacy breaches "happen".
"It happens in hospitals. It happens with the police. It happens in banks," Choo-Hum said. (It should be noted that the school principal, Mr. Reid Wilshire, has said that SDSS is taking the incident "... very, very seriously.")
Saying it happens is not an acceptable response. Handling the private information of Canadian citizens, and especially youth, is a trust. Protecting confidential information is something organizations must do at all times. This is the law.
Popa notes that schools are required to comply with not just one, but three layers of legislation when protecting student data.
"The legislative landscape may appear complex, with the Board having to comply with MFIPPA, the Education Act and even PHIPA laws, but one fact is absolutely crystal clear," says Popa. "The personal information of students is the single most valuable and sensitive data in their custody. The Board doesn't own this information, but they are required to protect it at all costs."
For the affected students, there is no way to put the proverbial "genie" back in the bottle now that their personal information has been released.
"It's unfortunate that once parents and their children discovered that they were the victims of a privacy breach, they had to be told by the perpetrators that this is something that happens all the time, to everyone," says Popa. "By downplaying their grave mistake, the Board of Education effectively made matters worse and exacerbated the emotional impact of the breach."
StouffvilleConnects has learned that the Ontario Privacy Commission has begun an investigation into the breach and will start collecting facts early next week.
It remains to be seen what the outcome of the investigation will be and whether the school board will be required to purchase identity theft protection insurance for all affected.
In the meantime, Popa, a certified privacy professional and author of multiple books on information protection, explains that 3 simple steps would have prevented the breach:
- assign a privacy officer in each school and invest in their professional training
- ensure that OSR data is properly classified, clearly identified and tracked
- use encryption to ensure that confidentiality is preserved
"Any one of these best practices would have prevented this breach and it is clearly unacceptable to still hear about serious incidents like this at a time where the public is so sensitized to abuse of child information, cyberbullying, online fraud and other types of crime," notes Popa. "I don't mean to plug our free training, but this is basic stuff that I even teach kids who come to my community seminars".
In an unexpected twist, Popa had originally hoped to work with SDSS on his educational workshops. His calls to the school were not returned.
"Instead I have had a lot of success and excellent feedback from presenting this content at the local library," says Popa. "The series is sponsored by local businesses and the emphasis is always on having fun, because I don't allow anyone to go home without learning something".
Popa's next KnowledgeFlow seminar, which is for youth between the ages of 8 and 18, is scheduled for March 14 and will provide tips on avoiding online stalkers, scams and other types of unsafe exposure. The free session was just under 50 per cent booked after one day of registration, so those interested in attending should book soon to ensure a spot. To register, go to knowledgeflow.ca (look for the flyer for details and email in your registration).