The disappearance of an Employment and Social Development Canada (ESDC) portable hard drive containing the personal information of 583,000 student loan recipients illustrates the critical need to put security and privacy policies into practice in government institutions, according to an investigation by the Office of the Privacy Commissioner of Canada.
“A gap between policies and practices at ESDC led to weaknesses in information management controls, physical security controls, and most importantly, the level of employee awareness of department policies and procedures,” a statement from the privacy commissioner’s office said.
In November last year a hard drive containing the names, social insurance numbers, birth dates, and other information of 583,000 student loan borrowers as well as contact information of 250 ESDC (formerly known as Human Resources and Skills Development Canada) personnel went missing. The hard drive was unencrypted, which was against department policy.
The privacy commissioner’s investigation, which was tabled in Parliament yesterday, detailed how that hard drive was habitually left “unsecured for extended periods of time; not password protected; and held personnel information that was unencrypted.”
Employees handling the device “were not aware of the sensitivity of the information stored on the device,” a statement from the OPCC said.
“This incident should serve as a lesson for all organizations,” said Chantal Bernier, interim privacy commissioner. “Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly.”
Bernier, however, said she is pleased that the ESDC has accepted all of her office’s recommendations and are taking the steps to implement them.
The 10 recommendations include:
• Severely restricting the use of portable storage devices and introducing system software which blocks the use of any such devices on desktop computers without specific authorization
• Periodically examining portable storage devices to ensure they are being used solely for the authorized reasons
• Reviewing all materiel holdings, disposing of transitory records and classifying remaining records at the appropriate security level
• Instigating a new integrated learning strategy which focuses on the protection of personal privacy and includes mandatory participation for all employees and mandatory testing every two years
Despite extensive search efforts, the hard drive has not yet been located, nor was it determined whether human error or malicious intent was involved in the disappearance of the device.