The Office of the Privacy Commissioner of Canada has released its Report of Findings from a year-long investigation into a significant incident involving the loss of personal data at the former Ministry of Human Resources and Skills Development Canada (HRSDC).

In late 2012, an employee of HRSDC discovered the loss of an external hard drive containing the personal information of 583,000 Canada student loan borrowers and 250 employees. The device was a 1 terabyte external drive that was being used to back up information prior to the migration of data on HRSDC's network. According to the Report of Findings, the backup was unnecessary to the migration but was conducted as a risk mitigation measure.

However, this "workaround" created significant risks for HRSDC. Remarkably, the drive was not encrypted or even password protected. Nor was the drive inventoried by serial number. The drive was not stored in a vault. Instead, it was usually, but not always, kept in a lockable filing cabinet in an employee's cubicle, inside an envelope hidden under suspended files.

Although HRSDC had many sound policies, there were significant gaps in practices. Among the notable observations and recommendations in the report and accompanying guidance are:

  • Privacy impact assessments and threat risk assessments are critical elements of an accountability framework. They should be conducted for the use of portable storage devices.
  • Portable storage devices should only be used as a last resort for the storage or transfer of personal information. They should not be used as permanent storage.
  • Portable storage devices used for personal information should be protected by strong technological safeguards, such as encryption.
  • Assets, such as portable storage devices, that are used to store personal information should be inventoried, monitored and tracked.
  • Organizations should verify compliance with policies regarding safeguards by periodically conducting security reviews, including physical checks to ensure that the portable storage device is being safeguarded.
  • Organizations should scan networks for unauthorized devices.

The Report of Findings may be found here. A Fact Sheet containing Tips for Federal Institutions Using Portable Storage Devices may be found here. Although the Fact Sheet is directed at governmental agencies, it has broader application under the OPC's Accountability Guidelines released last year in conjunction with the Information and Privacy Commissioners of Alberta and British Columbia.

About Dentons

Dentons is a global firm driven to provide you with the competitive edge in an increasingly complex and interconnected marketplace. We were formed by the March 2013 combination of international law firm Salans LLP, Canadian law firm Fraser Milner Casgrain LLP (FMC) and international law firm SNR Denton.

Dentons is built on the solid foundations of three highly regarded law firms. Each built its outstanding reputation and valued clientele by responding to the local, regional and national needs of a broad spectrum of clients of all sizes – individuals; entrepreneurs; small businesses and start-ups; local, regional and national governments and government agencies; and mid-sized and larger private and public corporations, including international and global entities.

Now clients benefit from more than 2,500 lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US who are committed to challenging the status quo to offer creative, actionable business and legal solutions.

For more information, visit our Privacy and Data Security blog at www.datagovernancelaw.com

Learn more at www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific questions relating to this article should be addressed directly to the author.