Province violated privacy act, failed to protect personal info: Privacy Watchdog

VICTORIA, B.C. — After beginning an investigation in September 2015, B.C. Information and Privacy Commissioner Elizabeth Denham said the Ministry of Education ‘failed to protect the personal information’ of 3.4 million B.C. and Yukon students stored on a portable hard drive.

The Province’s privacy watchdog released her investigation report yesterday, and noted this investigation is unique, as events that happened more than four years ago were being investigated.

“The passage of time and the lack of proper documentation made it difficult to gather consistent and complete information from those involved,” Denham said.

“Therefore, the main goal of this report is to highlight lessons from the past to help prevent future breaches.”

The investigation revealed that, despite having privacy and security policies in place, the Ministry of Education violated the Freedom of Information and Protection of Privacy Act — as the ministry did not ensure the information was encrypted, did not store the portable hard drive in an approved offsite warehouse and did not adequately document the contents or location of the portable hard drive.

Following this, the report does say the Ministry did appropriately respond to the discovery of the breach, with its containment efforts, preventative measures and analysis of risk.

The Ministry notified her last fall that a hard drive containing personal information collected between 1986 and 2009 couldn’t be found. The information included names, genders, dates of birth and Personal Education Numbers — but also had more sensitive personal information, such as addresses, types of schooling, grade information, teacher retirement plans, educational outcomes for cancer survivors, health and behaviour issues, and children in care.

The hard drive was a backup for purpose of ‘disaster recovery’ of ministry research data. The report found that the information was moved from a secure server to the hard drive as an attempt to decrease electronic storage costs, and was ultimately sent to an off- site warehouse for storage. After extensive searches in the warehouse, the Ministry declared the hard drive be lost.

Nine recommendations have been made to the Ministry to strengthen the security of personal information. They focus on steps the ministry should take to ensure policies and procedures are followed, including ‘maintaining an accurate inventory of personal information assets, encrypting all mobile data storage devices and storing them only in government approved facilities.’

“This is an example of a breach that was completely preventable,” said Denham. “If the ministry had implemented any one of a number of safeguards and followed existing policy, the breach would not have happened.”

The Commissioner’s office will follow up with the ministry in three months to see where the Ministry is with these recommendations.