I’m a big fan of British comedies, particularly the fine tradition of political humour so well exemplified by Yes, Minister and The New Statesman. More recently, The Thick of It has become a favourite, and in one of the most squirm-inducing episodes, staff in the Department of Social Affairs and Citizenship realise that 7-and-a-half months’ worth of immigration records have been wiped from a computer. Havoc ensues, especially after the gaffe is accidentally revealed to a journalist.
Of course the humour comes from the extremity of the scenario–“that would never happen in real life”, we tell ourselves–it’s just too far down the path of incompetence. But last Friday afternoon we were proven wrong, not by the UK government, but by Canada’s own–and this time it wasn’t 7.5 months’ worth of data, it was 6 years’ worth. The data were from Canada Student Loan program clients and HRSDC employees, and they were on a portable hard drive that was “lost” from an office in Gatineau, Quebec. Is it any surprise that for some of us the first reaction was “is this a joke?”
The news, real enough, is that over half a million students (and 250 civil servants) have had their privacy compromised by the loss of personal and financial information–“student names, dates of birth, Social Insurance Numbers, addresses and student loan balances”–that could be used for identity theft or other forms of fraud. Whether the information has been obtained by someone with malicious intent is unknown–because we don’t know where the data went. The external drive just disappeared.
As it turns out this loss was discovered only during the process of investigating an earlier mishap involving a USB key containing information from another 5,000+ Canadians. The Office of the Privacy Commissioner has begun an investigation of the breach since “there is a serious possibility that an investigation would disclose a contravention of the Privacy Act”; the issue was also referred to the RCMP on January 7.
From the press release there are a couple of things that stand out, other than the obvious. Looking at the timeline of events, it seems like it took over two months from the time the hard drive was missed (on November 5, 2012) to a public announcement alerting CSLP clients to the loss (on January 11, 2013). During this period the HRSDC developed a new “policy for storing secure information” designed to prevent similar incidents in the future, which is described in detail in their press release. I’d be interested to know more about why it took so long to inform the affected parties.
It’s also interesting to look at how this information was communicated to the public. For example, the announcement was made as part of what journalists and political communicators often call the “Friday news dump” (a tactic that doesn’t always work). The press release itself, including a statement from Human Resources Minister Diane Finley, was inappropriately (but optimistically) titled “Protecting Canadians’ personal information at HRSDC”. While I understand the organization’s desire to provide the least negative slant, this kind of re-framing is vaguely embarrassing given the nature of the problem.
The issue has gained more media attention this week, especially after Newfoundland lawyer Bob Buckingham filed a class action against HRSDC; thousands of students are already coming forward to join it. Since I have student loans from the period in question, I knew this incident could have personal consequences. I called the number provided by HRSDC and after being greeted with “thank you for being proactive about your privacy”, a search was run on my SIN and I was told that my information hadn’t been “compromised”. But even knowing that my name isn’t on the infamous 583,000-person list hasn’t been enough to dull my curiosity about how this happened in the first place, and the person I spoke with on the phone didn’t have anything else to tell me. Others who’ve found their information was on the drive haven’t had better luck; they’re being told to wait until they receive a letter via snail mail, and to start taking precautions themselves. Unfortunately, we can’t protect our information pre-emptively on behalf of a government agency–otherwise this might not have happened in the first place.