An investigation into the federal government's loss of personal information on over 5,000 Canadians has widened to include the Justice Department.
The loss of a portable data key containing information connected to Canada Pension Plan disability benefits was initially thought to involve only Human Resources and Development Canada, which administers the program.
But those who filed complaints to the privacy commissioner's office over the data breach are now being told the incident may have included another department.
"I wish to advise you that it has come to our attention that an employee from the Department of Justice Canada may also have been involved in the incident which resulted in the loss of the USB device," says the letter.
It goes on to inform recipients a complaint against the Justice Department was filed Jan. 28.
"Our office is therefore investigating both HRSDC and Justice Canada regarding the incident," says the letter, dated Feb. 14.
A Justice spokeswoman said the department is investigating as well.
"Administrative investigations are underway to determine all the facts surrounding this matter," Carole Saindon said in an email.
"The Department of Justice is part of the investigations. Justice Canada takes the protection of privacy seriously," she said.
"It would be inappropriate to comment further while the investigations are ongoing."
No mention of expanded search at committee
The same day as the letter, senior officials from the Human Resources Department were before a House of Commons committee testifying about the breach.
No mention was made of the possibility another department was involved.
The committee was told that USB key went missing Nov. 16, two days after it was loaded with unencrypted information on 5,045 people, including their social insurance number, medical conditions, level of education and jobs.
The key was handed to an employee working on a secure floor at Human Resources who used it the next day, but then couldn't find it.
The committee heard that the search for the missing stick included an employee's home and office, and even a taxi they had taken home the day after the stick was received.
It was never recovered.
Breach unrelated to student loan information loss
About 10 days earlier, an employee in a different division at Human Resources had also misplaced an external hard drive – that device contained student loan information on 583,000 Canadians.
That incident is also under investigation.
A spokeswoman for the privacy commissioner said at this point that investigation remains focused on Human Resources.
"We've opened a complaint against the Department of Justice in relation to the incident involving loss of the information stored on the USB key -- not in relation to the other (student loan info) breach," Anne-Marie Hayden said in an email.
Latest development adds wrinkle to lawsuit
The idea that officials within Justice were looking at people's medical files raises a host of new questions about what the government does with people's personal information, said one of the lawyers involved in a class-action lawsuit against the government.
"Nothing good comes of having the Department of Justice look at your CPP disability pension application information," said Ted Charney.
Charney said the possibility another department is involved could change the nature of the lawsuit.
"If it turns out that this personal information has been leaked to a department who shouldn't have received it, it's an additional breach of privacy," he said.
"The motives and purpose for that employee getting access to that information is of very significant concern to us."
Since the two incidents, Human Resources has banned the use of portable hard drives and unapproved USB sticks.
They have also installed new data loss protection software designed to keep better tabs on where and how data is being moved around the department.
"The incidents are unacceptable," Ian Shugart, the department's deputy minister told the committee earlier this month.
"Sensitive personal information was stored on unencrypted portable storage devices and not properly secured. This should not have occurred."