Of the 3,134 breaches experienced by government departments between 2002 and 2012, only 399 were reported to the Office of the Privacy Commissioner.
Upon learning that various government departments have failed to report thousands of data and privacy breaches to her office, Canadian Privacy Commissioner Jennifer Stoddart said it is high time that the guidelines on how government organizations handle such incidents were turned into law.
“Departments have Treasury Board guidelines to follow in order to determine when they should notify our office of breaches; it is generally based on the magnitude of the breach and the sensitivity of data,” Stoddart said in an email to ITWorld Canada. “Our office feels federal organizations and Canadians would benefit from an instrument of greater weight to provide increased certainty, such as enshrining such direction into law.”
“It’s really disturbing to learn of the extent of this attempt to keep the OPC and the people in the dark,” said NDP MP Charlie Angus. His original question about in how many instances Canadians’ private information held by government departments was lost, stolen or accessed by unauthorized third parties prompted the government to reveal its lapses. “There is clearly a culture of putting the interest of the department ministers ahead of those of the people they are supposed to serve.”
“I think the threshold for determining when government breaches should be reported is extremely high,” he said. “Private organizations handling sensitive personal information are being pushed towards mandatory privacy breach reporting; the government should be subjected to the same.”
The Treasury Board of Canada, however, already has a privacy breach guideline which advises government organizations on what actions to take in case of a data or privacy breach. The guideline, for instance, says “it is strongly recommended” that institutions notify the OPC if the breach:
- Involves sensitive personal data such as financial or medical information, or personal identifiers such as a Social Insurance Number
- Can result in identity theft or some related fraud
- Can otherwise cause harm or embarrassment which would have detrimental effects on the individual’s career, reputation, financial position, safety, health or well-being
Stoddart said that in 2009, her office had recommended a reform of the Privacy Act that called for the Treasury Board guidelines to be enshrined in law.
“We also called for the law to include a provision stipulating requirements for adequate information security safeguards,” Stoddart said. “These recommendations have not been followed and, given events such as the HRDC student loans breach and the news this week, it may be high time for them to be acted upon.”
In January this year, Human Resources and Skills Development Canada (HRSDC) minister Diane Finley revealed that her department had lost a portable hard drive holding 585 personal records of student loan borrowers from between 2000 and 2005. In December 2012, an HRSDC employee lost a USB key containing the information of 5,000 people.
The OPC will release its annual report on the Privacy Act this fall, according to Stoddart. The report’s theme will be information security. In the coming months, the OPC also intends to undertake an audit of the use of portable storage devices by some federal organizations.