Disappearance of HDD Containing Personal Information of 583,000 Students
The Office of the Privacy Commissioner of Canada says the incident highlights important lessons for organizations to follow.
This is a Press Release edited by StorageNewsletter.com on March 31, 2014 at 2:42 pm

The disappearance of a portable HDD containing the personal information of 583,000 student loan recipients underscores the need to ensure that formal privacy and security policies are more than simply words on paper, an investigation has found.
The investigation by the Office of the Privacy Commissioner of Canada was launched after the HDD was reported lost by Employment and Social Development Canada (ESDC), formerly Human Resources and Skills Development Canada.
An investigation report tabled in Parliament details how the HDD was left unsecured for extended periods of time; not password protected; and held personal information that was unencrypted. As well, employees handling the device were not aware of the sensitivity of the information stored on the device.
The report concludes that a gap between policies and practices at ESDC led to weaknesses in information management controls, physical security controls, and most importantly, the level of employee awareness of departmental policies and procedures.
“This incident should serve as a lesson for all organizations,” says Interim Privacy Commissioner Chantal Bernier. “Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly. We are pleased that ESDC has accepted all of our recommendations and has started taking the necessary steps to implement them. We hope this investigation will prompt other federal departments and private-sector organizations to review their own privacy policies and practices.”
The Office launched the investigation in January 2013 after ESDC reported that a portable HDD containing a substantial amount of personal information had been missing for two months.
Despite extensive search efforts, the Department was unable to locate it or determine whether human error or malicious intent was responsible.
Staff of ESDC’s Canada Student Loans Program had used the department-owned 1TB HDD to make a backup copy of program information stored in the central computer to ensure its preservation when that data was being transferred between networked drives.
The HDD contained the Social Insurance Number, name, date of birth, home address, telephone number, loan amounts and balances for 583,000 clients of the loans program. It also included gender, language and marital status for some.
Because of failures in departmental practices, ESDC could not conclusively identify what information was on the portable HDD or when it had been last updated.
Nonetheless, ESDC says that no evidence has yet emerged that the personal information potentially stored on the HDD has been accessed or used for fraudulent purposes.
The investigation found that ESDC employees had contravened sections of the Privacy Act – Canada’s federal public sector privacy law – related to the use, disposal and disclosure of personal information.
ESDC has accepted all ten of the Commissioner’s recommendations and has already made significant steps in implementing some, including:
- Severely restricting the use of portable storage devices and introducing system software which blocks the use of any such devices on desktop computers without specific authorization;
- Periodically examining portable storage devices to ensure they are being used solely for the authorized reasons;
- Reviewing all materiel holdings, disposing of transitory records and classifying remaining records at the appropriate security level; and
- Instigating a new integrated learning strategy which focuses on the protection of personal privacy and includes mandatory participation for all employees and mandatory testing every two years.
The Office of the Privacy Commissioner of Canada will follow up in one year to confirm ESDC’s progress in implementing the recommendations.
“To effectively mitigate privacy risks, there must be a synergy between privacy and security controls. Implementation of such controls will help ESDC, and all organizations, to properly protect the personal information that Canadians entrust to them,” says Bernier. “To further address broader systemic issues, we are conducting an audit of the use of portable storage devices by selected federal organizations, and we have just released some new tips for organizations on this issue.”