Privacy commissioner raps B.C. for massive privacy protection failure
Privacy commissioner Elizabeth Denham along with children's representative Mary Ellen Turpel-Lafond have submitted a joint report to the B.C. legislature calling for a co-ordinated strategy to prevent online harassment (Adrian Wyld / THE CANADIAN PRESS)
VICTORIA -- British Columbia's Education Ministry lost personal information pertaining to 3.4 million students when staff breached security policies and misplaced a hard drive with data stretching back 30 years, an investigation has revealed.
Privacy commissioner Elizabeth Denham said in a report released Thursday that the ministry did not secure a portable hard drive when the information was transferred from computer servers in an effort to save on storage costs.
A series of actions put the information at risk, assistant commissioner Jay Fedorak said.
"The policies were good and it appeared that the employees were aware of the policies," he said in an interview. "They just didn't follow them."
"Policy is important, but policy alone isn't enough," Fedorak said. "It's important that there be adequate and effective training of staff and some compliance auditing or follow-up."
The lost information collected between 1986 and 2009 was mostly associated with students in British Columbia and Yukon.
It included names, addresses, dates of birth, gender, grades, schools, personal education numbers, graduation status, financial aid data and designations such as ESL or special needs.
A smaller number of records included more sensitive information, such as teacher retirement plans, education outcomes for student cancer survivors, health and behaviour issues and children in care.
The ministry discovered the drive missing last August, when a team of up to 50 bureaucrats began searching, to no avail. The Office of the Information and Privacy Commission was notified in September.
"They satisfied us they had looked in every box, in every desk, in every drawer, and they weren't able to find it," Fedorak said.
Investigators said the device could have been missing for as long as five years. After moving information off the server, staff failed to encrypt the device. Then they transferred it to a warehouse that wasn't equipped to secure information or keep track of devices for retrieval.
Denham made nine recommendations to strengthen the security of personal information, including encrypting all mobile data storage devices and maintaining accurate inventories of personal information.
"If this was actually a situation involving a cash loss of $3.4 million, I believe the government would take rapid, dramatic and decisive action to deal with the situation," she said in her report.
Education Minister Mike Bernier acknowledged the privacy breach as "unacceptable" and described the commissioner's assessment and recommendations as "fair and balanced."
"We sincerely apologize for any inconvenience this incident may have caused people," he said in a statement.
Bernier also said the government must do a better job of ensuring that public servants receive ongoing training. He said a formal review of the ministry's personal information management practices is underway.
Enhanced privacy policies will be introduced in the coming weeks, he said.
But Opposition New Democrat education critic Rob Fleming said he's not convinced the government's actions will fix deeply rooted privacy problems. He pointed to other breaches that have occurred in the health and forests ministries.
"(This is) bad decision making in a crisis-like environment, I think, created by B.C. Liberals cuts in the Ministry of Education and elsewhere."
The commission will follow up in three months to determine the extent to which the ministry has implemented the recommendations. It will also conduct an audit of privacy training.