In Halton District School Board (Re), the Office of the Information and Privacy Commissioner of Ontario (IPC) investigated allegations against the Halton District School Board (the Board) related to the collection, use and disclosure of student’s personal information through the use of third-party apps such as Google. The IPC’s recommendations to bring the Board into compliance with the Municipal Freedom of Information and Protection of Privacy Act (the Act) serve as a reminder that school boards must continually ensure that the use of education technologies does not compromise students’ privacy.
Background
The Board had an agreement with Google to provide online educational tools for students (the G Suite). The Board determined which tools are available to students, and accounts were set up by both students and administrators.
The Board is subject to the Act as an Ontario-based institution. The purpose of the Act is to protect the privacy of individuals, and to safeguard personal information held by intuitions.
The complaint
The parents of two children enrolled at a Board elementary school filed a complaint with the IPC. The complaint alleged that the Board violated the Act through its collection, use, and disclosure of students’ personal information to third party apps on the G Suite. Moreover, the complainants alleged that the apps collect excessive amounts of personal information from students. The complainants asserted that the violation threatened their children’s’ safety, security, and privacy.
Findings of the IPC
1. Student information is “personal information”
The Act regulates the collection and use of “personal information”, which is defined as any information (a) about an individual in their personal capacity, (b) where it is reasonable to expect that an individual could be identified if the information were disclosed. Apps used by Board students collected information that included: full names, student numbers, Ontario Education Numbers, grade level, location, email, classes, date of birth, performance data, enrolment dates, and photos. The IPC found that students’ information could reasonably identify the student and constituted ‘personal information’ under s.2 (1) of the Act.
2. Collection of students’ personal information was necessary for accessing online apps
Section 28(2) of the Act requires that the collection of personal information be “necessary to the proper administration of a lawfully authorized activity”. The Board had to show that their activities were lawful and necessary to administer education services through third party apps. Personal information only helpful to the Board’s education services was not considered necessary.
First, the IPC agreed with the Board that the provision of education and education-related services to students under s. 169.1, 170(1), 171(1), 264(1) and 265(1) of the Education Act were lawfully authorized activities. Second, the Board argued that it is their role (not the individual receiving services) to determine necessity. Apps that over-collect personal information are not accessible for students. The IPC found that the assessment system adequately ensured only necessary personal information was collected. Therefore, the Board’s collection of students’ personal information was deemed necessary under s.28 (2) of the Act.
3. The Board did not provide adequate notice of collection to parents
The Act requires that institutions provide notice to individuals when collecting personal information. Adequate notice ensures respect for privacy and accountability. Section 29(2) of the Act stipulates three notice requirements:
- The legal authority for collection is stated;
- The principal purpose for which information is intended to be used is stated; and
- The title, business address, and business telephone number of an officer or employee of the institution who can answer the individual’s question about the collection is stated.
The Board provided various notices, including during student registration and on their website. However, the notices only satisfied the first two requirements of s. 29(2). On the third requirement, only the principal’s name and general email address were provided to parents. The IPC recommended that the Board revise notices to comply with the requirements of s. 29(2).
4. Personal information was used improperly by the Board
Under s.31 (b) of the Act, an institution can only use personal information in its custody or under its control for the purpose for which it was obtained or for a consistent purpose. A purpose is ‘consistent’ under s.33 “only if the individual might reasonably have expected such a use or disclosure”. Compliance with s.31 of the Act requires that the Board restrict third party vendors’ use of student information. Clauses 5 and 6 of the Board’s common Usage Agreement stated that a Vendor shall not “collect, access, disclose, sell or share Personal Information for its own benefit or purpose”. The IPC found that most Usage Agreements between the Board and third party vendors included sufficient limits on personal information use, however; the IPC recommended that the Board review all vendor agreements to ensure consistency.
