privacy commissioner's report into student loan harddrive loss
Post on 03-Jun-2018
222 Views
Preview:
TRANSCRIPT
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
1/27
Special Report to Parliament
Findings under the Privacy Act
Investigation into the loss of a hard drive at
Employment and Social Development Canada
March 25, 2014
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
2/27
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec
K1A 1H3
Minister of Public Works and Government Services Canada 2014
IP54-56/2014E-PDF978-1-100-23322-2
Follow us on Twitter: @PrivacyPrivee
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
3/27
Contents
Investigation into the loss of a hard drive at Employment and
Social Development Canada .................................................................................................... 1
Complaint Under the Privacy Act............................................................................................. 1
Introduction ............................................................................................................................. 1Background ............................................................................................................................. 1
Methodology ............................................................................................................................ 2
Summary of Facts ..................................................................................................................... 2
ESDCs Act ions Following the Incident................................................................................... 4
Appl ication ................................................................................................................................ 9
Analysis ..................................................................................................................................... 9
I. Physical Controls ............................................................................................................ 10
II. Technical Controls .......................................................................................................... 11
III. Administrative Controls ............................................................................................... 12
IV. Personnel Security Controls ........................................................................................ 13
Findings ................................................................................................................................... 14
Recommendations .................................................................................................................. 15
Other Observations ................................................................................................................ 21
Conclusion .............................................................................................................................. 22
Additional Information ............................................................................................................ 23
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
4/27
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
5/27
1
Investigation into
the loss of a hard
drive at
Employment andSocial Development
Canada
Complaint Under the
Privacy Act
Introduction
1. This Report of Findings relates to aCommissioner-initiated complaint againstEmployment and Social DevelopmentCanada (ESDC), formerly HumanResources and Skills Development Canada(HRSDC), in relation to the loss of anexternal hard drive (the incident)
containing the personal information of583,000 Canada student loan borrowers,and 250 ESDC employees.
Background
2. On December 17, 2012, ESDC verballynotified our Office of the incident. Formalwritten notification was subsequentlyreceived from ESDC on January 7, 2013.
3. ESDCs written notification advised that theexternal hard drive contained personal
information dated from 2000-2006 forCanada Student Loan borrowers, including:Social Insurance Number (SIN), first name,last name, date of birth, home address, andtelephone number. ESDC subsequentlyinformed our Office that the external harddrive also included student loan balanceinformation. In addition, the external harddrive contained employee information froma Business Continuity Plan fan out list. Thisinformation included first name, last name,home address and home phone number
and/or cell phone number.
4. Upon receipt of the notification from ESDC,we determined that there were reasonablegrounds for a Commissioner-initiatedcomplaint against the Department toascertain whether there has been acontravention of the Privacy Act.
5. Accordingly, the Office of the PrivacyCommissioner of Canada (the OPC)initiated a complaint against ESDC onJanuary 11, 2013, pursuant to subsection29(3) of the Privacy Act (theAct).
6. The OPCs investigation focused on theincident in relation to the disposal, use anddisclosure provisions of theAct.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
6/27
2
Methodology
7. Our investigation examined thecircumstances surrounding the incident, aswell as ESDCs policy framework in orderto identify the degree of conformity with the
applicable Government of Canada privacy-related policies, and whether theDepartmental policies and procedures thatwere in place at the time of the incidentwere sufficient and effectively implemented.
8. To this end, we reviewed therepresentations received from ESDC inrelation to the incident, and ourinvestigation entailed interviews with keyemployees identified as having access tothe missing external hard drive, as well as
a site visit to ESDCs Canada StudentLoans Program (CSLP) Unit, and meetingswith Departmental officials.
Summary of Facts
9. The CSLP promotes accessibility to post-secondary education for students with ademonstrated financial need by loweringfinancial barriers and ensuring Canadianshave an opportunity to develop theknowledge and skills to participate in theeconomy and society. With theseobjectives in mind, the CSLP offers a suiteof student financial assistance programsand services, including student loans forfull-time and part-time students, non-repayable grants, and repaymentassistance measures for borrowers whoexperience difficulty repaying their loans.
10. The investigation confirmed that, onNovember 5, 2012, an employee of the
CSLP Unit went to retrieve an externalhard drive from a filing cabinet and noticedthat it was missing.
11. According to ESDCs representations, thehard drive was stored in a lockable filingcabinet located in that employees cubicle,in an envelope, hidden under suspendedfiles.
12. ESDC reported that the external hard drive
was a 1 terabyte (TB) Seagate GoFlex. Itwas not password protected, nor was theinformation contained on it encrypted. Theserial number of the hard drive remainsunknown.
13. According to ESDC, the external harddrive was used to backup information inpreparation for the migration of informationfrom the T drive to the U drive on theDepartment's network. The migration ofinformation was performed by the
Innovation, Information and TechnologyBranch (IITB) on October 12, 2012.
14. ESDC confirmed that the IITB was notinvolved in the backup of information onthe hard drive, as the hard drive was nottechnically necessary for the datamigration. The hard drive was only usedas a risk mitigation measure by the CSLPto protect against inadvertent loss ordeletion of the files during the migration.
15. By way of background, ESDC confirmedthat the data migration project started in2011 by the Operational Program SupportDivision (OPSD). The OPSD became theProgram Integrity and Accountability (PIA)Division in the fall of 2011. The PIADivision provides stewardship to the CSLPthrough leadership in planning, reporting,portfolio management, accountability,program integrity and compliance, as wellas administrative services for the CSLP,including finance, human resources,financial and information management,security and accommodations.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
7/27
3
16. Following a comprehensive review of thefiles and folders on the Departmentsnetwork that were identified for themigration project, ESDC informed ourOffice that the following data files werecompromised by the loss of the externalhard drive, each of which is described in
more detail below:
Files pertaining to client satisfactionsurveys;
Files containing investigation reports;
Files containing CSLP financial,business plan and Human Resourcesinformation;
Files containing Business Continuity
Planning information.
17. Notwithstanding the above, as the harddrive is missing, ESDC submits that thereis no way to conclusively identify whatinformation was in fact backed up to thehard drive.
