DOCSLIB.ORG

Investigation Into the Loss of a Hard Drive at Employment and Social Development Canada

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Investigation Into the Loss of a Hard Drive at Employment and Social Development Canada Special Report to Parliament Findings under the Privacy Act Investigation into the loss of a hard drive at Employment and Social Development Canada March 25, 2014 Office of the Privacy Commissioner of Canada 30 Victoria Street Gatineau, Quebec K1A 1H3 © Minister of Public Works and Government Services Canada 2014 IP54-56/2014E-PDF 978-1-100-23322-2 Follow us on Twitter: @PrivacyPrivee Contents Investigation into the loss of a hard drive at Employment and Social Development Canada .................................................................................................... 1 Complaint Under the Privacy Act............................................................................................. 1 Introduction ............................................................................................................................. 1 Background ............................................................................................................................. 1 Methodology ............................................................................................................................ 2 Summary of Facts ..................................................................................................................... 2 ESDC’s Actions Following the Incident................................................................................... 4 Application ................................................................................................................................ 9 Analysis ..................................................................................................................................... 9 I. Physical Controls ............................................................................................................ 10 II. Technical Controls .......................................................................................................... 11 III. Administrative Controls ............................................................................................... 12 IV. Personnel Security Controls ........................................................................................ 13 Findings ................................................................................................................................... 14 Recommendations .................................................................................................................. 15 Other Observations ................................................................................................................ 21 Conclusion .............................................................................................................................. 22 Additional Information ............................................................................................................ 23 Investigation into Background 2. On December 17, 2012, ESDC verbally the loss of a hard notified our Office of the incident. Formal written notification was subsequently received from ESDC on January 7, 2013. drive at 3. ESDC’s written notification advised that the external hard drive contained personal Employment and information dated from 2000-2006 for Canada Student Loan borrowers, including: Social Development Social Insurance Number (SIN), first name, last name, date of birth, home address, and telephone number. ESDC subsequently Canada informed our Office that the external hard drive also included student loan balance information. In addition, the external hard Complaint Under the drive contained employee information from a Business Continuity Plan fan out list. This information included first name, last name, Privacy Act home address and home phone number and/or cell phone number. 4. Upon receipt of the notification from ESDC, Introduction we determined that there were reasonable grounds for a Commissioner-initiated 1. This Report of Findings relates to a complaint against the Department to Commissioner-initiated complaint against ascertain whether there has been a Employment and Social Development contravention of the Privacy Act. Canada (ESDC), formerly Human Resources and Skills Development Canada (HRSDC), in relation to the loss of an 5. Accordingly, the Office of the Privacy external hard drive (the “incident”) Commissioner of Canada (the “OPC”) containing the personal information of initiated a complaint against ESDC on 583,000 Canada student loan borrowers, January 11, 2013, pursuant to subsection and 250 ESDC employees. 29(3) of the Privacy Act (the Act). 6. The OPC’s investigation focused on the incident in relation to the disposal, use and disclosure provisions of the Act. 1 11. According to ESDC’s representations, the Methodology hard drive was stored in a lockable filing cabinet located in that employee’s cubicle, 7. Our investigation examined the in an envelope, hidden under suspended circumstances surrounding the incident, as files. well as ESDC’s policy framework in order to identify the degree of conformity with the 12. ESDC reported that the external hard drive applicable Government of Canada privacy- was a 1 terabyte (TB) Seagate GoFlex. It related policies, and whether the was not password protected, nor was the Departmental policies and procedures that information contained on it encrypted. The were in place at the time of the incident serial number of the hard drive remains were sufficient and effectively implemented. unknown. 