By Esther Shainblum and Martin U. Wissmath

Halton District School Board Should Do Better to Protect Student Privacy: IPC Report

Ontario’s Information and Privacy Commissioner (IPC) published eight recommendations for the Halton District School Board (the “HDSB”) to improve its compliance with provincial privacy laws. In Halton District School Board (Re), an IPC report published on February 7, 2022 (the “Report”), identified a number of deficiencies in HDSB’s handling of the personal information of elementary students and some areas in which it failed to comply with the Municipal Freedom of Information and Protection of Privacy Act (the “Act”). The parents of two children attending elementary schools anonymously complained that HSDB’s use of third-party applications (the “Apps”) as part of the “G Suite Marketplace” software platform was in contravention of the Act, including failing to track the personal information collected by third parties through the Apps, posting of personal information without knowledge or consent and allowing third party advertising to students.

The IPC found that personal information of students as defined under section 2(1) of the Act included their names, student numbers, grade level, location, date of birth, photos and schoolwork. The IPC found that the system put in place by HDSB to determine whether a digital educational tool was permitted to collect students’ personal information satisfied HDSB’s obligation to ensure that it collects, directly or through its agents, only the personal information necessary for the provision of educational services, and that the collection of personal information permitted under its system was authorized under the Act. However, the IPC found that the notice of collection posted by HDSB did not refer readers to a specific person with title, address and telephone number as required by the Act and therefore did not align with the Act.

The IPC also found that the usage agreements between HDSB and the third party vendors were not all adequate and should be reviewed and revised to, without limitation: explicitly prohibit vendor use of students’ personal information for marketing or advertising purposes; include a clause requiring the third parties to provide notice to HDSB of any disclosures of personal information made in compliance with applicable law; ensuring that vendor obligations regarding personal information will continue to apply if the vendor’s business name, structure or ownership changes; requiring and confirming deletion of personal information by vendors and requiring vendors to audit the privacy and security of student information at HDSB’s request.

Due to the anonymous nature of the complaint, the IPC was not able to make findings on specific allegations made by the complainants. The Report provides good guidance for charities and not-for-profits regarding the practices they should adhere to when engaging third party vendors that may collect and use personal information of children and other stakeholders.

​

​Read the March 2022 Charity & NFP Law Update