Client Satisfaction Surveys
18. The CSLP conducts an annual survey totrack experience and satisfaction with
CSLP service delivery for in-studyborrowers and those borrowers inrepayment. The survey is also used tomeasure satisfaction with service deliveryby the National Student Loans ServiceCentre (NSLSC), and helps the CSLPbetter understand the client population.The PIA Division is responsible for theclient satisfaction survey on behalf of theCSLP.
19. ESDC reported that some of the
information contained on the hard drivestems from files associated with theCSLP's client satisfaction surveys thatwere conducted in 2004-2005, 2005-2006,and 2006-2007. ESDC subsequentlyconfirmed that some of the affectedborrowers fall beyond the survey yearsinitially reported, up to and including thedisbursement year 2012.
20. In addition to the seven pieces of personalinformation described by ESDC in itsnotification to our Office, the files relating toclient satisfaction surveys may have alsoincluded the following fields of informationin relation to borrowers:
Loan certificate number, loan ID number,loan class (whether the borrower is in study,
or in repayment), whether the borrower had
direct contact with the Service Provider, the
name of the education institution that the
borrower attended, the borrowers gender,
language, marital status, the province that
issued the loan, the type of loan (e.g. part
time loan), years of study, end of study
date, loan interest rate, loan interest type,
the date the loan was issued, the
disbursement date, the federal loandisbursement amount, the student loan
consolidation date, whether the borrower is
active (borrower sent in consolidation
agreement), or passive (borrower did not
submit consolidation agreement), the type
of loan (eg. full-time direct, part-time direct,
integrated), delinquency flag (identifies
whether the borrower is in delinquency), the
delinquency date, a paid in full indicator,
the outstanding balance on the loan, fax
number.
21. ESDC submits that not all information fieldswere populated for each borrower. Thepersonal information of the affectedindividuals on the external hard drive wascontained within different data files and, assuch, the number of information fieldsfound within these files varied.
Investigation Reports
22. We confirmed that the investigationreports, described by ESDC as part of theinformation content on the hard drive referto the administrative investigations thatwere undertaken to confirm the eligibility ofa number of students for the CSLP,including loans, grants, and repaymentassistance.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
8/27
4
23. ESDC submits that the following dataelements were included in a series ofworking documents that itemized theindividuals being reviewed for eligibility:clients name, address, SIN, date of birthand loan amount.
24. Our review confirmed that the hard drivemay have also included the following fieldsof information in the investigation reports:
Canada student loan number, amount paid
(including interest), amount paid to principal
only, and status (this indicates whether it is
paid in full; there is no account activity; the
loan was referred to legal for civil action; the
individual declared bankruptcy or is
deceased; or the loan is resolved).
25. ESDC submits that not all fields werepopulated in relation to each of the 583,000borrowers affected by the breach, as not allof these borrowers were the subjects ofinvestigations for the purposes of programeligibility.
CSLP Financial, Business Plan and HRInformation
26. Our investigation confirmed that this
information refers to documents thatcapture both CSLP financial and work planactivities that are undertaken on an annualbasis in order to assign resources and workfor a given fiscal year within the program.Consequently, no personal information wascaptured in these files.
Employees Personal Information forBusiness Continuity Planning
27. Further to paragraph 3 of this Report,
ESDC reported to our Office that theexternal hard drive also containedemployee information from a businesscontinuity plan fan out list.
28. We confirmed that a fan out list is used tocontact employees in the event of anemergency situation which interrupts theirwork, such as a building shutdown. The fanout list is an evergreen document; it isupdated regularly to ensure that theinformation is accurate, and to reflect
changes in personnel.
29. ESDC confirmed that 250 Learning Branchemployees were affected by this incident.The information contained in the fan out listincluded the employees first name, lastname, home address, home telephonenumber, and, in some cases, cellularphone number.
ESDCs ActionsFollowing the
Incident
30. As part of its submissions to our Office,ESDC provided a comprehensive report ofthe chronology of actions taken to respondto the incident, including details of theoffice sweeps and building searches,
meetings organized with staff, thecommuniqus to staff, the preliminaryinterviews that were conducted with theemployee who reported the harddrive missing, and others identified ashaving access to the hard drive, as well asthe steps taken by IITB to locate, scan andreview external hard drives located in thebuilding and other locations in the NationalCapital Region.
31. We highlight the following dates fromESDCs representations:
On November 5, 2012, the employeesmanager was notified of the missingexternal hard drive and search effortsensued;
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
9/27
5
On November 22, 2012, the Director ofthe CSLP was notified of the incidentand additional search efforts wereinitiated, including communication withall staff;
On November 26, 2012, the Director of
the CSLP was advised of theinformation content on the externalhard drive and proceeded to advisesenior management of a potentialprivacy incident;
On November 29, 2012, the SecurityIncident Report was signed off by theDirector of the CSLP. The RegionalSecurity Office (RSO) initiatedadditional searches and sweeps of theoffice area and building, and also
interviewed the employee who reportedthe incident, and three formeremployees;
On December 6, 2012, following acomprehensive review of the files andfolders that were saved to the externalhard drive, ESDC determined that thescope of the personal informationcompromised pertained to over500,000 clients.
32. On January 4, 2013, ESDCs SpecialInvestigations Unit, Internal Integrity andSecurity Directorate, was mandated toundertake a formal internal investigation inorder to ascertain the circumstancessurrounding the loss of the hard drive.ESDCs internal investigation concludedwith a report dated February 27, 2013, anda supplementary addendum to the reportdated April 9, 2013.
33. As part of its internal investigation, ESDC
reported that interviews were conductedwith four employees in the CSLP Unit whowere identified as part of the working groupcreated to work on the data migrationproject. These employees were identifiedas having the hard drive in theirpossession for the purposes of assistingwith the migration project, or havingknowledge of its storage location.
34. In addition, the computers of the fouridentified employees were subject to an ITforensic analysis in order to determine ifany external hard drive had beenconnected to them.
35. Interviews were also conducted with 15
employees working in the same areawhere the hard drive was reported missing,including two employees currently workingin other federal departments.
36. ESDC confirmed that the CSLP area iscontrolled by an access card system andthe access logs for the area were reviewedas part of its investigation.
37. A Canada-wide search was also conductedon ESDCs departmental network to verifyif an external hard drive matching the makeand model of the missing drive wasconnected to one of its computers.
