IPC Rules: Accountability Cannot Be Outsourced in PowerSchool Breach

Nov 21, 2025


Rija Chaudhary

Vendor management continues to be a priority for the Information and Privacy Commissioner of Ontario (IPC), and its latest decision highlights why. The IPC investigated a significant cyberattack targeting PowerSchool, a third-party service provider used by 20 Ontario school boards and the Ministry of Education to manage student information through its Student Information System (SIS) and PowerSource support portal.

This case is a reminder that while institutions may outsource services, they cannot outsource accountability. Institutions remain responsible for ensuring robust safeguards to protect personal information under their custody or control.

BACKGROUND

In January 2025, the Ministry of Education and 20 school boards (the “institutions”) reported a breach involving PowerSchool’s SIS and PowerSource portals. A threat actor accessed and exfiltrated vast amounts of personal information belonging to students, parents/guardians, and educators. Approximately 3.86 million Ontarians were affected, and the impact extended to over 5.2 million individuals across Canada.

The attacker exploited credentials with elevated administrative privileges belonging to a PowerSchool subcontractor in a technical support role outside the U.S. Many institutions had enabled the “always on” remote maintenance feature, which allowed unrestricted access to SIS environments. PowerSchool detected the breach on December 28, 2024, after receiving a ransom demand, and notified institutions 10 days later, on January 7, 2025.

In July 2025, the Office of the Privacy Commissioner of Canada (OPC) reached an agreement directly with the service provider, PowerSchool. Provincial privacy commissioners can investigate the practices of educational bodies within their jurisdiction. This bulletin focuses on the decision of the IPC following an investigation, under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and the Freedom of Information and Protection of Privacy Act (FIPPA), into the institutions that engaged PowerSchool as a service provider. This decision was released on November 17, 2025, alongside a similar decision by Alberta’s privacy commissioner.

ISSUES CONSIDERED

The investigation by the IPC focused on two key issues:

  1. Did the institutions have reasonable measures to prevent unauthorized access to personal information?

  2. Did the institutions respond adequately to the breach?

ISSUE 1: WERE REASONABLE SAFEGUARDS IN PLACE?

The IPC examined whether the institutions had reasonable measures (technical, contractual, and oversight-related) to prevent unauthorized access to personal information. The investigation revealed systemic weaknesses that contributed to the breach, and concluded that reasonable safeguards were not in place.

Technical and Security Safeguards

The IPC found multiple weaknesses that collectively created a high-risk environment:

  • Elevated User Privileges: A subcontractor had elevated permissions enabling unrestricted SIS access when remote maintenance was active, contrary to the “least privilege” principle which limits access to only what is necessary for the role.

  • No Multi-Factor Authentication (MFA) on PowerSource: The portal used to access SIS lacked MFA, leaving a critical gap in account security.

  • Continuous Remote Access: Many institutions enabled “always on” remote maintenance, allowing persistent entry points without additional safeguards or monitoring.

  • Short Log Retention: Limited logging prevented detection of earlier unauthorized activity and hindered forensic investigation.
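The four weaknesses above map onto controls an institution can verify for itself rather than take on trust from a provider. The Python script below is an added example, not part of the IPC decision, this bulletin, or PowerSchool's own code. It models time-bound ("as needed") vendor maintenance windows tied to a change ticket against an open-ended "always on" grant, checks constructed vendor access log lines for missing MFA and for activity outside an approved window, and shows how a short log-retention period removes earlier activity from what an investigation can see. The log format, account name, ticket number, dates, actions and retention periods are all constructed for illustration and do not describe the actual incident timeline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log format (illustrative, not PowerSchool's): ISO timestamp, then key=value fields.
SAMPLE_LOG = [
    "2024-11-05T14:00:00Z account=vendor-support-01 mfa=true action=patch_apply",
    "2024-12-22T03:14:00Z account=vendor-support-01 mfa=false action=export_students",
    "2024-08-20T02:05:00Z account=vendor-support-01 mfa=false action=query_students",
]
# Constructed detection date for the scenario (not the real timeline).
DETECTED_AT = datetime(2024, 12, 28)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    account: str
    mfa: bool
    action: str


@dataclass(frozen=True)
class MaintenanceWindow:
    """An approved, time-bound grant of remote access tied to a change ticket."""
    account: str
    start: datetime
    end: datetime
    ticket: str


def parse_event(line: str) -> AccessEvent:
    """Parse one constructed log line into an AccessEvent."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AccessEvent(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        account=kv["account"],
        mfa=kv["mfa"] == "true",
        action=kv["action"],
    )


def always_on_window(account: str) -> MaintenanceWindow:
    """Models the 'always on' remote maintenance setting: an open-ended grant with no ticket."""
    return MaintenanceWindow(account, datetime.min, datetime.max, ticket="none")


# "As needed" access: one window per approved change (constructed ticket and times).
AS_NEEDED_WINDOWS = [
    MaintenanceWindow("vendor-support-01",
                      datetime(2024, 11, 5, 13), datetime(2024, 11, 5, 16), "CHG-1001"),
]


def visible_events(events, retention_days: int, detected_at: datetime):
    """Return only the events that still exist in the logs at detection time."""
    cutoff = detected_at - timedelta(days=retention_days)
    return [e for e in events if e.ts >= cutoff]


def evaluate(events, windows):
    """Flag vendor activity without MFA and activity outside any approved window."""
    findings = []
    for e in events:
        if not e.mfa:
            findings.append(("no_mfa", e))
        approved = any(w.account == e.account and w.start <= e.ts <= w.end for w in windows)
        if not approved:
            findings.append(("outside_window", e))
    return findings


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LOG]
    for retention in (30, 180):
        seen = visible_events(events, retention, DETECTED_AT)
        print(f"retention {retention}d: {len(seen)} of {len(events)} events still available")
        for kind, e in evaluate(seen, AS_NEEDED_WINDOWS):
            print(f"  as-needed  {kind:15} {e.ts:%Y-%m-%d} {e.account} {e.action}")
        for kind, e in evaluate(seen, [always_on_window("vendor-support-01")]):
            print(f"  always-on  {kind:15} {e.ts:%Y-%m-%d} {e.account} {e.action}")
```

Two things stand out when the script runs. With the "always on" grant every access is approved by definition, so the only signal left is the missing MFA; only a time-bound window lets the institution tell maintenance from misuse. And with 30 days of retention, the scenario's earliest activity is simply absent at detection time, which is the forensic gap the IPC describes under short log retention.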

Contractual Agreements with PowerSchool

Institutions contracted with PowerSchool individually, resulting in inconsistent agreements. Some were outdated and lacked key provisions recommended by the IPC, including:

  • Confidential information

  • Notice of compelled disclosure

  • Subcontracting restrictions

  • Security obligations

  • Retention and destruction schedules

  • Audit rights

  • Governing law

The IPC urged institutions to review and renegotiate agreements to include these provisions rather than relying on PowerSchool’s standard templates. Further, in a message addressed to the sector at large, the Commissioner urged relevant government actors and school boards to collaborate in their approach to contracting with ed tech providers, including:

“…to work together when negotiating new or revised Agreements with ed tech providers to ensure inclusion of the IPC’s recommended privacy and security provisions. By doing so, Ontario’s school boards can also exact more leverage in requiring ed tech providers to provide them with the information and documentation necessary to effectively oversee and monitor compliance with the agreements.”

Oversight & Monitoring of PowerSchool

Even where agreements contained adequate terms, institutions failed to enforce them. Oversight gaps included:

  • Access privilege controls for user accounts,

  • Use of multi-factor authentication (MFA) on both SIS and PowerSource,

  • Log-retention practices,

  • Adherence to data-retention schedules,

  • Delivery of required audit reports and vulnerability assessments, and

  • Compliance with breach-notification timelines.

The IPC stressed that institutions remain accountable for ensuring compliance. Future agreements should include robust enforcement mechanisms, such as penalties for non-compliance, and institutions must actively exercise these rights.

ISSUE 2: DID INSTITUTIONS RESPOND ADEQUATELY TO THE BREACH?

The IPC concluded that the institutions’ response was inadequate due to gaps in breach planning, data retention, and oversight of PowerSchool. Key deficiencies, even after remedial measures had been taken, included:

  • Lack of robust breach response plans and early detection processes involving the service provider

  • Absence of clear retention schedules and regular purging of outdated personal information

  • Weak monitoring and enforcement of privacy and security measures to protect personal information held in PowerSchool’s SIS and PowerSource.

Response Highlights
  • Breach Plans: Some boards had structured response plans, but others lacked protocols for third-party breaches. The IPC stressed that institutions must not only maintain their own plans but also verify that service providers have robust incident response procedures and share them on request.

  • Scope & Data Issues: Investigations confirmed the breach involved highly sensitive data (such as health card numbers, SINs, and insurance policy details), much of which was collected without legal authority or necessity. This over-collection amplified the risk of harm.

  • Law Enforcement: Only three boards reported the attack directly to Ontario police; most relied on PowerSchool, which only contacted U.S. authorities. The IPC emphasized that institutions should ensure direct reporting to local law enforcement for cyberattacks of this magnitude.

  • Containment: Institutions removed unauthorized data fields and stopped collecting unnecessary information. PowerSchool isolated the compromised portal, revoked credentials, and added restrictions.

  • Notification: Institutions issued direct notices to individuals with the most sensitive data and indirect notices via websites, press releases, and social media. While most notices were clear and updated regularly, some were buried on websites, limiting accessibility. IPC recommended prominent placement for future notices.

  • Investigation: PowerSchool hired a cybersecurity firm but refused to share full forensic reports despite contractual obligations. IPC advised institutions to demand these reports and require PowerSchool to strengthen early breach detection, given the four-month delay in discovery.

CONCLUSION

The IPC found that the institutions lacked reasonable safeguards and failed to respond adequately to the PowerSchool cyberattack. Weak security controls, outdated contracts, and poor oversight amplified the breach’s impact, exposing millions of records. This case highlights that vendor management is not just a procurement exercise; it is a privacy compliance obligation. Institutions must actively monitor third-party providers, enforce contractual rights, and adopt strong technical and governance measures to protect personal information.

RECOMMENDATIONS

The IPC urged the institutions to strengthen both technical safeguards and vendor oversight:

Technical & Security Measures
  • Restrict remote SIS access to “as needed” only.

  • Review PowerSchool’s security policies for MFA, access controls, and log retention; demand fixes where gaps remain.

Contractual & Oversight Measures
  • Amend agreements to include essential privacy/security clauses and strong enforcement rights.

  • Require annual security audits and certifications (ISO, SOC 2) and vulnerability assessments.

  • Standardize monitoring processes and enforce contractual rights when PowerSchool fails to comply.

Other Recommendations
  • Stop collecting unnecessary sensitive data and implement retention schedules with regular purging.

  • Update breach-response plans to address third-party risks.

  • Ensure timely notification to individuals whose personal information was involved in the cyberattack.

  • Conduct Privacy Impact Assessments and adopt stronger procurement practices aligned with IPC guidance.

KEY TAKEAWAYS FOR INSTITUTIONS

Accountability Cannot Be Outsourced

Even when using third-party service providers, institutions remain responsible for safeguarding personal information. Vendor management is not just a procurement issue; it’s a privacy compliance obligation.

Strengthen Contracts and Oversight

Ensure agreements include robust privacy and security provisions, enforceable audit rights, and clear breach-notification timelines. Actively monitor compliance and demand evidence such as security certifications and vulnerability assessments.

Limit Risk Through Data Minimization Practices

Stop collecting unnecessary sensitive information (e.g., health card numbers, SINs) and implement retention schedules with regular purging to reduce exposure in the event of a breach.

Plan for Breaches Involving Vendors

Maintain a breach-response plan that addresses third-party incidents and verify that service providers have their own plans. Test these plans regularly.

Conduct Privacy Impact Assessments (PIAs)

As of July 1, 2025, PIAs are mandatory for FIPPA institutions in the circumstances outlined. The IPC recommends all institutions, including those designated under the MFIPPA, conduct PIAs in accordance with its recently updated guidance document: Planning for Success: Privacy Impact Assessment Guide.
