Details given on school security breach
The Government has been praised for its swift reporting of a cyberattack on a schools-based programme that compromised some users’ personal information.
Alex White, the Privacy Commissioner, said that Kalmar Richards, the Commissioner of Education, and the Department of Education, carried out the correct steps under the newly enacted Personal Information Protection Act in response to the hack of PowerSchool.
The Ministry of Education announced this month that the student information system provider for public schools suffered a “cybersecurity incident” when an unauthorised party gained access to its systems via a compromised credential.
An investigation is under way to ascertain what details were compromised, with the education department calling it a serious matter.
Ms Richards said the company confirmed the breach included “data from some Bermuda public schools families and teachers”.
She added: “The compromised information primarily consists of parent and student contact details, such as names, students’ date of birth, addresses, telephone numbers and e-mail addresses.
“Additionally, PowerSchool has informed clients that more sensitive personally identifiable information was also affected for certain individuals.”
She said the department also held personal details in the system’s medical alert field, such as allergies and asthma.
Until PowerSchool recovers the Bermuda database log files covering the period of the breach, the department cannot confirm whether information “specific to Bermuda public schools was compromised”.
Ms Richards said anyone affected would be notified once the department was updated.
She added: “Our other cloud-based services, such as Schoology, remain secure and unaffected.”
Ms Richards confirmed that personal information notification documents had gone to Mr White.
She said PowerSchool had been “a trusted vendor” since 2008, with the incident marking the first cybersecurity breach during its service.
Ms Richards said the company’s student information tables captured data on “attendance, courses, enrolment history, grades, and behaviour incidents”.
She affirmed the department’s commitment to securing student and staff data.
She added: “Families and staff with questions or concerns are encouraged to contact the Office of the Commissioner via e-mail at coe@moed.bm.”
The company has also provided an online statement on the incident, which it spotted on December 28.
Mr White commended Ms Richards and the department for their “proactive transparency, for notifying my office appropriately, and for their willingness to promptly respond to follow-up requests and discussions”.
Mr White said until the facts were confirmed and the investigation completed, the Office of the Privacy Commissioner of Bermuda would not formally give a public statement on the reported breach of security.
He said it would be “useful” for him to give guidance to the public on the best course of action in the event of a breach.
He said: “Under Pipa, there is a legal requirement for an organisation that is using personal information to, without undue delay, notify PrivCom of a breach.
“The legal requirement to notify my office is based on a multi-part test — Pipa considers a breach of security to be an incident that leads to, for example, unauthorised access to personal information which is likely to adversely affect an individual.
“In other words, there must be an action, such as unauthorised access, and there must be a determination that the consequence is likely to be an adverse effect to an individual.
“Breach notifications have several policy objectives.
“The requirement for transparency means that organisations are held responsible for their due diligence and level of care.
“The requirement to inform individuals about adverse effects gives the individuals warning so that they may take action to protect themselves from harm, if possible.
“Because our office is made aware of the breach, we can offer an expert opinion on whether further steps may be needed.”
Mr White said a security breach could take time to investigate and resolve, and that once an organisation was aware of a breach, it was allowed to assess the situation and validate details prior to notification.
He added: “An example of undue delay before notification would be if the time spent assessing the situation would increase the likelihood or severity of the harm to an individual.
“If an organisation would like advice on the steps to take, then they may provide a preliminary notification to my office even before they are certain that there is a risk of harm to an individual.”
Mr White emphasised that when an organisation suffered a breach of security, it did not necessarily mean it had behaved inappropriately or negligently.
However, he added: “Organisations should put in place reasonable measures and safeguards that are proportional to the risk of harm to individuals from a breach of personal information.
“These measures will depend on the types and uses of personal information.
“Pipa does not require perfection, which is an impossible standard.”
The Ministry of Education reported on January 10: “According to PowerSchool, malware was not involved in this incident. PowerSchool has advised the department that the incident has been contained and that their systems remain secure.
“The unauthorised access allowed the party to reach the management console of PowerSchool’s PowerSource tool.”
The ministry added: “PowerSchool believes that the compromised data has been deleted and will not be shared publicly. They are actively working to prevent further unauthorised access or misuse of data.”
To assist organisations in notifying the privacy office of a breach, the office provides an electronic breach notification form on its website, privacy.bm, in the Organisations Hub at privacy.bm/organisations-hub.
The form will guide organisations on what information to include in a breach notification to the office.
Template letters that organisations can use to notify individuals are available from the office.