The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, April 29, 2005
A teacher with the Halifax Regional School Board apparently put a confidential student list on an accessible website. It wasn't linked to from anywhere, but someone e-mailed the URL to the Halifax Chronicle Herald:
Student information posted on Internet: "Teacher at Dartmouth school unaware confidential file could be accessed
By BARRY DOREY / Staff Reporter
School webmasters can expect a stern warning and a reminder about the dangers of their online duties after a detailed Dartmouth student list was left accessible on the Internet.
A teacher at Bicentennial School on Victoria Road posted a spreadsheet that listed the name, address, birthdate and phone number of every student.
It was posted in an area where she believed nobody would find it and there were no links to the page on the school website. But provided with the web page address, anyone could download the file.
"That information should have never been able to be accessed," said Doug Hadley, spokesman for the Halifax regional school board.
"We will be following up, we will talk to our schools this week."
Alerted to the situation by this newspaper, board officials located and removed the file within an hour Thursday night.
Mr. Hadley said the board is looking into the possibility that a hacker located the file, which was created last summer and was stashed in a private folder on the board's servers. But it was not protected by any passwords or other safeguards, meaning anyone with the URL could view the page.
"It's possible it may have been accessible for the entire year," Mr. Hadley said.
An e-mail including the web address was sent to this newspaper Thursday.
Board officials will use the incident as a "teaching moment" for all teachers or administrators who act as webmasters, he said. They will be reminded of the board's acceptable-use policy and will be warned of the perils of posting confidential information.
"This type of breach was not done with any type of (malicious) intent in mind, but we have to treat it seriously," Mr. Hadley said.
"The teacher was likely going beyond (the call of duty) and carrying the work home," where she could access information online.
The warning to webmasters, who receive general training but little in the way of followup or skills upgrading, is clear.
"Files may not be just for their eyes" if a hacker finds the page or "if someone knows what they are looking for," Mr. Hadley said.
He wouldn't speculate on any discipline that may be meted out to the teacher who made the mistake.
"I'm sure that the principal will follow up with the staff person," he said.
One parent of a Bicentennial student said the school board should be doing more to train and oversee teachers.
"It's unfortunate and I think the school board has to be more vigilant," said the father of two students.
"It's disappointing that it was not more secure."
Board policy forbids the posting of any student information without the written consent of a parent or guardian. And any files containing personal information must be protected with user names and passwords."
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.