38. ESDCs internal investigation establishedthe following facts:
The initial backup of the information atissue to the external hard drive wasconducted in 2011 in the OperationalProgram Support Division (OPSD);
Between January and August 2012, thehard drive was used to conductsporadic safeguarding (backups) of theinformation on the T drive by theworking group within the CSLP Unit.ESDC established that no files weredeleted from the hard drive by theworking group members;
The IT forensic analysis confirmed thatan external hard drive with the same
make and model (Seagate GoFlex)was connected in June 2012 to one ofthe computers searched. ESDCreported that, based on the balance ofprobabilities, this external hard drive(and its associated serial number) waslikely the missing hard drive;
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
10/27
6
The IT analysis was inconclusive inrelation to two of the computerssearched one employees computerwas replaced in October 2012 and sentto surplus; and the other computer wasreimaged in December 2012, erasingall evidence that a hard drive may have
been connected to it;
ESDC found no evidence that aSeagate GoFlex external hard drivewas ever connected to the fourthcomputer analyzed during the internalinvestigation;
ESDC also confirmed that the harddrive was left for periods of time(weeks) without being stored in a
locked filing cabinet. Even when storedin the cabinet, the cabinet was notalways locked and other employeesinvolved in the data migration projectwere aware of the location of the keys;
The external hard drive was last seenby an employee in August 2012, and aspreviously noted, it was discoveredmissing on November 5, 2012;
The access log report for the period ofAugust 2012 November 2012revealed that over 200 differentemployees had access to the CSLPcontrolled area. ESDCs reviewconfirmed that all individuals hadapproved access;
Following multiple searches of thebuilding where the CSLP is located,ESDC found no evidence of a breakand enter into the building, or forcedattempts to access the cabinet wherethe hard drive was stored;
The information contained on the harddrive was not encrypted and was notprotected by a secure password;
The procedures outlined in ESDCsDepartmental Security Policy andProcedures Manualfor handling theinformation contained on the externalhard drive (Protected B), were notfollowed in relation to storage (whereremovable media is used to store
sensitive information, the media shouldbe stored in a security-approvedcontainer); and encryption (sensitiveinformation should be encrypted).
39. ESDC issued a public statement onJanuary 11, 2013 regarding the loss ofthe external hard drive, providingbackground information and a timelineof events in relation to the incident onits website.
40. ESDC submits that, in order to mitigatethe impact on those clients affected bythe loss of the hard drive, it initiated apublic awareness campaign thatincluded press releases, publicannouncements, and specialinformation on the Departmentswebsite. In addition, ESDC set up adedicated toll-free information line inorder for individuals to verify whetherthey were affected by the incident, andto obtain additional information
regarding the incident. This service wasoffered to individuals starting onJanuary 14, 2013.
41. Between January 28, 2013 andFebruary 1, 2013, ESDC sent outnotification letters to those clients forwhich it had current contact information.ESDC advised affected clients of thepersonal information that wascompromised by the loss of the externalhard drive, including: Social InsuranceNumber (SIN), first name, last name,date of birth, home address, telephonenumber, and student loan balance.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
11/27
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
12/27
8
51. The matter was also referred by ESDC tothe Royal Canadian Mounted Police(RCMP) on January 7, 2013 forinvestigation. It was subsequently reportedpublicly on August 8, 2013, that the RCMPwould not launch a criminal investigationinto the matter.
52. ESDC submits that appropriateadministrative action has been taken inrelation to the incident, in line with TreasuryBoard Secretariats Guidelines forDiscipline.
ESDCs PrivacyManagement Framework
53. ESDC submits that the Departmentcommenced a review of its privacy
management framework in 2010, whichresulted in the launching of a multi-yearprivacy renewal initiative.
54. In 2011-2012, ESDC conducted a reviewof privacy management practices andconvened with key stakeholders to informthe development of the Privacy Renewal
Action Plan. The first phase of the ActionPlan was launched in 2011-2012, whichincluded a privacy risk triage and thedrafting of a consolidated Departmental
Privacy Code. The new Privacy Codecame into force in March 2013.
55. In 2012-2013, four key priorities wereidentified for the second phase of the
Action Plan, including program-led PrivacyAction Plans for eight of ESDCs statutoryprograms; the re-design of theDepartments Privacy Impact Assessment(PIA) Process; the launch of a newDepartmental Policy on PrivacyManagement; and the implementation of a
renewed privacy training and awarenessstrategy.
Departmental Directives and Protocols
56. On January 14, 2013, ESDC issued new ITSecurity Guidelines to all staff. The USBStorage Devices Directive providesdirection that only authorized USB devicesare allowed for use on departmental
computers. This includes portable harddrives and USB keys.
57. To implement the Directive, allunencrypted USB devices were collectedfor proper disposal and a limited number ofencrypted (password or biometric) arebeing distributed to employees whoregularly work with protected or classifiedinformation. Further, ESDCreported that it now regularly scans itscorporate network to detect the use of
unauthorized USB devices.
58. ESDC also reported that an updatedversion of its Information ClassificationGuide was reissued on January 15, 2013to enhance employees awareness of therequirements for safeguarding protectedand classified information.
59. In addition to the new USB Directive,ESDC is conducting a risk assessment ofall other mobile devices to identify the riskof loss of personal information. To thisend, it has temporarily disabled the abilityof employees to write on CDs, DVDs, andother optical media unless a legitimatebusiness requirement is identified andapproved.
60. ESDC confirmed that work is ongoingwithin the department to develop anddeliver enhanced integrated training fordepartmental staff. All employees will berequired to undertake mandatory trainingon the subjects of privacy, security,information technology security,information management and values andethics. Re-certification will be requiredevery 24 months.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
13/27
9
61. The Department is also implementing anEngagement Plan to engage employeeson the stewardship of information. Tosupport this Plan, ESDC implemented aportal on the Stewardship of Information in
August 2013. The site provides employeeswith information relating to the
management and protection ofDepartmental information assets, as wellas information on the issues of privacy,security, IT security, informationmanagement, and values and ethics.
Application
62. In making our determination, weconsidered sections 3, 6, 7 and 8 of the
Act.
63. Section 3 of theActdefines personalinformation as information about anidentifiable individual that is recorded inany form including, without restricting thegenerality of the foregoing: informationrelating to race, national or ethnic origin,colour, religion, age, marital status,education, medical, criminal oremployment history, financial transactions,identifying numbers, fingerprints, blood
type, personal opinions, etc.
