Canada's interim privacy commissioner says the government didn't follow its own policies to protect sensitive data of more than 583,000 student loan recipients.

A report tabled in Parliament Tuesday says the disappearance of a portable hard drive containing personal information of over 500,000 Canadians was the result of the device being left unsecured, without password protection or encryption. The report also points out that employees were not aware of the sensitivity of the information on the device.

"Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly," interim commissioner Chantal Bernier says in the report.

The investigation was launched in January 2013, after Employment and Social Development Canada reported the hard drive had been missing for two months. It contained the Social Insurance number, name, date of birth, home address, telephone number, loan amounts and balances for more than half a million student loan recipients from 2000 to 2006.

The government department was never able to find the device, but says there is no evidence that personal information on the hard drive has been used for fraudulent purposes.

Hard drive loss 'completely unacceptable'

A spokesperson for Employment and Social Development Canada says the loss of the hard drive was "completely unacceptable." 

"The department has taken action to prevent future incidents including: reviewing the ways that employees handle Canadians’ data and fix any gaps that allowed this to happen, updating network security practices to prohibit external hard drives, and providing more mandatory training for all employees on the proper handling of sensitive and personal information — and the new security policies," Eric Morrissette says. 

Bernier recommended:

  • Severely restricting the use of portable storage devices and introducing system software which blocks unauthorized use of such devices on desktop computers.
  • Periodically examining portable storage devices to ensure they are being used solely for legitimate reasons.
  • Reviewing holdings, disposing of transitory records and classifying remaining records at the appropriate security level.
  • Mandatory training on personal privacy protection and testing every two years.

The department says it has implemented most of the recommendations and will have all implemented by the fall. The commissioner plans to followup in a year to gauge the department's progress.

The vast majority of federal data breaches last year were not reported to the privacy commissioner, said Charmaine Borg, the NDP digital issues critic.

"Government departments tend not to divulge data breaches to the commissioner, or to the people affected by the breach," Borg said.

"We need a system that requires people to be notified when their data has been breached. Canadians deserve to know when their personal data has been lost by the government.”

Rodger Cuzner, the Liberal critic for employment and social development, questioned what good it would do to have new security policies in place if they aren't followed.

He also said the government should have been more forthcoming with the people that were affected by the privacy breach by providing a full list of the personal information that was compromised.

“It is unacceptable for the government to decide on behalf of a victim what information is important for them to know in order to protect themselves," Cuzner said in a written statement.

With files from The Canadian Press