(ID 349254967 © HAKINMHAN | Dreamstime.com)

By rdnewsNOW staff

Student information

Alberta and Ontario privacy commissioners release findings of PowerSchool data breach

Nov 18, 2025 | 1:30 PM

Alberta and Ontario Privacy Commissioners have released the findings following an investigation into the massive PowerSchool data breach that occurred last January.

The widespread breach impacted schools across North America and other parts of the world, compromising students’ personal information.

Locally, it affected Red Deer Public Schools, Red Deer Catholic Regional Schools, Wolf Creek Public Schools, Wild Rose School Division, and Clearview Public Schools. Meanwhile, Chinook’s Edge School Division was not impacted.

At the time, it was reported that the breach involved current and past student and staff information stored within the PowerSchool Student Information System, including:

• Student names
• Student mailing addresses
• Dates of birth – students only
• Student home phone numbers
• Basic student medical information (in some cases), such as details about asthma, diabetes, or allergies

Last seen Nov. 28

Missing: Jimmy Eagle, 27, of Maskwacis

Dec 14, 2025

the situation is dire

Two deaths, possibly from cold exposure, raise alarm amid Red Deer shelter situation and plight of homeless community

Dec 12, 2025

Lace-'Em Up!

Red Deer's outdoor rinks returning for another season

Dec 12, 2025

The province says the incident highlights the importance of educational bodies maintaining high standards for protecting personal sensitive information for their students and staff.

Although Ontario and Alberta had separate reports, they coordinated their investigations under a memorandum of understanding to enhance collaboration and information-sharing. However, both reports have key findings in common:

• failed to include certain privacy and security-related provisions in their contractual agreements with PowerSchool to ensure that the educational bodies meet the requirements of applicable provincial public sector privacy law;
• lacked policies and procedures to effectively monitor and oversee PowerSchool’s technical and security safeguards to ensure the company complied with its contractual terms and conditions, including in respect of user access privileges for remote support personnel and the use of multi-factor authentication;
• failed to limit remote access to their student information systems by PowerSchool support personnel for only as long as necessary to address specific technical issues; and,
• lacked adequate breach response plans or protocols.

The commissioners also made recommendations to address the findings in their respective reports, including that the educational bodies:

• review and, as needed, renegotiate agreements with PowerSchool to include the recommended privacy and security-related provisions to ensure that the educational bodies meet the requirements of applicable provincial public sector privacy law;
• implement effective monitoring and oversight over PowerSchool’s technical and security safeguards to ensure they are compliant with applicable provincial public sector privacy law and leading industry standards, including by conducting a privacy impact assessment of their student information system;
• limit remote access to their student information systems on an as-needed basis only; and
• ensure they have adequate policies and procedures to respond to breaches in the future.

Both Ontario and Alberta commissioners call on their respective governments to support the education sector by using their procurement lever to strengthen the bargaining power of educational bodies when negotiating agreements with edtech service providers, and that will enable educational bodies to meet their privacy law requirements.

The commissioners also call on their governments to provide educational bodies with the technical guidance or assistance needed to assess the privacy and cybersecurity posture of edtech vendors.

“One of my office’s highest priorities is to identify, facilitate and support opportunities to enhance access and privacy education and protections for children and youth,” said Diane McLeod, Information and Privacy Commissioner of Alberta.

“The investigation reports from my office and the office of my counterpart in Ontario establish beyond a doubt that the risks to privacy caused by the PowerSchool breach were significant, for both the students as well as the adults affected. It is essential to remember that privacy does not happen on its own. It requires a concerted effort by public bodies to create and implement policies and procedures that ensure privacy is protected. There is no way around this. It simply must be done. I believe the recommendations in our reports, including those to government, set out a path that, if followed, will ensure that appropriate actions are taken.”