By Canadian Security
The disappearance of a portable hard drive containing the personal information of 583,000 student loan recipients underscores the need to ensure that formal privacy and security policies are more than simply words on paper, an investigation has found.
The investigation by the Office of the Privacy Commissioner of Canada was launched after the hard drive was reported lost by Employment and Social Development Canada (ESDC), formerly Human Resources and Skills Development Canada.
An investigation report tabled in Parliament today details how the hard drive had been left unsecured for extended periods, was not password protected, and held unencrypted personal information. Employees handling the device were also unaware of the sensitivity of the information stored on it.
The report concludes that a gap between policies and practices at ESDC led to weaknesses in information management controls, physical security controls, and most importantly, the level of employee awareness of departmental policies and procedures.
“This incident should serve as a lesson for all organizations,” says Interim Privacy Commissioner Chantal Bernier. “Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly.”
“We are pleased that ESDC has accepted all of our recommendations and has started taking the necessary steps to implement them. We hope this investigation will prompt other federal departments and private-sector organizations to review their own privacy policies and practices.”
The Office launched the investigation in January 2013 after ESDC reported that a portable hard drive containing a substantial amount of personal information had been missing for two months.
Despite extensive search efforts, the Department was unable to locate it or determine whether human error or malicious intent was responsible.
Staff of ESDC’s Canada Student Loans Program had used the department-owned, 1 terabyte hard drive to make a backup copy of program information stored in the central computer to ensure its preservation when that data was being transferred between networked drives.
The hard drive contained the Social Insurance Number, name, date of birth, home address, telephone number, loan amounts and balances for 583,000 clients of the loans program. It also included gender, language and marital status for some.
Because of failures in departmental practices, ESDC could not conclusively identify what information was on the portable hard drive or when it had been last updated.
Nonetheless, ESDC says that no evidence has yet emerged that the personal information potentially stored on the hard drive has been accessed or used for fraudulent purposes.
The investigation found that ESDC employees had contravened sections of the Privacy Act — Canada’s federal public sector privacy law — related to the use, disposal and disclosure of personal information.
ESDC has accepted all 10 of the Commissioner’s recommendations and has already made significant progress in implementing some, including:
Severely restricting the use of portable storage devices and introducing system software which blocks the use of any such devices on desktop computers without specific authorization;
Periodically examining portable storage devices to ensure they are being used solely for the authorized reasons;
Reviewing all materiel holdings, disposing of transitory records and classifying remaining records at the appropriate security level; and
Instituting a new integrated learning strategy which focuses on the protection of personal privacy and includes mandatory participation for all employees and mandatory testing every two years.
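One way to implement the first of these controls on a Linux desktop, as an added example that is not ESDC’s software (the report does not name the product used) and not part of the original article: a small shell script that turns an allowlist of approved device serial numbers into a usbguard policy which blocks every USB mass-storage interface by default. The allowlist path, the sample serial numbers, the output file location and the systemd unit name used by the install step are all assumptions.

```shell
#!/bin/sh
# Added example, not the department's software: deny-by-default USB mass storage
# with a serial-number allowlist, expressed as usbguard rules.
# Assumed: usbguard is installed and runs as a systemd unit named "usbguard";
# the allowlist path and rules path below are made up for the example.
set -eu

ALLOWLIST="${ALLOWLIST:-/etc/usbguard/storage-allowlist.txt}"  # assumed: one serial per line
RULES="${RULES:-/etc/usbguard/rules.conf}"                       # usbguard's rules file

# render_rules FILE
# Emits a usbguard policy from an allowlist of serials (blank lines and '#'
# comments ignored). Rule order matters: each approved serial is allowed only
# if every interface the device exposes is mass storage (class 08), so an
# approved stick that also presents a keyboard interface is NOT allowed;
# any other device with a mass-storage interface is blocked; everything else
# (keyboards, mice, hubs) is allowed so the desktop keeps working.
# Serials are restricted to a safe character set so a crafted allowlist line
# cannot break out of the quoted rule syntax; a bad line fails the render.
render_rules() {
  awk '
    { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "") }
    $0 == "" || substr($0, 1, 1) == "#" { next }
    $0 !~ /^[A-Za-z0-9_.:-]+$/ {
      print "render_rules: rejecting serial: " $0 > "/dev/stderr"; bad = 1; next
    }
    { printf "allow serial \"%s\" with-interface equals { 08:*:* }\n", $0 }
    END {
      print "block with-interface one-of { 08:*:* }"
      print "allow"
      if (bad) exit 1
    }
  ' "$1"
}

# is_allowlisted SERIAL FILE
# Exact whole-line match against the allowlist; returns 0 if approved.
# Useful for the periodic review: compare serials seen on the bus against it.
is_allowlisted() {
  awk -v s="$1" '
    { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "") }
    $0 == "" || substr($0, 1, 1) == "#" { next }
    $0 == s { found = 1; exit }
    END { exit !found }
  ' "$2"
}

main() {
  case "${1:-}" in
    render)
      render_rules "$ALLOWLIST" ;;
    install)
      # Write atomically so a half-written rules file is never picked up.
      tmp="$RULES.tmp"
      render_rules "$ALLOWLIST" > "$tmp"
      chmod 0600 "$tmp"
      mv "$tmp" "$RULES"
      systemctl restart usbguard   # assumed unit name; daemon re-reads rules on start
      ;;
    *)
      echo "usage: $0 render|install" >&2
      exit 2 ;;
  esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Two caveats a practitioner would attach to this. First, a serial number is only as trustworthy as the device reporting it; a hostile device can present an approved serial, so where the stakes justify it, pin the approved devices with usbguard’s descriptor `hash` attribute as well. Second, the final bare `allow` is what keeps non-storage peripherals working under usbguard’s block-by-default implicit policy; drop it and the next reboot locks out the keyboard.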
The Office of the Privacy Commissioner of Canada will follow up in one year to confirm ESDC’s progress in implementing the recommendations.
“To effectively mitigate privacy risks, there must be a synergy between privacy and security controls. Implementation of such controls will help ESDC — and all organizations — to properly protect the personal information that Canadians entrust to them,” says Interim Commissioner Bernier. “To further address broader systemic issues, we are conducting an audit of the use of portable storage devices by selected federal organizations, and we have just released some new tips for organizations on this issue.”
About the Office of the Privacy Commissioner of Canada
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations engaged in commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.