Federal privacy office loses drive with personal data

Mistakes can happen in any organization, but when the office of the federal privacy commissioner loses an unencrypted hard drive with personal information, it must sting.

But that’s what happened on Feb. 14 during the agency’s move to Gatineau, Que. from its home across the river in Ottawa.

The Toronto Star revealed the loss in the print edition of the paper this morning, and it was confirmed in an ITWorldCanada.com interview with interim commissioner Chantal Bernier.

“It is certainly humbling,” she said. “But we will come out of this wiser. We’ve already learned precious lessons that we will be able to apply.”

The drive was always connected to a server in a locked server room until the move, she said. The move itself was watched over by commissionaires. However, it wasn’t until some time later that IT staff realized the drive was missing and only on April 9 that they realized it had personal information.

That information included the names of staff, their government ID numbers and salary information for people who work in the Office of the Privacy Commissioner and the Office of the Information Commissioner. This information couldn’t be used for impersonation or fraud, she said. But as a precaution, the Public Works and Government Services (which oversees federal IT systems) has been asked to increase its digital authentication to prevent someone who can read the staff ID numbers from trying to access government records.

Although the drive was unencrypted, the data was saved in a format that Bernier said is “not easy to read” without specific software and technical knowledge on how to use it. She has a print-out of what the data would look like and says it is unlikely to be read by someone.

“It’s codes, it’s very fragmented, it’s very difficult to make sense of any information,” she said. However, she acknowledged that it would be possible for someone with the right skills and software to read the drive.

Earlier this year, Bernier had to report on the loss of an Employment Canada portable drive with hundreds of thousands of records on student loans.

Bernier doesn’t know exactly how the drive in her department was lost. She will see an advance copy later today of an investigation into the disappearance, a report to be officially presented Friday.

Among the lessons learned so far is how long it takes for information about the extent of a data loss to emerge and the ability to quickly notify affected people, she said. On investigations, other organizations have told her office that information “comes out in dribs and drabs … Now we know exactly what they mean.”

Several years ago, when European regulators proposed data holders notify potential victims within 24 hours of a breach, her office thought it was a great idea. Then the Europeans walked away from that timeline. In this incident, staff didn’t know that personal information was on the drive for weeks.

When Bernier was told April 9, she gave staff 24 hours to get details, then started informing those affected. Full-time staff were quickly told, she said, while those on leave, working in other departments or retired, are being told by letter.

Bernier has also told the speakers of the House of Commons, the Senate and the ad hoc privacy commissioner John Sims, who investigates complaints against the office of the privacy commissioner.

In a letter to Sims, Bernier said the old and new offices have been thoroughly searched several times, but the drive can’t be found.

An external audit of the IT functions of her department has already been scheduled. Bernier said that she has now ordered an immediate review of the physical asset and security policies and procedures as well.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs