An article in today’s Toronto Star stated that federal government agencies reported 300 privacy breaches in 2014. While some of these involved physical thefts (such as a courier truck transporting passports to Caracas, Venezuela being held up en route), many of the breaches involved digital data.
According to an IT World Canada article, two-thirds of the data breaches resulted from human error. These include the loss of an unencrypted external hard drive by Employment and Social Development Canada containing the personal information of 583,000 student loan recipients, and the loss of a USB hard drive by the Privacy Commission when they moved from Gatineau across the river to Ottawa this past April. While admitting that the USB hard drive loss was embarrassing, the Privacy Commission learned from their mistake, and posted guidelines for government agencies to follow when dealing with a privacy breach. These guidelines are equally applicable to private organizations, and are well worth reading.
Since May of 2014, government agencies have been obligated to report data breaches (prior to that time, reporting was on a voluntary basis). Unfortunately, this obligation does not secure the data – it only lets the public know when a breach has occurred. The government needs to take more action to ensure that private information, both in digital and print form, is properly identified and secured from unauthorized access.