The territory’s Department of Education is sharing information about students in ways that are not compliant with the Access to Information and Protection of Privacy Act (ATIPPA).

That’s a conclusion of the Office of the Yukon Information and Privacy Commissioner (IPC).

Released Monday, the finding has prompted the department to instruct the territory’s schools to refrain from posting photos of students (or any other personal information) to school websites or social media platforms for the time being.

Some Yukon schools have been collecting, using and disclosing photos, videos and audio of students on Internet platforms, including social media, as part of their outreach to parents and the community.

Under the ATIPPA, these images are considered the students’ personal information.

The IPC conducted a compliance audit into this practice.

The audit found that the Department of Education could not demonstrate that it has authority for this activity.

Nor could it show that it’s protecting students’ personal information, as required under the ATIPPA.

The audit also found that some department employees are using their work contact information to create and maintain social media pages and may be collecting, using and disclosing students’ personal information without authority under the ATIPPA – and contrary to the department’s policies and procedures.

“This privacy audit identified considerable and serious privacy risks associated with posting students’ personal information on Internet platforms,” said Jason Pedlar, the territory’s Information and Privacy Commissioner.

“These include the inability to track or control the further dissemination of photos and videos and the inability to prevent their use for unwanted or unintended purposes, such as the harvesting of personal information by fraudsters or other criminals.”

In its audit report, the IPC made six recommendations.

These include that the department must immediately cease the collection, use and disclosure of student personal information on Internet platforms until it can establish that it has authority under the ATIPPA to do so.

As well, it must purge all existing student personal information from its official Internet platforms.

“If it wishes to resume this activity, it must conduct a privacy impact assessment to address and mitigate any associated privacy risks, as well as develop and implement an accountability framework in this regard, outline the framework in written policies and procedures, ensure these are periodically evaluated and audited for effectiveness and compliance, and ensure student personal information is handled in ways that are compliant with the ATIPPA,” the IPC office said.

The IPC also recommended that the department review school social media to assess for any privacy breaches that may have occurred involving the unauthorized collection, use or disclosure of student personal information by its employees.

The department must also immediately notify all its employees of their obligations under the ATIPPA regarding students’ personal information.

The department has accepted several of the IPC’s recommendations, the IPC office said.

The department said in a statement this morning it takes student privacy “very seriously.

“The report by the Yukon Information and Privacy Commissioner’s Privacy Compliance Audit provided useful suggestions about how the department can strengthen its efforts to protect student privacy,” the statement said.

“The department has directed our schools to not post photos of students (or any other personal information) to school websites or social media platforms until the associated risks have been fully assessed and further guidance has been provided.”

The department is completing a privacy impact assessment, as recommended by Pedlar.

It’s also developing an accountability framework that will outline roles, responsibilities, and oversight with respect to posting student personal information to Internet sites.

The framework will be reflected in policies and procedures, which will be evaluated periodically and audited for compliance.

“The department will also inform and remind all employees, via communications and training, about their obligations with respect to the collection, use or disclosure of students’ personal information under the ATIPPA,” the statement said.

The Information and Privacy Commissioner is an independent officer of the Yukon Legislative Assembly.