Canada’s interim privacy commissioner, Chantal Bernier, has revealed that the Human Resources and Skills Development Canada (HRSDC) department failed to follow its own policies to help keep confidential data secure.
As previously reported, the department lost a USB hard drive which contained confidential data belonging to 583,000 Canadian Student Loans Program borrowers from 2000 to 2006. The files contained information relating to student names, social security numbers, dates of birth and their loan balances. Contact information for 250 employees was also on the hard drive.
A report tabled in Parliament on Tuesday explained that the confidential data was compromised because the device was left unsecured, without password protection or encryption. It also noted that employees were unaware of the sensitivity of the data held on the hard drive.
Bernier stated, “Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly.”
The investigation was started in January 2013 after the hard drive was reported lost; the drive has yet to be found.
Such an incident shows how important it is that employees are suitably educated about data security when dealing with confidential data. Several data security policies could be in place, but if an employee doesn’t understand them or why they must be followed, it is more than likely that the policies will not be adhered to.
In this case, if the staff had been appropriately educated, they would have had an idea of the sensitivity of the data that was held on the drive.