LONDON, ON - The massive federal department responsible for Canada's employment, training and pension programs faces a formal investigation into a possible breach of the nation's privacy law after the government misplaced a USB key containing the personal information of 5,000 Canadians.
An employee of Human Resources and Skills Development Canada (HRSDC) lost the flash drive containing the Social Insurance Numbers and other sensitive information, QMI Agency first reported last week.
"I think you can expect that we will be investigating the matter," Anne-Marie Hayden, spokeswoman for the Privacy Commissioner of Canada, said Monday.
"Our investigation would focus on the application of the Privacy Act, but may also refer to relevant Treasury Board guidelines and directives as appropriate."
The Privacy Act is designed to "protect the privacy of individuals with respect to personal information about themselves held by a government institution ..."
The Privacy Commissioner investigation would examine how the USB stick -- a thumb-sized digital storage device -- was misplaced, and what personal information it contained, Hayden said.
The investigation would also include how the department may have broke the rules covering the reporting of privacy breaches.
The Treasury Board of Canada sets the rules for how federal departments handle private information of Canadians and breaches of privacy.
For example, the board recommends mobile computer devices be encrypted to protect the private information they carry.
That's a policy HRSDC generally follows, but did not in this case, spokesman Christian Plouffe said in an e-mail.
"As much as possible, we limit situations where employees are required to store and transport protected information on portable media devices, like memory sticks. Where such situations are unavoidable, encryption is required," he said. "We are analyzing why this was not done in this incident . . . "
The Treasury Board also says it's "strongly recommended" the Privacy Commissioner be notified of breaches, especially involving medical information and social insurance numbers "as soon as possible after the institution becomes aware of the breach."
That means, according to the board, "within days."
The USB stick was reported missing at HRSDC national headquarters Nov. 17.
But the privacy breach wasn't reported to the privacy commissioner's office until more than a month later, Dec. 21.
That's the same day letters went out to about 5,000 Canadians notifying them the stick with their private information was missing.
As of Monday, the privacy commissioner's office had already received 100 calls and several official complaints that would spark the investigation, Hayden said.