Student Privacy and You

Teachers and their schools are guardians of a great deal of information about students and their families.

Is all that information private?

What are teachers’ obligations when handling personal and confidential data?

by Graham F. Scott

In the last year, news about serious privacy breaches, in Canada and around the world, has heightened public concern about the protection of personal information.

In just one notable instance, Passport Canada’s web site mistakenly allowed users last November to see other applicants’ names, addresses, phone numbers and even social insurance numbers.

Technology may have made the collection and use of personal information easier, but it has also made the abuse of information easier, and identity theft is among the fastest-growing crimes in the world.

In Ontario, legislation is evolving to protect personal information, and school boards have updated their procedures to comply with the new laws and regulations concerning the collection, storage and use of personal information about students.

But the ultimate task of protecting students’ privacy rests, in many cases, with individual teachers in the classroom.

Classroom teachers and principals are keepers of a huge trove of personal information about students and their families, and Ontario teachers need to be aware of their rights, obligations and liabilities when handling confidential data about students.

“In the last 10 or 15 years new legislation has come out, lots of new regulation, lots of new policy,” says Theresa Shanahan, an assistant professor at York University who teaches a course on legal issues for educators. “There’s so much for people to know, and there’s a whole generation of educators that really needs some catching up in this new landscape.”

Ontario school boards must follow a patchwork of laws that govern the collection and use of student information: the Education Act, the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and the Personal Health Information Protection Act. There is overlap and duplication in privacy laws in Canada, and each level of government has its own jurisdiction, which can sometimes make the expectations for teachers seem confusing. But the core principle of all privacy law is essentially the same: unless explicit consent is given to disclose it, personal information is kept secret.

Under MFIPPA, “personal information” is any recorded information about an identifiable individual. Data such as name, address, ethnic background, blood type and fingerprints are all considered personal information. It also includes employment or criminal history, financial dealings and health records.

Under the Education Act, school boards have the authority to collect a lot of personal information about students when they register, and simply by registering their child it’s implied that a family is consenting to that information being collected. It’s when the information has to be shared with others that problems can arise. There are some good basic rules to follow, however.

Seven virtues of privacy protection

The Information and Privacy Commissioner of Ontario and the Access and Privacy Office of the Ontario government offer advice for safeguarding personal information. Here are some steps to take to ensure compliance with MFIPPA.

  1. Collect only as much personal information as you need to do your job.
  2. Collect information directly from individuals, or for students under 18, directly from their parents or guardians – not from third parties.
  3. Explain why you need to collect the information and exactly how it will be used.
  4. Get consent from students, or for students under 18, from parents, for the collection, storage and use of personal information.
  5. Store personal information securely. Keep hard copies under lock and key, such as in a locked filing cabinet; keep electronic documents on a password-protected computer. A clean desk will help prevent sensitive information being misplaced or stolen.
  6. When in doubt, ask for advice from the school principal or the board staff member in charge of privacy. (Ontario law requires every board to have one such contact person.)
  7. When you no longer need the personal information to do your job, destroy it by shredding paper documents or securely erasing electronic ones.


The Ontario Student Record (OSR) is a good place to start when considering how student information is to be treated. Each student’s OSR includes an office index card giving her or his name, student number, address, phone number, gender, birthdate, any enrolment and transfer dates, names of parents and guardians or both, and emergency contact numbers. The OSR also includes report cards and an official student transcript. Some of this information may be duplicated elsewhere or be available to teachers in another form, but the OSR itself – and all the information in it – is to be kept strictly confidential by school boards.

Information from OSRs may be released only under certain circumstances. Students themselves, at any age, have the right to access their records, as do their parents.

Teachers and school officials also have fairly broad – but not universal – leeway to access OSRs. They are allowed to access a student’s OSR only for purposes of improving the student’s instruction. That broad term, “improvement of instruction,” taken from the Education Act, means there are many occasions when it’s perfectly appropriate to access OSRs. But it’s not always appropriate.


“In the last 10 or 15 years new legislation has come out, lots of new regulation, lots of new policy.”

Sometimes, with the best of intentions, a teacher can make a mistake. Shanahan offers an example: Teacher-candidates returned from classroom placements and mentioned that one teacher, as a learning opportunity, was planning to hand out a bunch of OSRs so the teacher candidates could get a sense of what they actually contain. “And these are real live OSRs,” she recalls. She told the candidates, “That teacher can’t do that. You guys [the teacher-candidates] have no business looking at that stuff, and even teachers have no business looking at it, except for the purpose of educating their students.”

Other limited disclosures of information from the OSR are sometimes permitted, such as complying with a court order under the federal criminal code, in a civil suit, or under a court order under the Child and Family Services Act.

But even in these cases, principals are advised by the Ministry of Education to consult with their boards’ legal counsel before turning over any records. (Teachers are still required to disclose suspicion of abuse to the Children’s Aid Society under the Child and Family Services Act.)

Professional ethics

Wilfully disclosing personal information can result in a fine of up to $5,000 under MFIPPA. Wilfully breaching privacy, however, is a rare occurrence. Most privacy breaches are inadvertent or accidental. Nonetheless, parents can sue a school for breaching their child’s privacy.

Roger Mills, legal advisor to the Ottawa-Carleton DSB, says that parents could seek a remedy in the courts “if personal information was disclosed and they could establish that there were some damages as a result.”

If the teacher was acting in the course of duty when the breach occurred, he or she could potentially be covered by the school board’s insurance. Mills says he has never seen such a case proceed, however.

While teachers should be aware of the legal consequences and liabilities involved in privacy law, such issues are unlikely to come up in the day-to-day work of teaching. In most cases it’s simply a matter of professional ethics. But breaching a student’s privacy without the student’s or parents’ consent, if the disclosure is not required by law, could still result in a finding of professional misconduct under the College’s misconduct regulation.