64. Subsection 6(3) of theActrequires that agovernment institution dispose of personalinformation under its control in accordancewith the regulations and in accordance withany directives or guidelines issued by thedesignated minister in relation to thedisposal of that information.
65. Paragraph 7(a) of theActstates thatpersonal information shall not, without the
consent of the individual to whom it relates,be used by the institution except for thepurpose for which the information wasobtained or compiled by the institution orfor a use consistent with that purpose.
66. TheActstates that personal informationcan only be disclosed with an individual'sconsent Subsection 8(1) or inaccordance with one of the categories ofpermitted disclosures outlined insubsection 8(2) of theAct.
Analysis
67. The personal information contained on themissing external hard drive for example,name, address, date of birth, SIN isclearly personal information as defined bysection 3 of the Privacy Act.
68. Following our analysis of ESDCs policies,in particular, the Departmental Security
Policy and Procedures Manual (June2005), the Policy on Departmental ITSecurity Management (December 2010),and the Departmental Privacy Policy (lastupdated in October 2009), we are satisfiedthat these policies conformed to therequirements of the relevant TreasuryBoard Secretariat (TBS) policies andguidelines, in particular, the Policy onGovernment Security, the OperationalSecurity Standard: Management ofInformation Technology Security (MITS),
and the Operational Security Standard onPhysical Security (OSSPS).
69. What this means is that we are satisfiedthat ESDC had in place at the time of theincident the policies commensurate withthe requirements demanded by theGovernment of Canada for the protectionof its personal information holdings.
70. Notwithstanding the above, ourinvestigation identified a number of
weaknesses in ESDCs control over thepersonal information identified on themissing hard drive. In our view, theDepartment failed to translate its ownprivacy and security policies intomeaningful business practices.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
14/27
10
71. For ease of reference, we have organizedour analysis around four types of controlsthat the OPC has identified as providingprotection against data breaches whatwe refer to as the four pillars of soundprivacy management.
72. We base these controls on the TBSsDirective on Privacy Practicesand thePolicy on Government Security,specifically:
I. Physical Controls
II. Technical Controls
III. Administrative controls
IV. Personnel Security Controls
I. Physical Controls
73. Physical security controls are paramount inensuring that government information(including personal information), assetsand services are protected againstcompromise. This includes implementingstrategies to mitigate the risk ofunauthorized access, use or disclosure ofpersonal information.
74. Our investigation established that theCSLP Unit is located in an operationalzone, limited to authorized departmentalemployees. The physical area is controlledby an electronic card access system and ismonitored after-hours by a security alarmsystem. The entrance to the building ismonitored by a Commissionaire and visitoraccess is strictly controlled (sign-in andvisitor pass).
75. While base building security isfundamental to safeguarding governmentemployees and assets, physical securitystrategies must also be in place to protectinformation and to comply withGovernment of Canada policies.
76. In line with ESDCs Departmental SecurityPolicy and Procedures Manual and theGovernment of Canadas OperationalSecurity Standard on Physical Security,protected information, which includespersonal information, must be stored in asecurity-approved container (e.g. approved
filing cabinet). It also requires thatprotected information and valuable assetsare properly safeguarded when occupantsare away from their workstations for anylength of time. Accordingly, keys or otherlocking features of security containersmust also be safeguarded.
77. We highlight that the personal informationcontent on the missing external hard driveis classified at the Protected B level,according to the Government of Canada
classification standards. TBS states thatthis applies to sensitive personal, privateand business information wherecompromise could result in grave injury(e.g. loss of reputation, identity theft, etc.).
78. ESDCs Departmental Security Policy andProcedures Manual requires that, whereremovable media is used to store sensitiveinformation, including personal information,the media must be stored in a security-approved container when not in use.
79. Our investigation established that the harddrive was often left unsecured for extendedperiods of time without being stored in afiling cabinet. Even when stored in thecabinet, the cabinet was not always lockedand other employees were aware of thelocation of the keys.
80. Portable devices are attractive assets andsafeguards must be in place to protect thepersonal information stored on thoseassets. To this end, we are not satisfiedthat ESDC had in place robust physicalsecurity controls to mitigate the risk ofcompromise to both the external hard driveand the personal information stored on it.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
15/27
11
II. Technical Controls
81. Federal Departments and agencies arerequired by the Policy on GovernmentSecurity (PGS) to protect governmentassets and information, including personalinformation, and are directed to have an IT
Security strategy in place to protectinformation throughout its lifecycle. ITSecurity refers to the safeguardsimplemented to preserve theconfidentiality, integrity, availability,intended use and value of electronicallystored, processed or transmittedinformation.
82. ESDCs Departmental Security Policy andProcedures Manual requires thatmeasures must be established to
safeguard personal or other sensitiveinformation throughout its lifecycle. Thisincludes the secure processing, storing,handling, communicating, transmitting anddestroying of sensitive information inaccordance with departmental securitystandards, and on the basis of a Threatand Risk Assessment (TRA). Further, itstates that personal or other sensitiveinformation must be identified and markedaccording to its highest level of security.
83. Our investigation determined thatremovable media (e.g. external harddrives, USB keys, etc.) were not subject tosecurity risk assessment activities at thetime of the incident. ESDC did not requirethat a TRA or a Privacy Impact
Assessment (PIA) be conducted in relationto the use of removable media containingpersonal information. In addition, themissing external hard drive was notmarked as required by ESDCs policy.
84. ESDC submits that it annually conductsrisk assessment exercises; however, givenlimited resources, priority was given tohigher level threats. Removal media werenot identified as a high level threat. Inaddition, ESDC submits that the use ofremovable media with desktop or network
hardware and software were also notamongst the systems examined at the timeof the incident. It indicated that theDepartment is now proceeding with aprogressive certification and accreditationof its systems.
85. ESDCs Departmental Security Policy andProcedures Manual also requires that,where removable media is used to storesensitive information, including personalinformation, the information should be
encrypted. Further, ESDCs SecurityBulletin entitled Encryption Requirements(December 2008), states that, wherepossible, management should limitsituations where employees are required tostore protected information, includingpersonal information, on portable mediadevices. Where unavoidable, it is theemployees responsibility to ensure thatthe information is encrypted.
