HRSDC apologizes for losing personal info on half a million Canadians
The federal government is facing a third class-action lawsuit over a privacy breach involving more than a half-million Canadian student loan borrowers.
Stephanie Levitz , The Canadian Press
Published Thursday, February 14, 2013 12:40PM EST
Last Updated Thursday, February 14, 2013 3:14PM EST
OTTAWA -- We're sorry -- and we're trying to make sure it never happens again.
That was the message Thursday from senior federal bureaucrats responsible for the loss of personal information belonging to more than half a million Canadians.
Employees at Human Resources and Skills Development Canada lost an external hard drive and USB key in November, resulting in the massive privacy breach.
"Sensitive personal information was stored on unencrypted portable storage devices and not properly secured. This should not have occurred," said Ian Shugart, a deputy minister with the department.
"On behalf of Human Resources and Skills Development Canada, I say to the committee, I apologize for these incidents. "
Most of the people affected participated in the Canada Student Loan program between 2000 and 2007, though information belonging to participants in other programs -- as well as government staff -- was also compromised.
Both the RCMP and privacy commissioner are now investigating and at least three class action lawsuits have been launched.
A trio of bureaucrats from the department appeared before a House of Commons committee Thursday to give their account of what happened.
After the hard drive vanished on Nov. 5, officials spent a month scouring offices in Gatineau, Que., both searching for the missing device and trying to figure out what data was on it, Shugart said.
"We were being diligent about the search, when we came to the conclusion, the strong supposition that the material was not likely to be found, we continued even after to that to search exhaustively, " he said.
But when they realized that the social insurance numbers, birthdays and account balances of some 583,000 people had gone missing, Shugart said they immediately notified the privacy commissioner, began alerting those affected and launched an internal investigation.
Meanwhile, another search had already been launched for a USB key that went missing some 10 days earlier. That device contained social insurance numbers, birthdays and information on medical conditions for about 5,000 people. In that instance, it only took six days for the privacy commissioner to be warned.
MPs wondered why, in the case of the hard drive, it seemed to take so long to let Canadians know their personal information had been lost.
"You describe the actions as swift, you acted swiftly, but November 5 this first hard drive went missing and there wasn't a formal investigation launched until the first week of January," said NDP MP Ryan Cleary.
"How can you describe that as swift?"
Shugart said the officials were simply following their own rules.
"I don't want to be misunderstood as in any way saying that what occurred is acceptable -- it wasn't -- but with the information we had at the time we had it, we believe we acted appropriately with respect to our protocols."
In neither case is criminal behaviour suspected, Shugart added.
"We encountered no evidence of malfeasance and none of the monitoring that has been done since has given us any reason to believe that malicious activity has been undertaken."
In the wake of the two losses, the government has arranged for those affected to have access to credit protection packages via the credit reporting service Equifax.
About 50,000 people have enrolled so far, the bureaucrats said.
They've also fielded calls from about 200,000 people concerned about their data, and say about 65 per cent were caught up in the loss.
Since the two incidents, the department has banned the use of portable hard drives and unapproved USB sticks. They have also installed new data loss protection software designed to keep better tabs on where and how data is being moved around the department.
The ongoing internal investigation means no disciplinary action has yet been taken against the employees responsible for the data loss, though existing policies suggest they could lose their jobs.
Human Resources was responsible for 19 out of 80 privacy breaches by government departments reported to the privacy commissioner's office last year.
The majority of the 80 were due to human error, the commissioner's office reported.
Shugart said his department's aim is to get that number down to zero.
"Human beings run the system; there can never be any absolute fail-safe," he said.
"But in terms of that human culture, we want to be an organization that is excellent in everything that we do and individuals know their part in the larger scheme of things and they will handle Canadians information carefully, sensitively and accordingly to the rules."