The internal documents obtained by QMI Agency under Canada’s Access to Information Act, reveal a series of data breaches at Statistics Canada that were investigated but not disclosed publicly, according to a report in the Toronto Sun.
There have been a number of data breach cases of employees having their laptops containing confidential information stolen. In at least two incidents, employees left sticky notes with the passwords on their computers.
In another incident, Wayne Watson, director general of the Investigations and Inquiries Branch of Canada’s Privacy Commissioner, called a March 2007 data breach of the employment records of 66 census takers and managers "a serious matter." The documents were left in surplus filing cabinets and sold at a Crown Assets Auction in Edmonton.
Watson said in an internal letter that measures had been taken to prevent future incidents. "These people should now be better informed of the privacy rights of individuals so that others may be spared the invasion of privacy (names deleted) suffered," he wrote.
In another case, a couriered envelope containing 11 unencrypted, non-password-protected discs sent to Statistics Canada’s Ottawa headquarters were lost. The discs contained more than 21,000 electronic images of birth, death, stillbirth and marriage certificates. The envelope was discovered locked in a rarely used cabinet four months later.
Other incidents have involved census takers inadvertently divulging sensitive information about Canadian citizens and businesses.
Statistics Canada spokesman Peter Frayne told QMI that in a five-year period the agency conducted more than 22 million interviews with only a dozen or so security incidents, the majority resulting from criminal acts by third parties.
"Statistics Canada considers protecting the confidentiality of respondent information not only a legal obligation, but a corporate imperative. It is a fundamental value ingrained in the agency’s culture", he said.