Privacy watchdog may audit gov’t departments after Ottawa loses student data

The privacy commissioner’s office is considering an audit of select government departments after a federal agency lost personal information of more than half a million student-loan borrowers.

Assistant privacy commissioner Chantal Bernier says her office may audit departments that have large volumes of sensitive data after conducting an investigation into the loss of a portable hard drive containing files of 583,000 people who held student loans from 2000 to 2006.

Human Resources and Skills Development Canada said last week that the missing device contains student names, social insurance numbers, birth dates, loan balances and contact details, but not the borrowers’ banking information. Personal contact information of 250 department employees was also on the hard drive.

Student-loan borrowers from Quebec, Nunavut and the Northwest Territories are not affected.

The RCMP is also looking into the matter.

Meanwhile, a Newfoundland lawyer said this week he plans to file a class-action lawsuit against the federal government on behalf of students wishing to pursue legal action.

In an interview with CTV Atlantic, Bernier said she hopes the hard drive has not fallen into the wrong hands.

“That is what everyone hopes, of course,” she said.

She said a possible audit of other government departments will look at how sensitive data is stored on portable hard drives, USB keys and mobile devices.

“Do they have the right policies to ensure their safety? That’s another angle to look at the systemic issues at hand here,” Bernier said.

Bernier said the national privacy watchdog is trying to determine “exactly what happened and why it happened” when the hard drive went missing from HRSDC’s Gatineau, Que. office.

Even when strict data-storage policies are in place, human error is the main cause of privacy breaches, she said.

Bernier said it’s difficult to assess the risk to affected student-loan borrowers because no one knows what happened to the data.

“We don’t know where that hard drive is. Is it in the wrong hands, or is it just in the wrong place? So when we have more on that, then we’ll be able to see exactly the risk that’s been created.”

Human Resources Minister Diane Finley has called the privacy breach “serious” and “unacceptable.”

She requested last week that all departmental employees participate in mandatory training on a new security policy, which bans portable hard drives and unapproved USB keys.

HRSDC said it will send out letters to all those affected -- if the department has their current contact information.

Others can call a toll-free number, 1-866-885-1866 (or 1-416-572-1113 for those outside North America) to find out if their files were on the missing hard drive.

“I think, already, a big consequence has been loss of trust,” Bernier said. “I think if you look at the reaction of Canadians, they are shaken in their trust. That, of course, is a huge consequence for the department.”

One digital security expert says the Canadian government has a lot of catching up to do when it comes to safeguarding sensitive information.

“What I can comfortably say is that Canada is five-plus years behind our U.S. colleagues,” Tony Busseri, CEO of Route1 Inc., told CTV’s Power Play.

He said data security in the private sector is not much better.

“Canada as a whole, whether it be a Fortune 100 (company), whether it be our federal or provincial governments, we’re just flat-out behind what best practices are,” Busseri said.

With a report from CTV Atlantic