Privacy commissioner's office loses sensitive data
Unencrypted hard drive is believed to have gone missing in February
The Office of the Privacy Commissioner of Canada has lost an unencrypted hard drive containing salary information of about 800 current and former employees.
"This is humbling," said Chantal Bernier, interim privacy commissioner, in an interview Friday, after receiving the first draft of an internal review of the incident.
The main jobs of the federal privacy watchdog are to publicly scrutinize and criticize the privacy practices of other government departments and private companies, and to recommend privacy best practices.
What’s important is that we demonstrate accountability in how we handle the incident – that’s what we would expect of others.- Office of the Privacy Commissioner of Canada
The backup hard drive is thought to have gone missing on Feb. 14 when the office was moving from Ottawa to Gatineau, it was reported at a staff meeting on April 17.
Staff noticed the hard drive was missing in mid-March, and realized on April 9 that it contained personal information including names, employee numbers, and information about salaries and pay transactions for employees of the Office of the Privacy Commissioner of Canada and the Office of the Information Commissioner of Canada.
Data kept longer than it should have been
The information on the hard drive dates back 12 years, even though a government-wide policy says records of this kind aren't supposed to be kept for more than seven.
"This is one of the issues we are examining," said an information sheet to staff from the office's chief privacy officer, Andréa Rousseau.
Bernier was notified of the data breach on April 10. Bernier has been interim commissioner since Jennifer Stoddart retired in December.
According to Rousseau, the hard drive wasn't encrypted because its technology didn't allow that. "However," she wrote, "it can only be read with a specific software and with the technical knowledge to use it."
Police not called
It added that police have not been called because, "At this time, we have no reason to believe the drive was taken for malicious purposes."
Nor does the office think the information on the hard drive is enough to steal the identities of employees. But, just in case, it is asking Public Works and Government Services Canada to take extra measures to confirm the identities of current and former employees of the privacy commissioner's office.
The office said it didn't notify employees immediately because it wanted to spend some time looking for the hard drive and to be able to provide accurate information. It said it did not notify the media because it had not yet had the chance to inform all of the people affected.
Staff concerned about reputation
Bernier said that since staff members were notified of the breach on April 17, "our office's reputation is what they are concerned about."
In response to staff concern's about the effect on the office's credibility, Rousseau wrote, "We have a good relationship with the organizations we oversee. I hope they will continue to see us as reasonable, fair and balanced in our approach. What’s important is that we demonstrate accountability in how we handle the incident – that’s what we would expect of others."
Bernier said her office has gained a better understanding of how organizations respond to data breaches that she thinks will help it do a better job.
"I've already learned a lot," she said.
For example, she now understands what kind of delay is reasonable in notifying stakeholders about the breach, given the amount of time needed to figure out what data went missing and what happened to it, and who to notify about what.
When asked if other organizations should respond to data breaches the way her office is responding, she said, "We are obviously implementing the best practices that we have always put forward. In fact, we are holding ourselves to the highest standard. So yes, absolutely."
The privacy commissioner's office has responded to the draft internal review with a bunch of questions, Bernier said. The office is also arranging for an external review, which will be conducted by ad hoc privacy commissioner John Sims, retired deputy minister of justice and deputy attorney general of Canada, if he thinks it necessary.
Bernier said she hopes the reviews will reveal more details about what happened and what measures should be taken to correct the problem.