Data breach protocols deficient in 9 federal departments, watchdog finds

Canada's privacy czar has singled out several federal departments for their lacklustre approach to data breaches, citing a need for better reporting, security and tracking protocols.

Privacy commissioner Jennifer Stoddart's office has compiled a preliminary list of agencies with potentially worrisome patterns when it comes to the loss of Canadians' personal information.

'We know it's a systemic problem. We've seen it for years.' Jennifer Stoddart, Privacy Commissioner

The analysis is based on departmental figures tabled in Parliament in April in response to a question from New Democrat MP Charlie Angus. The response indicated there were more than 3,000 data breaches over a 10-year period affecting about 725,000 Canadians.

Upon crunching the numbers, the privacy commissioner identified nine departments and agencies that may lack adequate reporting mechanisms, have faulty security procedures or require improved tracking protocols.

Stoddart's staff cautions that the figures paint a statistical picture but do not shed full light on the kind of data involved in the breaches.

Poor reporting at Fisheries, Public Safety

Still, the office says two departmentsFisheries and Oceans and Public Safety"may lack adequate reporting mechanisms" for alerting the privacy commissioner of a data loss.

Fisheries reported three breaches affecting 73 people between 2002 and 2012. However, for the same period there were actually 12 lapses affecting 4,690 individuals.

None of the 28 breaches that occurred at Public Safety after 2009 was reported, says the privacy commissioner.

"A cursory comparison between institutions indicates that they do not seem to have a consistent method for reporting breaches," say notes prepared by Stoddart's office. "Some systematically report breaches, others almost never."

• Read about ways in which Jennifer Stoddart thinks Canada's privacy laws fallshort

Security issues in 6 departments

Institutions that "may have systematic issues in safeguard and security protocols" are Citizenship and Immigration, Passport Canada, the Correctional Service, the RCMP, the Parole Board and Veterans Affairs.

Citizenship and Immigration had 161 breaches in 2012 alone, while the passport office had 131 incidents in 2011-12, said the commissioner.

Finally, the Canada Revenue Agency was not able to present any data, suggesting a "deficiency in tracking and auditing."

The difficulty with federal data breaches is not new, Stoddart said in an interview.

"We know it's a systemic problem. We've seen it for years," she said. "So I think a positive action on the part of the government to strengthen education about it, prevention, followup and so on, would be the way to go."

Notification recommended, not required

The commissioner's office points out that while the federal Treasury Board has published guidelines for privacy breaches, they simply recommendnot requirethat institutions notify the commissioner of certain kinds of breaches.

They include ones that involve sensitive personal data such as financial or medical information, can result in identity theft, or might otherwise harm or embarrass a person, damaging their career, reputation or well-being.

"Conversely, this means that there are a number of breaches that are not deemed to be serious enough to warrant notification to our office," say the notes. "We can presume that this may partially explain the vast number of unreported breaches."

During a recent meeting, Stoddart urged Treasury Board President Tony Clement to amend the privacy law to make reporting of federal data losses mandatory.

'Positive meeting' with Treasury Board President

"It was a very positive meeting," Stoddart said. "Minister Clement seemed very concerned about the question of data and very interested in ways of strengthening data breach awareness, I'd say, and proactive work to minimize data breaches."

However, she said Clement "made no commitments" about enshrining mandatory reporting.

Andrea Mandel-Campbell, a spokeswoman for Clement, said Monday that the minister is taking Stoddart's comments "under consideration."

Angus says a "complete overhaul" of reporting procedures is needed. "Every breach must be reported to the privacy commissioner," he said Monday.

Government must also ensure Stoddart's office has the resources to investigate lapses and powers to effectively police both federal agencies and private companies that lose data, he said.

"She has to have the tools that she needs to protect privacy."

After Human Resources and Skills Development lost the personal information of more than half a million people who took out student loans, Angus's NDP colleague, digital issues critic Charmaine Borg, tabled a motion in February requesting a House of Commons committee study mandatory breach notification. It was defeated.