8. To this end, we reviewed the 13. According to ESDC, the external hard representations received from ESDC in drive was used to backup information in relation to the incident, and our preparation for the migration of information investigation entailed interviews with key from the T drive to the U drive on the employees identified as having access to Department's network. The migration of the missing external hard drive, as well as information was performed by the a site visit to ESDC’s Canada Student Innovation, Information and Technology Loans Program (CSLP) Unit, and meetings Branch (IITB) on October 12, 2012. with Departmental officials. 14. ESDC confirmed that the IITB was not involved in the backup of information on Summary of Facts the hard drive, as the hard drive was not technically necessary for the data 9. The CSLP promotes accessibility to post- migration. The hard drive was only used secondary education for students with a as a risk mitigation measure by the CSLP demonstrated financial need by lowering to protect against inadvertent loss or financial barriers and ensuring Canadians deletion of the files during the migration. have an opportunity to develop the knowledge and skills to participate in the 15. By way of background, ESDC confirmed economy and society. With these that the data migration project started in objectives in mind, the CSLP offers a suite 2011 by the Operational Program Support of student financial assistance programs Division (OPSD). The OPSD became the and services, including student loans for Program Integrity and Accountability (PIA) full-time and part-time students, non- Division in the fall of 2011. The PIA repayable grants, and repayment Division provides stewardship to the CSLP assistance measures for borrowers who through leadership in planning, reporting, experience difficulty repaying their loans. portfolio management, accountability, program integrity and compliance, as well 10. The investigation confirmed that, on as administrative services for the CSLP, November 5, 2012, an employee of the including finance, human resources, CSLP Unit went to retrieve an external financial and information management, hard drive from a filing cabinet and noticed security and accommodations. that it was missing. 2 16. Following a comprehensive review of the 20. In addition to the seven pieces of personal files and folders on the Department’s information described by ESDC in its network that were identified for the notification to our Office, the files relating to migration project, ESDC informed our client satisfaction surveys may have also Office that the following data files were included the following fields of information compromised by the loss of the external in relation to borrowers: hard drive, each of which is described in more detail below: Loan certificate number, loan ID number, loan class (whether the borrower is in study, • Files pertaining to client satisfaction or in repayment), whether the borrower had surveys; direct contact with the Service Provider, the name of the education institution that the • Files containing investigation reports; borrower attended, the borrower’s gender, • Files containing CSLP financial, language, marital status, the province that business plan and Human Resources issued the loan, the type of loan (e.g. part information; time loan), years of study, end of study date, loan interest rate, loan interest type, • Files containing Business Continuity the date the loan was issued, the Planning information. disbursement date, the federal loan disbursement amount, the student loan 17. Notwithstanding the above, as the hard consolidation date, whether the borrower is drive is missing, ESDC submits that there active (borrower sent in consolidation is no way to conclusively identify what agreement), or passive (borrower did not information was in fact backed up to the hard drive. submit consolidation agreement), the type of loan (eg. full-time direct, part-time direct, Client Satisfaction Surveys integrated), delinquency flag (identifies whether the borrower is in delinquency),
Load more

Recommended publications
  • I Lost My Birth Certificate Ontario
    I Lost My Birth Certificate Ontario Chautauqua and fluty Gerrard dews her leaflet differs while Ace remarried some heaume eagerly. Painstaking and fangled Allyn tress her Stromboli fores spins and disarticulated meantime. Spry Chas usually antagonize some regimens or anathematise whereby. If the parents are not married the father has to acknowledge his paternity. Ontario lawyer, addressed to both applicants, giving reasons why the divorce or annulment should be recognized in the Province of Ontario. Customer service Rep did infact answer and I told her of my find, and asked that my application be withdrawn and asked for the full refund. You can find AMA Grande Prairie Centre beside the Freson Bros. If you enter your family, i lost my birth ontario? By keeping it in a safe place, you are doing your part to protect your identity. ISC will conduct research within its records to determine entitlement to registration. Birth Certificate, Social Insurance Number, and Canada Child Benefits, including the Ontario Child Benefit at the same time; this will make it easier and faster to obtain these documents. Malaysian citizenship at birth would be given a red birth certificate. Licence or Health Card for both parties. It is not necessary to obtain a CRBA. In Singapore, a certified extract can be applied in person or online from the Registry of Births and Deaths. Please kindly fill out the fields below. Wendat, and thanks these nations for their care and stewardship over this shared land. My update request got rejected for invalid documents. How do you apply if you are adopted? What if my Canadian citizenship certificate is lost or stolen? There are advantages to using an expediting courier service to obtain your passport expeditiously, the most obvious being that it speeds up the process.
