Ontario’s privacy commissioner is urging municipal rules surrounding the reporting of privacy breaches be brought in line with the province following the massive PowerSchool data breach last year.
Information and privacy commissioner Patricia Kosseim told Global News in an interview on Wednesday such changes are needed to reassure Ontarians.
“There is no mandatory breach reporting under the Municipal Act, there is no mandatory PIA (privacy information assessment), there is no mandatory investigation regime, robust investigation regime or order-making powers for our office under the MFIPPA Act,” Kosseim said.
Under amendments made to the Freedom of Information and Protection of Privacy Act (FIPPA) that came into force in July, provincial institutions are required to report certain privacy breaches to Kosseim’s office, and notify affected individuals of the breaches.
But those requirements are absent under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), which governs not only municipal governments, but school boards, police services boards and public library boards.
Story continues below advertisement
1:00
American college student expected to plead guilty in PowerSchool cyberattack that affected CBE
In the report, it was noted that after being informed of the cyber attack, institutions initiated their breach response plans, which included reporting the attack to their insurer, the Ministry of Education, law enforcement and her office.
Get daily National news
Get the day’s top news, political, economic, and current affairs headlines, delivered to your inbox once a day.
But it also noted that some school boards and institutions lacked a robust breach response plan, with one board acknowledging they had no response plan at all.
“We are calling on government to urgently raise the standards of MFIPPA to match FIPPA so all public institutions are subject to the same requirements, standards and obligations and students and parents can sit back, or Ontarians in general, and have the same expectation of protection with whatever level of government or public institution they’re dealing with,” she said.
Ontario’s Ministry of Public and Business Service Delivery and Procurement stated to Global News that its Enhancing Digital Security and Trust Act provides the government with tools to “better protect” student data, including through the implementation of age-appropriate standards for classroom software and the strengthening of procurement rules to prevent the misuse of student information.
Story continues below advertisement
Kosseim’s recommendations come after she and her Alberta counterpart released their reports on the PowerSchool data breach.
That breach saw approximately 5.2 million Canadians impacted across the country, according to Kosseim’s office, with 3.86 million Ontarians affected. Another 700,000 were affected in Alberta.
Retention of data ‘aggravated’ situation
A news release laid out several key findings and made recommendations on changes needed, but Ontario’s commissioner noted that her report also highlighted issues surrounding the retention of data.
Trending Now
-
Canadians are set to get a nationwide emergency test alert within hours
-
Auto theft costs Canadians $1B. Here are the top vehicles sought by thieves
“The situation was aggravated by the amount of information that was retained by the institutions in their student information systems (SIS),” she said Wednesday. “In other words, the breach was made all that much more massive due to the fact the school boards were collecting sensitive personal information that they didn’t need for the purposes of their education mandate.”
Story continues below advertisement
Some school boards are noted in the report to have retained data on current and former students and their parents or guardians for years or, in some cases, decades. Peel District School Board had data dating back to 1965, with the Toronto District School Board going back to September 1985.
The Ministry of Education, according to the report, had data going back to 1999 for both students and current and former educators.
Among the information retained: dates of birth, health-card numbers, social insurance numbers and family information.
2:08
Calgary law firm files lawsuit over massive PowerSchool data breach
Following the data breach and her report, Kosseim said she’s hoping it reiterates to school boards and educational bodies the need to be accountable for information, even if a cyberattack does not directly impact their institution.
“It’s really important that public institutions like school boards realize that while they can outsource their services, including involving personal information, they cannot outsource their accountability for that personal information,” she said.
Story continues below advertisement
The report calls on institutions to “separately” provide the Information and Privacy Commissioner with proof of compliance or the status of their efforts to comply with the recommendations.
A government official told Global News on background that it is reviewing the commissioner’s report on the PowerSchool breach and its recommendations.
More on Science and Tech
More videos
© 2025 Global News, a division of Corus Entertainment Inc.
