Policy, practice gap behind federal data breach

The disappearance of an Employment and Social Development Canada (ESDC) portable hard drive containing the personal information of 583,000 student loan recipients illustrates the critical need to put security and privacy policies into practice in government institutions, according to an investigation by the Office of the Privacy Commissioner of Canada.

“A gap between policies and practices at ESDC led to weaknesses in information management controls, physical security controls, and most importantly, the level of employee awareness of department policies and procedures,” a statement from the privacy commissioner’s office said.

In November last year a hard drive containing the names, social insurance numbers, birth dates, and other information of 583,000 student loan borrowers as well as contact information of 250 ESDC (formerly known as Human Resources and Skills Development Canada) personnel went missing. The hard drive was unencrypted, which was against department policy.

The privacy commissioner’s investigation, which was tabled in Parliament yesterday, detailed how that hard drive was habitually left “unsecured for extended periods of time; not password protected; and held personnel information that was unencrypted.”

Employees handling the device “were not aware of the sensitivity of the information stored on the device,” a statement from the OPCC said.

“This incident should serve as a lesson for all organizations,” said Chantal Bernier, interim privacy commissioner. “Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly.”

Bernier, however, said she is pleased that ESDC has accepted all of her office’s recommendations and is taking steps to implement them.

The 10 recommendations include:

• Severely restricting the use of portable storage devices and introducing system software which blocks the use of any such devices on desktop computers without specific authorization
• Periodically examining portable storage devices to ensure they are being used solely for the authorized reasons
• Reviewing all materiel holdings, disposing of transitory records and classifying remaining records at the appropriate security level
• Instigating a new integrated learning strategy which focuses on the protection of personal privacy and includes mandatory participation for all employees and mandatory testing every two years

Despite extensive search efforts, the hard drive has not yet been located, nor was it determined whether human error or malicious intent was involved in the disappearance of the device.


Nestor E. Arellano
Toronto-based journalist specializing in technology and business news. Blogs and tweets on the latest tech trends and gadgets.
