DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Canadian Privacy Commissioner troubled by poor computer disposal practices and lack of controls for wireless devices in government

Posted on October 5, 2010 by Dissent

The federal government’s use of handheld communications devices and its practices for disposing of unneeded paper documents and surplus computers could expose the personal information of Canadians to unauthorized disclosure, Privacy Commissioner of Canada Jennifer Stoddart has warned.

The findings, stemming from two separate privacy audits conducted by the Office of the Privacy Commissioner of Canada (OPC), were highlighted in the organization’s 2009-2010 annual report on the Privacy Act, tabled in Parliament today. The Act applies to federal departments, agencies and Crown corporations.

“Our audits turned up some disturbing gaps in the privacy policies and practices of government institutions,” Commissioner Stoddart said. “Whether they’re using a BlackBerry, shredding old papers or disposing of outdated computer equipment, public servants need to know that the security of people’s personal data is a top priority.”

The annual report examines how the government’s holdings of personal data are affected by technology and considers the impact of full-body airport scanners and other national security measures on the privacy rights of Canadians. The report also summarizes key investigations into privacy complaints and data breaches that the Office conducted under the Privacy Act in 2009-2010.

“Considering the vast amounts of personal information on Canadians that the government holds, problems are relatively rare,” the Commissioner acknowledged. But, she noted, the data that the government collects, for purposes such as taxation, income support, the correctional system and international travel, is highly sensitive. Any unauthorized collection, use or disclosure of such data could therefore have serious consequences.

“When it comes to safeguarding the personal information entrusted to it, the government of Canada must always be held to the very highest standards of account.”

Here are some highlights of today’s reports:

  • Wireless audit: Of five federal entities examined, none had fully assessed the threats and risks inherent in wireless communications. Gaps in policies and/or practices resulted in weak password protection for smart phones and inadequate encryption for Wi-Fi networks and data stored on mobile devices. Shortcomings were also noted in the disposal of surplus handheld devices and the use of PIN-to-PIN messaging, a form of direct communication between two smart phones that is vulnerable to interception.
  • Disposal audit: Satisfactory policies and procedural rules were in place for paper shredding and the disposal of surplus computer equipment among the federal institutions audited. There were, however, disturbing deficiencies in practice. For example, tests on a sample of computers donated to a recycling program for schools revealed that 90 percent of the donating institutions had not properly wiped their computers’ hard drives, leaving behind data that was confidential, highly sensitive and, in some cases, even classified.
  • Unauthorized access to tax records: An OPC investigation confirmed that a former Canada Revenue Agency worker had posted to an Internet chat group some personal tax information of high-profile sports figures, which he appears to have gleaned while working at the agency. The investigation further found that other staff still with the agency had similarly accessed tax records without authorization. They were subsequently suspended or fired and new measures were introduced to safeguard the data.
  • RCMP Automated Licence Plate Recognition Program: A surveillance technology rolled out by the RCMP in British Columbia, which aims to spot stolen or uninsured vehicles, raised concerns about the collection and retention of incidental licence plate data from cars that were lawfully on the roads. In response to OPC recommendations, the RCMP made privacy-sensitive modifications to the program.
  • Political Impartiality Monitoring Approach: The OPC reviewed a Privacy Impact Assessment for the Political Impartiality Monitoring Approach, a program developed by the Public Service Commission to monitor media outlets, personal websites and social networking sites for signs of inappropriate political activity by government employees and appointees. The review raised concerns about the scope and privacy implications of the initiative. In response, the Commission undertook to modify its approach and to provide the OPC with a new Privacy Impact Assessment in the fall of 2010.
  • Technical malfunctions: Several investigations turned up mechanical or computer glitches that led to the unauthorized disclosure of personal information by federal institutions. For instance, a programming flaw allowed a hacker to access personal information submitted through the Canada Post Ombudsman’s online complaint system.
  • Federal administrative tribunals: The OPC continues to express concerns about the disclosure of personal information by administrative tribunals and other quasi-judicial bodies. In one case, the Public Service Staffing Tribunal improperly shared sensitive medical information about an individual with hundreds of his former colleagues. In 2009-2010, the Office published guidelines for tribunals on balancing transparency and privacy in the Internet era.

Source: Privacy Commissioner of Canada

Related Filings:

  • Annual Report to Parliament 2009-2010 – Report on thePrivacy Act
  • Audit of the Personal Information Disposal Practices in Selected Federal Institutions
  • Audit of the Protection of Personal Information in Wireless Technology – An Examination of Selected Federal Institutions
Category: Commentaries and AnalysesGovernment SectorNon-U.S.Of Note

Post navigation

← AU: ABC Warns Bluebird AR Viewers About Security Breach
Former Employee of Fannie Mae Contractor Convicted of Attempting to Destroy Fannie Mae Computer Data →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Oklahoma Expands its Security Breach Notification Law
  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements
  • Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.