Office of the Information and Privacy Commissioner
July 24, 2008
Report P-2008-002
The Information and Privacy Commissioner, Ed Ring, has
released his Report P-2008-002 under authority of the Access to
Information and Protection of Privacy Act. A summary of the Report
is included below.
To view the Report in its entirety, please go to
//www.oipc.gov.nl.ca/reports-privacy.htm
Report: P-2008-002
Report Date: July 23, 2008
Public Body: Eastern School District
Summary: On 21 February 2008 Eastern School District
("ESD") contacted this Office to advise that four laptop computers had
been stolen from ESD offices. Information on one of the laptops
consisted of personal information including the names, addresses, MCP
numbers, contact and bussing information of over 28,000 school children.
ESD asked the Commissioner to investigate. The Commissioner found that
sections 36 and 39 of the Access to Information and Protection of
Privacy Act (ATIPPA) had been breached. The Commissioner
noted that section 36 of the ATIPPA required public bodies to
make "reasonable security arrangements against such risks as
unauthorized access, collection, use, disclosure or disposal." ESD
failed to provide such reasonable security measures and this led to the
unauthorized disclosure of personal information, contrary to section 39
of the ATIPPA. He concluded that a multi-layered approach to
protection of personal information was necessary. This includes
administrative, physical and technological safeguards. The Commissioner
noted that while policies and directives with respect to safeguarding
information stored on mobile devices were lacking at the time of the
breach, such policies are now in active development by ESD. The
Commissioner was satisfied with the physical safeguards employed by ESD
both prior to and since the breach. Finally, the Commissioner found that
encryption was the required industry standard with respect to
technological safeguards. At the time of the breach, the laptops were
protected by passwords only. This was not a "reasonable security
arrangement" in accordance with section 36. Since the breach ESD has
installed BIOS, hard drive and power-on passwords and an encrypted drive
(where personal information must be stored) on all ESD office laptops.
The Commissioner concluded that these measures are in keeping with
section 36. The Commissioner also recommended that ESD and the
Department of Education develop and assign random unique identifiers to
students to replace the use of MCP numbers.
- 30 -
Media contact:
Ed Ring
Information and Privacy Commissioner
709-729-6309
2008 07 24
3:40 p.m.