86. While ESDC submits that at least two
approved procedures were readilyavailable to the users of the external harddrive 1) the password protection feature;and 2) the use of the Entrust encryptionsoftware; the investigation establishedthat no technological safeguards wereimplemented to protect the informationcontent on the hard drive in this case.
87. We recognize that ESDC introduced a newUSB Storage Devices Directive inJanuary 2013 that prohibits the use of
unencrypted USB keys and hard drives ondepartmental computers. To this end, weencourage ESDC to continue with theimplementation of this risk managementstrategy, including regularly scanningnetwork drives to detect unauthorizeddevices and clearly communicating thenew Directive to all employees.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
16/27
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
17/27
13
96. Administrative safeguards also refer to theenforcement of an institutions writtenpolicies, directives, procedures andprocesses for the protection of personalinformation.
97. Further to paragraph 70, while we are
satisfied that ESDC had in place at the timeof the incident sound policies in relation tothe management of its personal informationholdings, we are of the view that there is anidentifiable gap in the translation of thesepolicies to the day-to-day businessoperations of the Department.
98. Consequently, we are not satisfied that, atthe time of the incident, ESDC had effectivecontrols in place to ensure themanagement of the information in question
throughout its lifecycle.
IV. Personnel Securi ty Controls
99. Personnel security controls refer to aDepartments management of itsemployees suitability, proper training,supervision and disciplinary procedures.
100. The examination of the trustworthinessand suitability of employees to protect theemployer's interests is accomplished byconducting security assessments andreliability checks, which are conditions ofemployment under the Public ServiceEmployment Act (PSEA).
101. Our investigation confirmed that theemployees who had access to theinformation content on the external harddrive each had a valid security clearancecommensurate with the level ofinformation required for their positions.
102. Government of Canada employees areresponsible for managing the informationthey collect, create and use to support theprograms and services under which theyoperate.
103. To accomplish this, employees have aresponsibility to apply Government ofCanada and Departmental policyinstruments (policies, standards andassociated procedures). Employees musttherefore be provided timely access totraining to ensure that they have the
necessary knowledge, skills andcompetencies to effectively carry out theirduties.
104. We are not satisfied in this case that theemployees who had access to theexternal hard drive fully understood theprivacy risks inherent to the use of aportable device, or the vulnerabilities ofthe information stored on the device. Infact, it is our view that the employeesinterviewed during the investigation did
not have a clear understanding of theinformation content on the hard drive atall.
105. Further to paragraphs 70 and 97, it is ourview that there is an identifiable gap inthe translation of Departmental policies tothe day-to-day business operations of thedepartment. To this end, we highlightthat there is a lack of employeeawareness in the following areas thatcontributed to vulnerabilities in ESDCs
information management practices at thetime of the incident:
Information stewardship identifyingand handling personal information;
Security responsibilities proceduresfor storing personal information andassets containing personalinformation;
IT controls and responsibilities implementing safeguards to protect
personal information, particularlyinformation stored on portabledevices (e.g. encryption);
Threats awareness of the inherentrisks associated with the loss orunauthorized access, use ordisclosure of personal information.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
18/27
14
106. Employee awareness is accomplishedthrough effective management, leadershipand the supervision of employees, whichsupport information managementpractices and mitigate the risks of humanerror, wrongdoing or negligence. This mayinclude formal direction, follow-ups,
monitoring, inspections, and auditcontrols. There are consequences to non-compliance, and steps must be taken toidentify the risks and manage them beforethey occur.
107. ESDC submits that the IT SecurityCentre of Excellence, under its ITSecurity Awareness Program, issuesmonthly tips and alerts to staff. Inaddition, the Department sends outperiodic reminders to employees on the
importance of protecting the personalinformation of Canadians and the strictprocedures to be followed in handlingsuch information. IT Security
Awareness Training was also deemedmandatory by ESDC in June 2009 withthe approval of the Policy onDepartmental IT Security Management.
108. Further to paragraph 60, ESDC submitsthat work is ongoing to develop anddeliver enhanced integrated training for
departmental staff. All employees willbe required to undertake mandatorytraining on the subjects of privacy,security, IT security, informationmanagement and values and ethics.
109. We encourage ESDC to continue withthe establishment of a comprehensivetraining and awareness program toensure that employees have thenecessary knowledge, skills andcompetencies to effectively carry out
their information management duties.
110. Further to paragraph 52, ESDC submitsthat appropriate administrative actionhas been taken in this case. To thisend, Departments are authorized toestablish standards of discipline and toset penalties, including termination ofemployment, suspension, demotion to a
position at a lower maximum rate ofpay, and financial penalties that may beapplied for breaches of discipline ormisconduct, in line with Treasury BoardSecretariats Guidelines for Discipline.
Findings
111. The Privacy Act requires governmentinstitutions to respect the privacy of
individuals by properly managing thecollection, use, disclosure, retentionand disposal of personal information.
112. ESDC regularly collects personalinformation for purposes ofadministering the CSLP. It stands toreason that, in order to meet itsobligations to ensure that it does notuse or disclose personal information ina manner contrary to theAct, it is anecessary precondition that ESDC
protect the personal information it hascollected during its life cycle - from thetime of collection until it is destroyed byan approved method.
113. In order to effectively protect thepersonal information againstunauthorized uses and disclosures,government institutions must implementappropriate security safeguards.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
19/27
15
114. This notion is supported at the policylevel within the federal government. Forexample, TBSs Directive on PrivacyPracticescalls for limiting access anduse of personal information byadministrative, technical and physicalmeans to protect personal information,
and TBSs Policy on GovernmentSecurityand its related standardsestablish minimum safeguards toprotect and preserve the confidentialityand integrity of government assets,including personal information.
115. ESDCs failure to implement theappropriate safeguards to protect thepersonal information in question hascreated a significant risk forunauthorized access, use or disclosure
the very threats that the Governmentof Canada is entrusted to protect it from.Of great concern is the volume andsensitivity of the personal informationcontained on the external hard drive information that could, in the wronghands, lead to identity theft or fraud.
116. ESDC also has a responsibility toensure it disposes of personalinformation in accordance with therequirements of theAct, which includes
a requirement that the information bedisposed in accordance with anydirectives or guidelines issued by thedesignated minister (i.e., the Presidentof the Treasury Board).
