Key lessons for public servants using portable storage devices

February 21, 2019

Office of the Privacy Commissioner of Canada Privacy Alerts are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.


Since the start of the 2018-19 fiscal year, we have received five breach reports from five different federal institutions related to lost or stolen portable storage devices.

For example, a piece of computer equipment was stolen from a secure area of one institution. The equipment, which was password-protected, may have contained payroll information.

In another case, an institution lost a copy it had made of a USB drive containing sensitive personal information. While the drive was password-protected, the password was available to anyone who had the key when it went missing.

Lessons learned:

  • Portable storage devices, such as USB drives, flash drives, hard drives, tablets, laptops, smartphones, CDs and DVDs, that contain sensitive information should always be secured. They should be locked up and employee access should be limited to those who need it.
  • At the end of their lifecycle, storage devices should be securely disposed of or destroyed.
  • Storage devices containing personal or sensitive information, such as health or financial data, should be encrypted and/or password-protected. Personal information should only be stored on devices approved and issued by the institution.
  • Institutions should develop policies and procedures for the use of portable storage devices.
  • A Treasury Board Secretariat Information Technology Policy Implementation Notice defines the minimum level of responsibility departments and agencies must consider in regard to the secure use of portable data storage devices.

For more information:

See our Tips for Federal Institutions Using Portable Storage Devices and Personal Information Retention and Disposal: Principles and Best Practices fact sheets for more practical ways to protect stored data.

You can also find more information on responding to a privacy breach at your institution on our website.

Sign up for future Privacy Alerts by subscribing to our RSS feed. Privacy Alerts are also posted on our website.
