
What Can Service Providers to the Public Sector Learn From the PowerSchool Privacy Incident?

January 28, 2026

On November 17, 2025, Ontario’s Information and Privacy Commissioner (ON IPC) and Alberta’s Office of the Information and Privacy Commissioner (AB OIPC) each released the findings of their investigations into a cybersecurity incident at a widely used third-party service provider, PowerSchool Canada ULC (PowerSchool), which affected 5.2 million Canadians across several schools and school boards in Canada.

The reports considered whether the Ontario and Alberta institutions had reasonable measures in place to prevent unauthorized access to personal information. The ON IPC found that some institutions (a) did not have reasonable provisions in their agreements with PowerSchool to ensure the privacy and security of personal information, and (b) did not have sufficient oversight or monitoring measures in place to ensure personal information would be protected. Similarly, the AB OIPC found the institutions did not have policies or procedures in place to meet their security obligations as it relates to vendor management.

In this bulletin, we discuss what service providers to public-sector institutions may expect in terms of changes to contracting with and providing services to such institutions in light of these reports.

Providing Services to Government Institutions

The ON IPC’s report highlighted the contractual terms it expects to be in place between government institutions and third-party service providers to ensure the personal information shared is protected in accordance with Canadian privacy laws. Examples of terms service providers to Ontario public sector institutions should expect to be included in service agreements, particularly where sensitive information is involved, include:

  • Ownership of Data: Personal information must definitively belong to the institution.
  • Collection, Use and Disclosure: The service provider may process personal information only for the purposes the institution has authorized; processing for the service provider’s own commercial benefit is prohibited unless the institution expressly permits it.
  • Notice of Compelled Disclosure: If the service provider is legally compelled to disclose the institution’s personal information, the institution must be promptly notified and given the opportunity to seek a protective order or other remedy to prevent disclosure.
  • Subcontracting: The service provider cannot subcontract without approval from the institution, and subcontractors must be bound by the same or equivalent privacy and security obligations as the service provider.
  • Security: The service provider must ensure the security and integrity of personal information. Where sensitive personal information is processed by a service provider, details surrounding such measures should be granularly described in a Data Processing Agreement (DPA); for instance, password requirements, encryption standards or employee training should be specified.
  • Retention and Destruction: The service provider must return all the institution’s confidential information, including personal information, at or before the end of the contract. Requirements for record retention and destruction procedures for the duration of the contract should be established.
  • Audits: The service provider should be required to undergo annual privacy and security compliance audits. Copies of the audit reports should be provided to the institution, and the institution should confirm that any compliance gaps identified are being appropriately remediated by the service provider.
  • Breach Reporting: The service provider must notify the institution of any breach of its security safeguards and provide details regarding the incident.

Additionally, both the AB OIPC and the ON IPC stressed the importance of institutions pre-assessing and routinely monitoring the information security and privacy practices of their service providers and ensuring there are meaningful consequences in place for instances of service provider non-compliance with data protection terms. Institutions will not meet their safeguarding obligations by simply imposing information security and privacy obligations on service providers by contract.

For instance, while the AB OIPC found that the contractual protections established were generally adequate, it still found that the public institutions failed to properly safeguard the personal information involved because they did not satisfy themselves that PowerSchool actually had these measures in place, that they were working as expected and that they were maintained throughout the term of the contract. The AB OIPC closely compared the contractual information security obligations imposed on PowerSchool with PowerSchool’s actual information security policies and practices and identified several deficiencies and discrepancies. These deficiencies should have been identified by the public institutions in their vendor due diligence processes, both in the pre-contractual assessment phase and the ongoing monitoring phase, and addressed by the public institution to meet its safeguarding obligations.

Key Takeaways

As a result of these findings, service providers to public-sector institutions may experience requests for more detailed information regarding the service provider’s information security and privacy practices prior to entering into service agreements. Public-sector institutions may also demand service providers offer more frequent disclosure of information security audit reports, results from vulnerability and penetration tests or scans, or evidence of ongoing privacy and cybersecurity training of personnel who have access to client data throughout the term of the agreement.

Service providers will need to balance responding to these requests with sharing only the confidential commercial information that is actually necessary for the institution’s due diligence. When sharing such information, service providers should clearly label it as confidential, since information held by a public-sector institution may be subject to an access to information request.

For more information, please contact the authors or any other member of our Privacy & Data Protection group.