117. In this regard, the TBS Directive onPrivacy Practicesrequires thatgovernment institutions dispose ofrecords containing personal informationin accordance with the provisions of theLibrary and Archives of Canada Actand
according to government securitystandards.
118. Given that the hard drive in this case islost, ESDC is not in a position todemonstrate that it complied with theserequirements to properly dispose of thepersonal information contained on thehard drive.
119. Based on the above, we are notsatisfied that ESDC has met therequirements of sections 6(3), 7 or 8 ofthe Privacy Actin this case.
120. Accordingly, we have concluded that
the matter is well-founded.
Recommendations
121. In a letter dated November 4, 2013, ourOffice provided a Preliminary Report ofFindings to ESDC pursuant tosubsection 33(2) of the Privacy Act.This Report contained details of ourinvestigation and set out the preliminary
findings and recommendations of ourinvestigation.
122. To this end, we recommended thatESDC implement a number of securitymeasures to contribute to theprevention of a similar incident, and tohelp ESDC meet the requirements oftheActto protect against unauthorizeduses and disclosures of personalinformation. The recommendationsmade to ESDC were based on the four
types of controls that the OPC hasidentified as providing protectionagainst privacy breaches, further toparagraph 72 of this Report.
123. In its response to the PreliminaryReport of Findings received onDecember 4, 2013, ESDC accepted ourrecommendations in full. Set out beloware our recommendations and ESDCsresponse to each of ourrecommendations.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
20/27
16
OPC Recommendation 1
We recommended that ESDC revisit its
physical security control practices to ensure
that regular monitoring and inspections are
incorporated into its security program. Thiswill help to ensure that personal information
is stored in approved cabinets when
employees are away from their desks for any
length of time; that cabinets are locked
accordingly; that keys for cabinets are
properly safeguarded; and that attractive or
valuable assets (i.e. external hard drives,
laptops, etc.) containing personal information
are properly safeguarded.
ESDCs Response
ESDC submits that it has commenced security
sweeps in its buildings, including employee
cubicles and offices. ESDC contends that this
initiative will raise awareness and help mitigate
the potential loss of government assets and
information. ESDC is finalizing a plan to
conduct security sweeps in all regions.
ESDC highlighted that it is also developing a
Departmental Security Framework that sets out
the effective management of security
responsibilities and imbeds security principles
and practices at both the strategic and
operational levels. The Framework and
associated plans will help to define different
types of security requirements, inform
improvements to security functions, as well assupport security training and awareness.
OPC Recommendation 2
A PIA is a formal process that helps
determine whether initiatives involving the
use of personal information raise privacy
risks, and proposes solutions to eliminate ormitigate privacy risks to an acceptable level.
A TRA assists in the determination of IT
security requirements and can be short and
simple, depending on the sensitivity, criticality
and complexity of the program, system or
service being assessed. We recommended
that ESDC establish protocols to coordinate
the identification and categorization of its
personal information holdings and assets
with departmental PIA and TRA activities inorder to mitigate all identified privacy risks.
ESDCs Response
ESDC highlighted that the identification,
assessment and mitigation of privacy risks is a
key pillar of its Privacy Management
Framework. Following the first phase of
ESDC's 2011 Privacy Renewal Action Planwhich included a series of privacy risk
assessments of the Department's major
statutory programs and personal information
holdings, program-led Privacy Action Plans
were developed and launched for the
Department's eight statutory programs in 2012
as part of phase two of the Privacy Renewal
Action Plan.
In 2012-2013, ESDC submits that it re-engineered its Privacy Impact Assessment
(PIA) process to enhance and streamline the
Department's privacy risk assessment and
mitigation process, and also launched a new
strategic planning process to support the
implementation of an annual privacy and
information security work plan.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
21/27
17
ESDC submits that it will continue to support
the implementation of a risk-based, proactive
approach to privacy management by building
on progress achieved to date and identifying
and assessing emerging privacy and security
risks.
OPC Recommendation 3
We recommended that ESDC complete a
comprehensive review of its materiel holdings
to ensure that all personal information and
assets containing personal information are
identified and marked according to the
highest appropriate security level (e.g.
Protected B), in line with ESDCsDepartmental Security Policy and
Procedures Manual, and Treasury Boards
Security Organization and Administration
Standard for selecting minimum safeguards
to protect information and assets.
ESDCs Response
ESDC highlighted that it is presently executingan Information Management strategy across all
branches and regions which includes the
following core elements:
i. Examination of all repositories to
develop an inventory of information
assets;
ii. Appropriate retention and disposition
decisions to ensure that transitoryrecords which are no longer required
are disposed of, and records of
business value are preserved;
iii. Classification of remaining records tothe appropriate security level, followingthe Department's informationclassification guide;
iv. Appropriate protection, through accessrights, encryption, or both, ofinformation that is rated Protected orabove.
OPC Recommendation 4
We recommended that portable storage
devices only be used as a last resort to store
or transfer personal information, and only if it
is demonstrably necessary to fulfill a specific
and documented purpose. All sensitive or
personal information stored on portable
devices must be protected by strong
technological safeguards, including
encryption.
ESDCs Response
ESDC highlighted that steps have been taken
to restrict and manage the use of portable
storage devices, including: 1) On January 11,
2013, the USB Storage Devices Directive was
implemented that restricts the use of portable
storage devices to instances where
management has validated the need,
mandates the use of encrypted (biometric and
password) USB keys or hard drives, and
imposes consequences for failure to comply;
2) On January 18, 2013, the monitoring of
desktop computers for unauthorized use of
USB devices began; 3) On May 27, 2013,
security software was deployed to block
unauthorized use of USB devices; and 4) On
June 3, 2013, security software was deployed
to block all other portable storage devices,such as optical media (CD/DVD) and floppy
disks. Only authorized users can save to such
media.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
22/27
18
OPC Recommendation 5
We recommended that ESDC establish
proper materiel management practices to
inventory and monitor all assets that may be
used to store or transmit sensitive personal
information. This may include affixing a barcode or other inventory measure to enable
tracking of the asset. In addition, the relevant
asset information (e.g. serial number) must
be communicated to the appropriate asset
management staff.
