Mistakes can happen in any organization, but when the office of the federal privacy commissioner loses an unencrypted hard drive holding personal information, it must sting.
But that is what happened on Feb. 14 during the agency’s move to Gatineau, Que., from its home across the river in Ottawa.
The Toronto Star revealed the loss in the print edition of the paper this morning, and it was confirmed in an ITWorldCanada.com interview with interim commissioner Chantal Bernier.
“It is certainly humbling,” she said, “but we will come out of this wiser. We’ve already learned precious lessons that we will be able to apply.”
The drive was always connected to a server in a locked server room until the move, she said, and the move itself was watched over by commissionaires. However, it was not until some time later that IT staff realized the drive was missing, and not until April 9 that they realized it held personal information.
That information included the names of staff, their government ID numbers and salary information for people who work in the Office of the Privacy Commissioner and the Office of the Information Commissioner. This information couldn’t be used for impersonation or fraud, she said. But as a precaution, Public Works and Government Services Canada (which oversees federal IT systems) has been asked to strengthen its digital authentication so that someone who can read the staff ID numbers cannot use them to access government records.
Although the drive was unencrypted, the data was saved in a format that Bernier said is “not easy to read” without specific software and the technical knowledge to use it. She has a print-out of what the data would look like and says it is unlikely anyone could read it. “It’s codes, it’s very fragmented, it’s very difficult to make sense of any information.”
However, she acknowledged that it would be possible for someone with the right skills and software to read it.
Bernier doesn’t know exactly how the drive in her department was lost. Later today she will see an advance copy of the report on the investigation into the disappearance; the report is to be officially presented Friday.
Among the lessons learned so far, she said, are how long it takes for information about the extent of a data loss to emerge and how that delays notifying affected people quickly. In its own investigations, other organizations have told her office that information “comes out in dribs and drabs … Now we know exactly what they mean.”
When European regulators proposed several years ago that data holders notify potential victims within 24 hours of a breach, her office thought it was a great idea. Then the Europeans walked away from that timeline. In this incident, staff did not know for weeks that personal information was on the drive.
When Bernier was told on April 9, she gave staff 24 hours to gather details, then began informing those affected. Full-time staff were quickly told, she said, while those on leave, working in other departments or retired are being told by letter.
Bernier has also told the Speakers of the House of Commons and the Senate, and ad hoc privacy commissioner John Sims, who investigates complaints against the Office of the Privacy Commissioner.
In a letter to Sims, Bernier said the old and new offices have been thoroughly searched several times but the drive can’t be found.
An external audit of her department’s IT functions had already been scheduled. Bernier said she has now also ordered an immediate review of physical asset and security policies and procedures.