
Investigation of the loss of an unencrypted Universal Serial Bus (USB) storage device by the Royal Canadian Mounted Police
This investigation concerned the loss by the Royal Canadian Mounted Police (RCMP) of an unencrypted USB storage device containing sensitive personal information of 1,741 individuals. The OPC found that the RCMP contravened section 8 of the Privacy Act by disclosing personal information without consent. The investigation also found that the breach was not reported in a timely manner and that safeguards for personal information on USB devices were inadequate. The complaint was found to be well-founded and unresolved.
- Contravention of section 8 of the Privacy Act regarding unauthorized disclosure of personal information
- Timeliness and appropriateness of the RCMP's response to the breach
- Sufficiency of RCMP measures to safeguard personal information on USB storage devices
- Adequacy of policies and enforcement regarding USB device usage
Complaint well-founded and unresolved
The RCMP contravened section 8 of the Privacy Act by disclosing personal information without consent. Furthermore, the RCMP failed to report the breach in a timely manner and did not have adequate safeguards in place to protect the sensitive personal information on the USB device. It has not committed to a timeline for implementing corrective measures.
AI-generated summary for reference only. Always verify against the official decision.
The OPC recommended that the RCMP implement measures to strengthen safeguards related to the use of USB storage devices, including ensuring approved devices are used, conducting audits, and providing additional training. The RCMP accepted the recommendations but could not commit to a timeline for implementation.
- s. 8 Privacy Act
This summary is informational only and not legal advice.

