The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from the parent of a student of the York Region District School Board (the board) objecting to the board’s implementation of a cloud-based data management service (Edsby), under contract with Corefour Inc. (Corefour), to store and process information pertaining to the attendance of the board’s students. The complainant alleged that the board’s use of Edsby contravened the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA or the Act). The complainant’s concerns included the board’s failure to secure parental consent to the use of Edsby, the adequacy of its notice of collection, potential misuse of information by Edsby service providers, the adequacy and enforceability of the terms of the board’s contract with Corefour and the adequacy of the board’s oversight in relation to various Edsby security measures. The complainant also raised concerns relating to the Edsby Terms of Use and Privacy Policy and a specific security vulnerability that was exploited by the complainant.
This report concludes that the board’s collection, notice of collection, use and disclosure of the students’ personal information were in compliance with the Act. This report also concludes that the board has reasonable contractual measures in place to ensure the privacy and security of the personal information of its students.
However, this report concludes that the board has not demonstrated that it has reasonable oversight measures in place in relation to the performance of the board’s and Corefour’s contractual security obligations, in accordance with the requirements of the Act and its regulations. In particular, the board did not have reasonable measures in place to prevent the security vulnerability that was exploited. This report makes recommendations as to the steps the board should take to strengthen and document the board’s oversight of security measures. This report also make recommendations with respect to its contract with Corefour and the Edsby Terms of Use and Privacy Policy.