The complainants also asserted two additional arguments. First, that students’ personal information was posted on YouTube when they wrote comments and this was not a ‘consistent’ purpose under s.31 (b). When students leave comments on YouTube, the comments were publically available with their name and photo accompany the comment. The IPC found that where the Board determined YouTube should be used for education services, importing student profile information was a consistent purpose and permitted under s.31 (b) of the Act.
Second, the complainants argued that marketing and advertising material sent to students by third party vendors was not a consistent purpose and violated s.31 (b). There must be a “rational connection between the purpose of the collection and the purpose of the use”, and rational connection is judged on a standard of reasonableness (not perfection). Part of “reasonableness” is that a person could foresee their information being used in the manner at issue. The complainant cited evidence that students received emails with the chance to enter prize draws. The IPC found that students and parents would not reasonably expect that information provided to obtain education services would be used to market goods and services to them. Therefore, the use of personal information for advertising and marketing by third party vendors violated s.31 (b). The IPC recommended that the Board revise its Usage Agreement to explicitly prohibit use of students’ personal information for advertising and marketing, and take steps to prevent similar violations moving forward.
5. The Board did not technically disclose students’ personal information
Save for the exceptions outlined in s. 32 of the Act, institutions cannot generally disclose personal information. In this case, the complainants argued that the Board violated s.32 and disclosed student information when they set up G Suite accounts. Furthermore, the complainants argued that student information was disclosed when students posted online and their comments were publically viewable. First, the IPC found that the Board was permitted to disclose personal information when setting up student accounts. Section 32 (d) permits disclosure to an agent of an institution if it is necessary for the institution’s function. In this case, the third party vendors were considered agents of the Board, and they required student information in order to set up accounts. Second, the IPC stated that posting comments on third-party apps is an individual student’s choice. Therefore, neither the Board nor the third-party vendors actually made any unauthorized disclosure.
6. The Board does not have sufficient contractual and oversight measures
Section 3(1) of Ontario Regulation 823 requires that institutions have reasonable measures to prevent unauthorized access to records in their custody or control. However, there is no ‘one-size-fits-all’ protection system. Rather, measures must be reasonable in relation to the type of information being held. The standard is reasonableness, not perfection. When an institution subject to the retains a private sector entity to provide functions on its behalf, there must be appropriate contractual provisions to meet the same protection threshold. Contractual provisions relevant to assessing if an institution fulfilled its obligations include: (a) ownership of data, (b) collection, use, and disclosure, (c) confidential information, (d) notice of compelled disclosure, (e) subcontracting, (f) security, (g) retention and destruction, and (h) audits. In this case, the Board did not allow usage of apps unless there was a contract in place between the Board and the vendor. However, the IPC found that the Board’s contractual provisions regarding, collection, use and disclosure, notice of compelled disclosure, security, retention and destruction, and audits were inadequate. The IPC recommended that all vendor contracts be revised to ensure sufficient protection of student information. The recommendation included:
- that the Board should revise Usage Agreements to include a clause requiring the vendors provide notice to the Board of any disclosure of personal information it has made in compliance with applicable law;
- the Board should update its Usage Agreements to ensure that Vendors’ personal information protection obligations continue despite changes to business name, structure, or ownership;
- the Board should add requirements to Usage Agreements that vendors delete data for student accounts no longer being used; and
- the Board should add requirements to Usage Agreements that vendors perform audits for privacy and security compliance if requested.
The Act gives the IPC power to make an order after completing an investigation. As part of the investigation process, the IPC will likely follow-up with the Board to ensure that any recommendations made are being implemented.
Key takeaways
The IPC decision in Halton District School Board (Re) raises important issues regarding the protection of student data in an increasingly digital education era. The COVID-19 pandemic accelerated the adoption of education technologies, which is likely to persist for the foreseeable future. The decision in this case acts as a reminder that the protection of students’ personal information should be paramount in school board decision-making regarding adoption of new technologies. School boards must remain alert to how third-party providers use students’ data. On a practical level, school boards and their advisors should continually ensure that their contractual provisions adequately protect students and their personal information. Parents and regulators are sure to be keeping an eye on the safety and privacy of their students.