The Privacy Commissioner of Canada has just tabled in Parliament his 2014-2015 Annual Report on the Privacy Act. The Privacy Act regulates how the federal government and its agencies can collect, use and disclose personal information. The full report is here: Annual Report to Parliament 2014-15 - Protecting personal information and public trust - Report on the Privacy Act.
The highlight of the Annual Report is an audit across government departments regarding the use of portable storage devices. Some might find it ironic, since the Office of the Privacy Commissioner recently lost a portable storage device containing personal information of its employees.
Here's the media release prepared by the Commissioner:
Federal government needs to do more to guard against breaches and privacy violations: Privacy Commissioner
2014-2015 Privacy Act Annual Report to Parliament highlights results of an audit of the government’s management of portable storage devices and reported data breaches
GATINEAU, QC, December 10, 2015 – The Privacy Commissioner of Canada is urging federal departments and agencies to develop and implement more rigorous procedures and safeguards to protect Canadians’ personal information.
This call comes as the Commissioner’s 2014-15 Annual Report on the Privacy Act was tabled today in Parliament, highlighting a record-high number of federal government data breaches reported to his Office and the results of an audit of the government’s management of portable storage devices.
“Many institutions have made some strides to better protect personal information,” says Commissioner Daniel Therrien. “That being said, the breach reports we’ve received, the results of our investigations and our latest audit all suggest there is still much room for improvement.”
Federal institutions reported 256 data breaches in 2014-2015, up from 228 breaches reported the year before—which itself was double the number reported a year earlier. As in previous years, the leading cause of breaches was accidental disclosure, a risk which can often be mitigated by more rigorous procedures.
Last year marked the first time institutions were required to report data breaches to the Privacy Commissioner. Until then, reporting was voluntary.
“Effectively protecting personal information is a challenge we do not want to minimize,” says Commissioner Therrien. “However, given that Canadians are required to provide very sensitive information to federal departments and agencies, the government’s duty of care is paramount.”
The annual report includes details of a recently completed audit which found that gaps in the federal government’s management of portable storage devices, such as memory sticks, are potentially putting the personal information of Canadians at risk.
The audit concluded that, while federal institutions do have policies, processes and controls related to portable storage devices, there is significant room for improvement in order to reduce the risk of privacy breaches.
Portable storage devices are convenient because they can hold huge amounts of data and are generally small and highly portable. But it is those attributes that also create significant privacy and security risks.
“These devices can be easily lost, misplaced or stolen. Without proper controls, federal institutions are running the risk that the personal information of Canadians will be lost or inappropriately accessed,” says Commissioner Therrien.
The audit was prompted by concerns over a number of federal government data breaches involving portable storage devices, including a 2012 incident in which a portable hard drive containing the personal information of almost 600,000 student loan recipients went missing.
The audit, which included a detailed examination of 17 institutions, identified a number of concerns, including:
- More than two-thirds (70%) of the institutions had not formally assessed the risks surrounding the use of all types of portable storage devices.
- More than 90% did not track all portable storage devices throughout their lifecycle.
- More than 85% did not retain records verifying the secure destruction of data retained on surplus or defective portable storage devices.
- One-quarter did not enforce the use of encrypted USB storage devices.
- Two-thirds did not have technical controls in place to prevent the connection of unauthorized portable storage devices (for example, privately owned devices) to their networks, and more than half (55%) had not assessed the risk to personal information resulting from the absence of such controls.
There were also weaknesses in the security settings to protect data held on smart phones at some of the audited entities. These included, for example, a lack of encryption, strong password controls, or controls to prevent users from installing unauthorized applications.
The audited institutions have accepted all recommendations made in the audit.
“We hope all federal institutions will take note of the audit and its recommendations with respect to portable storage devices,” says Commissioner Therrien. “The audit highlights some preventive steps that can and must be taken to curtail breaches. There is a need for greater vigilance when it comes to protecting the personal information that Canadians entrust to their federal government.”
About the Office of the Privacy Commissioner of Canada
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.