    [Show full text]
  • Self-Certification for Individuals
    SELF-CERTIFICATION FOR INDIVIDUALS Instructions for Completion Wells Fargo is obligated under the Automatic Exchange of Information requirements including the Common Reporting Standard (CRS) to collect certain information about each account holder’s tax residency status. To ensure compliance, please complete this form and provide additional information as required. Note that in certain circumstances, we may be required to share this and other information with the tax authority in your country, who may exchange such information with other relevant tax authorities. The information we may be required to share includes the name, address, tax identification number (TIN), date of birth, place of birth of the account holder or controlling persons, account balance or value at year end, and payments made with respect to such account during the calendar year. You are required to state the residency (or residencies) for tax purposes of the account holder. This is the person or persons entitled to the income and/or assets associated with an account. Definitions to assist you in completing this form can be found in the instructions attached. Each jurisdiction has its own rules for defining tax residence, and jurisdictions have provided information on how to determine if you are a resident in the jurisdiction on the OECD Automatic Exchange of Information Portal. In general, you will find that the tax residence is the country/jurisdiction in which you live. Special circumstances may cause you to be resident elsewhere or resident in more than one country/jurisdiction at the same time (dual residency). Wells Fargo will not be in a position to provide assistance beyond the information contained within the instructions attached.
    [Show full text]
  • How to Apply for a Social Insurance Number in Some EU States
    Professional European and Worldwide Accounts and Tax Advisors How to Apply for a Social Insurance Number in Some EU States This document provides information on obtaining a Social Insurance number in the following EU member states: Ø Spain Ø Belgium Ø Germany Ø Italy Ø Sweden Ø Poland Ø Norway Ø Denmark Ø Portugal Ø Greece Ø Hungary Ø Lithuania Ø Malta Ø The Netherlands Spain To apply for a Social Insurance number in Spain you first need to apply for a NIE number. How to get an NIE number in Spain The application process is quite easy. Go to your local National Police Station, to the Departmento de Extranjeros (Foreigners Department) and ask for the NIE application form. The following documents must be submitted to the police station to obtain a NIE number: Ø Completed and signed original application and a photocopy (original returned) Form can be downloaded here: http://www.mir.es/SGACAVT/extranje/regimen_general/identificacion/nie.htm Ø Passport and photocopy Address in Spain (you can use a friend's) Ø Written justification of why you need the NIE (issued by an accountant, a notary, a bank manager, an insurance agent a future employer, etc.) If you have any questions, call the National Police Station, the Departamento de Extranjeros (Foreigners Department) Tel: (+34) 952 923 058 When you hand in the documentation, a stamped photocopy of the application is returned to you along with your passport. Ask them when you should come back to pick up the document. The turnaround time fluctuates and your NIE can take one to six weeks.
    [Show full text]
  • Smarter Aadhaar Card for a Smarter and Meticulous India
    PJAEE, 17 (7) (2020) Smarter Aadhaar Card For A Smarter And Meticulous India Dr. Samson. R. Victor1, Candida Grace Dsilva N2, Pooja Tiwari 3 1Assistant Professor, Department of Education, Indira Gandhi National Tribal University, Amarkantak (M.P.) India 2Teacher, National Public School, Bangalore, India 3Research Scholar, Department of Linguistics and Contrastive Study of Tribal Languages, Indira Gandhi National Tribal University, Amarkantak (M.P.) India Email: [email protected], [email protected] ,[email protected] Dr. Samson. R. Victor, Candida Grace Dsilva N, Pooja Tiwari: Smarter Aadhaar Card For A Smarter And Meticulous India -- Palarch’s Journal Of Archaeology Of Egypt/Egyptology 17(7). ISSN 1567-214x Keywords: India - Unique identification number, UIDAI, Aadhaar card & a smart card ABSTRACT The Unique Identification Number (UIDAI) – Aadhaar, is a unique number that is derived to identify every citizen of India, including the Non Residential Indians (NRI). This document was introduced to serve as an authentic identity proof for individuals. UIDAI is a secure document which consists of iris scan and fingerprint scan, that is person specific and identity theft is not very easy, making it a robust and versatile document.Exploring the robustness and versatility of this document this paper focuses on venturing out to identify the diverse applicability of the UIDAI to benefit both the government and the Indian citizens. In order to widen the scope of Aadhaar card, this paper proposes to use the Aadhaar card number to collect and store data such as demographic, health, education, employment, financial, police records of every resident of India so that the government can utilise the information, in order to monitor, analyse and frame policies and schemes in the field of education, employment,pension, scholarship, health schemes, dole, subsidiaries to farmers 10085 PJAEE, 17 (7) (2020) and low income people,in order to up-lift the beneficiaries thus helping India to become a developed country.
    [Show full text]
  • Authorized Identification Section 95
    E-18-301 Election Act Section 95 Authorized Identification An elector whose name is not on the List of Electors may vote after producing government issued identification containing the elector’s photograph, current address and name. This includes an Operator’s (Driver’s) Licence or an Alberta Identification Card. An elector whose name is not on the List of Electors, and who is unable to produce government issued identification, must produce two pieces of identification from the following list prior to voting. Both pieces of identification must establish the elector’s name. One piece must establish the elector’s current address. Where an attestation is used to comfirm identity and residence, additional identification is not required. Authorized Identification with Elector’s Name Alberta Assured Income for the Severely Handicapped (AISH) Canadian National Institute for the Blind (CNIB) ID card card Confirmation Certificate Alberta Forestry Identification card Credit/Debit card Alberta Health Care Insurance Plan (AHCIP) card Employee/Staff card Alberta Health Services Identification Band (patient wrist Firearm Possession and Acquisition Licence or identification band) Possession Only Licence Alberta Natural Resources (conservation) ID card Fishing, Trapping or Hunting Licence Alberta Service Dog Team ID card Hospital/Medical card Alberta Wildlife (WIN) ID card Library card Baptismal Certificate Marriage Certificate Birth Certificate Membership card: Service clubs, fitness/health club, Canadian Air Transportation Security Agency (CATSA) ID
    [Show full text]
  • Social Insurance Number Application
    Government Gouvernement of Canada du Canada PROTECTED WHEN COMPLETED - A SOCIAL INSURANCE NUMBER APPLICATION FINDER NO DATE APPLICATION FOR A DO NOT WRITE IN THIS AREA FIRST SOCIAL INSURANCE NUMBER CARD REPLACEMENT CARD LEGAL CHANGE OF NAME(S) CHANGE OF STATUS UPDATE TO RECORD (no card will be issued) CHANGE TO THE EXPIRY DATE OTHER - SPECIFY INFORMATION CONCERNING THE APPLICANT PRINT CLEARLY IN BLUE OR BLACK INK NAME TO BE First Given Name Other Given Names (to be printed on card) Family Name 1 SHOWN ON CARD Day Month Year DATE OF Male Check if you are a twin, triplet, etc. 2 BIRTH 3 GENDER Female MOTHER'S Given Name(s) Family Name FATHER'S Given Name(s) Family Name 4 NAME 5 NAME (at birth) APPLICANT'S City, Town or Village Province Country 6 PLACE OF BIRTH APPLICANT'S FAMILY NAME AT BIRTH OTHER FAMILY NAME(S) PREVIOUSLY USED 7 8 HAVE YOU EVER HAD A 9 SOCIAL INSURANCE No Yes 10 IF "YES", WRITE YOUR NUMBER? NUMBER HERE Check one of the following: Home Telephone Number Daytime Telephone Number STATUS IN Canadian Registered Permanent Other 11 CANADA Citizen Indian Resident 12 Are you currently residing in Canada? Yes No In care of (if different than item 1) MAIL TO Number and Street Apartment No. (Address where you 13 want your card to be sent) City, Town or Village Province Postal Code If the applicant is under 12 years of age, the father, mother or legal guardian must sign and indicate his/her relationship. If you are a Date 14 guardian, you must submit a document showing proof of legal guardianship.
