
Thursday, December 10, 2015

Privacy Commissioner tables annual report on privacy in the federal government

The Privacy Commissioner of Canada has just tabled his Annual Report on the Privacy Act to Parliament for 2014-2015. The Privacy Act regulates how the federal government and its agencies can collect, use and disclose personal information. The full report is here: Annual Report to Parliament 2014-15 - Protecting personal information and public trust - Report on the Privacy Act.

The highlight of the Annual Report is an audit across government departments regarding the use of portable storage devices. Some might find it ironic, since the Office of the Privacy Commissioner recently lost a portable storage device containing personal information of its employees.

Here's the media release prepared by the Commissioner:

Federal government needs to do more to guard against breaches and privacy violations: Privacy Commissioner

2014-2015 Privacy Act Annual Report to Parliament highlights results of an audit of the government’s management of portable storage devices and reported data breaches

GATINEAU, QC, December 10, 2015 – The Privacy Commissioner of Canada is urging federal departments and agencies to develop and implement more rigorous procedures and safeguards to protect Canadians’ personal information.

This call comes as the Commissioner’s 2014-15 Annual Report on the Privacy Act was tabled today in Parliament, highlighting a record-high number of federal government data breaches reported to his Office and the results of an audit of the government’s management of portable storage devices.

“Many institutions have made some strides to better protect personal information,” says Commissioner Daniel Therrien. “That being said, the breach reports we’ve received, the results of our investigations and our latest audit all suggest there is still much room for improvement.”

Federal institutions reported 256 data breaches in 2014-2015, up from 228 breaches reported the year before—which itself was double the number reported a year earlier. As in previous years, the leading cause of breaches was accidental disclosure, a risk which can often be mitigated by more rigorous procedures.

Last year marked the first time institutions were required to report data breaches to the Privacy Commissioner. Until then, reporting was voluntary.

“Effectively protecting personal information is a challenge we do not want to minimize,” says Commissioner Therrien. “However, given that Canadians are required to provide very sensitive information to federal departments and agencies, the government’s duty of care is paramount.”

The annual report includes details of a recently completed audit which found that gaps in the federal government’s management of portable storage devices, such as memory sticks, are potentially putting the personal information of Canadians at risk.

The audit concluded that, while federal institutions do have policies, processes and controls related to portable storage devices, there is significant room for improvement in order to reduce the risk of privacy breaches.

Portable storage devices are convenient because they can hold huge amounts of data and are generally small and highly portable. But it is those attributes that also create significant privacy and security risks.

“These devices can be easily lost, misplaced or stolen. Without proper controls, federal institutions are running the risk that the personal information of Canadians will be lost or inappropriately accessed,” says Commissioner Therrien.

The audit was prompted by concerns over a number of federal government data breaches involving portable storage devices, including a 2012 incident in which a portable hard drive containing the personal information of almost 600,000 student loan recipients went missing.

The audit, which included a detailed examination of 17 institutions, identified a number of concerns, including:

  • More than two-thirds (70%) of the institutions had not formally assessed the risks surrounding the use of all types of portable storage devices.
  • More than 90% did not track all portable storage devices throughout their lifecycle.
  • More than 85% did not retain records verifying the secure destruction of data retained on surplus or defective portable storage devices.
  • One-quarter did not enforce the use of encrypted USB storage devices.
  • Two-thirds did not have technical controls in place to prevent the connection of unauthorized portable storage devices (for example, a privately owned device) on their networks, and more than half (55%) had not assessed the risk to personal information resulting from the absence of such controls.

There were also weaknesses in the security settings to protect data held on smart phones at some of the audited entities. These included, for example, a lack of encryption, strong password controls, or controls to prevent users from installing unauthorized applications.

The audited institutions have accepted all recommendations made in the audit.

“We hope all federal institutions will take note of the audit and its recommendations with respect to portable storage devices,” says Commissioner Therrien. “The audit highlights some preventive steps that can and must be taken to curtail breaches. There is a need for greater vigilance when it comes to protecting the personal information that Canadians entrust to their federal government.”

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.
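Two of the audit findings above are ones an administrator can check directly: whether every mass-storage device that attaches is one the institution issued, and whether it carries a serial number it can be tracked by. The script below is an added example, not part of the OPC report or the audited institutions' tooling. It reads kernel log lines in the format the Linux USB core and the usb-storage driver emit on attach, and flags any mass-storage device whose vendor/product/serial triple is not on an allowlist of issued encrypted drives, or that reports no serial at all. The allowlist, the sample log lines and every device identifier in them are constructed for the example.

```python
"""Audit USB mass-storage attachments against an allowlist of issued drives.

Added example (not from the OPC report). Parses dmesg-style lines from the
Linux usb core and usb-storage driver and reports unauthorized storage devices.
All identifiers, serials and log lines below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed allowlist of issued encrypted drives: (idVendor, idProduct, SerialNumber).
ALLOWLIST: Set[Tuple[str, str, str]] = {
    ("0781", "5583", "4C530001234567890123"),
}

# Constructed dmesg excerpt: an issued drive (1-1), an unknown drive (1-2),
# a keyboard (1-3, not storage) and a drive that reports no serial (1-4).
SAMPLE_DMESG = """\
[  101.0] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  101.0] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  101.0] usb 1-1: SerialNumber: 4C530001234567890123
[  101.1] usb-storage 1-1:1.0: USB Mass Storage device detected
[  205.3] usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  205.3] usb 1-2: SerialNumber: 07AC9F0011
[  205.4] usb-storage 1-2:1.0: USB Mass Storage device detected
[  310.7] usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  410.2] usb 1-4: New USB device found, idVendor=13fe, idProduct=4300, bcdDevice= 1.00
[  410.2] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  410.3] usb-storage 1-4:1.0: USB Mass Storage device detected
"""

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s*")  # optional dmesg timestamp prefix
FOUND_RE = re.compile(r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL_RE = re.compile(r"^usb (\S+): SerialNumber: (\S+)$")
STORAGE_RE = re.compile(r"^usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected$")


@dataclass
class UsbDevice:
    port: str          # bus-port path, e.g. "1-2"; the usb-storage line carries "1-2:1.0"
    vendor: str
    product: str
    serial: str = ""   # empty when the device never reported a SerialNumber
    mass_storage: bool = False

    @property
    def identity(self) -> Tuple[str, str, str]:
        return (self.vendor, self.product, self.serial)


def parse_usb_attach_events(lines: Iterable[str]) -> Dict[str, UsbDevice]:
    """Collect one UsbDevice per port from attach-time kernel log lines."""
    devices: Dict[str, UsbDevice] = {}
    for raw in lines:
        line = TS_RE.sub("", raw.strip())
        m = FOUND_RE.match(line)
        if m:
            port, vendor, product = m.groups()
            devices[port] = UsbDevice(port, vendor, product)
            continue
        m = SERIAL_RE.match(line)
        if m and m.group(1) in devices:
            devices[m.group(1)].serial = m.group(2)
            continue
        m = STORAGE_RE.match(line)
        if m and m.group(1) in devices:
            devices[m.group(1)].mass_storage = True
    return devices


def unauthorized_storage(devices: Dict[str, UsbDevice],
                         allowlist: Set[Tuple[str, str, str]]) -> List[Tuple[UsbDevice, str]]:
    """Return (device, reason) for every mass-storage device not on the allowlist."""
    findings: List[Tuple[UsbDevice, str]] = []
    for dev in sorted(devices.values(), key=lambda d: d.port):
        if not dev.mass_storage:
            continue  # keyboards, hubs, etc. are out of scope
        if not dev.serial:
            findings.append((dev, "no serial number: cannot be tracked or allowlisted"))
        elif dev.identity not in allowlist:
            findings.append((dev, "not an issued device"))
    return findings


def audit(text: str = SAMPLE_DMESG, allowlist: Set[Tuple[str, str, str]] = ALLOWLIST):
    return unauthorized_storage(parse_usb_attach_events(text.splitlines()), allowlist)


if __name__ == "__main__":
    for dev, why in audit():
        print(f"{dev.port}: {dev.vendor}:{dev.product} serial={dev.serial or '-'} -> {why}")
```

Two caveats a practitioner would add. This is detection after the fact, not the preventive technical control the audit asked for; blocking requires a policy layer that refuses to bind the storage driver to devices off the list (udev rules or endpoint management). And the vendor, product and serial values are self-reported by the device, so an allowlist keyed on them is a lifecycle-tracking aid, not a trust boundary; a device can claim any identity it likes.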

Thursday, November 17, 2011

Privacy Commissioner of Canada releases annual report on public sector privacy law

Jennifer Stoddart has just tabled her annual report to Parliament on the Privacy Act, Canada's federal public sector privacy law: Annual Report to Parliament 2010-2011 - Report on the Privacy Act.

From her media release on the topic:

Audit of airport security measures flags concerns about over-collection and safeguarding of travellers’ personal information

2010-2011 Annual Report to Parliament on the Privacy Act examines the stewardship of personal information by Canada’s airport security authority, the RCMP and other federal departments and agencies

OTTAWA, November 17, 2011 – The Government of Canada is collecting too much information about some air travellers and is not always safeguarding it properly, Privacy Commissioner Jennifer Stoddart found in an audit published with her annual report today.

The audit of the privacy policies and practices of the Canadian Air Transport Security Authority (CATSA) concluded that the agency was reaching beyond its mandate by completing security reports on incidents which were not related to aviation security.

This was the case even with incidents involving an activity that was legal. For example, CATSA collected information about air passengers who were found to be carrying large sums of cash on domestic flights. CATSA also contacted police in such cases. Since it should not be collecting personal information about legal activities not related to aviation security, the Office of the Privacy Commissioner of Canada recommended that CATSA immediately cease that practice. CATSA agreed.

Moreover, the audit found that such incident reports, and other types of personal information collected by the agency, were not always properly secured.

“Documents containing sensitive personal information were left on open shelves and in plain view in a room where passengers may be taken for security checks,” Commissioner Stoddart reported.

The audit also identified other concerns about procedures not being followed during the screening process. When auditors visited the rooms where CATSA officials screen full-body scans, they discovered a cell phone and a closed-circuit TV camera even though these types of devices are strictly prohibited according to CATSA’s operating procedures.

“Fortunately, these irregularities were uncommon and we were pleased that CATSA moved quickly to correct them by issuing a reminder to staff and conducting inspections to ensure proper procedures were followed,” said Commissioner Stoddart.

Even so, she added, “the Government of Canada is entrusted with highly sensitive personal information, and is obliged to handle it with an uncompromising level of care—not some of the time, or even most of the time, but all of the time.”

The audit was summarized in the 2010-2011 annual report on the Privacy Act, which was tabled in Parliament today.

The annual report also contains a summary of another audit conducted by the Office of the Privacy Commissioner of Canada (OPC). It examined the Royal Canadian Mounted Police’s (RCMP) management of operational databases that are widely shared with other police forces, government institutions and other organizations.

The audit determined that, while the RCMP has policies and procedures to safeguard the sensitive information contained in the databases, there were also some disturbing gaps.

For instance, the Privacy Act, which governs the information-handling practices of federal government departments and agencies, requires that organizations retain personal information no longer than absolutely necessary. And yet, information about offences for which a pardon had been granted, or that resulted in a wrongful conviction, continues to be accessible in a database called the Police Reporting and Occurrence System.

“People who were convicted of an offence they did not commit, or who have been granted a pardon, have a right to go about their lives without information—and especially misinformation—about their past coming to light,” Commissioner Stoddart noted. “Such information must be more tightly controlled.”

The annual report highlights the work of the OPC in 2010-2011 in strengthening the privacy rights of Canadians. It summarizes key investigations into privacy complaints and data breaches that the Office conducted under the Privacy Act. The report also describes several Privacy Impact Assessments that federal institutions submitted to the Office for review during the past fiscal year.

Aimed at assessing the government’s stewardship of personal information, the report has separate chapters devoted to the collection, use and disclosure of data. Given the sensitive nature of the personal information that the state needs to govern, the report warns of grave consequences for its over-collection, misuse or inappropriate disclosure.

Aside from the two audit summaries, here are other highlights of today’s reports:

  • Biometric identifiers: Citizenship and Immigration Canada submitted Privacy Impact Assessments for two initiatives involving the use of fingerprints and other biometric identifiers for immigration control. The OPC recommended ways to strengthen privacy safeguards for vulnerable populations such as refugee claimants.
  • Passenger behaviour observation: A Privacy Impact Assessment for a new pilot project to observe airport travellers for suspicious activity raised several concerns, including the potential for inappropriate risk profiling based on characteristics such as race, age or gender.
  • Personal data breaches: The OPC received a record number of reports of breaches of personal information in 2010-2011. One involved a malfunction of the new My Service Canada Account website, a day after its launch, which allowed an estimated 75 users to see financial and other personal data of previous visitors to the site.
  • Follow-up to past audits: During follow-ups on three audits originally conducted in 2008 and 2009, the entities that we audited indicated that 32 of 34 of the OPC’s recommendations had been fully or substantially implemented. For example, the RCMP reported that it had removed tens of thousands of surplus files from its exempt databanks, in compliance with the Privacy Commissioner’s recommendations.

The full annual report and audit reports on CATSA’s aviation security measures and the RCMP operational databanks are available at www.priv.gc.ca.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada.