British Columbia

BC Pension Plan warns 8,000 people about privacy breach after box goes missing

The box contained microfiche with personal information of College Pension Plan members who worked from 1982 to 1997. Some of the information includes, names, social insurance numbers and dates of birth.

Box contained microfiche with personal information of College Pension Plan members from 1982 to 1997

The B.C. Pension Corporation declared a privacy breach after an employee reported that a box of microfiche was missing following a recent office move. (CBC)

About 8,000 College Pension Plan members are receiving notification from the B.C. Pension Corporation that their personal information may be at risk after a box went missing during an office move earlier this year. 

The box contained microfiche with personal information of members who worked from 1982 to 1997. Some of the information includes, names, social insurance numbers and dates of birth.

"We did an extensive search and because we couldn't find it, we took the safe route and declared a breach," said Sherry Sheffman with the B.C. Pension Corporation. 

BC Information and Privacy Commissioner Michael McEvoy said in a statement that the breach was discovered in October of 2018, after the corporation moved offices in September. However, the public body did not report the missing personal information to his office until March 8.

"The recent breach of personal information at B.C. Pension Corporation clearly demonstrates why British Columbia requires mandatory breach notification," said McEvoy.

"With mandatory breach notification in place, public bodies and organizations would be required to report breaches or suspected breaches to my office within days of discovery. In this case, the BC Pension Corporation would have been required by law to report the breach in October."

Low risk, says pension corporation

Microfiches were used before the new payroll system was implemented, and are maintained for archival purposes for data prior to 1999, said Sheffman. 

Since the data is in a microfiche and non-digital format, the pension corporation considers the breach low risk, Sheffman told Daybreak South's Christine Coulter.

"The microfiche is very, very difficult almost impossible to read without special equipment and it's difficult to convert to a medium that could be used online," she said.

High risk, says FIPA

However, Sara Neuert, executive director of the B.C. Freedom of Information and Privacy Association, feels otherwise.

"I would not say that this is a low risk. I think this is a really high risk. In a province where we're fighting such crime as money laundering, the government should be stepping forward and trying to take that stand and protect people's data a little bit more," said Neuert.

"To have microfiche out there where anyone who is ingenious enough to figure out how to access what data is on there I think is very high risk. And the fact that 8,000 people have been affected by this breach I think is really staggering."

The association wants the province to update the Freedom of Information and Privacy Act to give the privacy commissioner more oversight, so there are penalties for future breaches, said Neuert.

"This is a public body and I think the government needs to step up and update our legislation in a way that will protect people out there."

'This really isn't acceptable,' says affected member

West Kelowna resident Pamela Stevens is one of the affected members who received a letter dated March 29, informing her of  the privacy breach. 

"I couldn't believe that it actually had happened. You know this really isn't acceptable," said Stevens.

"The information is out there and there are people that wait around for these things to happen to get people and to use their cards and information to misuse it."

Since the breach, the pension corporation has placed additional security and controls on microfiche records, said Sheffman.

"To protect members from potential unauthorized access, the corporation has enlisted services of a private cyber-security firm to do a search and determine if any information was at risk," said Sheffman. 

"To date there is no evidence of any malicious players."

with files from Brady Strachan, Christine Coulter and Daybreak South


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?