    [Show full text]
  • Tax ID Table
    Country Flag Country Name Tax Identification Number (TIN) type TIN structure Where to find your TIN For individuals, the TIN consists of the letter "E" or "F" followed by 6 numbers and 1 control letter. TINs for Número d’Identificació residents start with the letter "F." TINs for non-residents AD Andorra Administrativa (NIA) start with the letter "E". AI Anguilla N/A All individuals and businesses receive a TIN (a 6-digit number) when they register with the Inland Revenue Department. See http://forms.gov. AG Antigua & Barbuda TIN A 6-digit number. ag/ird/pit/F50_Monthly_Guide_Individuals2006.pdf CUIT. Issued by the AFIP to any individual that initiates any economic AR Argentina activity. The CUIT consists of 11 digits. The TIN is generated by an automated system after registering relevant AW Aruba TIN An 8-digit number. data pertaining to a tax payer. Individuals generally use a TFN to interact with the Australian Tax Office for various purposes and, therefore, most individuals have a TFN. This includes submitting income tax returns, reporting information to the ATO, obtaining The Tax File Number (TFN) is an eight- or nine-digit government benefits and obtaining an Australian Business Number (ABN) AU Australia Tax File Number (TFN) number compiled using a check digit algorithm. in order to maintain a business. TINs are only issued to individuals who are liable for tax. They are issued by the Local Tax Office. When a person changes their residence area, the TIN AT Austria TIN Consists of 9 digits changes as well. TINs are only issued to people who engage in entrepreneurial activities and AZ Azerbaijan TIN TIN is a ten-digit code.
    [Show full text]
  • Guide for Completing an Application and Supporting
    Service Canada Guide for Completing an Application and Supporting Forms for Canada Pension Plan Disability Benefits under the Agreement on Social Security between Canada and the Republic of Poland If you: reside in Poland; and wish to apply for Canada Pension Plan Disability benefits, you must complete an “Application for Canada Pension Plan Disability Benefits under the Agreement on Social Security between Canada and the Republic of Poland”*. If you have been out of work for twelve months or more, be sure to submit your application as soon as possible. Any delay in submitting your application may mean that you will no longer qualify for a Disability benefit or that you may lose several months of benefit entitlement if your benefit is approved. This guide has been prepared to help you fill out the application and supporting forms. Please read the guide carefully and follow the instructions which are given. In order to act on your claim as quickly as possible Service Canada must have all the information which is requested in the forms. The more accurately the forms are completed, the better we can serve you. ∗ If you wish to apply for a Canadian Old Age Security pension or Canada Pension Plan Retirement, Survivor’s, Surviving Child’s or Death benefit you will have to complete a different form entitled “Application for Canadian Old Age, Retirement and Survivors Benefits under the Agreement on Social Security between Canada and the Republic of Poland”. This form is available on this website and from your nearest social security office.
    [Show full text]
  • Jurisdiction's Name: Canada Information on Tax Identification
    Jurisdiction’s name: Canada Information on Tax Identification Numbers Section I – TIN Description Tax identification numbers (TINs) exist in Canada in various forms and are issued to residents and non- residents of Canada. The descriptions below focus on residents of Canada – the persons for which a TIN is required to be collected for exchange of information purposes under the Common Reporting Standard. Individuals For individuals resident in Canada, their authorized tax identification number is their nine-digit Canadian Social Insurance Number (SIN) issued by Service Canada. Every individual resident in Canada with income tax filing obligations (or in respect of whom an information return is to be made) is required to have (or obtain) a SIN. SINs are confidential but are required to be furnished on request to financial institutions for tax reporting purposes. For more information on the SIN, including how to apply for one, go to Service Canada. Corporations For corporations, their tax identification number is a unique nine-digit Business Number (BN) issued by the Canada Revenue Agency. Corporations resident in Canada have income tax reporting obligations and are required to have a BN. For more information on the BN, including how to apply for one, go to Business Number (BN) registration. Trusts For trusts, their tax identification number is their eight-digit trust account number preceded by the letter “T” issued by the Canada Revenue Agency. Trusts resident in Canada with income tax reporting obligations are required to have a trust account number. For more information on the trust account number, including how to apply for one, go to Application for a Trust Account Number.
