A Calgary woman who complained to the privacy commissioner after a USB key with her personal information disappeared from a federal government office says she is not satisfied with the outcome of the investigation.

Melaney Ellingson was trying to get Canada Pension Plan disability benefits when a key containing her health records and social insurance number (SIN) — as well as personal information from more than 5,000 other Canadians — went missing in 2012. 

It has never been recovered.

"We're put at risk of identity theft and fraud because of what they have done," she said. "I'm at risk for the rest of my life unless the find that USB key."

The incident happened at the offices Human Resources and Skills Development Canada (HRSDC) — since renamed Employment and Social Development Canada (ESDC) — while it was in the possession of an in-house Department of Justice (DOJ) lawyer. 

Ellingson complained to the federal privacy commissioner.

Complaint well-founded, says commissioner

In a letter this month to Ellingson, commissioner Daniel Therrien told Ellingson her complaint is well-founded.

Therrien said his office concluded that while both ESDC and the DOJ had appropriate policies in place to protect personal information, both departments “failed to translate its own privacy security policies into meaningful business practices.”

While the USB key was not password-protected or encrypted, there is no evidence the information was accessed or used for fraudulent purposes. However Therrien said the incident demonstrated both departments failed to implement appropriate safeguard and “created a significant potential for unauthorized access” to personal information.

Both departments conducted independent, formal investigations of the incident, Therrien noted.

The commissioner told Ellingson that his office recommended both ESDC and the DOJ implement a number of new security measures to prevent a similar incident from happening. Both departments agreed and have begun action plans, he said.

The privacy commission says it will provide free credit and identity protection services for six years to all of the people affected by the security breach, and the incident will be mentioned in the privacy commissioner's annual report expected in October.