The Information and Privacy Commissioner, Ed Ring, has released his Report P-2008-002 under authority of the Access to Information and Protection of Privacy Act. A summary of the Report is included below.

To view the Report in its entirety, please go to //www.oipc.gov.nl.ca/reports-privacy.htm

Report: P-2008-002

Report Date: July 23, 2008

Public Body: Eastern School District

Summary: On 21 February 2008 Eastern School District ("ESD") contacted this Office to advise that four laptop computers had been stolen from ESD offices. Information on one of the laptops consisted of personal information including the names, addresses, MCP numbers, contact and bussing information of over 28,000 school children. ESD asked the Commissioner to investigate. The Commissioner found that sections 36 and 39 of the Access to Information and Protection of Privacy Act (ATIPPA) had been breached. The Commissioner noted that section 36 of the ATIPPA required public bodies to make "reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal." ESD failed to provide such reasonable security measures and this led to the unauthorized disclosure of personal information, contrary to section 39 of the ATIPPA. He concluded that a multi-layered approach to protection of personal information was necessary. This includes administrative, physical and technological safeguards. The Commissioner noted that while policies and directives with respect to safeguarding information stored on mobile devices were lacking at the time of the breach, such policies are now in active development by ESD. The Commissioner was satisfied with the physical safeguards employed by ESD both prior to and since the breach. Finally, the Commissioner found that encryption was the required industry standard with respect to technological safeguards. At the time of the breach, the laptops were protected by passwords only. This was not a "reasonable security arrangement" in accordance with section 36. Since the breach ESD has installed BIOS, hard drive and power-on passwords and an encrypted drive (where personal information must be stored) on all ESD office laptops. The Commissioner concluded that these measures are in keeping with section 36. The Commissioner also recommended that ESD and the Department of Education develop and assign random unique identifiers to students to replace the use of MCP numbers.

- 30 -

Media contact:
Ed Ring
Information and Privacy Commissioner
709-729-6309