The Campbell River School District has sent out a warning to parents and guardians of Timberline Secondary students that some of their personal information was left unsecured on a school server and could possibly have been “inappropriately accessed.”
District Secretary-Treasurer Kevin Patrick says the file in question contained “some student names, identification, home phone number and parent email address,” and that the file was on a server accessible to students and staff using a login code.
“The shared drive is secured from the public, but students and staff have access to it,” Patrick says, adding that once the document was discovered by the district’s IT manager to be unsecured, it was immediately removed.
“We don’t think that anybody accessed it, but because we know it was accessible, we are required to report it both to the Office of the Information and Privacy Commissioner as well as notify all the people who potentially could have been impacted by any viewing of it by the public.”
The whole situation came about because one box didn’t get ticked during the process of putting it on the server, Patrick says. Some documents on that shared drive are supposed to be accessible to everyone with a login code – which all parents and students have – while others are only supposed to be accessible “by designated people.”
“Those restrictions are supposed to be set when the file is uploaded and this one was missed,” Patrick says.
While Patrick cannot discuss personnel or employee disciplinary issues, he says the person responsible for the file being accessible, “has been spoken to,” and has, “demonstrated that they will ensure they will do that in the future.”
Patrick says the district is also looking at this as a learning experience for staff.
“It’s an important reminder for all staff that we are required through legislation that we are required to keep information about individuals private, so we have had those conversations with multiple people to ensure that we will continue to maintain student and staff privacy,” Patrick says.
If anyone has any concerns about this matter, Patrick says they should contact him at the school district office (250-830-2300) or Timberline Principal Jeremy Morrow.
There are also documents on the website of the Office of the Information and Privacy Commissioner that may be of use for people who may have been affected.
Note: A previous version of this story said the server was accessible to parents of Timberline students. The server was, in fact, only accessible to students and staff.