DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Ministry of Education failed to protect personal information involving missing portable hard drive

Posted on January 28, 2016 by Dissent

VICTORIA—In an investigation report released today, B.C. Information and Privacy Commissioner Elizabeth Denham found that the Ministry of Education failed to protect the personal information of 3.4 million B.C. and Yukon students stored on a portable hard drive.

“This investigation is unique in that we are looking at events that happened more than four years ago. The passage of time and the lack of proper documentation made it difficult to gather consistent and complete information from those involved. Therefore, the main goal of this report is to highlight lessons from the past to help prevent future breaches,” said Commissioner Denham.

The Commissioner initiated an investigation in September 2015 after the Ministry of Education notified her that it was unable to locate a portable hard drive containing personal information collected between 1986 and 2009, including name, gender, date of birth and Personal Education Number.

A number of the records contained more sensitive personal information, including address, type of schooling, grade information, teacher retirement plans, education outcomes for cancer survivors, health and behaviour issues, and children in care.

The ministry used the portable hard drive as a backup for the purpose of disaster recovery of ministry research data. The information was moved from a secure server to the hard drive in an attempt to decrease electronic storage costs, and was ultimately sent to an off-site warehouse for storage.

The ministry declared the hard drive to be lost when employees were unable to locate it in the warehouse after a series of extensive searches.

The investigation found that despite having privacy and security policies in place, the ministry contravened section 30 of the Freedom of Information and Protection of Privacy Act (FIPPA) when it failed to protect the personal information of millions of children and teachers after copying the information onto the portable hard drive. The ministry did not ensure the information was encrypted, did not store the portable hard drive in an approved off-site warehouse and did not adequately document the contents or location of the portable hard drive.

Once the ministry discovered the breach, its response did comply with s. 30 of FIPPA, in that its containment efforts, analysis of the risks to the affected individuals and preventative measures were appropriate.

“There are many important lessons to be learned from this investigation, not only for the Ministry of Education, but for other public agencies as well. This is an example of a breach that was completely preventable. If the ministry had implemented any one of a number of safeguards and followed existing policy, the breach would not have happened.

“This is where executive leadership has an opportunity to reinforce a multi-faceted approach to security. Measures such as maintaining a thorough personal information bank inventory, securing personal information properly and designating an appropriate retention period for records will go a long way in building a sound privacy management program.

“I am pleased to see that the ministry has already taken steps to reduce the risk of future breaches, including implementing a privacy management program and appointing a Ministry Privacy Officer.” said Denham.

Commissioner Denham has made nine recommendations to strengthen the security of personal information maintained by the ministry. The recommendations focus on steps the ministry should take to ensure policies and procedures are followed, including maintaining an accurate inventory of personal information assets, encrypting all mobile data storage devices and storing them only in government approved facilities.

In addition, mandatory training, privacy and security audits and executive leadership are critical to ensuring employees build privacy into their operations and programs.

The Commissioner’s office will follow up with the ministry in three months with respect to the implementation of these recommendations.

Investigation Report F16-01: Ministry of Education is available at:
www.oipc.bc.ca/report/investigation-reports/

Michelle Mitchell
Office of the Information and Privacy Commissioner for B.C.
250 217-7872
[email protected]
Twitter @BCInfoPrivacy

Category: Breach IncidentsEducation SectorGovernment SectorLost or MissingNon-U.S.

Post navigation

← DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System: GAO
Fraternal Order of Police hacked, members’ data dumped →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.