The number of data breaches of federal institutions reported to the privacy commissioner over the most recent 12 month period hit a record number for the second year in a row, according to a new report.
In her annual report to Parliament on Tuesday, outgoing commissioner Jennifer Stoddart said the number of data breaches reported to her office between April 2012 and March of this year rose to 109 from 80 during the same period the year before.
Those included the loss of by Human Resources Development Canada (now called Employment and Social Development Canada) staff of a portable hard drive with 585,000 personal records, and the loss by a Justice Department employee of a USB key with sensitive information on 5,000 people.
Because federal departments and agencies aren’t required to notify the privacy commissioner about data losses or breaches it is impossible to figure out whether the increase in reported incidents means there were more of them or whether people are calling in more, Stoddart said.
The numbers show that the Canada Revenue Agency had the most problems, with 22 breaches reported in the 12-month period, followed by Correctional Service Canada with 17, HRSDC with 11, Foreign Affairs with 10, Veterans Affairs and Citizenship each with five, Canada Post and Statistics Canada with four each, and National Defence with three. Other agencies had a combined 28 reported breaches.
As in previous years, the report adds, most of the causes was accidental disclosure of information through human error. Of the 109 reported breaches 31 could be attributed to the loss of documents, including the loss of passports at Canadian embassies.
Theft was the cause of eight breaches, particularly of laptops. The personal tax information of 46 people was involved in one laptop theft.
Here’s a few nuggets from the report:
–One of the thefts occurred in Calgary, where an encrypted laptop, a USB key and papers were lifted from a rental car. The USB key had information used by the Financial Transaction and Reports Analysis Centre (FINTRAC), which looks into suspicious financial transactions. Data on the laptop is safe, but “security procedures related to the use of USB keys” weren’t followed.
–While dropping off a child at a school, a security intelligence officer working for Corrections Canada dropped a USB key, which had personal information on 152 prisoners. The key was turned in by a school employee.
–Some in Ottawa think you surrender your right to privacy by posting on Facebook — that, Stoddart said, was the argument made in the case of one complaint. Staff at Aboriginal Affairs and Northern Development and at Justice accessed the Facebook posts of First Nations activist Cindy Blackstock, who had filed a human rights suit against the government, as well as social media feeds linked to her and distributed the posts to others in the department. They also repeatedly accessed her Indian status records in the government’s database.
Blackstock had three Facebook pages, two of which related to First Nations affairs. But the third was personal, and therefore collecting it by federal staff fell under the restrictions of the federal Privacy Act.
Stoddart’s office concluded the fact that some personal information is available on the Internet doesn’t make it non-personal. She recommended both departments stop accessing anything Blackstock posts online unless it has a direct connection to legitimate government business.