Yukon Information and Privacy Commissioner
Information and Privacy Commissioner audit finds Department of Education non-compliant with privacy law
Mon, Jun 12, 2023
WHITEHORSE – The Office of the Yukon Information and Privacy Commissioner (IPC) has found that the Yukon Department of Education is sharing information about students in ways that are not compliant with the Access to Information and Protection of Privacy Act (ATIPPA).
Some Yukon schools collect, use and disclose photos, videos and audio of students on internet platforms, including social media, as part of their outreach to parents and the community. Under the ATIPPA, these images are considered the students’ personal information (PI).
The IPC conducted a compliance audit into this practice. The audit found that the Department of Education could not demonstrate that it has authority for this activity, nor could it show that it is protecting the PI of students as required under the ATIPPA. The audit also found that some department employees are using their work contact information to create and maintain social media pages and may be collecting, using and disclosing student PI without authority under the ATIPPA and contrary to the department’s policies and procedures.
“This privacy audit identified considerable and serious privacy risks associated with posting students’ personal information on internet platforms,” said Jason Pedlar, Yukon Information and Privacy Commissioner. “These include the inability to track or control the further dissemination of photos and videos and the inability to prevent their use for unwanted or unintended purposes, such as the harvesting of personal information by fraudsters or other criminals.”
In the audit report, the IPC made six recommendations. These include that the department must immediately cease the collection, use and disclosure of student PI on internet platforms until it can establish it has authority under the ATIPPA to do so. As well, it must purge all existing student PI from its official internet platforms. If it wishes to resume this activity, it must conduct a privacy impact assessment to address and mitigate any associated privacy risks, as well as develop and implement an accountability framework in this regard, outline the framework in written policies and procedures, ensure these are periodically evaluated and audited for effectiveness and compliance, and ensure student PI is handled in ways that are compliant with the ATIPPA.
The IPC also recommended that the department review school social media to assess for any privacy breaches that may have occurred involving the unauthorized collection, use or disclosure of student PI by its employees. The department must also immediately notify all its employees of their obligations under the ATIPPA regarding student PI.
The Department accepted the IPC’s recommendations #3, 4, 5 and 6.
To view the report, click here.
The Information and Privacy Commissioner is an independent officer of the Yukon Legislative Assembly.
To download a PDF of this news release, click here.