On November 18, 2025, Ontario and Alberta’s information and privacy commissioners (collectively, the Commissioners) released their findings following investigations into a privacy breach involving the education technology provider, PowerSchool Canada ULC (PowerSchool), which services educational bodies (e.g., school boards) in both provinces. While the Commissioners conducted separate investigations, they had many findings in common, including that certain educational bodies lacked adequate privacy and security arrangements with PowerSchool as required under applicable privacy law.

PowerSchool provides a suite of tools to support educational bodies, including its Student Information System (SIS), which stores personal information relating to an institution’s operations. In December 2024, PowerSchool was the target of a cyberattack that resulted in the unauthorized access and exfiltration of personal information of students, staff, and parents/guardians from the SIS of certain educational bodies. The attack affected approximately 5.2 million Canadians across the country and resulted in several breach reports being submitted to the Commissioners.

The Commissioners conducted separate investigations into the attack but coordinated them under a memorandum of understanding to support collaboration and information-sharing in the handling of cross-jurisdictional investigations. The Commissioners had many investigative findings in common, including that some or all educational bodies:

  • failed to include certain privacy and security-related contractual provisions in agreements with PowerSchool, as required under applicable law;
  • lacked adequate policies and procedures to oversee PowerSchool’s technical security safeguards for compliance with contract terms;
  • failed to limit remote access to student information by PowerSchool support personnel to only as long as necessary to address specific technical issues; and
  • lacked adequate breach response plans or protocols.

The Commissioners issued recommendations to the educational bodies based on their findings, including for regulated entities to:

  • review and renegotiate their agreements with PowerSchool to include appropriate privacy and security-related provisions;
  • strengthen monitoring and oversight over PowerSchool’s technical and security safeguards, such as by conducting a privacy impact assessment on their SIS;
  • limit remote access to their SIS to an as-needed basis; and
  • ensure adequate policies and procedures are in place to respond to future breaches.

The Commissioners’ full investigation report can be found here and here.

Summary By: Victoria Di Felice

 

E-TIPS® ISSUE

25 12 10

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.