    [Show full text]
  • Form Confirming Signing an Agreement for the Idosell.Com Service
    The IdoSell.com service Agreement concluded on in Szczecin Between: IAI S.A, with its headquarters in Szczecin, at Madalińskiego Street 8 (70-101) Szczecin (Poland), registered in the NCR (No. 0000325245), a VAT payer (VAT Number PL 8522470967), later regarded as the IAI, and: Represented by: later regarded as the Buyer. 1. The IdoSell.com is a - open to the public - Service of 8. The Agreement is concluded for an indefinite period of renting an application and server resources for e-commerce time. The Agreement may be terminated by any of the needs, provided by the IAI. The description of the parties with three months denouncement period for the IdoSell.com service can be found on the www.idosell.com Buyer and two months for the IAI - with the result at the website. end of the month. In case of not keeping the term of notice, 2. This Agreement determines the conditions of access to the the party that has not kept it, shall pay an agreed penalty – IdoSell.com Service and hereby confirms the agreement equal to the highest subscription fee paid during the concluded by means of the www.idosell.com website. Agreement has been in force – to the other party for each month of the term of notice that had not been kept. 3. The contracting parties declare that they have read the Terms and Conditions of the IdoSell.com, published on the 9. The Agreement is subject to cession, unless all provisions of www.idosell.com website, and oblige to obey them. The the present Agreement are respected by the party making Terms and Conditions of the IdoSell.com is an integral part the cession.
    [Show full text]
  • Advisor's Acknowledgement
    TD Canada Trust Advisor's Acknowledgement (Note: If the Applicant is an Advisor, this form must be filled out and signed by another licensed advisor.) Advisor and Dealer Information: Dealer Code Advisor Code Company Name (the "Dealer") Advisor Name (such person and any person who replaces this person is the "Advisor") Fax No. Telephone No. Advisor's Acknowledgement. By signing below the Advisor acknowledges that the Advisor has acted as agent for the Bank for the purpose of ascertaining identity, and hereby certifies that the Applicant(s) were physically present before the Advisor and produced an original version (not a copy) of valid (i.e., not expired) Identification. "Identification" in this Application refers to: (i) one of the following: Canadian driver's license, Canadian passport, or Canadian Firearms License; OR (ii) two of the following: Canadian Government Issued Identification Card, Canadian Old Age Security Card, Canadian Birth Certificate, NEXUS Card, Social Insurance Number or Canadian Permanent Residency Card. The Advisor acknowledges that the Advisor is required to obtain Identification, documenting below the type, place of issuance, number and expiry date of the Identification. The Advisor agrees that he/she will, on the request of the Bank, send a copy of the Identification obtained to the Bank. The Advisor shall ensure that the Application accurately sets out the full legal name, date of birth, address, occupation, employer name and employer address of each Applicant. The Advisor shall: (i) forward the Application and Agreement to the Bank by courier or by any other method agreed to by the Bank from time to time; and (ii) provide the Applicant(s) with a copy of this Application and the Agreement.
    [Show full text]
  • Application for a Canada Revenue Agency Individual Tax Number (Itn)
    Protected B when completed APPLICATION FOR A CANADA REVENUE AGENCY INDIVIDUAL TAX NUMBER (ITN) FOR NON-RESIDENTS Before you start: • Do not submit this form if you have, or are eligible to obtain, a social insurance number (SIN). For more information about obtaining a SIN, call Service Canada toll-free at 1-800-206-7218. Select option "3" for SIN information. If you are calling from outside Canada, or if you have a rotary dial telephone, call (506) 548-7961 (long distance charges will apply). You may also visit their web site at www.servicecanada.gc.ca. • Do not submit this form if you have previously obtained a SIN, an ITN, or a temporary taxation number. Continue to use the tax number you have already been issued. Indicate the reason you are applying for an ITN: Supporting certified documents: Filing a Canadian income tax return Valid passport Filing an application to waive or reduce Canadian Driver's licence withholding tax on payments that you receive Disposing of taxable Canadian property Birth certificate/Proof of birth Other (please identify): IDENTIFICATION (please print) 1. Name Last name First name Middle name(s) 2. Foreign address Apartment number, street address, street name City Province or State Country Postal code or zip code 3. Mailing address (if different from above) Apartment number, street address, street name City Province or State Country Postal code or zip code 4. Birth information Date of birth (YYYY-MM-DD) Country of birth 5. Other information Foreign tax identification number Telephone number CERTIFICATION I, , (Please print name) certify that the information given on this form is, to the best of my knowledge, correct and complete.
    [Show full text]