Canada's Privacy Commissioner releases annual report on government data breaches

Canada’s Privacy Commissioner Daniel Therrien released his Privacy Act Annual Report to Parliament on December 10. The report highlighted the results of an audit of the management of portable storage devices and reported data breaches by 17 federal agencies.

Federal institutions reported a record-high number of data breaches – 256 incidents were reported in 2014-2015, up from 228 reported the year before. The main cause of the data breaches was accidental disclosure. Examples include incidents in which Health Canada mailed letters to over 41,000 people showing their names in conjunction with the medical marijuana access program, and the Canada Revenue Agency accidentally sent the personal financial information of over 1,000 people to a journalist.

The Commissioner urged the agencies to increase their vigilance and implement more effective safeguard and control measures to protect the personal information of Canadians. The Commissioner’s recommendations, which the federal agencies agreed to accept and address, included:

• Ensure that the issuance of all portable storage devices is recorded for identification and tracking purposes;
• Retain documentary evidence as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner;
• Assess the current disposal process to ensure appropriate controls are in place to mitigate the risk of a data exposure;
• Assess the risk to personal information resulting from the lack of controls on the connection of unauthorized USB storage devices, or from the use of CDs/DVDs to store data, and implement appropriate controls to address identified gaps and weaknesses;
• Ensure that encryption is deployed on all portable storage devices that may contain personal information;
• Ensure that all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the risks inherent to the use of the devices.

This was the first year in which federal institutions were required to report data breaches, as compared to the previous voluntary reporting regime. It is important to note that the mandatory breach notification regime will soon be coming to the private sector. The relevant Digital Privacy Act amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) are expected to come into effect as soon as the government issues corresponding regulations that are currently being drafted.