Yukon's information privacy commissioner wants to know what the territorial government is doing in the wake of last fall's data breach in B.C. involving millions of education records for B.C. and Yukon students.
Diane McLeod-McKay said she is disappointed by the Yukon government's response or lack thereof. "By this point I would have hoped to have seen a comprehensive investigation or a breach report provided to my office."
McLeod-McKay said there's been little contact between her office and the Yukon government since the B.C. education department lost a hard drive in September. The hard drive contained as many as 8,000 unencrypted Yukon student records, dating from 1986 to 2009.
"I need to be working more closely with the department of education on this issue. This breach occurred in September and we are now in January and I have very limited information at this point about what is happening on their end," McLeod-McKay said.
On Thursday, B.C.'s privacy commissioner Elizabeth Denham issued a report on the data breach. She found that several B.C. education department workers contravened a series of security policy directives and protocols by transferring information from the ministry server onto mobile hard drives, one of which was then lost.
Possibility of identity theft, fraud
"I'm troubled, obviously," said McLeod-McKay, reacting to the B.C. report. She said it's clear that having good policies and procedures in place isn't enough, there must also be good training and auditing of whether or not the policies are effective.
Even if the data breach was B.C.'s error, Yukon must take responsibility for the contracts it signs, according to McLeod-McKay. The Yukon student records were subject to a data sharing agreement between the province and territory.
"Of course it's up to the Yukon government to ensure that they're protecting the personal information of the Yukon students in this case," she said.
The lost hard drive included personal information, such as names, birth dates and addresses. It also included course marks, exam results and detailed graduation files for some students.
"The kind of information that was breached here, for the majority, is not highly sensitive personal information [but] there is the possibility of identity theft and fraud even with just the name, date of birth, and address," McLeod-McKay said.
She said people need to be notified that their personal information is out there.