One way to think of it is that individuals own all personal information about themselves. When students enrol, they lend that information to the school, but ultimately the information is still theirs. And only the owner of that information is allowed to decide when, where and how it will be used.

Personal information is found in many other places besides OSRs. Teachers are privy to personal details about their students simply by virtue of sharing a classroom with them for hours each week. They may take notes about students in class to help them recall important details later. Permission slips require parents’ names and phone numbers. Even calendars and day planners may contain personal information about students, such as e-mail addresses or phone numbers, that teachers have a duty to safeguard. Like the data in the OSR, this information is considered strictly confidential and can be shared only under certain circumstances.

Use judgment

The best rule of thumb is this: consider whether disclosing information will contribute to improved instruction for the student. Privacy regulations can’t make that decision for you. This is where the law steps back and professional ethics take centre stage – in judging just when information-sharing will improve the education of a student, and when it won’t. Professional ethical standards provide guidance.

For instance, say that Fatima’s parents are divorcing and her marks are slipping as a result. Sharing that information in the staff room with a colleague, so that Fatima can get some extra help and support, will improve her education. Sharing the same information with the same colleague, but this time in the produce aisle at the grocery store, is unlikely to meet professional standards.

“Confidential information about students’ lives should not be the source of gossip or frivolous discussion,” says Elizabeth Campbell, an associate professor who has taught professional ethics at OISE/UT. “It should be shared sparingly and only when compelled by law, or in cases of helping students and serving their best interests.”


“I think that teachers intuitively know to protect the privacy of the information they collect.”

To share or not to share – that is the question. Nancy Massie says common sense usually provides the answer. Massie, Chair of the Freedom of Information / Records Management Committee of the Ontario Association of School Business Officials and Assistant Manager Records Management, MFIPPA with the York Region DSB, says teachers should be alert but don’t have to feel paranoid.

“I think that teachers intuitively know to protect the privacy of the information they collect,” Massie says. “They may not know the particulars of the legislation, but out of pure respect and ethical instinct, they do, for the most part, do the right thing.” When in doubt, she says that asking the school principal or the board’s freedom of information or privacy officer is a good place to start. “I always recommend to teachers to err on the side of caution. Say no first and then figure it out afterwards. Because once you’ve let personal information out, you can’t get it back.”

Guiding standards

The Ontario College of Teachers’ Ethical Standards for the Teaching Profession are based on four values: care, respect, trust, and integrity. All four qualities are key to the responsible stewardship of personal information and can act as a guide. The standard of respect, in fact, explicitly names confidentiality as an ethical standard. Care implies that teachers must protect personal information although in cases of suspected abuse, the same ethical standard – not to mention the Child and Family Services Act – dictates that a teacher must speak up in the student’s best interest.

Teachers should be aware that any kind of personal information, even a note they may jot about a student in the margin of a daybook, is the property of the individual, who has a right to request that information under freedom of information laws.

“It needs to be understood that all of our information really belongs to the board,” says Massie. “If you weren’t an employee here, you wouldn’t have the information to record or to file, or even to discuss. So if the board is setting procedure around proper protection of information, you have an obligation to protect it.”

Students and parents have the right to request access to even casually recorded information. Massie recalls a recent instance where a parent asked to see all written documentation of her child. “That included what was in a teacher’s daybook,” says Massie. “The teacher was really quite surprised to discover that such information could be taken and shared with the parent. Teachers may think their daybooks are their own personal property, and indeed they are not.”

Non-classroom activities may present some privacy concerns, and it’s worth being aware of them. Yearbooks and school newsletters often contain names and photos of students, for instance, which is technically personal information. These seldom cause problems, but parents have been known to lodge complaints or ask that information about their children be removed from such publications. And putting a newsletter on the Web, with no control over who sees it, further increases privacy concerns.

Help at hand

The thicket of potential hazards may seem daunting, but there is help. Teachers in training receive some general instruction in privacy and confidentiality through courses on law and education. Many boards offer professional development opportunities for working teachers to learn more about privacy and confidentiality issues, and under MFIPPA, each board must have a staff member who can explain the authority under which personal information is collected, and answer questions about how it can be used, shared and disposed of. In addition, the Privacy Commissioner’s office provides a roster of privacy experts. Schools can book these experts to talk to staff or students about privacy issues.


“Unless privacy policies are woven into the fabric of an organization’s day-to-day operations, they won’t work.”

In the end, safeguarding the privacy of students needs to be inherent in professional practice. “Upholding compliance with Ontario privacy laws is not simply a matter of following the provisions of enacted legislation,” Ontario Information and Privacy Commissioner Ann Cavoukian said in a speech last year. “Unless privacy policies are woven into the fabric of an organization’s day-to-day operations, they won’t work – full stop.” In hospitals, government offices and schools, Cavoukian said, privacy must become “embedded in the institutional culture.”

“Everyone needs to be brought up to speed about what the current situation is” around students’ privacy, says Shanahan. “It’s got to be attended to.”

Teaching about privacy

Teachers aren’t the only ones with a responsibility to protect students’ privacy. Students themselves should be informed about their rights and how to protect their personal information. This may be uphill work. Anyone who has spent time on MySpace, Facebook or Bebo knows that many students don’t mind letting it all hang out online. But that makes for good opportunities to engage students in conversations about privacy, citizenship and interactions between individuals and government.

The web site of the Information and Privacy Commissioner of Ontario offers lesson plans and resources to teach students about freedom of information and the importance of protecting their privacy, with downloadable teachers’ guides for Grades 5, 10, 11 and 12 curriculum.

It’s never too early to educate students about the importance of their personal information – or too late.

Top of Page