The loss of a hard drive containing the personal information of nearly 600,000 Canada Student Loans Program borrowers happened last year because government employees simply were not following the rules, according to a report from Canada’s top privacy watchdog, released Tuesday.
Federal privacy commissioner Chantal Bernier’s investigation took over a year, and started after a one-terabyte drive was reported missing from the offices of Employment and Social Development Canada (ESDC) in November 2012. The drive had no password protection or data encryption, and its contents included the names, dates of birth, addresses, and social insurance numbers of people who had received loans between 2000 and 2006. It may also have contained other sensitive information, such as gender, marital status and loan amounts.
After an intensive search that included forensic IT specialists and the RCMP, the hard drive has still not been located. It is still not known whether the disappearance was a result of human error or malicious intent.
The commissioner’s report said that ESDC “failed to translate its own privacy and security policies into meaningful business practices,” which in practice meant that the missing device was left unsecured and unsupervised for extended periods of time. Workers at the ESDC lacked proper training and displayed a lack of understanding as to how sensitive the information was.
“This is, in fact, not unique to ESDC, but rather a pattern where we see organizations public or private endorsing, adopting, using fully new technologies without developing the commensurate safeguards,” said Bernier in an interview with the Vancouver Sun.
The privacy commissioner made ten recommendations to prevent such incidents going forward, and all ten either have been or will be implemented by the ESDC.
The ESDC began its investigation by trying to directly contact everyone affected for whom they still had up-to-date information. It opened a telephone hotline, and began a public awareness campaign in June 2013. The ESDC reports that no incidents of fraud, identity theft, or other malfeasance have been connected to the lost hard drive, based on analytic reports from Equifax and the Social Insurance Register.
Amanda Paiva, who was a student at the University of Toronto from 2005 to 2007, is one of the affected loan recipients. She received a letter from the government last summer, informing her that her information had been compromised. “I understand that mistakes happen,” she said, “we all make them in our jobs, but you would think that when you are in charge of things that affect other people, you would be more careful.”
Paiva was told by the ESDC to check her credit report every year, and notify them in case of any irregularities.
With files from the National Post.