The Office of the Information and Privacy Commissioner (OIPC) has released its report examining the PowerSchool cyber attack that compromised the personal information of students, parents/guardians, and teachers across Newfoundland and Labrador’s K–12 education system. The Report, released on May 11, 2026 examines the actions of the Department of Education and Early Childhood Development (the Department), which is the public body responsible for safeguarding personal information held within the PowerSchool Student Information System (PowerSchool SIS).

What follows is an overview of some of the Report’s findings. To view the Report in its entirety, please go to www.oipc.nl.ca/reports/atippa-2015-privacy-reports/.

OIPC acknowledges the important work of Information and Privacy Commissioners in Ontario, British Columbia, and Saskatchewan, whose investigations and reporting on PowerSchool informed and supported this Office’s findings.

Acting under the authority of the Access to Information and Protection of Privacy Act, 2015 (the Act), Commissioner Kerry Hatfield initiated an own‑motion investigation to assess whether the Department had appropriate security measures in place at the time of the breach and whether it took reasonable steps in responding to the breach.

The PowerSchool privacy breach extended far beyond the current generation of teachers, students, and parents or guardians. Teacher personal information in PowerSchool SIS dated back to 2010. Student personal information in PowerSchool SIS dated back further to 1995, meaning anyone who attended as a student or had a child in the K–12 educational system in Newfoundland and Labrador from 1995 onward likely had personal information taken in the PowerSchool breach.

While the Report identified weaknesses in contractual language governing PowerSchool’s services with the Department, it concludes that the primary issue was not what PowerSchool committed to in its agreements but its failure to meet those commitments in practice. The Department, being the public body responsible for the protection of personal information being stored in PowerSchool SIS, did not have sufficient oversight mechanisms in place to effectively monitor or verify PowerSchool’s compliance with its contractual and security obligations.

OIPC’s Report sets out a series of recommendations focused on strengthening the Department’s contractual requirements, enhancing oversight measures, and improving information management and security practices.

Overall, the Report finds that the Department took reasonable steps in its response to the breach. However, there are several recommendations to improve the clarity and effectiveness of future notification efforts. The Report also recommends that the Department directly notify a small group of current students who were identified as potentially having Social Insurance Number (SIN) information affected.

The breach included the MCP numbers of 244,917 from student records consisting of current and former students. OIPC’s Report concludes that the Department’s collection and retention of student MCP numbers was not authorized under the Act. As a result, the Report recommends that the Department immediately cease collecting this information and permanently remove existing MCP numbers from student records.

“This was a significant breach that affected hundreds of thousands of people across the province, many of them children,” said Information and Privacy Commissioner Kerry Hatfield. “This report makes clear that protecting personal information requires active oversight, limited collection, and ongoing verification that safeguards are working as intended. The recommendations set out practical steps to better protect personal information going forward.”

The release of this Report aligns with OIPC’s broader efforts to protect the digital privacy of children and youth, an area identified as a strategic priority in the Office’s 2023-2026 Activity Plan. Through this work, OIPC has launched a Youth Privacy Resource Hub to support students, parents, and educators in understanding and navigating digital privacy risks, and OIPC has joined the advocacy efforts of national and international partners in a federal/provincial/territorial joint resolution of privacy oversight officers across Canada on educational technologies, as well as with privacy regulators from around the world in the Global Privacy Assembly joint statement on AI-Generated images.

“Our Office is committed to protecting the privacy of children and youth through investigation, education, and collaboration,” said Information and Privacy Commissioner Kerry Hatfield. “This work is critical as digital technologies continue to expand in classrooms and beyond.”

-30-

Media contact
Sean Murray
Director of Research & Quality Assurance
709-729-6309