Education Ministry failed to protect student and teacher information: privacy commissioner

VANCOUVER (NEWS 1130) – A report from BC’s privacy commissioner says that, despite having privacy and security policies in place, the Ministry of Education lost a portable hard drive containing the personal information of 3.4 million BC and Yukon students and teachers.

The investigation stemmed from a data breach revealed last year.

Elizabeth Denham says the ministry did not ensure the information was encrypted, did not store the portable hard drive in an approved offsite warehouse, and did not adequately document the contents or location of the hard drive.

“The commissioner found that the ministry failed to provide adequate security to the personal information that was transferred from the secure server onto the portable hard drive, and in doing so, they contravened BC’s privacy law,” says Jay Fedorak, the assistant commissioner with the Office of the Information and Privacy Commissioner.

“This investigation is unique in that we are looking at events that happened more than four years ago. The passage of time and the lack of proper documentation made it difficult to gather consistent and complete information from those involved. Therefore, the main goal of this report is to highlight lessons from the past to help prevent future breaches,” says Denham.

The investigation was launched in September 2015, after the Ministry of Education notified Denham’s office that it was unable to locate a portable hard drive containing personal information collected between 1986 and 2009, including name, gender, date of birth and Personal Education Number.

The records contained sensitive information, including addresses, grade information, teacher retirement plans, education outcomes for cancer survivors, as well as health and behaviour issues.

“This is an example of a breach that was completely preventable,” says Denham. “If the ministry had implemented any one of a number of safeguards and followed existing policy, the breach would not have happened.”

NEWS 1130 asked Premier Christy Clark about the report shortly before it was released today.

“The citizens expect us — are relying on us — to be able to keep their data safe. That’s a basic obligation of government, especially given the sensitivity of the data the government looks after on people’s behalf.”

Clark points out she wasn’t premier at the time these events took place.

Denham has made nine recommendations:

1. Ministry staff should be reminded that they must store personal information securely. Complying with the requirement to consult with their MCIO on relevant policy and procedures before making decisions regarding the secure storage of personal information and with CPPM 6.3.5 when purchasing portable storage devices will assist in meeting the Ministry’s statutory obligation under FIPPA.

2. The Ministry should comply with the requirement in s. 69 of FIPPA to maintain an accurate inventory of personal information assets in the directory of Personal Information Banks, including all personal information stored on portable storage devices.

3. To assist with meeting the statutory requirement to store personal information securely, the Ministry should comply with CPPM policy and the OCIO directive 44692 and transfer all personal information from portable storage devices on to the government network as soon as practicable and delete the personal information from the devices.

4. To assist with meeting the statutory requirement to store personal information securely, the Ministry should comply with the requirement that when securing mobile devices off-site, they store them in a government approved storage facility, which would document the handling of the device.

5. To assist with meeting the statutory requirement to store personal information securely, the Ministry should ensure that it complies with ISP and CPPM policies regarding encryption. If it stores personal information on mobile data storage devices, it must encrypt those devices.

6. The Ministry should apply to amend its ORCS to include a new schedule that governs data extracted from its Educational Data Warehouse. The designated retention period should be the minimum amount of time required for operational purposes.

7. To ensure that Ministry employees follow the policies and procedures necessary to comply with s. 30 of FIPPA, they should receive mandatory training with periodic refresher courses on the collection, use, disclosure, security and retention of personal information and why it is essential that they comply with government policy.

8. The Ministry should implement an audit program that includes risk assessments to evaluate the security of personal information, audits against policy, and reviews the effectiveness of staff training.

9. Ministries should ensure that they conduct direct notification of affected individuals without delay, even in cases where there is not compelling urgency for immediate notification.
