The Office of the Privacy Commissioner of Canada has released its Report of Findings from a year-long investigation into a significant incident involving the loss of personal data at the former Ministry of Human Resources and Skills Development Canada (HRSDC).
In late 2012, an employee of HRSDC discovered the loss of an external hard drive containing the personal information of 583,000 Canada student loan borrowers and 250 employees. The device was a 1 terabyte external drive that was being used to back up information prior to the migration of information on HRSDC’s network. According to the Report of Findings, the backup was unnecessary to the migration but was conducted as a risk mitigation measure.
However, this “work around” created significant risks for HRSDC. Remarkably, the drive was not encrypted or even password protected. Nor was the drive inventoried by serial number. The drive was not stored in a vault. Instead, the hard drive was stored frequently, but not always, in a lockable filing cabinet located in an employee’s cubicle, in an envelope, hidden under suspended files.
Although HRSDC had many sound policies, there were significant gaps in practices. Among the notable observations and recommendations in the report and accompanying guidance are:
Privacy impact assessments and threat risk assessments are critical elements of an accountability framework. They should be conducted for the use of portable storage devices.
Portable storage devices should only be used as a last resort for the storage or transfer of personal information. They should not be used as permanent storage.
Portable storage devices used for personal information should be protected by strong technological safeguards, such as encryption.
Assets, such as portable storage devices, that are used to store personal information should be inventoried, monitored and tracked.
Organizations should verify compliance with policies regarding safeguards by periodically conducting security reviews, including physical checks to ensure that the portable storage device is being safeguarded.
Organizations should scan networks for unauthorized devices.
One of the issues not addressed in detail in the Report of Findings or the accompanying guidance is the root causes for the use of portable storage devices. In this case, it is not clear that the use of the external hard drive was necessary as a precaution against loss of data. The benefit of subjecting work processes and technologies to a privacy impact assessment or threat risk assessment is that the organization is more likely to examine the privacy and security issues in a systemic way that will reveal the root causes for the use of media such as portable storage devices. For example, are they being used because of a lack of trust or understanding about the migration or backup of data? Is it because remote access is not available or unreliable? Are there IT infrastructure limitations that should be addressed?
The Report of Findings may be found here. A Fact Sheet containing Tips for Federal Institutions Using Portable Storage Devices may be found here. Although the Fact Sheet is directed at governmental agencies, it has broader application under the OPC’s Accountability Guidelines released last year in conjunction with the Information and Privacy Commissioners of Alberta and British Columbia.