Privacy commissioner says 32 students affected by name glitch

The investigative report concludes that future safeguards have not been put in place, called “the most important part of responding to a privacy breach.”

Larissa Kurz, Regina Leader-Post

An August glitch in an education app used by Saskatchewan school divisions that outed some transgender students has been ruled a breach of privacy by the province’s privacy commissioner.

In his report, Saskatchewan’s Information and Privacy Commissioner Ronald Kruzeniski also said divisions have not “satisfactorily demonstrated” proof it won’t happen again.

This past August, a technical error in the mobile version of Edsby changed some students’ display names on class lists from preferred names or nicknames back to legal names, with a notice issued from the company on Aug. 24.

In at least one instance, as reported by CBC Saskatchewan, the change outed a transgender student to classmates by reverting to their birth name.

The data breach occurred just days after the Ministry of Education announced a new policy requiring parental consent for students to change their pronouns or names at school. The timing garnered some panic, that reversions were because the policy was being implemented already.

Publicity brought the breach to the attention of Kruzeniski, who opened an investigation in September.

In his ruling, released on Dec. 20, Kruzeniski found that per the Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), the glitch was a breach of privacy as it revealed identifying personal information about individuals without their consent.

He ruled this specifically applies for the students affected who were using preferred names for gender identity purposes.

Kruzeniski’s report concluded 32 students were affected, in Saskatoon Public, Regina Catholic and Good Spirit school divisions. Five other divisions named in Edsby’s original notice were deemed not affected.

The glitch was active from Aug. 10 to Aug. 24, meaning these students’ information was involuntarily “publicly available for 14 days,” reads the report. The glitch was patched by Aug. 29, and affected students notified by Sept. 27 via letters from school counsellors.

Kruzeniski said he was satisfied neither Edsby or the divisions knew the error was active until Aug. 24, and took corrective measures immediately.

He then states that while reasonable efforts were made to contain the breach, notify those affected and investigate afterwards, divisions have not “satisfactorily demonstrated” measures have been taken to “prevent further breaches of this nature.”

Kruzeniski said it is not shown future safeguards have been put in place, which he calls “the most important part of responding to a privacy breach.”

School divisions confirmed Edsby has best practices on handling information for staff, and took “technical steps” to ensure such incident doesn’t occur again.

“This, however, is extremely inadequate in terms of preventive measures,” writes Kruzeniski.

He recommends divisions that use Edsby put in writing “agreements governing the use, disclosure and protection of personal information” provided to the platform, including a description of specific services and information management practice in line with LA FOIP regulations.

Divisions indicated to Kruzeniski those agreements were “being reviewed” to potentially add further privacy terms, but copies were not provided to his office prior to the release of his report.