Skip to main content

32 Sask. students outed as transgender due to Edsby glitch: privacy commissioner

Share

Saskatchewan’s privacy commissioner says 32 students were outed as trans before the start of the school year due to a technical glitch with the online learning platform Edsby.

Edsby is a digital platform accessible to parents, students and teachers used to track attendance and grades, and facilitate communication.

Due to an issue transferring student data in eight school divisions, in August 2023 Edsby informed administrators that the legal names of students at those schools were visible to anyone connecting to the platform’s mobile application, rather than the preferred names.

Commissioner Ron Kruzeniski says this means that for several weeks just before the start of the new school year, 32 students had their privacy breached when their legal first names were visible to the rest of their classmates.

“The first category comprises students with legal names (distinct from their preferred names), the disclosure of which would reveal a fact personal about them,” Kruzenisky said in his December report.

“For example, in some instances, the name change could reveal that the student is transgendered. This is information personal to these individuals and their legal name alone, in this case, qualifies as personal information.”

In this case, Kruzeniski says there were 32 students whose legal first name qualified as personal information. They attended schools in the Saskatoon Public, Regina Catholic and Good Spirit schools divisions.

“The school divisions did not have consent of the 32 students to disclose their personal information,” he wrote. “A privacy breach occurred for each student whose birth name … did not match their chosen name and revealed a fact personal to them.”

Kruzeniski says his office learned of the issue from a news article on Aug. 25, but his office wasn't contacted by a school division representative on Aug. 29.

He says the divisions told the commission that all affected students were told of the breach through their counsellors by September 27.

The counsellors delivered letters “in confidence without knowing the contents of the letter and the students were given an opportunity to speak to the counsellors if they wished to.”

The letters described the breach, outlined steps taken to prevent future incidents and offered an apology to the students, Kruzeniski says.

While the school divisions generally responded appropriately to the privacy breach, the commissioner found some ongoing issues of concern in the written agreements between the divisions and CoreFour, the company that administers Edsby.

He found the agreements did not comply with a section of the province’s freedom of information regulations.

“I find that none of the documents shared with my office evidences an agreement between the school divisions and Edsby with provisions governing the access, use, management and protection of students’ personal information,” Kruzeniski said.

“These are issues not to be taken lightly as in the past, there have been security concerns with the use of Edsby in other jurisdictions,” including in Ontario and at the federal levels in Canada and the U.S., he said.

Kruzeniski found the affected school divisions had not adequately described steps taken to prevent similar future breaches and recommended they create data protection agreements with CoreFour within 30 days.

CTVNews.ca Top Stories

Stay Connected