
Privacy Law for Private Schools in Canada

By Yong Du

PIPEDA and provincial PIPA obligations for Canadian private schools — what student and family data you hold, heightened protections for minors, breach reporting requirements, and compliance for independent schools of any size.

What makes private schools distinct

Private schools collect personal information about minors — a category that receives heightened protection under PIPEDA and equivalent provincial legislation because children cannot fully appreciate the privacy implications of disclosing personal information. The school acts as a custodian of information entrusted by families, often including sensitive health information (allergies, medical conditions, diagnoses), learning assessments and IEPs, and family financial details (tuition payment, bursary applications).

Schools also operate in loco parentis — the duty of care creates legitimate reasons to collect health and medical information that would otherwise be exceptional. That same duty creates responsibility to protect that information appropriately.


Which laws apply

Jurisdiction | Applies when | Regulator
PIPEDA | The school is a private, tuition-based institution; or students or families are in provinces without substantially similar legislation | OPC — priv.gc.ca
Alberta PIPA | Students, families, or employees are Alberta residents | OIPC Alberta — oipc.ab.ca / breachnotice@oipc.ab.ca
BC PIPA | Students, families, or employees are BC residents | OIPC BC — oipc.bc.ca

Public schools and publicly funded institutions are subject to provincial FOIPP/FIPPA legislation, not PIPEDA or provincial PIPA. This guide covers private independent schools only.


What personal information private schools hold

Student academic records: Enrollment records, transcripts, report cards, course selections, graduation requirements, standardized test scores.

Student health and medical information: Allergies and anaphylaxis plans, medications administered at school, diagnoses relevant to the school's duty of care, physician notes, vaccination records.

Student learning and support records: Individual Education Plans (IEPs), psycho-educational assessments, learning disability diagnoses, tutoring or support service records, accommodation documentation.

Student disciplinary records: Incident reports, suspension records, meeting notes, correspondence with families about conduct.

Family and financial information: Parent/guardian names and contact details, tuition payment records, banking or credit card information, bursary or financial aid applications (including family income details).

Employee information: SINs, banking details, teaching licences and certifications, criminal record checks (Vulnerable Sector Checks), employment records.


Common breach scenarios

Phishing: An administrator's or teacher's email account contains student records, family contact details, and sensitive correspondence. A compromised school email account is a direct path to student personal information. See Phishing and Business Email Compromise.

Ransomware: School management systems holding student academic, health, and family records are ransomware targets — the combination of information about minors and sensitive health/learning data creates significant extortion leverage. See Ransomware Attack: What Canadian SMEs Must Do.

Cloud platform breach: Learning management systems (Canvas, Brightspace, Google Workspace for Education), student information systems, and communication platforms hold student data on the vendor's infrastructure; if one of these platforms is compromised, the incident is a vendor breach scenario. See Vendor or Third-Party Breach.

Unauthorized employee access: A staff member accessing student records beyond those in their teaching or administrative responsibility. See Unauthorized Employee Access.


RROSH in a private school breach

Minor's information: The OPC and provincial commissioners treat personal information about minors as deserving heightened protection. A breach of student records is more likely to meet the RROSH threshold than an equivalent breach of adult personal information, because children are more vulnerable to harm from unauthorized disclosure and have less capacity to protect themselves.

Learning and health records: IEPs, psycho-educational assessments, and health condition information are among the most sensitive student records. Unauthorized disclosure can affect a student's educational opportunities, social relationships, and self-image. RROSH is likely present whenever these records are part of a breach.

Disciplinary records: Unauthorized disclosure of a student's disciplinary history can affect their future academic placements, references, and reputation. RROSH depends on the severity of the information and the realistic harm from its disclosure.


Core compliance obligations

Privacy officer: Designate a named individual — typically the head of school, registrar, or administrator — responsible for PIPEDA compliance. Their contact must appear in the school's privacy policy.

