Federal departments reported 256 data breaches in 2014-15

Federal institutions reported 256 data breaches in 2014-15, according to the annual report from the Privacy Commissioner of Canada.

That’s up from 228 breaches the year before – which was double the number from the year before that.

For the most part, the data breaches were “accidental disclosure,” according to the report. One example of an accidental disclosure was a Canada Revenue Agency list that included the personal information of more than 1,000 individuals and businesses relating to a tax credit: all were accidentally sent to a CBC journalist. The journalist then reported on it.

Windowed envelopes – the envelopes with a small plastic-covered cut-out that allows part of the letter within to be seen – also caused some problems for government agencies.

In one case, more than 41,000 letters were incorrectly printed so that not only was the name and address of the recipient visible – but also that the letter was from the Marihuana Medical Access Program. In another case, the recipients’ SIN was visible in the letter window on a set of tax slips sent from the Public Prosecution Service of Canada.

READ MORE: Thousands of Canadians compromised by government information breaches

Seventy-three per cent of breaches were accidental disclosures, according to the report.

“Knowing that nearly three-quarters of breaches could have been prevented with greater care is a concern,” wrote the Privacy Commissioner of Canada, Daniel Therrien, in the report. “Relatively simple steps can and must be taken to curtail these types of breaches.”

Strict policies on employee access to records, mail outs and privacy breach reporting can help to minimize these kinds of accidental disclosures, according to the report.

Citizenship and Immigration Canada reported the most Privacy Act breaches: 76. Veterans Affairs reported 65 and the Canada Revenue Agency reported 38.

USB sticks and portable hard drives

The Privacy Commissioner also looked into government’s use of portable storage devices, like USB sticks and portable hard drives. It found that 70 per cent of departments audited have never assessed the risks of using such devices, and 90 per cent do not inventory and track storage devices through their whole life cycle.

These practices run the risk of losing or exposing private or government data, which could result in harm to individuals or to the government, hurting the government’s reputation, and incurring significant costs to recover lost data, says the report. It’s happened before: in 2012, the government lost a portable hard drive containing the personal information of thousands of student loan recipients.

“Effectively protecting personal information is a challenge we do not want to minimize,” said Therrien in a press release. “However, given that Canadians are required to provide very sensitive information to federal departments and agencies, the government’s duty of care is paramount.”