Education Ministry Chastised for Latest BC Data Breach

Incidents peaked in 2014, have since declined, say FOI documents.

By Bob Mackin, 29 Jan 2016, TheTyee.ca

Government reported 4,420 privacy breaches since 2010. Data security photo via Shutterstock.

The BC Liberal government was chastised again by Information and Privacy Commissioner Elizabeth Denham on Jan. 28, this time for losing a hard drive containing the personal information of 3.4 million B.C. and Yukon students and B.C. teachers from 1986 to 2009.

Information had been transferred from education ministry servers to two hard drives in 2011, one for ministry staff and the other for offsite backup storage. Last summer, the government could not find the backup hard drive and Denham's office launched a probe.

"There was a record that one of the drives was stored at a warehouse leased by the ministry for the storage of exams and curriculum materials, but no one could verify whether it had ever arrived at the warehouse," Denham wrote.

While most of the information consisted of names, genders, birthdates and education identity numbers, the hard drive also contained addresses, health, social, economic and education status of cancer victims and children in provincial foster care.

She found the ministry failed to provide adequate security to prevent unauthorized access, use or disclosure. Privacy and security policies and directives were deemed sound, but the transfer of the data contravened government policy. The ministry also failed to keep the hard drives in its assets inventory and failed to store them in a government-approved facility. The information was also unencrypted.

"This contravention made the information accessible to anyone in possession of the hard drive," Denham wrote.

She concluded that the failure to follow policy and procedure indicated employees were inadequately trained, and executive leadership and compliance monitoring were both substandard.

Though there was no financial, banking or pension information on the hard drive, the information could cause emotional hurt, humiliation or damage to reputation if it fell into the wrong hands, the report said.

"I think it essential to emphasize that the affected individuals are some of the most vulnerable in our society," Denham wrote. "They include children in care, children in custody, children with special needs, and children with health conditions. These are all circumstances that can lead to stigmatization by society in general and instances of individual discrimination."

'Trend was increasing through 2014': docs

The incident prompted the Government Communications and Public Engagement office to write a 16-page script of anticipated questions and suggested answers for politicians.

The document, obtained via freedom-of-information request, included details about the mystery. When the ministry realized it couldn't find the hard drive, there were five full searches of the warehouse, each more thorough than the previous.

The ministry was notified that the hard drive was missing from the warehouse on Sept. 1 and the Office of the Chief Information Officer knew on Sept. 14, after the ministry realized generally what the hard drive contained. A team of 30 to 90 people reviewed each file from the original hard drive between Sept. 18 and 20 to determine what would be on the missing unit.

The talking points also reveal that the problem with government data security may be more serious than the public knows.

One of the prepared questions was: "How many other similar breaches have there been over the last 10 years?"

The suggested answer: "Over the last five years, there have been three hard drives that were lost and contained personal information. One was eventually recovered.

"Since 2010, a total of 4,420 government privacy breaches have been reported to the Office of the Chief Information Officer.

"The trend was increasing through 2014, but has since begun to decline as public service employees have become aware, through training and awareness activities, of the need to report all actual or suspected privacy breaches and other information incidents."

The script includes other messages to reassure the public, if pressed by reporters, that most records are now stored on secure servers in Kamloops and Calgary.  [Tyee]
