OTTAWA — Canada’s privacy watchdog says federal agencies must put more rigorous safeguards in place to protect sensitive personal information — especially when that data is on an easy-to-lose memory stick.
In his annual report tabled Thursday, privacy commissioner Daniel Therrien underscored a record-high number of federal government data breaches disclosed to his office.
While many institutions have made strides, there is still much room for improvement — particularly with the use of portable storage devices, Therrien said.
Federal institutions reported 256 data breaches in 2014-2015, up from 228 the year before.
As in previous years, the leading cause of breaches was accidental disclosure, a risk Therrien says can often be lessened by following proper procedures.
Last year marked the first time institutions were required to report data breaches to the privacy commissioner. Previously, reporting was voluntary.
Given that Canadians are required to provide very sensitive information to federal departments and agencies, “the government’s duty of care is paramount,” Therrien said in a statement.
Portable storage devices are convenient because they can hold huge amounts of data and are generally small and highly portable, the commissioner noted. But those same traits also create significant privacy and security risks.
“These devices can be easily lost, misplaced or stolen,” he said. “Without proper controls, federal institutions are running the risk that the personal information of Canadians will be lost or inappropriately accessed.”
Therrien’s office undertook a special audit following concerns over a number of such data breaches, including a 2012 incident in which a portable hard drive containing the personal information of almost 600,000 student loan recipients went astray.
The audit, which examined practices at 17 institutions, identified a number of concerns:
— More than two-thirds of the agencies had not formally assessed the risks surrounding the use of all types of portable storage devices
— More than 90 per cent did not track all devices throughout their life cycle
— One-quarter did not enforce the use of encrypted storage devices.
The commissioner says the audited institutions have accepted all of his recommendations.