
New Privacy Pressure on Schools after Joint Investigation into the PowerSchool Data Breach

Torkin Manes LegalPoint

On November 17, 2025, the Information and Privacy Commissioner of Ontario (“IPC”) and the Office of the Information and Privacy Commissioner of Alberta (“AB-IPC”, and, together with the IPC, the “Commissioners”) released reports on their investigations into a significant privacy breach involving PowerSchool Canada ULC (“PowerSchool”). PowerSchool is an education technology (“edtech”) provider used by schools in both Alberta and Ontario. The incident, which affected more than 50 schools and school boards and the personal information of over 5.2 million individuals, underscores that institutions, including school boards, must maintain heightened standards for protecting sensitive personal information when engaging third-party service providers.

Background Facts

PowerSchool supplies cloud-based platforms that help schools manage student enrollment, personal and medical information, attendance and other academic data. Over 50 entities, including public schools, charter schools and school boards in Ontario and Alberta (collectively, the “Educational Bodies”), were required to report a cyber-attack on PowerSchool to the IPC and AB-IPC. A threat actor gained access to PowerSchool’s Student Information System (“SIS”) and customer support portal, which stored the personal information of students, their parents and guardians, and current and former staff of each of the Educational Bodies. The data held on the SIS and customer support portal included social insurance numbers and other personal information, including medical information. The threat actor demanded a ransom for the stolen data, which PowerSchool paid to prevent its public release.

During their investigation, the IPC and AB-IPC found that several of the Educational Bodies had:

  • Failed to include certain privacy and security-related provisions in their contractual agreements with PowerSchool that were required by the applicable public sector privacy laws;
  • Lacked sufficient monitoring and oversight of PowerSchool’s safeguards, including user access privileges for remote support personnel and the use of multi-factor authentication (“MFA”);
  • Allowed longer than necessary remote access to their SIS by PowerSchool support personnel; and
  • Not maintained adequate breach response policies or procedures.

Issues

Both the IPC and AB-IPC addressed the following questions during their respective investigations into the PowerSchool data breach:

  1. Did the Educational Bodies have reasonable measures in place to prevent unauthorized access to personal information in accordance with the requirements of the applicable provincial privacy laws and their regulations?
  2. Did the Educational Bodies respond adequately to the data breach?

Findings of the Commissioners: A Lack of Compliance and Oversight of Technical and Security Safeguards

Both the IPC and AB-IPC found that the Educational Bodies did not take “reasonable measures” to prevent unauthorized access to the sensitive personal information stored by PowerSchool. The Educational Bodies in both provinces had failed to include privacy- and security-related terms, mandated by law, in their contractual agreements with PowerSchool. In particular, the agreements did not adequately limit PowerSchool’s collection and use of personal information, did not impose adequate breach notification obligations on PowerSchool, and did not provide audit rights sufficient to monitor PowerSchool’s use of personal information.

The Commissioners further concluded that the Educational Bodies did not sufficiently monitor PowerSchool’s security controls or its governance policies. Notably, where PowerSchool granted its subcontractors user access to the personal information held by the Educational Bodies, the Educational Bodies should have ensured that such access was modified or revoked within a reasonable time as employment status and job requirements changed. In some instances, institutions over-collected information and retained it far longer than required because they had no internal retention and deletion policies. Further, PowerSchool did not use MFA, which the Commissioners identified as a “security flaw in PowerSchool’s security posture and a contributing factor to the root cause of the cyberattack.”

Many of the Educational Bodies affected by the PowerSchool data breach lacked formal breach-response plans, which delayed containment of the breach and notification of the affected individuals. Many also had no policies governing privacy breaches. Both Commissioners emphasized that incident-response readiness is a mandatory, proactive obligation of institutions that collect, use and disclose sensitive personal information.

Key Take-Aways: Recommendations and Sector-Wide Impacts

To address the findings of the PowerSchool data breach, the Commissioners made the following recommendations:

  1. Educational Bodies should review their agreements with third-party service providers and, as necessary, renegotiate the terms of those agreements to ensure they meet applicable provincial public sector privacy law.
  2. Institutions should monitor third parties’ technical and security safeguards to ensure they are compliant with applicable privacy laws and leading industry standards.
  3. Institutions should limit remote access to their information systems on an as-needed basis.
  4. Institutions should ensure they have appropriate safeguards (including MFA) in place, together with breach-response policies and procedures ready before any future breach occurs.

The Commissioners each called on their respective governments to provide support and training to their education sectors, to establish a more coordinated approach for Educational Bodies when negotiating agreements with edtech service providers to meet privacy law requirements.

The Commissioners’ reports reinforce that public-sector organizations, particularly those responsible for sensitive personal information concerning children, must develop safeguard policies and procedures around the protection of data and breach reporting. Failure to do so risks legal non-compliance, regulatory scrutiny and loss of public trust.

For more information about data breaches and privacy compliance in Canada, please contact Roland Hung or Laura Crimi of Torkin Manes’ Technology and Privacy & Data Management Groups.

*The authors would like to thank Torkin Manes’ Articling Student Ilar Haydarian for her invaluable contributions in preparing this insight.