Tips for Federal Institutions Using Portable Storage Devices
Portable storage devices come in a range of types, sizes, styles and designs, but in general a portable storage device is any electronic device that can be used to store information and can be easily transported. This includes USB devices (such as flash drives or hard drives), tablets, laptops, smartphones, CDs, DVDs, etc. Given that these devices are often relatively small, highly portable and can have an enormous capacity for data storage, they must be handled with caution and care, particularly if they are used to store personal information.
What do federal institutions need to know about using portable storage devices to store personal information?
The Privacy Act requires federal government institutions to respect individuals’ privacy rights by properly managing the collection, use, disclosure, retention and disposal of personal information. To fulfil this requirement, institutions must implement appropriate security safeguards to protect the personal information they collect against unauthorized access, use and disclosure.
The Treasury Board of Canada Secretariat (TBS) has set out a number of policies and directives that articulate the requirements that the Government of Canada is to follow for both security and the protection of its personal information holdings.
The following information and tips are intended to complement TBS materials and provide organizations that use portable storage devices with some useful suggestions for reducing the risk of unauthorized access, use and disclosure of personal information.
What can federal institutions do to ensure personal information stored on portable storage devices is protected?
The Office of the Privacy Commissioner of Canada has identified four types of controls that can provide protection against data breaches:
- physical controls
- technical controls
- administrative controls
- personnel security controls
These controls are based on the TBS’s Directive on Privacy Practices and Policy on Government Security. Given that portable storage devices are generally very easy to remove, move or misplace, we recommend that institutions ensure that all four types of controls are rigorously applied to the handling of portable storage devices when they contain personal information. Institutions are encouraged to consult the TBS website for the most current versions of policies and guidance.
Physical controls
Physical controls must be used at all times to secure portable storage devices if they contain personal or sensitive information. At a minimum, institutions should ensure that:
- When these devices are in use they are not left unattended.
- When these devices are not in use they are always protected by robust physical security controls, such as locked cabinets and restricted access storage areas.
- When these devices are at the end of their lifecycle, particular care is taken in their disposal or destruction to ensure that the data stored on them is no longer accessible.
Tips:
- Ensure the physical safeguards used to protect the devices are appropriate to the sensitivity of the information stored on the device.
- Control access to secure storage areas or cabinets.
- Provide employees who remove portable devices, such as laptops, from the secure office environment with tools and instruction for securing them when they are in transit or at rest outside the office.
- Update physical security control practices regularly to take new tools and business practices into account.
- Conduct regular security reviews or physical inspections of assets containing personal information to ensure proper safeguards are implemented.
- Use disposal or destruction measures that are appropriate for the type of device and the sensitivity of the data stored on the device.
Key TBS policy: Operational Security Standard on Physical Security (OSSPS)
Technical controls
Technological tools should be applied to portable storage devices to ensure that sensitive information is protected from unauthorized access, disclosure, copying, use or modification. At a minimum, institutions should ensure that:
- All sensitive or personal information stored on portable devices is protected by an adequate level of encryption.
- Personal information is stored only on devices that have been issued by the institution and that meet the minimum security standards set out by the institution.
Tips:
- Choose technological controls appropriate for the device used and the sensitivity of the information stored on it.
- Train employees on how to apply technological safeguards, such as encryption, to portable devices.
- Provide guidance to employees on how to create strong passwords.
- Scan network drives regularly to detect unauthorized devices.
- Conduct regular security reviews or physical inspections of assets containing personal information to ensure proper technological safeguards are implemented.
Administrative controls
Institutions should set out procedural safeguards that outline how personal information stored on portable storage devices will be managed throughout its lifecycle. At a minimum, institutions should ensure that:
- Policies and procedures related to the protection of personal information stored on portable storage devices are being followed in day-to-day operations.
- Material management practices are used to inventory and monitor any assets that may be used to store or transmit sensitive personal information.
- Personal information and assets containing personal information are identified and marked according to the highest appropriate security level.
- Portable storage devices are used only as a last resort to store and transfer personal information.
Tips:
- Conduct Privacy Impact Assessments to help determine whether initiatives involving the use of personal information raise privacy risks and to ensure identified risks are mitigated.
- Conduct Threat and Risk Assessments with emphasis on privacy risks and concerns related to portable storage devices, and discuss how these concerns have been remedied or addressed.
- Update policies and procedures regularly to reflect day-to-day business activities and processes.
- Maintain a comprehensive inventory of portable devices, e.g. assign serial numbers to devices to ensure they can be tracked.
- Establish protocols for addressing loss or theft of portable devices containing personal information.
- Ensure that portable storage devices are not used as permanent storage repositories for personal information.
Personnel security controls
Policies are only effective if people put them into practice, so it is essential that employees are aware of and actively engaged in privacy and security protection. At a minimum, institutions should ensure that employees:
- Understand their roles and responsibilities for the management of personal information through its lifecycle.
- Understand their responsibilities for ensuring the physical security of personal information and assets containing personal information.
- Recognize the inherent risks in storing personal information on portable devices.
Tips:
- Provide regular, mandatory training covering security and privacy.
- Monitor employees’ use of portable storage devices containing personal information to ensure that policies and procedures are being implemented.
- Reinforce policies and procedures and the importance of putting them into practice daily through regular communication with employees.
Even the best policies and practices cannot eliminate risk entirely. Mistakes and errors will inevitably occur. Be sure that employees at all levels know what to do if something goes wrong. Privacy breaches need to be addressed immediately as per the TBS Guidelines for Privacy Breaches. In addition, the Office of the Privacy Commissioner of Canada has breach guidelines and a checklist that organizations can use to help ensure they have made the appropriate considerations in dealing with a possible privacy breach.