On May 20, 2021, the Office of the Privacy Commissioner of Canada (OPC) announced the release of a privacy report reviewing the compliance of CoreFour Inc., which operates an educational software application called Edsby, with the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is the federal privacy legislation applicable to private sector enterprises.

This report was released concurrently with a report by the Information and Privacy Commissioner of Ontario (IPC) regarding a complaint by the same individual with respect to the use of Edsby software by an Ontario school board. The IPC addressed the complainant’s allegation that the use by the school board of Edsby software for the collection, use and disclosure of attendance information required parental consent. The IPC found that the school board did not require the consent of parents pursuant to Ontario’s Municipal Freedom of Information and Protection of Privacy Act.

The complaint filed with the federal OPC alleged that CoreFour lacked appropriate security and privacy protections for the personal information it collects, uses and discloses, and that there were security vulnerabilities, including with respect to passwords. The recommendations made by the OPC may assist school boards when evaluating software vendors.

CoreFour provides information management software services to schools and school boards. In the present circumstance, the OPC found that CoreFour’s legal obligations regarding personal information were as directed by its clients and restricted by contractual agreements. The volume and sensitivity of the personal information collected, used and disclosed by Edsby was deemed to require a high level of security safeguards, consistent with the sensitivity that applies to the personal information of vulnerable individuals, such as minors.

The OPC found that CoreFour did not have sufficient safeguards to protect personal information. It recommended that a formal information security management framework with written technological policies, procedures, processes and templates be developed.  It was also recommended that CoreFour conduct its own malware scans of third-party software applications. As well, the OPC recommended that CoreFour ensure that it has sufficient human resources for IT security who are trained on the policies, procedures and measures to be taken to protect personal information.

A formal privacy management framework was also recommended by the OPC. The OPC found that CoreFour had not conducted a formal assessment of the privacy risks within the Edsby application, and while not required by PIPEDA, it was a recommended best practice. Accompanying privacy policies and procedures and formal privacy training of employees and contractors was also recommended.

While the complainant alleged that there was an unreported privacy breach by CoreFour and the school board, the OPC found that, in fact, the complainant was the only individual who had accessed personal information that was subject to the software vulnerability detected. Aspects of CoreFour’s privacy policy were identified as confusing by the OPC and suggestions were made to clarify certain statements.  However, the privacy breach protocols implemented by CoreFour were considered appropriate by the OPC.

What this means for school boards

As part of due diligence, school boards should consider seeking confirmation that an information security management framework and personal privacy framework are in place, which implement assessment and compliance processes.  The vendor should also certify that regular training of both employees and contractors is undertaken.

In some cases, it may be appropriate for a school board to require that the vendor be certified in accordance with international standards and also to engage an independent technology security auditor to provide advice, confirm compliance and conduct testing of the vendor’s security.

Proportionality regarding due diligence when procuring software applications managing the personal information of students should not necessarily be related to the cost of the software application.  Instead, school boards should consider due diligence commensurate with the potential risks in the event of a security breach.