About 1,000 past and present students in the Chilliwack School District may have been affected by a privacy breach that took place between 2005 and 2015.
A letter explaining the breach was published by the district on their website on Dec. 22, 2017, but the information has not come up in any recent public meetings. It happened through the district’s participation in research with a not-for-profit group called Educational and Community Supports, a program of the University of Oregon.
Parent Brian Mielke has been attempting to hold the district accountable for the breach for many years, with the help of the Office of the Information and Privacy Commissioner (OIPC). He cottoned onto the breach when delving into his own child’s records several years ago.
“I wanted a copy of my child’s student file,” he said. “I had to do an FOI request to get the file and it took them maybe about four or five months to respond — they went past the period and had to get permission (from OIPC) to extend it.”
When he finally received the data package, it had been heavily redacted by lawyers, but many students’ names were inadvertently missed. Seeing this as a breach of privacy for those students, he thought he’d investigate the document further. He noticed an URL at the bottom of the printout, pinged the IP for the server, and found it to be a server in Oregon.
“I immediately became concerned,” he said. “There are very clear privacy laws of data not crossing the border.”
Through further research he found the connection between School District 33 and Educational and Community Supports was for the use of a program called Positive Behaviour Information System (PBI-SWIS). This research was being used to gather information to develop a technique known as positive behaviour support for behaviourally challenged students. Data was sent across the border for the program, and the school district paid a licensing fee for the software.
In their public letter, the district states the program is used to track behavioural incidents.
“PBI-SWIS was used to gather information about the type and frequency of school based behavioural interventions on an individual and aggregated basis. Only information pertaining to students receiving behaviour support or intervention was affected,” the district says. “We estimate that the number of students affected was approximately 1,000.”
They also have been working with the Office of the Information and Privacy Commissioner to respond to privacy concerns and say there is “no information to suggest that any of this research information was used or disclosed or any purpose other than the university research.”
The OIPC confirms they’ve been working on the matter, but declined to speak about any details.
Mielke says the breach of information is also a breach of trust. He searched the internet for examples of people in the education field using Chilliwack information for their own purposes, publicly, and was able to find several examples. One of them was a PowerPoint presentation about First Nation students at a Chilliwack elementary school.
There are specific sections of the Freedom of Information Act and Protection of Privacy Act that school districts must adhere to. The letter from the school district admits that this partnership contravened that act, but does not spell out exactly how. Mielke says it was through violation of sections 30.1 (transferring student data outside of the country) and 35 (not having an agreement in place to do so).
The district says despite the breach, they feel confident that no identifying student data was compromised.
“All information shared with the researchers was stripped of student identifiers immediately upon receipt by the researchers and we have also confirmed with the researchers that all personally identifiable records have been permanently destroyed,” their letter states. In addition, they say, researchers involved were bound by confidentiality contracts.
The Chilliwack School District said that they believe the risk of any adverse impact on individual privacy is minimal. However, any individual who has questions about this matter should contact Ms. Tamara Ilersich, Director of HR at email@example.com for more information.