The Office of the Privacy Commissioner of Canada has released
its Report of Findings from a year-long
investigation into a significant incident involving the loss of
personal data at the former Ministry of Human Resources and Skills
Development Canada (HRSDC).

In late 2012, an employee of HRSDC discovered the loss of an
external hard drive containing the personal information of 583,000
Canada student loan borrowers and 250 employees. The external hard
drive was a 1 terabyte external drive that was being used to back up
information prior to the migration of information on HRSDC's
network. According to the Report of Findings, the backup was
unnecessary to the migration but was conducted as a risk mitigation

However, this "workaround" created significant risks
for HRSDC. Remarkably, the drive was not encrypted or even password
protected. Nor was the drive inventoried by serial number. The
drive was not stored in a vault. Instead, the hard drive was stored
frequently, but not always, in a lockable filing cabinet located in
an employee's cubicle, in an envelope, hidden under suspended
Although HRSDC had many sound policies, there were significant
gaps in practices. Among the notable observations and
recommendations in the report and accompanying guidance are:

Privacy impact assessments and threat risk assessments are
critical elements of an accountability framework. They should be
conducted for the use of portable storage devices.

Portable storage devices should only be used as a last resort
for the storage or transfer of personal information. They should
not be used as permanent storage.

Portable storage devices used for personal information should
be protected by strong technological safeguards, such as

Assets, such as portable storage devices, that are used to
store personal information should be inventoried, monitored and

Organizations should verify compliance with policies regarding
safeguards by periodically conducting security reviews, including
physical checks to ensure that the portable storage device is being

Organizations should scan networks for unauthorized

The Report of Findings may be found here. A Fact Sheet containing Tips for Federal
Institutions Using Portable Storage Devices may be found here. Although the Fact Sheet is directed at
governmental agencies, it has broader application under the
OPC's Accountability Guidelines released last year
in conjunction with the Information and Privacy Commissioners of
Alberta and British Columbia.
Dentons is a global firm driven to provide you with the
competitive edge in an increasingly complex and interconnected
marketplace. We were formed by the March 2013 combination of
international law firm Salans LLP, Canadian law firm Fraser Milner
Casgrain LLP (FMC) and international law firm SNR Denton.