Privacy policy: Describe what student and family information is collected, why, which third parties it is shared with (educational authorities, post-secondary institutions, service providers), how it is protected, and how families can access student records or make a complaint. The policy must be available to families at the time of enrollment.

Enrollment consent: Enrollment forms must include a privacy disclosure and consent covering: what information is collected and for what purposes, who it may be shared with, how long it is retained, and how families can access records or withdraw consent. Consent for non-routine uses (sharing records with a research body, using photographs in marketing) must be separate and specific.

Vulnerable Sector Checks: Staff who work with minors must undergo criminal record checks (Vulnerable Sector Checks) — those records are personal information subject to PIPEDA and must be handled with the same care as other sensitive employee records.

Retention: Student academic records should typically be retained permanently (transcripts) or for a period sufficient to respond to future inquiries about qualifications. Other student records (disciplinary, health notes from a specific incident) have shorter retention periods. Align retention periods with provincial independent school association guidance and your legal counsel's advice on limitation period exposure.

Vendor contracts: Every learning management system, student information system, and communication platform must have written contracts with privacy and security obligations. Confirm that platforms used for student data have been assessed for compliance with Canadian privacy law, not just US FERPA or GDPR standards.

Safeguards: Encrypted storage for all student records, access controls limiting staff to records relevant to their role, MFA on school management systems, secure destruction of paper records and retired devices, and policies governing staff use of personal devices for school communications.

Family notification specifics: When notifying families of a breach involving student records, address the notification to the parent or guardian for minor students, or directly to the student if they are an adult. Describe specifically what student information was involved and what the school is doing. Advise families to monitor for any signs that the student's personal information is being misused.


Experienced a breach at your school? ClearBreach walks private schools through their RROSH assessment across PIPEDA, Alberta PIPA, and BC PIPA and generates regulator reports and family notification letters in under 15 minutes. Start your assessment →



This guide covers PIPEDA, Alberta PIPA, and BC PIPA obligations for private, tuition-based schools. Publicly funded schools are subject to provincial FOIPP/FIPPA legislation not covered here. Independent school association requirements and provincial education ministry obligations are separate from privacy legislation and are not covered here. Quebec's Law 25 is not covered here.

Frequently asked questions

Does PIPEDA apply to private schools?

Yes. Private schools collect, use, and disclose personal information in the course of commercial activity (tuition-based education). PIPEDA applies. Alberta PIPA applies for students and families who are Alberta residents; BC PIPA applies for BC residents. Note that public schools and publicly funded institutions are subject to provincial freedom of information and privacy legislation (FOIPP in Alberta, FIPPA in BC) rather than PIPEDA — this guide covers private, independent schools operating on a tuition basis.

Do we need parental consent to collect student information?

Yes, with nuance. For students who are minors, consent for the collection and use of their personal information is typically provided by a parent or guardian. Your enrollment forms should include a privacy disclosure and consent for the collection, use, and disclosure of student information — including health information (allergies, medical conditions relevant to the school's duty of care), learning needs, and contact details. As students reach the age of majority (18 in Alberta and BC), their own consent becomes operative.

A student's disciplinary record and learning assessment were included in a breach — what are our obligations?

Conduct a RROSH assessment immediately. Disciplinary records and learning assessments are sensitive personal information — their unauthorized disclosure can harm a student's reputation, affect future academic or employment opportunities, and cause significant personal distress. RROSH is likely present. You must notify the OPC, the applicable provincial regulator, and the affected family (or the student directly if they are an adult).

We share student records with post-secondary institutions or scholarship bodies — what consent do we need?

Express consent from the student (or parent, if the student is a minor) for each disclosure to a third party. Transcripts and reference letters sent to universities or scholarship bodies are personal information disclosures that require authorization. Your school's privacy policy and enrollment consent should cover the types of disclosures that are routine in the educational context — but novel or non-obvious disclosures require fresh consent. A blanket authorization in the enrollment form does not cover disclosures to parties not contemplated at the time of enrollment.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.