A portable computer hard drive containing the personal information of more than 500,000 student loan recipients was left unsecured for extended periods of time by government employees and was not protected by a password or encryption, Canada’s top privacy watchdog says.

In a report tabled in Parliament on Tuesday, interim federal privacy commissioner Chantal Bernier detailed the various security procedures Employment and Social Development Canada failed to follow when dealing with the confidential information -- failures she said should serve as a lesson for every public sector department and agency.

The report says the ESDC hard drive went missing in 2012. It contained the personal information -- including social insurance number, name, date of birth, home address, telephone number, loan amounts and balances -- of 583,000 Canada Student Loans Program borrowers from 2000 to 2006.

The hard drive also included the gender, language and marital status for some borrowers, as well as information on about 250 ESDC employees.

The ESDC subsequently reported the hard drive missing to the Office of the Privacy Commissioner of Canada, and an investigation began in January 2013.

The privacy commissioner’s report says that the ESDC has found no evidence that the personal information stored on the hard drive has been accessed or used for fraudulent purposes. But the results of that investigation show that numerous security procedures were not properly followed and that ESDC employees had contravened sections of the Privacy Act “related to the use, disposal and disclosure of personal information.”

“The report concludes that a gap between policies and practices at ESDC led to weaknesses in information management controls, physical security controls, and most importantly, the level of employee awareness of departmental policies and procedures,” a summary of the privacy commissioner’s report says.

Gov’t ‘failed’ Canadians

Rodger Cuzner, Liberal critic for Employment and Social Development Canada, said the report “made it pretty clear that the government failed almost 600,000 Canadians because they didn’t follow their own policies.”

“That is very disturbing given that this department manages personal information on millions of Canadians from Employment Insurance to Canada Pension,” Cuzner said in a statement on Tuesday. “Policies are not worth the paper they are written on if they are not followed.”

While ESDC policy required portable storage devices such as hard drives to be stored in a lockable filing cabinet when not in use, the report says that the hard drive was often left unsecured for extended periods of time. Even when it was stored in a filing cabinet, the report goes on to say, the cabinet was in an open cubicle and often not locked. The report says ESDC did not record the serial number of the hard drive and that “no specific employee was assigned responsibility for its custody.”

ESDC also did not classify the hard drive as “a high-level threat to privacy,” and neither “password protection nor encryption were implemented to protect the sensitive information on the portable hard drive.”

The privacy commissioner’s investigation also revealed that ESDC did not track which employees used the device, or know the exact contents of the portable drive at the time it went missing.

ESDC staff lacked a “clear understanding of the information content on the hard drive,” as well as “sufficient awareness about information stewardship, security responsibilities, IT controls and privacy threats, all areas covered by department policies,” the report says.

“This incident should serve as a lesson for all organizations,” Bernier said in a summary of the investigation. “Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly.”

The report said that ESDC has accepted all of the privacy commissioner’s recommendations. They include:

  • Severely restricting the use of portable storage devices and introducing computer software that blocks the use of any such devices on desktop computers without specific authorization;
  • Periodically examining portable storage devices to make sure they are being used properly;
  • Reviewing all materiel holdings, disposing of transitory records and classifying remaining records at the appropriate security level; and
  • Mandatory employee training every two years on the protection of personal privacy.

The report also says the Office of the Privacy Commissioner will conduct a follow-up in one year to confirm ESDC’s progress in the implementation of the commissioner’s recommendations.