How Safe Is Student Data in the Digital Age?

The replacement of filing cabinets with computer servers and external hard drives likely happened in your workplace decades ago. School districts are no different. But as unavoidable as a digital workplace may seem, it lacks the security of the old paper filing system.

For example, last month the Delta School District experienced two instances where students' privacy was breached -- one disclosed to the public, one kept under wraps.

The district insists the problems have been dealt with, and student information is as safe as the money in your online banking account.

"It is encrypted and secure, and we put all of the security measures in place just as [one] would in an old filing system, tucked away," says Deneka Michaud, district communications manager.

Paul Steer, president of the Delta Teachers' Association, believes his employer is doing the best they can do to protect student information. But he still worries that more breaches are inevitable.

"It stands to reason that the more personal information that we digitize and make accessible via computer networks, the higher the risk that there will be some kind of breach at some times, and I guess what this proves is we cannot predict what kind of breach or when it's going to happen," he says.

Online database 'is safe': Michaud

The Delta School District sent a letter to parents on Oct. 26, informing them that student privacy was violated on Oct. 23 when a parent inadvertently downloaded the private information of all 16,000 students in the district, including continuing education students.

The breach happened when the parent was using Parent Connect, an online database provided by the school district to parents to check their child's homework, attendance and report cards online. The document included sensitive information like students' names, their Care Card numbers, contact information, birth dates and birth certificate numbers.

According to Michaud, the breach was the result of the parent being in the wrong place at the wrong time.

"The specific area that [the parent] was located at in Parent Connect at the time, along with an Internet error, as well as a programming error, all culminated in her being able to click and then receive this information, generating a report," she told The Tyee.

Michaud says the parent immediately notified the district of the breach, and the district's IT department responded by deleting the report and checking the district's entire system for similar breaches. This includes Teacher Connect and Employee Connect, two other online databases provided by the district, which store private information like T4 slips with Social Insurance Numbers. No other breaches were found.

The Office of the Information and Privacy Commissioner was notified of the breach when it happened and parents were encouraged to contact the Commissioner's office if they felt their privacy was at risk. In an emailed statement, the Office told The Tyee they had not received any complaints about the breach.

Despite the slip up, Michaud says the district is very concerned about online privacy and takes extra measures to ensure student and employee info is secure.

"The entire database is encrypted with security certificate technology, and that technology is equivalent to what is used in the banking industry, and every single access point to the data has that same encryption system," she says, adding the district employs other companies to conduct ethical hacks, where an outside company tests the security of their online systems.

"It is safe," she says.

Google mishap

But this wasn't the only time a breach of student privacy happened in the Delta district this fall.

Three weeks earlier another breach occurred when it was discovered that entering the name of a teacher from Delta Secondary School into a Google search uncovered a PDF with a list of the names of all the students in their classes. This breach wasn't disclosed to the public, Michaud says, because it didn't pose safety or security risks for students or employees. The Tyee was notified via an anonymous letter sent to our office.

This time, Michaud says, the problem was with Google, which was linking search results back to reports teachers produced using the district's online database. The reports, which teachers often produce to look at their class lists, are deleted daily. But if someone knew the teacher's name and the name of a class they taught, they could easily find these reports with the list of student names for that class.

"So if you knew it was me, Deneka Michaud Science 12, then it would show that list," says Michaud.

"We worked with Google and they purged absolutely everything, and with them we put in stronger security measures that completely blocks them, and as a result all of their web servers, from being able to get to that area where those reports are."

Steer says these breaches do make him question why some private information needs to be digitized at all.

"I think that there's actually very little information of students that needs to be shared digitally across computer networks," he told The Tyee. "It's apparent that breaches of this kind apparently have happened and can happen again. We take student confidentiality very seriously, and the union's going to follow up with the district to ensure that they’re doing everything possible to ensure it doesn't happen again."

Risks of the digital age

How safe, then, is private student and teacher information in other districts in the digital age? While there are no guarantees, the Ministry of Education assures their system is designed with security of private information in mind.

Delta is one of only four districts in the province that use their own internal database for student and employee information; Vernon, Campbell River, and North Okanagan-Shuswap are the other three. The rest are subscribed to the British Columbia Enterprise Student Information System (BCeSIS), the much-maligned Ministry of Education endorsed data system that has cost government almost $100 million to implement and repair since 2005.

Although scheduled to be replaced by 2013 because of widespread complaints of it being slow and repeatedly crashing, BCeSIS does have a long list of privacy breach preventions, including mandatory privacy training for all teachers and districts' staff, access to individual information limited by roles, and access limited to district staff. Even the ministry itself doesn't have access to all the information on BCeSIS.

"The Ministry does not have direct access to the data in BCeSIS," reads an emailed statement sent to The Tyee from a ministry spokesperson. "The districts use BCeSIS to prepare data submissions that are sent to the Ministry as per reporting orders."

The School Act places the responsibility for the privacy of student records on school districts, and requires, like BCeSIS, that access only be given to people whose jobs depend on it, like administrators, teachers and school counsellors.

There are no provisions requiring the digitization of school data. However, online data is a better choice than paper when it is necessary to report school enrollment numbers to the ministry by Sept. 30 in order to get educational funding.

It's not easy to go back to a paper-based information system, either. Using Delta as an example, online databases have been in use for 15 years now, although Parent Connect is only four years old.

Prior to that the district used a centralized database: schools sent their information to the district where it was manually keyed into the district's system. In 1994, they upgraded the system so schools could key the information into the centralized database, but even today individual schools cannot access student data for other schools.

"It is very important that student demographic information be available at the district and school levels," says Michaud.

"The school district needs the information to ensure we can provide educational programs, and the schools need it not only so they know what students are in their schools, but also so they can react efficiently in emergency situations."