Annual Report to Parliament 2013-14 - page 10

Annual Report to Parliament 2013-2014 – Report on the Privacy Act
The OPC produced tip sheets for public servants on how to protect against data breaches when using external hard drives and other portable storage devices (see section 5). In addition, our Office is currently auditing how well personal information on such portable storage devices is being protected in 17 selected government agencies and
As noted in previous years, because data breach reporting to the OPC has been voluntary, the Office could never say categorically that the number of incidents had really risen from one year to the next. The increase might simply have been the result of more diligent reporting. From now on, however, such uncertainty should be reduced, thanks to a revised Directive on Privacy Practices from the Treasury Board Secretariat (TBS).
The Directive makes mandatory the reporting of any “material” data breach to both the TBS and the OPC. The OPC worked with TBS to define what constitutes a material breach and also created a web-based form housed on the OPC website for federal institutions to report such breaches.
This work followed a number of breaches that highlighted the need for increased vigilance in safeguarding personal information held by organizations. For example, this year’s report includes a look at the Office’s investigation of ESDC and Justice Canada concerning a lost USB key. The portable device with the personal information of 5,045 people appealing their disability entitlements under the Canada Pension Plan disappeared from an office at ESDC where it was being used by a Justice lawyer. After an investigation, the resulting OPC recommendations echoed those made in the special report following the student loan hard drive loss.
Invasive security screening
While data breaches remained a key focus of 2013-2014, a notable trend in the Privacy Impact Assessments (PIAs) reviewed during the past year was that some government institutions were developing more invasive security screening techniques going beyond the existing security requirements of the federal government. In several cases, these enhanced screening standards involved collecting personal data from social media and other open sources.
For example, the Canada Revenue Agency (CRA) submitted a PIA for its “Reliability Status+” personnel security screening standard, which proposed a number of new, more intrusive screening measures including open social media content, law enforcement records checks, and a reliability questionnaire. After consulting with our Office, the Agency amended its program considerably (for more on this, see section 5).
