OTTAWA – The federal privacy czar says a portable hard drive containing personal information on more than half a million people who took out student loans was left unsecured for extended periods and lacked password protection and encryption.
The report from interim privacy commissioner Chantal Bernier also says employees handling the device were not aware of the sensitivity of the information it contained.
Human Resources and Skills Development Canada acknowledged last year the drive held data on 583,000 Canada Student Loans Program borrowers from 2000 to 2006.
The missing files included student names, social insurance numbers, dates of birth, contact information and loan balances, as well as the personal contact information of 250 department employees.
Bernier’s report, tabled in Parliament, says a gap between policies and practices at the department – now known as Employment and Social Development Canada – led to weaknesses in information management, physical security controls and employee awareness.
She says information security cannot be assured by having policies on paper – they must be put into practice every day.