Who’s Minding The Store?


Late last week, the office of the Privacy Commissioner of Canada announced a major breach within its own office with the loss of an unencrypted hard drive containing sensitive personal information relating to over 800 of its current and past employees.  The loss provides a test to Interim Privacy Commissioner Chantal Bernier, who recently took over the top job on an interim basis from departing Commissioner Jennifer Stoddart.

The Privacy Commissioner’s office announced that the information first went missing in mid-February during an office move, and that the breach was discovered in mid-March. It was not until early April that it was determined that the hard drive contained sensitive financial information, including salaries. Adding insult to injury, some of the missing personal information dated back 12 years. It is not clear what retention period should have applied to the data. Under the regulations made under the Privacy Act, the Commissioner would be required to retain the personal information for at least two years. Indefinite retention would be contrary to best practices; however, depending on the exact nature of the records, the Privacy Commissioner may be constrained by the Library and Archives of Canada Act from destroying the information without the permission of the Librarian and Archivist. Likewise, the Office of the Information and Privacy Commissioner of Ontario operates under different obligations. In any event, this lengthy retention raises questions about appropriate retention periods and whether the information ought to have been securely destroyed once the applicable retention period expired.

In fairness to the Commissioner’s office, it believes that the missing information is not accessible without specialized software and technical knowledge, and that the information cannot be used for identity theft. Since the drive was unencrypted, however, that assurance rests on the format of the files rather than on any cryptographic control. It may also be a concern to Canadian entities bound by the Personal Information Protection and Electronic Documents Act, as well as the Privacy Act, to learn not only that the breach occurred, but that the Commissioner’s office did not notify employees or the media immediately and did not file a police report. On the good news front, Commissioner Bernier has stated that the breach gives her better insight into how much time is reasonable for an organization to investigate a possible breach before taking action.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
