Ontario Alberta Privacy Commissioners Release PowerSchool Breach Investigation Findings

News Releases

Ontario and Alberta privacy commissioners release investigation findings into PowerSchool breach affecting school boards and other educational bodies

November 18, 2025

TORONTO, ON (November 18, 2025) — Ontario and Alberta information and privacy commissioners have released the findings of their investigations into a massive privacy breach involving PowerSchool education technology (edtech) used by schools in their respective provinces. The incident, which affected millions of Canadians across the country, highlights the importance for educational bodies, including school boards, to maintain high standards for protecting sensitive personal information of their students and educators, including when using service providers.

Although they issued separate investigation reports, the Ontario and Alberta commissioners coordinated their investigations under a memorandum of understanding to enhance collaboration and information-sharing in the handling of cross-jurisdictional investigations. Both reports have key findings in common, including that some or all of the educational bodies:

• Failed to include certain privacy and security-related provisions in their contractual agreements with PowerSchool to ensure that the educational bodies meet the requirements of applicable provincial public sector privacy law.
• Lacked policies and procedures to effectively monitor and oversee PowerSchool’s technical and security safeguards to ensure the company complied with its contractual terms and conditions, including in respect of user access privileges for remote support personnel and the use of multi-factor authentication.
• Failed to limit remote access to their student information systems by PowerSchool support personnel for only as long as necessary to address specific technical issues.

• Lacked adequate breach response plans or protocols.
  The Ontario and Alberta commissioners made recommendations to address the findings in their respective reports, including that the educational bodies:

• Review and, as needed, renegotiate agreements with PowerSchool to include the recommended privacy and security related provisions to ensure that the educational bodies meet the requirements of applicable provincial public sector privacy law.

• Implement effective monitoring and oversight over PowerSchool’s technical and security safeguards to ensure they are compliant with applicable provincial public sector privacy law and leading industry standards, including, by conducting a privacy impact assessment of their student information systems.

• Limit remote access to their student information systems on an as-needed basis only.

• Ensure they have adequate policies and procedures to respond to breaches in the future.
  Both Ontario and Alberta commissioners call on their respective governments to support the education sector by using their procurement leverage to strengthen the bargaining power of educational bodies when negotiating agreements with edtech service providers and that will enable educational bodies to meet their privacy law requirements. The commissioners also call on their respective governments to provide educational bodies with the technical guidance or assistance needed to assess the privacy and cybersecurity posture of edtech vendors. This would further support educational bodies in carrying out their monitoring and oversight responsibilities.

“This type of sector wide coordination and cooperation among school boards, strongly supported by government, would strengthen their contract negotiations with edtech service providers, as well as the oversight and monitoring measures necessary to ensure compliance with their obligations under public sector privacy laws,” said Patricia Kosseim, Information and Privacy Commissioner of Ontario. “Most importantly, such efforts would provide students, their parents, guardians, and educators with the personal information protection they deserve and an education system they can trust.”

“One of my office’s highest priorities is to identify, facilitate and support opportunities to enhance access and privacy education and protections for children and youth,” said Diane McLeod, Information and Privacy Commissioner of Alberta. “The investigation reports from my office and the office of the Ontario OIPC establish beyond a doubt that the risks to privacy caused by the PowerSchool breach were significant, for both the students as well as the adults affected. It is essential to remember that privacy does not happen on its own. It requires a concerted effort by public bodies to create and implement policies and procedures that ensure privacy is protected. There is no way around this. It simply must be done. I believe the recommendations in our reports, including those to government, set out a path that, if followed, will ensure the appropriate actions are taken.”

Learn more:

• Ontario IPC investigation report
• Alberta IPC investigation report Media contacts:

Office of the Information and Privacy Commissioner of Ontario

Office of the Information and Privacy Commissioner of Alberta
Elaine Schiman
Communications Manager

Mobile: (587) 983-8766

Topics Children and Youth in a Digital World Technology and Security

Media Contact

For a quick response, kindly e-mail or phone us with details of your request such as media outlet, topic, and deadline:

Email:
Telephone: 416-326-3965

Contact Us

Social Media

The IPC maintains channels on LinkedIn, X (formerly Twitter), YouTube and Instagram in its efforts to communicate to Ontarians and others interested in privacy, access and related issues.

-

-

Our Social Media Policy

Help us improve our website. Was this page helpful? Yes No How did this page help you? The information is incorrect or needs to be updated. The information was too hard to understand. The information wasn’t relevant. I didn’t find what I was looking for. Other Note:

• You will not receive a direct reply. For further enquiries, please contact us at
• Do not include any personal information, such as your name, social insurance number (SIN), home or business address, any case or files numbers or any personal health information.
• For more information about this tool, please see our Privacy Policy.