The federal government’s use of handheld communications devices and its practices for disposing of unneeded paper documents and surplus computers could expose the personal information of Canadians to unauthorized disclosure, Privacy Commissioner of Canada Jennifer Stoddart has warned.
The findings, stemming from two separate privacy audits conducted by the Office of the Privacy Commissioner of Canada (OPC), were highlighted in the organization’s 2009-2010 annual report on the Privacy Act, tabled in Parliament today. The Act applies to federal departments, agencies and Crown corporations.
“Our audits turned up some disturbing gaps in the privacy policies and practices of government institutions,” Commissioner Stoddart said. “Whether they’re using a BlackBerry, shredding old papers or disposing of outdated computer equipment, public servants need to know that the security of people’s personal data is a top priority.”
The annual report examines how the government’s holdings of personal data are affected by technology and considers the impact of full-body airport scanners and other national security measures on the privacy rights of Canadians. The report also summarizes key investigations into privacy complaints and data breaches that the Office conducted under the Privacy Act in 2009-2010.
“Considering the vast amounts of personal information on Canadians that the government holds, problems are relatively rare,” the Commissioner acknowledged. But, she noted, the data that the government collects, for purposes such as taxation, income support, the correctional system and international travel, is highly sensitive. Any unauthorized collection, use or disclosure of such data could therefore have serious consequences.
“When it comes to safeguarding the personal information entrusted to it, the government of Canada must always be held to the very highest standards of account.”
Here are some highlights of today’s reports:
* Wireless audit: Of five federal entities examined, none had fully assessed the threats and risks inherent in wireless communications. Gaps in policies and/or practices resulted in weak password protection for smart phones and inadequate encryption for Wi-Fi networks and data stored on mobile devices. Shortcomings were also noted in the disposal of surplus handheld devices and the use of PIN-to-PIN messaging, a form of direct communication between two smart phones that is vulnerable to interception.
* Disposal audit: Satisfactory policies and procedural rules were in place for paper shredding and the disposal of surplus computer equipment among the federal institutions audited. There were, however, disturbing deficiencies in practice. For example, tests on a sample of computers donated to a recycling program for schools revealed that 90 percent of the donating institutions had not properly wiped their computers’ hard drives, leaving behind data that was confidential, highly sensitive and, in some cases, even classified.
* Unauthorized access to tax records: An OPC investigation confirmed that a former Canada Revenue Agency worker had posted to an Internet chat group some personal tax information of high-profile sports figures, which he appears to have gleaned while working at the agency. The investigation further found that other staff still with the agency had similarly accessed tax records without authorization. They were subsequently suspended or fired and new measures were introduced to safeguard the data.
* RCMP Automated License Plate Recognition Program: A surveillance technology rolled out by the RCMP in British Columbia, which aims to spot stolen or uninsured vehicles, raised concerns about the collection and retention of incidental licence plate data from cars that were lawfully on the roads. In response to OPC recommendations, the RCMP made privacy-sensitive modifications to the program.
* Political Impartiality Monitoring Approach: The OPC reviewed a Privacy Impact Assessment for the Political Impartiality Monitoring Approach, a program developed by the Public Service Commission to monitor media outlets, personal websites and social networking sites for signs of inappropriate political activity by government employees and appointees. The review raised concerns about the scope and privacy implications of the initiative. In response, the Commission undertook to modify its approach and to provide the OPC with a new Privacy Impact Assessment in the fall of 2010.
* Technical malfunctions: Several investigations turned up mechanical or computer glitches that led to the unauthorized disclosure of personal information by federal institutions. For instance, a programming flaw allowed a hacker to access personal information submitted through the Canada Post Ombudsman’s online complaint system.
* Federal administrative tribunals: The OPC continues to express concerns about the disclosure of personal information by administrative tribunals and other quasi-judicial bodies. In one case, the Public Service Staffing Tribunal improperly shared sensitive medical information about an individual with hundreds of his former colleagues. In 2009-2010, the Office published guidelines for tribunals on balancing transparency and privacy in the Internet era.