Largest data breach in B.C. could have been ‘completely preventable’: watchdog report
The Ministry of Education received a failing grade when it came to protecting the personal information of millions of B.C. and Yukon students after a portable hard drive was lost, according to an investigation report released Thursday by the B.C. Privacy Commissioner.
“There are many important lessons to be learned from this investigation, not only for the Ministry of Education, but for other public agencies as well,” Commissioner Elizabeth Denham said in a statement.
“This is an example of a breach that was completely preventable. If the ministry had implemented any one of a number of safeguards and followed existing policy, the breach would not have happened.”
NDP Opposition Critic for Education Rob Fleming calls the report damning and says it outlines how the provincial government conducted itself and failed to protect personal information of British Columbians.
“This is the largest data breach in B.C. history and I think what’s most disturbing is how Christy Clark and her government just shrug it off, like it’s no big deal,” Fleming said.
When in fact, it is a big deal. When you look at how government has so poorly performed to protect highly sensitive information…. all sorts of things that nobody should have out there in the public sphere. They should be angry with their government and demand accountability.”
The commissioner’s investigation was started in September 2015 after the ministry let it be known that it was unable to locate a portable hard drive containing about 3.4 million education records tied to people between 1986 and 2009 that included their names, postal codes, grades and personal education numbers.
There are also a smaller number of records in files on the hard drive that include more sensitive personal information, such as:
- 825 survey results from 2003 of teachers aged 53 or older on their retirement plans.
- 1,052 personal education numbers, birth years, and grad dates for cancer survivors from a study on their education outcomes.
- 9,273 personal education numbers connected to children in the care of the Ministry of Children and Family Development before 2006-07, including information such as health and behaviour issues and supervision status.
Officials said the sensitive information could be connected to names by comparing the personal education numbers to names through the larger data file.
The hard drive was used as backup in case of disaster and to decrease electronic storage costs and was sent to an off-site warehouse for storage. The ministry said the hard drive was lost when employees were unable to locate it in the warehouse after a series of extensive searches.
While the ministry did have security and privacy police in place, the watchdog’s report said the ministry failed when it copied the private information onto the portable hard drive. The ministry did not ensure the information was encrypted, did not store the drive in an approved offsite location and did not document the contents or location of the hard drive properly.
In the report, Denham made nine recommendations to strengthen the security of personal information kept by the ministry which include: keeping accurate inventory, encrypting devices and storing them only in government-approved facilities.
“If this was actually a situation involving a cash loss of $3.4 million, I believe the government would take rapid, dramatic and decisive action to deal with the situation,” she said in her report.
Education Minister Mike Bernier acknowledged the privacy breach as “unacceptable” and described the commissioner’s assessment and recommendations as “fair and balanced.”
“We sincerely apologize for any inconvenience this incident may have caused people,” he said in a statement.
Bernier also said the government must do a better job of ensuring that public servants receive ongoing training. He said a formal review of the ministry’s personal information management practices is underway.
The commissioner’s office will follow up with the ministry in three months on the implementation of these recommendations.
– With files from The Canadian Press