Loss of portable hard drive containing personal information of student loan borrowers
OTTAWA, March 25, 2014 — A portable hard drive containing the personal information of 583,000 student loan borrowers went missing in 2012 from Employment and Social Development Canada (ESDC), formerly Human Resources and Skills Development Canada. The hard drive also contained personal information about 250 ESDC employees. ESDC cannot say if the disappearance resulted from human error or malicious intent.
What went wrong?
The Office of the Privacy Commissioner of Canada’s investigation identified weaknesses related to four types of controls, which are the “pillars” of sound privacy management.
- Physical controls
  - ESDC policy required that such portable storage devices be stored in a lockable filing cabinet when not in use. Our investigation established that the hard drive was often left unsecured for extended periods of time. Even when it was stored in a filing cabinet, the cabinet was in an open cubicle and often not locked.
  - ESDC did not record the serial number of the hard drive and no specific employee was assigned responsibility for its custody.
- Technical controls
  - ESDC policy did not class such portable storage devices as a high-level threat to privacy. Accordingly, ESDC did not perform any type of security risk assessment for the hard drive.
  - ESDC left encryption of sensitive information on portable storage devices to the discretion of employees.
  - Neither password protection nor encryption was implemented to protect the sensitive information on the portable hard drive.
- Administrative controls
  - ESDC did not have a comprehensive inventory of the portable storage devices used in the unit which administered student loans.
  - ESDC did not track which employees used the portable hard drive.
  - There was no effective control over the personal information on the portable hard drive.
  - ESDC was not aware of the exact information content which had been backed up to the portable hard drive at the time it was discovered missing.
- Personnel controls
  - The relevant ESDC staff lacked a clear understanding of the information content on the hard drive, its sensitivity and also of the privacy risks inherent in the use of such portable storage devices.
  - ESDC employees lacked sufficient awareness about information stewardship, security responsibilities, IT controls and privacy threats, all areas covered by department policies.
At the time of the hard drive loss, ESDC had privacy and security policies which, on paper, met the Government of Canada’s requirements for the protection of personal information. In our view, however, ESDC failed to translate its own policies into meaningful business practices.
What does the Office of the Privacy Commissioner of Canada recommend?
The Office of the Privacy Commissioner of Canada’s investigation concludes that the complaint against ESDC under the Privacy Act is “well founded” — meaning there was a contravention of the Privacy Act. The final Report of Findings makes 10 recommendations, including:
- Regular monitoring of physical controls as a key part of ESDC’s security program.
- Use established processes to identify and assess emerging privacy and security risks.
- Conduct a comprehensive review of all ESDC materiel holdings to ensure appropriate security classification for all personal information and assets containing that information.
- Use portable storage devices for personal information only as a last resort, and protect all personal information stored on portable devices with strong technological safeguards, such as encryption.
- Maintain an inventory of those assets, with measures such as bar codes to enable tracking.
- Conduct regular inspections or security reviews of those assets to ensure personal information is protected.
- Implement an expanded training and awareness program covering security and privacy. Participation should be mandatory and recorded.
- Take measures to monitor personal information management practices.
What has ESDC done?
ESDC accepted all of the Office of the Privacy Commissioner of Canada’s recommendations and has taken significant steps to implement the required changes. For the recommendations listed above, these steps include:
- Security software blocking the use of portable storage devices on desktop computers, unless authorized by management.
- Security sweeps in ESDC buildings and the development of a security framework.
- A review of all material holdings, followed by disposal of transitory records and classification of the remaining records at the appropriate security level.
- Centralized management of all portable devices. Laptops, USB keys and hard drives are tracked by serial number and monitored when connected to the Department’s network.
- As part of an internal audit on IT security, examination of portable storage devices to ensure only approved uses.
- A new integrated learning strategy focusing on the protection of personal privacy with mandatory participation for all employees and mandatory testing every two years.
The Office of the Privacy Commissioner of Canada’s investigation identified a significant gap in ESDC’s implementation of its privacy and security policies in the day-to-day business operations of the Department. This gap resulted in weaknesses in information management controls, physical security controls, and most importantly, the level of employee awareness of departmental policies and procedures. The Office will follow up in one year to confirm ESDC’s progress in the implementation of the recommendations and its continuing efforts towards improving the management of the department’s personal information holdings.