IP54-56/2014 — Employment and Social Development Canada
This report details an investigation into the loss of an external hard drive at Employment and Social Development Canada (ESDC), which contained the personal information of 583,000 Canada student loan borrowers and 250 employees. The Office of the Privacy Commissioner of Canada (OPC) found that while ESDC had appropriate policies in place, there was a significant gap in their implementation, leading to inadequate physical, technical, administrative, and personnel security controls. Consequently, ESDC was found to be in contravention of sections 6(3), 7, and 8 of the Privacy Act. ESDC accepted all of the OPC's recommendations for improvement.
- Adequacy of physical security controls for storing personal information on portable media.
- Sufficiency of technical safeguards, such as encryption, for personal information on external hard drives.
- Effectiveness of administrative controls, including asset management and inventory of portable devices.
- Level of employee awareness and training regarding the risks associated with handling personal information on portable devices.
Complaint well-founded — corrective measures taken
The investigation found that ESDC failed to implement appropriate safeguards to protect personal information on the lost hard drive, contravening key sections of the Privacy Act. However, the department has accepted and is implementing the OPC's recommendations to address these deficiencies.
AI-generated summary for reference only. Always verify against the official decision ↗
ESDC was required to implement measures to improve physical, technical, administrative, and personnel security controls to prevent similar incidents and ensure compliance with the Privacy Act.
- s. 6(3) Privacy Act
- s. 7 Privacy Act
- s. 8 Privacy Act
- s. 3 Privacy Act
This summary is informational only and not legal advice.