A story in the print edition of today’s Toronto Star by Graham Lanktree says that a data breach at the Office of the Privacy Commissioner of Canada may have exposed the private information of 800 current and former federal employees.
The story says that the agency lost an unencrypted hard drive during an office relocation in mid-February. The Star report says the drive had private earnings information including names, official ID numbers, salary and overtime, for current and former employees of the Office of the Privacy Commissioner and the Office of the Information Commissioner.
Although the drive was lost in mid-February, the information technology department did not notice the drive was missing until mid-March. The Toronto Star article says that it took until April 9 for the IT people to realize that the missing drive had personal information. Still, 180 current employees were told about the breach last week; another 600 former employees had still not been informed.
Under proposed legislation recently introduced in the Senate [Bill S-4: The Digital Privacy Act], notification must be given “as soon as feasible after the organization determines that the breach has occurred.” Will the timeline for notification by the Privacy Commissioner help inform a definition of “as soon as feasible”?
Who polices a breach of data privacy by the office charged with policing such matters? At the bottom of the Star story, we are told that the RCMP has not been called in to investigate since there is no indication of a criminal act. An internal investigation is reportedly expected to return findings on Friday. According to the story, Parliament was notified through the Ethics Committee and the speakers of the House and Senate.