ESDCs Response
ESDC confirmed that, as a result of theincident, portable devices are now procured,
distributed and managed centrally, and
Assistant Deputy Minister (ADM) approval is
required to use such devices. In addition,
ESDC highlighted that laptops are tagged and
tracked by serial number and report to a
technical console each time they are
connected to ensure proper security software is
deployed. Encrypted USB keys and portable
hard drives are tracked by serial number thisinformation is integrated into the software
which is used to monitor connections to the
Department's network. As a safeguard,
devices are attached with a coloured tag that
identifies the Department's Service Desk 1-800
number, in the event a device is found. ESDC
also confirmed that the Department's Material
Management Policy is being updated to reflect
how these devices are tracked.
OPC Recommendation 6
We recommended that ESDC incorporate
regular security reviews or physical
inspections of assets containing personal
information to ensure proper safeguards are
implemented to protect personal information.
ESDCs Response
ESDC submits that the following efforts will
assist the Department in raising awareness
among its employees and will enhance
mitigation of the potential future loss of
government assets and information:
i. The Clean Desk Guideline wasshared with all employees in August2013, to encourage a clean deskpractice to prevent the unauthorizeddisclosure of sensitive information andloss of personal items;
ii. Security sweep inspections ofemployee cubicles and offices havecommenced;
iii. A compliance validation is included inthe approved scope of the Internal
Audit on IT Security, wherebyindividual, portable digital media will beexamined to assess controls in theareas of policy management, technicalsecurity and operational security. Theconduct phase of the audit isproceeding until July 2014.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
23/27
19
OPC Recommendation 7
We recommended that ESDC develop and
implement controls to ensure that personal
information is managed rigorously throughout
its entire lifecycle. This includes establishing
controls to manage and track personalinformation, and ensuring that there is
awareness and accountability for the
information throughout its lifecycle.
ESDCs Response
ESDC attests that a critical element of its
Information Management strategy is ensuring
the appropriate classification of records and theappropriate storage of records classified at
protected or above. Through proper training, a
disciplined process, and regular follow-up,
ESDC submits that awareness of the proper
handling of sensitive records will remain high.
Effective June 2013, Data Loss Prevention
(DLP) software has been deployed which
permits routine scanning of information
repositories. Advanced algorithms detect whenpotentially sensitive files are not properly
protected, which allows management to take
action to ensure the records are more
appropriately managed.
ESDC further submits that promoting employee
awareness and accountability for personal
information throughout the information lifecycle
is a key component of its Privacy Renewal
Action Plan. ESDC highlighted some of itsongoing efforts, including a privacy awareness
week in January 2013; activities organized in all
branches and regions between February and
June 2013 to directly engage employees on the
importance of personal information protection;
the launch of a new 'Stewardship of Information'
portal to provide employees with information
about roles and responsibilities, policies, tools,
and other resources on the subjects of privacy,
security, information management, and values
and ethics, in August 2013. ESDC will continue
to reinforce awareness of employee roles and
responsibilities and the risks and threats
associated with the protection of personalinformation through targeted outreach and
awareness activities.
OPC Recommendation 8
We recommended that ESDCs training and
awareness program include a particular focus
on the following:
Strategies to ensure that all employeesunderstand their roles and responsibilitiesfor the management of personalinformation through its lifecycle, includingidentifying and handling personalinformation;
The requirements for physical securityoutlined in ESDCs own DepartmentalSecurity Policy and Procedures Manual(approved cabinets, locking devices,
etc.), including the requirements for theproper operation and safeguarding ofattractive or valuable assets that containpersonal information (i.e. external harddrives, laptops, etc.);
The requirements for safeguardingpersonal information, including IT controlsfor portable devices (e.g. encryption).Employees that have access to sensitivepersonal information must be aware ofthe privacy risks inherent to the use of
portable devices, as well as thevulnerabilities of the information that maybe stored on these devices (i.e. loss orunauthorized access, use or disclosure ofpersonal information);
The consequences of not adhering toDepartmental security and privacystandards.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
24/27
20
ESDCs Response
ESDC highlighted that in April 2013, the
Department approved an integrated learning
strategy aimed at new and existing employees
that consolidates learning in the key areas
related to the protection of personalinformation. As a further measure, all new and
existing Departmental employees are required
to undertake mandatory testing every two
years to ensure ongoing compliance to the
functions related to the protection of personal
information.
ESDC also submits that when a portable
storage device is issued, the employee signs
an acknowledgement that they have receivedthe device and understand the provisions for its
use.
OPC Recommendation 9
We recommended that participation in
training sessions should be mandatory and
participation should be documented.
ESDCs Response
As part of its learning policy suite, ESDC
submits that the Department approved new
mandatory training guidelines that clearly
outline the approach, roles and responsibilities
for management and employees on the
learning requirements relating to the new
mandatory Stewardship of Information andWorkplace Behaviours Training Program. This
training program, which integrates training for
privacy, information technology security,
information management, security and values
and ethics/code of conduct, was approved as a
Departmental mandatory learning objective and
was launched in September 2013. During this
first phase, the training program was further
refined and systems issues were addressed.
As a result, the training program was re-
launched in February 2014. It is anticipated
that all employees will complete the training by
August 2014.
All employees will be required to undertake the
mandatory training and testing. The
Department will be tracking compliance with
the mandatory learning objective through a
learning management system, and quarterly
completion reports will be provided to senior
officials. Senior management is accountable for
the effective monitoring of employees'
attendance regarding the mandatory training,
testing and revalidation.
OPC Recommendation 10
We recommended that ESDC incorporate
measures to monitor personal information
management practices, particularly in those
cases where it is necessary to use or transfer
personal information to portable storage
devices (i.e. external hard drives, laptops,etc.). This may include formal direction,
follow-ups, inspections, or audit controls.
ESDCs Response
ESDC submits that the following steps are in
place to monitor information management
practices with respect to potentially sensitive
information:
In accordance with the USB StorageDevices Directive, all USB devices forsaving information must be encryptedbiometrically or with a password;
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
25/27
21
Each person who receives an encrypteddevice signs an acknowledgement of thestandard for acceptable use of the deviceand agreement to submit it for audit at anytime. The Internal Audit of IT Security willinclude a provision for this compliancecheck;
USB ports are monitored and IT securityprepares a weekly report on potentiallyunauthorized use of USB devices; and
Data Loss Prevention tools are scanningfile repositories to identify files which maypresent a risk.
