Feb 14, 2025

Manitoba Ombudsman has been made aware that there have been privacy breaches across many Manitoba school divisions that use PowerSchool data management platforms.

PowerSchool is a cloud-based platform used by students, educators and educational institutions across Canada. PowerSoft has shared on its website that there was “unauthorized exfiltration of certain personal information” from its systems used across the country, including in Manitoba.

The initial steps school divisions should take in responding to a breach are containing the breach, evaluating the risks associated with the breach and notifying affected individuals. Additionally, all school divisions affected would be required to submit privacy breach reports to our office, as outlined under The Freedom of Information and Protection of Privacy Act (FIPPA) and The Personal Health Information Act (PHIA).

Are school divisions required to report to Manitoba Ombudsman?

A privacy breach occurs when there is theft or loss, or unauthorized access, use, disclosure, destruction or alteration of personal information or personal health information. As of 2022, Manitoba public bodies and trustees are required to report privacy breaches to Manitoba Ombudsman when the public body or trustee determines there is a real risk of significant harm to an individual because of the breach.

The criteria for determining if a breach could create a risk of harm is defined under FIPPA regulation and PHIA regulation. Criteria includes determining if there is evidence of malicious intent, such as the breach being a result of theft or gaining unauthorized access to a computer system.

Educational bodies such as school divisions, universities, and colleges are required to report privacy breaches under FIPPA and are also subject to PHIA if they hold personal health information.

What happens when a public body or trustee reports a breach to Manitoba Ombudsman?

After receiving a privacy breach report our team would conduct a review. We determine if the public body or trustee took all reasonable steps to respond to the breach. We assess the public body or trustee's compliance with legislation and regulation for determining real risk of significant harm, and review how affected individuals were notified. We may identify gaps in the response and ask the public body or trustee to address them. We may also give guidance and make recommendations, if needed, for appropriate action to improve privacy protections and prevent similar breaches from happening again in future.

Typically, privacy breach final reports are provided directly to the public body/trustee in order for them to make any necessary improvements to mitigate harm and prevent additional breaches of privacy. We publicly publish final reports with recommendations or reports that are of significant public interest on our website.

What if I am affected by the breach?

When a privacy breach occurs, the public body is your main source of ongoing information and updates about the breach and any measures, supports and services they may be offering to you as a result. In Manitoba, many school divisions have set up dedicated web pages to provide anyone affected with information.

You may also want to research what impacts this may have on you, your children or children in your care. Resources that may be helpful:

Notice of Data Breach for Individuals in Canada
Information for individuals - Canadian Centre for Cyber Security

Has Manitoba Ombudsman received privacy breach reports from impacted Manitoba school divisions?

We have been made aware that there have been privacy breaches across many Manitoba school divisions. All school divisions affected would be required to submit privacy breach reports to our office, as required by FIPPA and PHIA.

We will not comment to media or individuals on any particular school division or provide any further detail at this time. Please refer to the information on the page for any of your questions.

Is Manitoba Ombudsman investigating PowerSchool?

The ombudsman’s jurisdiction is for Manitoba public bodies and trustees. PowerSchool is a private company and is not a public body or trustee. When a public body/trustee uses an “information manager” the public body/trustee is still deemed to have custody and control of the personal information.

An information manager is a person or body that processes, stores, or destroys personal information and personal health information for a public body/trustee, or that provides information management or information technology services for a public body/trustee. Section 25 of PHIA and Section 44 of FIPPA set out requirements about information managers.

When a public body or trustee provides personal information to an information manager, FIPPA and PHIA require the body/trustee to enter into a written agreement that provides for the protection of the information against risks such as unauthorized access, use, disclosure, destruction, or alteration, in accordance with FIPPA/PHIA regulations.

Information managers must comply with the requirements of the acts related to the protection, retention, and destruction of personal information or personal health information, as well as duties imposed on them under the required written agreement.

On February 11, 2025 the Privacy Commissioner of Canada Philippe Dufresne announced that his office is launching an investigation into PowerSchool, the private company/information manager that is involved in these privacy breaches. That office has jurisdiction over private businesses under The Personal Information Protection and Electronic Documents Act (PIPEDA).

Can I file a complaint with the ombudsman?

Yes, you can make a complaint to the ombudsman about how a public body/trustee handled your personal information or personal health information including instances where information was disclosed/shared in a way that is not authorized by law.

For individuals affected by large privacy breaches reported to our office, that privacy breach will be reviewed regardless of if we receive individual complaints or not.

What are your privacy rights?

Manitoba public bodies and trustees should only collect, use, store or disclose your personal information or personal health information as authorized under FIPPA and PHIA. You have the right to:

• privacy of your personal or personal health information, which should only be collected, used and disclosed for purposes allowed by FIPPA and PHIA
• protection of your personal or personal health information through physical, administrative and technical security safeguards
• access your personal or personal health information, and ask that any errors be corrected
• be notified by a public body or trustee of a privacy breach when required
• have someone else exercise your rights, including making a complaint on your behalf
• make a complaint to the ombudsman about how a public body or trustee handled your personal or personal health information or the body’s response to your request to access/correct that information

Learn more about:

• Making a complaint
• The Freedom of Information and Protection of Privacy Act
• The Personal Health Information Act