Investigation Into the Loss of a Hard Drive at Employment and Social Development Canada
Total Page:16
File Type:pdf, Size:1020Kb
Special Report to Parliament Findings under the Privacy Act Investigation into the loss of a hard drive at Employment and Social Development Canada March 25, 2014 Office of the Privacy Commissioner of Canada 30 Victoria Street Gatineau, Quebec K1A 1H3 © Minister of Public Works and Government Services Canada 2014 IP54-56/2014E-PDF 978-1-100-23322-2 Follow us on Twitter: @PrivacyPrivee Contents Investigation into the loss of a hard drive at Employment and Social Development Canada .................................................................................................... 1 Complaint Under the Privacy Act............................................................................................. 1 Introduction ............................................................................................................................. 1 Background ............................................................................................................................. 1 Methodology ............................................................................................................................ 2 Summary of Facts ..................................................................................................................... 2 ESDC’s Actions Following the Incident................................................................................... 4 Application ................................................................................................................................ 9 Analysis ..................................................................................................................................... 9 I. Physical Controls ............................................................................................................ 10 II. Technical Controls .......................................................................................................... 11 III. Administrative Controls ............................................................................................... 12 IV. Personnel Security Controls ........................................................................................ 13 Findings ................................................................................................................................... 14 Recommendations .................................................................................................................. 15 Other Observations ................................................................................................................ 21 Conclusion .............................................................................................................................. 22 Additional Information ............................................................................................................ 23 Investigation into Background 2. On December 17, 2012, ESDC verbally the loss of a hard notified our Office of the incident. Formal written notification was subsequently received from ESDC on January 7, 2013. drive at 3. ESDC’s written notification advised that the external hard drive contained personal Employment and information dated from 2000-2006 for Canada Student Loan borrowers, including: Social Development Social Insurance Number (SIN), first name, last name, date of birth, home address, and telephone number. ESDC subsequently Canada informed our Office that the external hard drive also included student loan balance information. In addition, the external hard Complaint Under the drive contained employee information from a Business Continuity Plan fan out list. This information included first name, last name, Privacy Act home address and home phone number and/or cell phone number. 4. Upon receipt of the notification from ESDC, Introduction we determined that there were reasonable grounds for a Commissioner-initiated 1. This Report of Findings relates to a complaint against the Department to Commissioner-initiated complaint against ascertain whether there has been a Employment and Social Development contravention of the Privacy Act. Canada (ESDC), formerly Human Resources and Skills Development Canada (HRSDC), in relation to the loss of an 5. Accordingly, the Office of the Privacy external hard drive (the “incident”) Commissioner of Canada (the “OPC”) containing the personal information of initiated a complaint against ESDC on 583,000 Canada student loan borrowers, January 11, 2013, pursuant to subsection and 250 ESDC employees. 29(3) of the Privacy Act (the Act). 6. The OPC’s investigation focused on the incident in relation to the disposal, use and disclosure provisions of the Act. 1 11. According to ESDC’s representations, the Methodology hard drive was stored in a lockable filing cabinet located in that employee’s cubicle, 7. Our investigation examined the in an envelope, hidden under suspended circumstances surrounding the incident, as files. well as ESDC’s policy framework in order to identify the degree of conformity with the 12. ESDC reported that the external hard drive applicable Government of Canada privacy- was a 1 terabyte (TB) Seagate GoFlex. It related policies, and whether the was not password protected, nor was the Departmental policies and procedures that information contained on it encrypted. The were in place at the time of the incident serial number of the hard drive remains were sufficient and effectively implemented. unknown. 8. To this end, we reviewed the 13. According to ESDC, the external hard representations received from ESDC in drive was used to backup information in relation to the incident, and our preparation for the migration of information investigation entailed interviews with key from the T drive to the U drive on the employees identified as having access to Department's network. The migration of the missing external hard drive, as well as information was performed by the a site visit to ESDC’s Canada Student Innovation, Information and Technology Loans Program (CSLP) Unit, and meetings Branch (IITB) on October 12, 2012. with Departmental officials. 14. ESDC confirmed that the IITB was not involved in the backup of information on Summary of Facts the hard drive, as the hard drive was not technically necessary for the data 9. The CSLP promotes accessibility to post- migration. The hard drive was only used secondary education for students with a as a risk mitigation measure by the CSLP demonstrated financial need by lowering to protect against inadvertent loss or financial barriers and ensuring Canadians deletion of the files during the migration. have an opportunity to develop the knowledge and skills to participate in the 15. By way of background, ESDC confirmed economy and society. With these that the data migration project started in objectives in mind, the CSLP offers a suite 2011 by the Operational Program Support of student financial assistance programs Division (OPSD). The OPSD became the and services, including student loans for Program Integrity and Accountability (PIA) full-time and part-time students, non- Division in the fall of 2011. The PIA repayable grants, and repayment Division provides stewardship to the CSLP assistance measures for borrowers who through leadership in planning, reporting, experience difficulty repaying their loans. portfolio management, accountability, program integrity and compliance, as well 10. The investigation confirmed that, on as administrative services for the CSLP, November 5, 2012, an employee of the including finance, human resources, CSLP Unit went to retrieve an external financial and information management, hard drive from a filing cabinet and noticed security and accommodations. that it was missing. 2 16. Following a comprehensive review of the 20. In addition to the seven pieces of personal files and folders on the Department’s information described by ESDC in its network that were identified for the notification to our Office, the files relating to migration project, ESDC informed our client satisfaction surveys may have also Office that the following data files were included the following fields of information compromised by the loss of the external in relation to borrowers: hard drive, each of which is described in more detail below: Loan certificate number, loan ID number, loan class (whether the borrower is in study, • Files pertaining to client satisfaction or in repayment), whether the borrower had surveys; direct contact with the Service Provider, the name of the education institution that the • Files containing investigation reports; borrower attended, the borrower’s gender, • Files containing CSLP financial, language, marital status, the province that business plan and Human Resources issued the loan, the type of loan (e.g. part information; time loan), years of study, end of study date, loan interest rate, loan interest type, • Files containing Business Continuity the date the loan was issued, the Planning information. disbursement date, the federal loan disbursement amount, the student loan 17. Notwithstanding the above, as the hard consolidation date, whether the borrower is drive is missing, ESDC submits that there active (borrower sent in consolidation is no way to conclusively identify what agreement), or passive (borrower did not information was in fact backed up to the hard drive. submit consolidation agreement), the type of loan (eg. full-time direct, part-time direct, Client Satisfaction Surveys integrated), delinquency flag (identifies whether the borrower is in delinquency),