Other Observations
124. In our Preliminary Report of Findings,we also offered our observations toESDC in relation to the Departmentalresponse to the incident specifically,the immediate actions taken within theDepartment following the incident, andits notification to the affectedindividuals.
125. Concerns were raised to our Office byindividuals who filed complaintsregarding the delay by ESDC to notifyaffected individuals of the incident. Inaccordance with Treasury BoardsGuidelines for Privacy Breaches,notification to those affected by theincident, particularly in cases wheresensitive personal information iscompromised, ...should occur as soonas possible following the breach toallow individuals to take actions toprotect themselves against or mitigatethe damage from identity theft or otherpossible harm.
126. In our view, considering the scope ofthe breach and the mitigation measuresthat were necessary to be implementedby ESDC following the loss of theexternal hard drive, we find that thedelay in notifying affected individuals inwriting was reasonable in thecircumstances.
127. We acknowledge in this case thatsubstantial efforts were devoted tosearching for the missing external harddrive, including conducting IT forensicanalyses; identifying the individualsaffected by the incident and confirmingmailing information; initiating a public
awareness campaign (setting up a callcentre, preparing press releases, etc.);coordinating SIN monitoring; arrangingan agreement with Equifax for creditprotection services; and of course,issuing a public statement onJanuary 11, 2013.
128. Notwithstanding the above, we wouldlike to highlight that that there may havebeen more personal informationcompromised as a result of the loss of
the hard drive than was reported byESDC to affected individuals. Further toparagraph 20, ESDCs representationsdescribed the specific fields ofinformation that may have beencompromised as a result of the incident.
129. While ESDC submits that these fields ofinformation were grouped into sevenkey pieces of personal information inorder to inform affected individuals asquickly as possible, we failed to see
how some of the personal informationthat was not reported in ESDCsnotification letter to affected individuals
for example, a borrowers gender,language or marital status can begrouped into the seven key pieces ofpersonal information as ESDCsubmits.
130. In our view, the combination of certaintypes of sensitive personal informationincreases the risks for identity theft, and
therefore, it is essential in our view thata complete list of the personalinformation elements relating to theindividual that is thought to have beenor potentially been compromised, isincluded in the notification.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
26/27
22
131. Transparency is a key fundamentalprinciple that upholds governmentaccountability. To this end, we remindESDC of Treasury Boards guidance forreporting and responding to privacybreaches, specifically, the Guidelinesfor Privacy Breaches. We also
underline the importance of compliancewith Treasury Boards Policy on PrivacyProtection which, as one if itsobjectives, is meant to enhanceeffective application of the Privacy Actand its Regulations.
132. In its December 4, 2013 response toour Office, we highlight the followingcomments from ESDC:
ESDC submits that the scale and
scope of the privacy breachrequired it to take a number of stepsto clearly identify what was missingand who was impacted. AdvisingCanadians and clients as quickly aspossible was of primordialimportance in this instance, and asa result, ESDC issued writtennotices and followed up with writtenletters to all clients for whom theDepartment had a valid address.
ESDC contends that waiting toprepare individualized letterscontaining the specific informationthat may have been contained onthe hard drive would haveunnecessarily delayed thenotification process. Since the initialnotification letters were mailed,clients have contacted theDepartment requesting confirmationof their specific information that wasbelieved to be contained on the
hard drive. The Department hasresponded to these requests withthe exact personal informationassociated with the particular clientmaking the request.
ESDC further submits that, to date,it has received no indication thatany of the personal informationpotentially stored on the externalhard drive has been accessed orused for fraudulent purposes. ESDCsubmits that it makes this statement
following its review of the monitoringof Social Insurance Numbers, aswell as in-depth reviews of affectedclients' consumer profiles byEquifax, the credit bureau withwhich the Department hascontracted to monitor the credithistory of interested individualsaffected by this incident.
Conclusion
133. Our investigation reviewed the physical,technical, administrative, and personnelcontrols in place at ESDC at the time ofthe incident what we refer to as thefour pillars of sound privacymanagement. In our view, thesecontrols should be incorporated into aninstitutions privacy managementframework to protect against databreaches, including the improper or
unauthorized collection, use,disclosure, retention and/or disposal ofpersonal information.
134. Our investigation identified ameasurable gap in ESDCsimplementation of its privacy andsecurity policies in the day-to-daybusiness operations of the Department.This gap resulted in weaknesses ininformation management controls,physical security controls, and most
importantly, the level of employeeawareness of Departmental policiesand procedures.
-
8/12/2019 Privacy Commissioner's report into student loan harddrive loss.
27/27
135. While we have found ESDC to be incontravention of sections 6(3), 7 or 8 ofthe Privacy Actin this case, theDepartment has accepted all of ourrecommendations in full and is in factwell-advanced in the implementation ofmany of the recommendations
identified.
136. Accordingly, we are satisfied that nofurther action is required by our Officeat this time. Nonetheless, we willfollow-up with ESDC in one year toconfirm its progress in theimplementation of ourrecommendations and its ongoingefforts towards the management of theDepartments personal informationholdings.
137. We also take this opportunity tohighlight that there needs to be asynergy between privacy and securitycontrols to effectively mitigate privacyrisks. It is the implementation of thesevery controls that will assist ESDC toadequately protect the personalinformation that Canadians entrust to it.
138. It is expected that ESDC will respectthe spirit and requirements of thePrivacy Act privacy is a fundamentalvalue to Canadians, and it is anessential element in maintaining publictrust in government. Therefore, weremind ESDC that it needs tocontinually be aware of the personalinformation and assets it holds, andtheir associated sensitivity andcriticality. The protection of personalinformation must be properly integratedin all Departmental functions, whichrequires the establishment of a
governance structure that has theweight, composition and mandate toeffectively ensure implementation ofpolicy instruments.
Additional
Information
139. For more information about our Office
and the powers of the PrivacyCommissioner, please visit us online atwww.priv.gc.ca. We also have anumber of resources available on ourweb site that may be of interest to thoseaffected by this incident, includingresources about identity theft and fraud.
http://www.priv.gc.ca/http://www.priv.gc.ca/http://www.priv.gc.ca/
top related